Opened 7 years ago

Last modified 13 months ago

#5791 assigned project

Gather apparmor/selinux/seatbelt profiles for each component of TBB

Reported by: arma
Owned by: erinn
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, apparmor
Cc: Shondoit, gk, andreas@…, unknown@…, tagnaq@…, tichodroma@…, ioerror, intrigeri, adrelanos@…, arthuredelstein@…
Actual Points:
Parent ID: #4522
Points:
Reviewer:
Sponsor:

Description (last modified by trams)

It's increasingly clear that shipping TBB without any "system call permissions" wrappers is an arms race that is too easy to lose. Bug 5741 is the latest of what will continue to be many instances.

The Tor wiki has a variety of instructions on putting your TBB in a VM, or running it wrapped by apparmor, or somebody saying the word SELinux, etc.

We should gather all these instructions together, and start vetting them with the goal of integrating as many as we can into the main build processes, and providing the rest as "for experts, you can be even safer if".

We need a volunteer with good security taste to get this started. I could easily see this project being a bounty too.

Child Tickets

Ticket | Status   | Owner    | Summary                                                       | Component
#5756  | closed   |          | Seccomp system call whitelisting on Linux                     | Core Tor/Tor
#6560  | new      | tbb-team | AppArmor, SELinux and other protections                       | Applications/Tor Browser
#8991  | closed   | weasel   | tor debian package installs apparmor profile ineffectively    | Applications/Tor bundles/installation
#9460  | closed   | weasel   | Tor AppArmor profile prevents obfsproxy from starting         | Applications/Tor bundles/installation
#9461  | reopened | weasel   | Tor AppArmor profile prevents flashproxy-client from starting | Applications/Tor Browser

Attachments (1)

tor-sandbox-2013-02-19.tar (26.5 KB) - added by trams 7 years ago.
seatbelt files + wrapperscripts to get it to work on osx 10.7, 10.8


Change History (46)

comment:1 Changed 7 years ago by arma

Owner: erinn deleted
Status: new → assigned

comment:2 Changed 7 years ago by arma

Status: assigned → new

comment:3 Changed 7 years ago by Sebastian

I think on OSX, this could be fairly possible with the sandboxing work that's already been started. On Windows, I don't have a clue. On Linux, our biggest problem will be that we don't want to limit the platforms where TBB runs even more, I suspect.

comment:4 in reply to: 3; Changed 7 years ago by arma

Replying to Sebastian:

On Linux, our biggest problem will be that we don't want to limit the platforms where TBB runs even more, I suspect.

Sounds like a great time for "if foo is installed, use it" logic in the launch scripts.

comment:5 in reply to: 4; Changed 7 years ago by Sebastian

Replying to arma:

Replying to Sebastian:

On Linux, our biggest problem will be that we don't want to limit the platforms where TBB runs even more, I suspect.

Sounds like a great time for "if foo is installed, use it" logic in the launch scripts.

Yes, except a couple of things actually want baking into the binaries.

comment:6 Changed 7 years ago by mikeperry

In #5741, some dude pasted iptables rules that both block and log non-tor traffic. There's also a TBB AppArmor profile at https://trac.torproject.org/projects/tor/wiki/doc/AppArmorForTBB.

comment:7 Changed 7 years ago by Shondoit

Cc: Shondoit added

comment:8 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:9 Changed 7 years ago by trams

Cc: andreas@… added

Note that one of the bigger issues with going apparmor/selinux is that there is no way for the application to "opt-in" for the extra protection. The user needs to load a profile or a module to get it contained. This requires root privileges on the system.

comment:10 in reply to: 9; Changed 7 years ago by mikeperry

Replying to trams:

Note that one of the bigger issues with going apparmor/selinux is that there is no way for the application to "opt-in" for the extra protection. The user needs to load a profile or a module to get it contained. This requires root privileges on the system.

Yeah, that rules them out for shipping with TBB, but they are still useful to document because they are useful for testing purposes (#5767). In the future, I envision a Volunteer QA team running auditing profiles to tell them about disk leaks, proxy bypass, etc. in new versions of TBB/Firefox while testing against a suite of test pages we recommend (#5292), and also during general usage.

comment:11 Changed 7 years ago by unknown

Cc: unknown@… added

comment:12 Changed 7 years ago by unknown

#4522 can be merged or crosslinked with the ticket.

comment:13 Changed 7 years ago by unknown

A targeted SELinux policy is possible. After unpacking the TBB archive in the ~/.torbrowser dir, a user with root privileges can start a script relabeling their files into the right security context. If SELinux HOME_DIR parameters for relative paths are used, then recompiling and reloading the security policy module after unpacking a new TBB is not required; only file relabeling is needed.

To start writing a SELinux TBB targeted policy module, already existing modules can be used: those for Mozilla and tor. They can be combined into one module and the pathnames changed to relative paths with HOME_DIR. The Tor module works well for servers and is only slightly outdated; it needs only insignificant changes. The Mozilla module supports a significantly outdated FF and needs hard effort to keep in an actual state. At first, all non-working parts of the Mozilla module can be commented out to disable security protections blindly. Only the functions preventing DNS and other network leakages can be added. I am not sure whether SELinux functionality alone is enough or whether iptables will be needed nevertheless to operate on traffic marked with SECMARKs.

Another interesting option of SELinux is sandbox, but it currently works in RH/Fedora (only?).

Primarily, more interesting is adapting iptables to the actual state of affairs for flexible use of TBB, system-tor-daemon, transparent torification, blocking and logging leakages. My example of iptables rules from #5741 contains an awkward problem: if a system group is used to separate TBB processes from the current user's processes, then the TBB processes themselves are not separable. TBB-Mozilla and TBB-Tor are not separable; we can log and block DNS queries from that group and all non-TCP traffic, but we cannot tell TBB-Mozilla to make TCP connections only to TBB-tor (localhost or a particular address).

I found the interesting option "User UID" for the tor config, but this did not help. The tor directory in TBB has permission '700' and that is right. If the tor-uid is changed then tor cannot have access to its directory. If we can find a way to start Tor and FF from TBB with different system groups, then we can separate their traffic with iptables completely without the need for SELinux/AppArmor/etc. (at first; iptables is not a replacement for this). In that solution we need a way to securely deliver two different passwords to two different system groups (tbb-browser-itself and tbb-tor-itself) before starting. Using passwordless system groups is not recommended: if malicious code executing with the user's rights can change its groups, then avoiding the firewall separation is possible.

comment:14 Changed 7 years ago by tagnaq

Cc: tagnaq@… added

comment:15 Changed 7 years ago by Tichodroma

Cc: tichodroma@… added

comment:16 in reply to: 9; Changed 7 years ago by mikeperry

Owner: set to cypherpunks
Parent ID: #4522
Status: new → assigned

Replying to trams:

Note that one of the bigger issues with going apparmor/selinux is that there is no way for the application to "opt-in" for the extra protection. The user needs to load a profile or a module to get it contained. This requires root privileges on the system.

Actually now that I think about it, isn't stuff like this what PAM was designed for? Can't ./start-tor-browser just ask for root authentication to temporarily enable either an SELinux module or AppArmor profile? I know on Mac OS this definitely is the case (but most likely Mac won't require root to load Seatbelt profiles, I assume).

Assuming, of course, that the kernel itself doesn't write a record to disk of the profile being loaded... Though even if it does, we could just warn the user of that fact.

comment:17 in reply to: 16; Changed 7 years ago by unknown

All SELinux modules are predefined in policies and loaded at system start without any interaction with the user. Root/unconfined privileges are needed only to install these modules the first time and to label files with security contexts.

comment:18 Changed 7 years ago by mikeperry

Summary: Gather apparmor/selinux/sandbox instructions for each component of TBB → Gather apparmor/selinux/seatbelt profiles for each component of TBB

unknown: Do you have a working SELinux module for TBB yet? Even if it only sort of works, it would be worth attaching for review. Pastebin also works.

comment:19 Changed 7 years ago by cypherpunks

OSX sandbox is available here:
https://romab.com/tbb/

Not well tested, but will allow for browsing with a sandboxed FF. Only 10.7.

comment:20 in reply to: 18; Changed 7 years ago by unknown

Replying to mikeperry:

unknown: Do you have a working SELinux module for TBB yet? Even if it only sort of works, it would be worth attaching for review. Pastebin also works.

I've got nothing to show for it at the moment, sorry. I'm not an expert or skillful SELinux user; I have some good experience using SELinux on servers in the past and bad experience on desktops without deep knowledge of it. Lately I returned to using SELinux on my desktop and have had more positive results. I'll be glad to share any useful results with Torproject immediately, but am going slowly in this direction.

For the iptables separation described before I use not only the sg command to start TBB with another group. Two parallel running X sessions are used, just by adding two lines in /etc/gdm/gdm.conf:

[servers]
0=Standard vt7
1=Standard vt8

AFAIK it works well for some types of nonproprietary video drivers only.

comment:21 Changed 7 years ago by karsten

Keywords: SponsorZ added
Milestone: Sponsor Z: March 1, 2013

Switching from using milestones to keywords for sponsor deliverables. See #6365 for details.

comment:22 Changed 7 years ago by mikeperry

Xephyr and Xnest are apparently two other ways of sandboxing X11 by running nested X servers:
https://en.wikipedia.org/wiki/Xephyr
https://en.wikipedia.org/wiki/Xnest

They look like they might be a bit heavyweight for us, but worth noting for the record.

Also, the NSA has this set of docs on securing X11 with SELinux:
http://www.nsa.gov/research/_files/selinux/papers/x11/t1.shtml

Not sure how much of that is actually implemented yet.

Changed 7 years ago by trams

Attachment: tor-sandbox-2013-02-19.tar added

seatbelt files + wrapperscripts to get it to work on osx 10.7, 10.8

comment:23 Changed 7 years ago by trams

Description: modified (diff)

comment:24 Changed 7 years ago by trams

Description: modified (diff)

comment:25 Changed 7 years ago by trams

Ok, comment should have been here instead. Attached sandbox files that can be applied to latest tbb/osx by doing the following steps:

  1. unzip the TorBrowser-2.2.35-11-osx-x86_64-en-US.zip
  2. cd TorBrowser_en-US.app
  3. tar xvf ../path/to/tor-sandbox.tar

happy sandboxing

comment:26 Changed 7 years ago by arma

Cc: ioerror added

comment:27 Changed 6 years ago by intrigeri

Cc: intrigeri@… added

comment:28 in reply to: 6; Changed 6 years ago by proper

Cc: adrelanos@… added

Replying to mikeperry:

There's also a TBB AppArmor profile at https://trac.torproject.org/projects/tor/wiki/doc/AppArmorForTBB.

Before it gets purged from pastebin someday, I made a backup on github, but don't plan development:
https://github.com/adrelanos/Inoffical-TBB-AppArmor

comment:29 Changed 5 years ago by arthuredelstein

Cc: arthuredelstein@… added

comment:30 Changed 5 years ago by gk

Cc: gk added; g.koppen@… removed

comment:31 Changed 5 years ago by proper

Overview of recent AppArmor efforts:

comment:32 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:33 Changed 5 years ago by erinn

Component: Tor bundles/installation → Tor Browser
Keywords: needs-triage removed
Owner: changed from cypherpunks to erinn

comment:34 Changed 5 years ago by mikeperry

Keywords: tbb-security added; SponsorZ removed

comment:35 Changed 5 years ago by intrigeri

Cc: intrigeri added; intrigeri@… removed

comment:36 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201410D added

comment:37 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201411 added

comment:38 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201410D removed

comment:39 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201411 removed

comment:40 Changed 4 years ago by gk

Keywords: tbb-hardening added

comment:41 Changed 4 years ago by gk

Keywords: tbb-hardened added; tbb-hardening removed

comment:42 Changed 4 years ago by cypherpunks

Severity: Normal

This really should be of major priority; not sure why it isn't and is getting postponed for years. Proper AppArmor/SELinux profiles would have helped reduce and even prevented the high-profile attacks on TBB using Javascript in the past.

comment:43 Changed 4 years ago by yawning

Was feeling inspired despite having some death flu Influenza variant, so I played around with firejail.

https://git.schwanenlied.me/yawning/tor-firejail

IIRC AppArmor doesn't do seccomp-bpf based sandboxing, so I view some of the functionality as complementary (though firejail needs to be SUID root as a consequence, since a lot of the operations involved in setting up a sandbox are privileged).

comment:44 Changed 2 years ago by gk

Keywords: tbb-hardened removed

Remove tbb-hardened keyword.

comment:45 Changed 13 months ago by traumschule

Keywords: apparmor added

group tickets related to AppArmorForTBB/tor packages
