Version 10 (modified by karsten, 6 years ago) (diff)

Name changed from org/projects/TorBrowserBundle/OSX/Security to doc/TorBrowserBundle/OSX/Security

OS X sandbox

As the tbb for MACOSX will be sandboxed to prevent the tbb from revealing the user by mistake, we enforce some rules. There are however some open questions that should be answered after some discussion. The first goal of the policy is to prevent compromise of the tor browser bundle to compromise the users machine or the users privacy.

Tbb consists of 4 different components.

  • Firefox
  • tor
  • polipo
  • Vidalia

Vidalia is responsible for launching each of the other components, and are now able force them into a sandbox.

Rules enforced by sandbox for bundled Firefox

  • FF may only talk tcp to the polipo, running on localhost (tcp localhost:8118)
  • No write, except to $TMPDIR, and the PROFILE directory. Should be more finegrained.
    • Is it possible to make TMPDIR a RAM disk or something else that doesn't actually write to the disk, perhaps a memory only file system that is already mounted?
    • Might be, but TMPDIR does not appear to hold anything interesting. The profile directory otoh does, but it would seriously hamper usability. (perhaps different usecases?)
  • Only allow execution of ff-binary and netstat (needed for entropy). This makes "open downloaded file" dialog nonstandard.
  • No read at all in user homedir unless package is installed there. This sacrifices user preferences, fonts, color correction etc
    • Seems safer than nothing
  • We only allow the bare minimum of Mach ports (IPC).
    • What's allowed?
    • We only allow the machports required for the browser to start and display a window correctly (and otherwies function). These are
    things like allowing an icon to appera on the dock (, allowing a window to be drawn (, (, fontservices, nameservice resolution, etc. For a complete list see the sandbox policy file, soon to appear in a git near you.

  • No signals
    • What signals would it ever need and what do we gain by denying them?
    • It does not need any signals, so we deny an attacker the possiblity to use them for whatever purpose.

Issues in need of discussion

  • TBB is not allowed to read the users preferences. This can make the browser look different than other windows (as it will use the default).
  • No plugins - maybe we(or the user) wants flash etc?
    • Flash probably isn't safe if the MAC address or local network is visible to flash
    • Hard to prevent on firefox3, in firefox4 we can have a much more finegrained confinement of flash, as plugins run in a separate process.
  • Should we allow users to add extensions?
    • We should ship with only trusted and tested plugins like HTTPS-Everywhere
    • We already do, but are we to allow the user to install extensions?
  • Are We allowing cut & paste?
    • Yes, I think we should allow cut and paste
  • Are users allowed to write to disk? where?
    • Into tmp directories and onto their desktop?
    • Usbvolumes?
  • Only system fonts are allowed ( privacy )
  • Uploading files is tricky if users are not allowed to read any directory visible in finder
    • I think we should allow their Desktop for Usability reasons
    • Usbvolumes?
  • Certain operations can trigger NSCF errors, which will be present in the systemlog. This needs testing
    • What operations? Perhaps we can run an audit as part of the alpha?
    • We need testers for this, but mostlikely unexpected stuff, like drag-and-drop(which is currently not allowed) to a directory not readable/writeable. I do not have an example from FF at the moment, but here is one from adium running snadboxed:
    Adium[30828]: * -[NSCFArray initWithObjects:count:]: attempt to insert nil object at objects[0]

Rules for polipo

  • Only the following files may be read:
    • POLIPODIR/Contents/Resources/Data/Polipo/polipo.conf
    • /dev/{null|urandom|dtracehelper}
    • /private/var/run/resolv.conf
    • /usr/share/.*
  • We only allow write to /dev/dtracehelper
  • ipc-posix-shm is allowed.
  • 3 mach-ports (directory service, ie nameservices)
  • only allow inbound on tcp localhost:8118
  • only allow outbound on tcp localhost:9050
  • Only allow exec of the polipo binary
  • Allow sysctl-read

Rules for tor

  • written, but not document here ( yet!)

Note that the sandbox rules are more relaxed in 10.5 as the sandbox there lacks some of the desired functions. (port filtering for example).