Version 7 (modified by ioerror, 5 years ago)
OS X sandbox
As the TBB for Mac OS X will be sandboxed to prevent it from revealing the user by mistake, we enforce some rules. There are, however, some open questions that should be answered after some discussion.
Rules enforced by sandbox
- Firefox (FF) may only talk TCP to the proxy (IPC is still allowed)
  - IPC to which proxy? The HTTP proxy or Tor?
- No write, except to $TMPDIR and the PROFILE directory. Should be more fine-grained.
  - Is it possible to make TMPDIR a RAM disk or something else that doesn't actually write to the disk, perhaps a memory-only file system that is already mounted?
- Only allow execution of ff-binary and netstat (needed for entropy). This makes the "open downloaded file" dialog nonstandard.
  - How does netstat give us entropy?
- No read at all in the user's home directory unless the package is installed there. This sacrifices user preferences, fonts, color correction etc.
  - Seems safer than nothing
- We only allow the bare minimum of Mach ports (IPC).
  - What's allowed?
- No signals
  - What signals would it ever need and what do we gain by denying them?
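One way to check a sandbox profile against the rules listed above, as an added example that is not part of the original wiki page or the project's code: it parses a profile written in Apple's sandbox profile language (SBPL) and reports every allow rule that goes beyond the TCP-to-proxy, write, exec and signal rules. The proxy port, the netstat path, the `TMPDIR`/`PROFILE`/`FF_BINARY` parameter names and the sample profile are assumptions made for the illustration; Mach ports and reads are not audited because the page leaves them open.

```python
import re

# SBPL operation -> filters the rules permit. Port, paths and param names are assumed.
POLICY = {
    "network-outbound": {'(remote tcp "localhost:9050")'},
    "file-write*": {'(subpath (param "TMPDIR"))', '(subpath (param "PROFILE"))'},
    "process-exec": {'(literal (param "FF_BINARY"))', '(literal "/usr/sbin/netstat")'},
}
for _op in "signal network-inbound network-bind default network* file* process*".split():
    POLICY[_op] = set()  # never permitted under the rules, whatever the filter

SAMPLE_PROFILE = '''
(version 1)
(deny default)
(allow network-outbound (remote tcp "localhost:9050") (remote udp "*:53"))
(allow file-write* (subpath (param "TMPDIR")) (subpath (param "PROFILE")))
(allow file-write* (subpath "/Users/alice/Documents"))
(allow process-exec (literal (param "FF_BINARY")) (literal "/usr/sbin/netstat") (literal "/bin/sh"))
(allow signal (target self))
'''  # constructed sample with four deliberate violations, not from the page

def parse(text):
    """Parse SBPL s-expressions into nested lists; ';' comments are dropped."""
    stack = [[]]
    for tok in re.findall(r'"[^"]*"|[()]|[^\s()]+', re.sub(r';[^\n]*', '', text)):
        if tok == "(":
            stack.append([])
        elif tok == ")" and len(stack) > 1:
            stack[-2].append(stack.pop())
        elif tok == ")":
            raise ValueError("unbalanced ')'")
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def show(node):  # re-serialise a parsed node with normalised whitespace
    return node if isinstance(node, str) else "(" + " ".join(map(show, node)) + ")"

def audit(text):
    """Return one finding per allow rule that exceeds POLICY."""
    forms = parse(text)
    findings = [] if ["deny", "default"] in forms else ["profile is not default-deny"]
    for form in (f for f in forms if isinstance(f, list) and f[:1] == ["allow"]):
        filters = [show(x) for x in form[1:] if isinstance(x, list)]
        for op in (x for x in form[1:] if isinstance(x, str) and x in POLICY):
            extra = [f for f in filters if f not in POLICY[op]]
            if extra or not filters:
                findings.append(f"{op}: {' '.join(extra) or 'unfiltered'}")
    return findings
```

Calling `audit(SAMPLE_PROFILE)` returns one finding for each of the four rules that exceed the policy; a rule that names several operations at once is checked for each audited operation it names.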
Issues in need of discussion
- TBB is not allowed to read the user's preferences. This can make the browser look different from other windows (as it will use the default).
- No plugins - maybe we (or the user) want Flash etc.?
  - Flash probably isn't safe if the MAC address or local network is visible to Flash
- Should we allow users to add extensions?
  - We should ship with only trusted and tested plugins like HTTPS-Everywhere
- Are we allowing cut & paste?
  - Yes, I think we should allow cut and paste
- Are users allowed to write to disk? Where?
  - Into tmp directories and onto their desktop?
- Only system fonts are allowed (privacy)
  - Also good for fixing code execution bugs - see OTS by Google - http://code.google.com/p/ots/wiki/DesignDoc
- Uploading files is tricky if users are not allowed to read any directory visible in Finder
  - I think we should allow their Desktop for usability reasons
- Certain operations can trigger NSCF errors, which will be present in the system log. This needs testing.
  - What operations? Perhaps we can run an audit as part of the alpha?