[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5791 [Tor bundles/installation]: Gather apparmor/selinux/sandbox instructions for each component of TBB



#5791: Gather apparmor/selinux/sandbox instructions for each component of TBB
--------------------------------------+-------------------------------------
 Reporter:  arma                      |          Owner:                          
     Type:  project                   |         Status:  new                     
 Priority:  normal                    |      Milestone:  Sponsor Z: March 1, 2013
Component:  Tor bundles/installation  |        Version:                          
 Keywords:                            |         Parent:                          
   Points:                            |   Actualpoints:                          
--------------------------------------+-------------------------------------

Comment(by unknown):

 Target SELinux policy is possible. After unpack TBB archive in
 ~/.torbrowser dir user with root privileges can start script relabeling
 their files in right security context. If SELinux HOME_DIR parameters for
 relative paths is used then recompilation and reloading security policy
 module after unpack new TBB is not required, only file relabeling is
 needed.

 To start writing SELinux TBB target policy module already existed modules
 can be used: for Mozilla and tor. They can be combined in one module and
 pathnames changed to relative path with HOME_DIR. Tor module works good
 for servers and outdated only slight, it need nonsignificant changes only.
 Mozilla module supports FF significantly outdated and need hard efforts to
 keep in actual state. At first time all not worked parts from Mozilla
 module can be commented to disable security protections blindly. Only
 preventing DNS and other network leakages functions can be added. I am not
 sure about only SELinux functionality is enough or iptables will be needed
 nevertheless to operating with traffic marked with SECMARKs.

 Another interesting option of SELinux is sandbox but currently working in
 RH/Fedora (only ?).

 ----

 Primarily, more interesting is adapt iptables to actual state of manner
 for flexible using TBB, system-tor-daemon, transparent torification,
 blocking and logging leakages. My example of iptables rules from
 #5741consist an awkward problem: if system group is used to separate TBB
 processes from current users processes then all TBB processes itself are
 not separable. TBB-Mozilla and TBB-Tor are not separable, we can log and
 block DNS queries from that groups and all non tcp-traffic but we cannot
 say to TBB-Mozilla make a tcp connections only to TBB-tor (localhost or
 particular address).

 I found interesting option "User UID" for tor config but this not helped.
 Tor directory in TBB has permission '700' and that is right. If tor-uid
 changed then tor cannot has access to its directory. If we can found a way
 to starting Tor and FF from TBB with different system groups then we can
 separate theirs traffics with iptables completely without need
 SELinux/Apparmor/etc (at first time, iptables is not a replacement for
 this). In that solution we need a way to secure deliver two different
 passwords to two different system groups (tbb-browser-itself and tbb-tor-
 itself) before starting. Using passwordless system groups is not
 recommended: if malicious code execution with users rights can change its
 groups then avoiding firewall separation is possible.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5791#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs