[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: TBB in a sandbox (osx)



On Tue, Oct 05, 2010 at 11:31:25PM +0200, Andreas Jonsson wrote:
> Hi List!
> 
> I've been working with Erinn to sandbox the TBB much like chrome and
> ironfox are on osx, but now I think we need some opinions regarding
> where to go next.
> 
> See this page for more information on what the sandbox is enforcing:
> 
>  https://trac.torproject.org/projects/tor/wiki/projects/TorBrowserBundle/OSX/Security
> 
> For those that hate clicking on links;
> Issues in need of discussion
> 
>     * TBB is not allowed to read the users preferences. This can man the
> browser look different than other windows (as it will use the default).
>     * No plugins - maybe we(or the user) wants flash etc?
>     * Should we allow users to add extensions?
>     * Are We allowing cut & paste?
>     * Are users allowed to write to disk? where?
>     * Only system fonts are allowed ( privacy )
>     * Uploading files is tricky if users are not allowed to read any
> directory visible in finder
>     * Certain operations can trigger NSCF errors, which will be present
> in the systemlog. This needs testing
> 
> Also, as we need to maintain two different policies (as the Sandbox have
> different limitations on 10.5 vs 10.6), there might be some limitations
> on what we can accomplish on both platforms.
> 
> Obvious things left to be done is to sandbox polipo and tor itself (when
> they launch from vidalia).

Hi Andreas!

Thanks for working on this. Sorry for the delay in response.

As we talked about today in person, I think the sandboxed TBB on OS
X should start with a quite relaxed policy. So long as we block the
super-dangerous stuff like executing other programs, we're doing a lot
better than we would be doing without a sandbox.

We could ship with a very locked-down policy, but then most people would
try the bundle and abandon it without ever filing a bug report. On the
other hand, if we ship the main bundle with a relaxed policy and then try
out new experimental versions that are slightly more locked down, people
are more likely to complain to us when we break their expected workflow.

The eventual goal is to get a better handle on what workflows actual OS
X users expect to use with a sandboxed TBB. We could certainly anticipate
all possible workflows and try to design sandbox rules that will work for
every person, but we will go mad. We could try to guess the top 6 choices
that users will want to make (allow flash or not, allow downloads or not,
etc), but I think we should wait to hear from actual users what they
most want to do. Then we could imagine that the first time you launch
TBB, Vidalia walks you through choosing how locked down you want your
Firefox to be.

The flash question in particular is tricky -- TBB for Windows ships
without Flash, yet when people complain that we broke Youtube we point
them at https://www.torproject.org/torbutton/torbutton-faq.html.en#noflash
which tells them how to turn off Torbutton's protections. But their
Firefox doesn't have flash in the first place, so turning off Torbutton's
protections doesn't actually solve their problem. Mike and Erinn were
recently trying to decide whether to reenable Firefox's plugin search
path, which would let it find Flash if you have another Firefox+Flash
installed on the system. That would be good for the people who want to
find and use their Flash from TBB, but it would be bad for the people
who really want Tor to disable their Flash (less defense-in-depth). Both
options are messy.

Hope that helps as a general strategy suggestion. Let us know if there
are still specific choices to be made -- or just pick something smart and
run with it, so we can get to the 'actual users testing it' phase. :)

Thanks!
--Roger

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/