[tor-dev] Enhanced Tor Browser sandboxing upstreaming
- To: tor-dev@xxxxxxxxxxxxxxxxxxxx, whonix-devel-owner@xxxxxxxxxx
- Subject: [tor-dev] Enhanced Tor Browser sandboxing upstreaming
- From: "procmem@xxxxxxxxxx" <procmem@xxxxxxxxxx>
- Date: Sat, 24 Aug 2019 17:23:28 +0000
Hi. We aim to make enhanced sandboxing for Tor Browser widely available on Linux that's well maintained in the long term. We would appreciate it if the TBB team provided the currently developed AppArmor and Firejail profiles below from your repos, ran unit testing, and checked/fixed any breakages with updated browser versions.

It turns out there is an advantage to stacking both AppArmor and Firejail. Firejail doesn't offer nearly as good file path whitelisting as AppArmor. Firejail also can't do many things AppArmor can, such as managing ptrace or signals, yet Firejail can use xpra to isolate Tor Browser's access to X, PulseAudio and the clipboard. The Firejail package included in Debian stable cannot keep pace with the needed changes as Tor Browser continues to change.

Stacking is also good defense in depth. If there's a vulnerability in Firejail then AppArmor will still restrict the application, or vice versa.

Firejail provides a maintained official profile for Tor Browser [0]. We have an AppArmor profile that we've maintained for years [1].

[0] https://github.com/netblue30/firejail/blob/master/etc/start-tor-browser.profile
[1] https://github.com/Whonix/apparmor-profile-torbrowser
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
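The message above contrasts AppArmor's file-path whitelisting and ptrace/signal mediation with what Firejail offers. The fragment below is an added illustration written for this page, not the Whonix profile linked as [1] nor anything from the Firejail project; the profile name `torbrowser_example` and the install path `@{HOME}/tor-browser*/Browser/` are assumptions chosen for the example. It shows the three rule classes the message says Firejail cannot express: owner-scoped path whitelisting instead of broad `@{HOME}` access, and ptrace/signal rules restricted to the browser's own confined processes.

```apparmor
# Added example profile (illustrative; not the Whonix or Firejail project profile).
# Assumes Tor Browser is unpacked under @{HOME}/tor-browser*/ (an assumption).
#include <tunables/global>

profile torbrowser_example @{HOME}/tor-browser*/Browser/firefox {
  #include <abstractions/base>

  # File path whitelisting: only the browser's own tree is reachable, and only
  # when owned by the launching user. Nothing else under @{HOME} is granted.
  owner @{HOME}/tor-browser*/Browser/** r,
  owner @{HOME}/tor-browser*/Browser/firefox ixr,
  owner @{HOME}/tor-browser*/Browser/TorBrowser/Data/** rwk,
  owner @{HOME}/tor-browser*/Browser/TorBrowser/Data/Tor/tor ixr,

  # Deny rules take precedence over allow rules in AppArmor, so these hold
  # even if a broader allow is added later by mistake.
  audit deny @{HOME}/.ssh/** rwklx,
  audit deny @{HOME}/.gnupg/** rwklx,

  # ptrace mediation: the browser may only inspect/trace, and be inspected/traced
  # by, processes running under this same profile. Cross-sandbox debugging of
  # other confined or unconfined processes is not granted.
  ptrace (read, trace, readby, tracedby) peer=torbrowser_example,

  # Signal mediation: signals only flow between processes of this profile.
  # No rule grants send/receive to other peers, so those are denied.
  signal (send, receive) peer=torbrowser_example,
}
```

Load it with `apparmor_parser -r` (or `aa-enforce` from apparmor-utils) and confirm it appears under "enforce mode" in `aa-status` before launching the browser. Stacking in the sense the message describes then means starting the browser through Firejail with its own profile from [0] and `--x11=xpra` for display/clipboard isolation, while AppArmor independently enforces the path, ptrace and signal rules above; if either layer fails open, the other still applies. The `peer=` rules are only meaningful on kernels with AppArmor ptrace/signal mediation; on older kernels the parser accepts them but they are not enforced, which is worth checking with `aa-status` and the kernel's `/sys/kernel/security/apparmor/features` directory.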