Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AppArmor: sandbox the content rendering processes (e10s) more strictly (Closes: #278) #280

Merged
merged 18 commits into from
Jan 28, 2018
Merged

AppArmor: sandbox the content rendering processes (e10s) more strictly (Closes: #278) #280

merged 18 commits into from
Jan 28, 2018

Conversation

intrigeri
Copy link
Collaborator

I've been using this on my system for a few days, and the (adjusted) version we have in Tails passes our test suite.
@intrigeri
AppArmor: create a new profile for Firefox' content rendering process…
a2bc002 
…es (plugin-container).

This profile was copied as-is from torbrowser.Browser.firefox, and I updated the
name of the profile and the corresponding local include only.
@intrigeri
AppArmor: fully transition to plugin-container's own confinement when…
46ea9f3 
… starting it, i.e. don't inherit Firefox' confinement.

We will later remove credentials plugin-container doesn't need, in order to
confine it more strictly. Such effort would be worthless if we kept inheriting
the permissions we grant the parent Firefox process.
@intrigeri
AppArmor: allow plugin-container to read/map/execute itself.
3b0ef2a
@intrigeri
AppArmor: remove useless "Last modified" lines that don't convey any …
9fee29d 
…information.
@intrigeri
AppArmor: remove lots of permissions the plugin-container process doe…
6f6c8f9 
…sn't need.
@intrigeri
AppArmor: give plugin-container read-only access to the Tor Browser c…
b679cee 
…omponents it needs, and to user extensions.
@intrigeri
setup.py: install the new torbrowser.Browser.plugin-container profile.
76aca91
@intrigeri
AppArmor: add missing "owner" prefix, for consistency.
c06722b
@intrigeri
AppArmor (refactoring): extract often used paths into variables.
33502fa
@intrigeri
Merge remote-tracking branch 'upstream-repo/master' into apparmor-e10s
0184abb
@intrigeri
AppArmor: add missing library loading permissions.
0fedf0d 
Otherwise at least printing is broken.
@intrigeri
AppArmor: grant plugin-container write access to the Downloads direct…
af8567e 
…ory.

Otherwise at least printing to a PDF file in that directory fails.
@intrigeri
AppArmor: move to plugin-container, and extend, the commented-out lin…
3f8e6f9 
…es that help making sound work.

Apparently these permissions are now needed by plugin-container, not by the
master firefox process.
@intrigeri
AppArmor: grant plugin-container write access to its temporary direct…
4a2501e 
…ory.

Otherwise e.g. printing to a PDF file fails.
@intrigeri
AppArmor: merge lines to ease maintenance.
da82f9c
@intrigeri
AppArmor: improve comment about allowing sound.
c58b5af
@intrigeri intrigeri mentioned this pull request Jun 23, 2017
Closed
@intrigeri
Copy link
Collaborator Author

Hold on, this seems to break downloading files.
@intrigeri
Copy link
Collaborator Author

False alert, I was running an older version with a bug that's fixed in this branch. Please review and merge :)
@intrigeri
Copy link
Collaborator Author

A month later, here's a gentle ping about this PR :)
@intrigeri
Copy link
Collaborator Author

Hi Micah!

Another 1.5 month later: ping? I've now been running Tor Browser with these changes for 2.5 months on my personal system, and didn't notice any regression.

Background: I would love to have this in Tails 3.2, whose code freeze is on September 14, but as usual I would greatly prefer not diverging from upstream :)
@intrigeri
AppArmor: grant plugin-container read-write access on the fontconfig …
6608523 
…cache.

Apparently it needs that to use & manage the cache.
@intrigeri
AppArmor: support sysvinit systems.
72d385f 
With systemd (at least on current Debian sid), /run/shm is a symlink to
/dev/shm, so "owner /dev/shm/org.chromium.* rw," is enough. With sysvinit,
apparently things are set up differently (perhaps the symlinks are in the
opposite direction?) so Firefox tries to access /run/shm/org.chromium.*,
which was rejected.

Let's support both!

Thanks to gregor herrmann <gregoa@debian.org> for the bug report:
https://bugs.debian.org/874383

Note that this problem happens with pristine 0.2.8 profiles,
without the changes brought by my apparmor-e10s branch.
@intrigeri
Copy link
Collaborator Author

Hold on, this branch will need updates for Linux 4.14. Whenever you're in the mood for reviewing PRs please focus on #290, #291 and #294 first.
@micahflee
Copy link
Collaborator

Sorry about ignoring this for many, many, months @intrigeri. Can you verify that these these AppArmor changes are still current with Tor Browser 7.5?
@micahflee
Copy link
Collaborator

I just tested this, along with the other AppArmor PRs, with Tor Browser 7.5 and they all appear to work fine.
@micahflee micahflee merged commit 72d385f into torproject:master Jan 28, 2018
@intrigeri
Copy link
Collaborator Author

I just tested this, along with the other AppArmor PRs, with Tor Browser 7.5 and they all appear to work fine.

Strange. As said in #280 (comment) I think this branch needed updates especially once the PR for #294 is merged. I'll send a new PR about these updates ASAP.
@intrigeri intrigeri deleted the apparmor-e10s branch January 28, 2018 18:49
@intrigeri intrigeri mentioned this pull request Jan 29, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@intrigeri @micahflee