Bug #12679

Sandbox Tor Browser's content renderer processes more strictly

Added by intrigeri about 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 06/10/2017
Due date:
% Done: 100%
Feature Branch: feature/12679-sandbox-firefox-content-renderers
Type of work: Code
Blueprint:
Starter:
Affected tool: Browser

Description

Since we have enabled Electrolysis (e10s), we confine these processes in exactly the same way as the parent Firefox process. I'm pretty sure they could be confined much more strictly, without impacting UX whatsoever. And while we're at it, maybe some permissions we currently grant to the parent Firefox process are not needed anymore, as it does less work.


Related issues

Related to Tails - Bug #15717: Firefox' "Web Content" processes are not confined as strictly as they used to Resolved 07/05/2018
Blocked by Tails - Feature #12653: Upstream changes to our Tor Browser 7.0 AppArmor profile Resolved 06/07/2017
Blocks Tails - Feature #13245: Core work 2018Q1: Foundations Team Resolved 06/29/2017

Associated revisions

Revision 3735ab47 (diff)
Added by anonym over 1 year ago

Fix devel from FTBFS by downgrading torbrowser-launcher.

torbrowser-launcher 0.2.9 has entered sid and thus the APT snapshot
used by devel, and since our AppArmor profile patch does not apply, we
FTBFS. Updating the patch is the real fix, but is complex and will be
part of #12679.

Fix-committed: #15270
Refs: #12679

Revision 547bbdf4 (diff)
Added by intrigeri over 1 year ago

Install current upstream Tor Browser AppArmor profiles + our custom patch (refs: #12679).

Taken from 894f2cb1474f78121d2da8cf954d2a23919666df in our
torbrowser-launcher.git.

Revision 932407f1 (diff)
Added by intrigeri over 1 year ago

Tor Browser AppArmor profiles: update our custom patch (refs: #12679).

Taken from 3286cb1f342218e9bbb2638e1bdda99b2d2f0737 in our
torbrowser-launcher.git.

Changes:

- Silence denial of access to ~/.cache/fontconfig/.
- Allow innocuous access to /usr/share/applications/gnome-mimeapps.list to
silence logs.

Revision 9e19bb4e
Added by anonym over 1 year ago

Merge remote-tracking branch 'origin/feature/12679-sandbox-firefox-content-renderers' into devel

Fix-committed: #12679, #15270

History

#1 Updated by intrigeri about 2 years ago

  • Blocked by Feature #12653: Upstream changes to our Tor Browser 7.0 AppArmor profile added

#2 Updated by intrigeri about 2 years ago

(This blocking relationship is not exactly correct, but it would be nice to upstream our existing delta before adding some more.)

#3 Updated by intrigeri about 2 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

I have something that Works On My Machine™. Up-to-date info about it can be found on https://github.com/micahflee/torbrowser-launcher/issues/278.

#4 Updated by intrigeri about 2 years ago

  • % Done changed from 10 to 20
  • Feature Branch set to feature/12679-sandbox-firefox-content-renderers

#5 Updated by intrigeri almost 2 years ago

It passed the subset of our test suite we run on Jenkins.

Next step: run all affected tests locally.

#6 Updated by intrigeri almost 2 years ago

  • % Done changed from 20 to 30

The branch now passes features/documentation.feature:4 features/localization.feature features/tor_enforcement.feature:15 features/tor_stream_isolation.feature:26 features/torified_browsing.feature features/unsafe_browser.feature locally. Next step: upstream my changes to tbl, and then wait for them to reach Debian sid, and then we can replace my hard-coded profiles in tails.git with a proper patch.

#7 Updated by intrigeri almost 2 years ago

  • Type of work changed from Code to Wait

#8 Updated by intrigeri almost 2 years ago

#10 Updated by intrigeri almost 2 years ago

  • Target version changed from Tails_3.2 to Tails_3.3

I'll ping again during next cycle.

#11 Updated by intrigeri almost 2 years ago

Pinged upstream, refreshed our branch so it's tested by Jenkins again.

#12 Updated by intrigeri over 1 year ago

#13 Updated by intrigeri over 1 year ago

#14 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.3 to Tails_3.5

#15 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.5 to Tails_3.6

That's for a major release (and pinging upstream doesn't seem to help).

#16 Updated by intrigeri over 1 year ago

#17 Updated by intrigeri over 1 year ago

#18 Updated by intrigeri over 1 year ago

  • % Done changed from 30 to 40

My branch was merged upstream \o/ but I'm not sure how well it will work as-is (I had actually asked upstream to first merge something else so I could then update my branch on top of that).

I've sent a follow-up PR: https://github.com/micahflee/torbrowser-launcher/pull/310.

#19 Updated by intrigeri over 1 year ago

My branch was merged upstream \o/

This implies that devel will FTBFS once torbrowser-launcher 0.2.9 makes it into Debian.

#20 Updated by intrigeri over 1 year ago

  • Type of work changed from Wait to Code

#21 Updated by bertagaz over 1 year ago

eeek, torbrowser-launcher 0.2.9-1 has entered stretch-backports, so devel does FTBFS again. :/ I'm giving a try to your branch as is, at least to see if it fixes the build.

#22 Updated by intrigeri over 1 year ago

> eeek, torbrowser-launcher 0.2.9-1 has entered stretch-backports, so devel does FTBFS again. :/ I'm giving a try to your branch as is, at least to see if it fixes the build.

Yes, see #15270.

#23 Updated by intrigeri over 1 year ago

I'll request a first merge of this branch to fix #15270 as soon as some local test suite runs finish successfully, but I'm not done here yet: I want to do some more manual testing, ensure the plugin container profile is applied and e10s is enabled, look at AppArmor logs, and possibly backport some deny rules from my last upstream PR to make the kernel logs less noisy.

#24 Updated by intrigeri over 1 year ago

The only failing relevant automated test in my local run is caused by #14935#note-13.

#25 Updated by intrigeri over 1 year ago

  • Blocked by Bug #15270: devel branch FTBFS since torbrowser-launcher 0.2.9 entered sid added

#26 Updated by intrigeri over 1 year ago

intrigeri wrote:

> I want to do some more manual testing, ensure the plugin container profile is applied and e10s is enabled, look at AppArmor logs, and possibly backport some deny rules from my last upstream PR to make the kernel logs less noisy.

Done all this, will submit for QA once I've confirmed an ISO built from my (updated) branch behaves correctly.
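The AppArmor log review mentioned in comments #23 and #26, sketched as an added example that is not part of the ticket or of the Tails code base: it groups kernel-log denials by profile and path, and flags content-process denials recorded under a profile other than the content one. The profile names, the "Web Content" process name, PIDs and function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in AppArmor's audit format. Profile
# names, PIDs and timestamps are invented; the two browser paths are the ones
# named in the commit message of revision 932407f1.
SAMPLE_LOG = '''\
audit: type=1400 audit(1518000000.101:41): apparmor="DENIED" operation="open" profile="example_browser_content" name="/home/user/.cache/fontconfig/" pid=2301 comm="Web Content" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1518000003.550:42): apparmor="DENIED" operation="open" profile="example_browser_content" name="/home/user/.cache/fontconfig/" pid=2340 comm="Web Content" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1518000004.002:43): apparmor="DENIED" operation="open" profile="example_browser_parent" name="/usr/share/applications/gnome-mimeapps.list" pid=2250 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1518000005.900:44): apparmor="ALLOWED" operation="open" profile="example_other" name="/tmp/x" pid=900 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
usb 1-1: new high-speed USB device number 2 using xhci_hcd
audit: type=1400 audit(1518000009.120:45): apparmor="DENIED" operation="open" profile="example_browser_parent" name="/home/user/.cache/fontconfig/" pid=2388 comm="Web Content" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key/value fields of one AppArmor audit line, else None."""
    if 'apparmor="' not in line:
        return None
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD.findall(line)}


def summarize_denials(log_text):
    """Count DENIED events per (profile, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("apparmor") == "DENIED":
            counts[(f.get("profile"), f.get("name"), f.get("denied_mask"))] += 1
    return counts


def content_under_wrong_profile(log_text, content_comm, content_profile):
    """PIDs of content processes whose denials carry another profile's name,
    i.e. children that did not transition to the stricter profile."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return sorted({f["pid"] for f in parsed
                   if f and f.get("apparmor") == "DENIED"
                   and f.get("comm") == content_comm
                   and f.get("profile") != content_profile})


if __name__ == "__main__":
    for (profile, path, mask), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {profile}  {mask}  {path}")
    print("content processes under another profile:",
          content_under_wrong_profile(SAMPLE_LOG, "Web Content",
                                      "example_browser_content"))
```

Paths that recur in the summary and are harmless are the candidates for explicit `deny` rules, which AppArmor does not log by default.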

#27 Updated by intrigeri over 1 year ago

  • Assignee changed from intrigeri to bertagaz
  • % Done changed from 40 to 50
  • QA Check set to Ready for QA

#28 Updated by intrigeri over 1 year ago

  • Blocked by deleted (Bug #15270: devel branch FTBFS since torbrowser-launcher 0.2.9 entered sid)

#29 Updated by segfault over 1 year ago

  • Blocks Feature #11753: Port complex shell scripts shipped in /usr/local to Python added

#30 Updated by intrigeri over 1 year ago

  • Blocks deleted (Feature #11753: Port complex shell scripts shipped in /usr/local to Python)

#31 Updated by anonym over 1 year ago

  • Assignee changed from bertagaz to anonym

I'm taking this one over to relieve our overloaded RM, and to get devel building again (#15270).

#32 Updated by anonym over 1 year ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Works for me! I found it a bit hard to track our patch's changes being split over the two profiles, but think I managed to in the end. :)

#33 Updated by bertagaz over 1 year ago

  • Status changed from Fix committed to Resolved

#34 Updated by intrigeri 12 months ago

  • Related to Bug #15717: Firefox' "Web Content" processes are not confined as strictly as they used to added
