Feature #5525

Sandbox the web browser

Added by Tails about 6 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 01/24/2015
Due date: 02/04/2015
% Done: 100%
Feature Branch: feature/5525-sandbox-web-browser
Type of work: Code
Starter: No
Affected tool: Browser

Description

The web browser probably has one of the biggest attack surfaces exposed by Tails to a network attacker, so anything we can do to make it harder for an attacker to escalate from "browser exploited" to "whole system under attacker's control" is welcome.

When a container-based solution becomes a viable, secure solution for creating isolated jails, the chroot approach used by the unsafe browser will be adaptable to the regular Iceweasel.

Our work to add AppArmor support will be useful in this area too, either in replacement of a container-based approach, or to complement it.

Special care needs to be given to allow sharing files between the Tor Browser and the rest of the system, e.g. to download and upload files. One could give read/write access from/to one special directory in $HOME (likely: "Downloads"), using bind-mounts and ACLs as needed.
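
As an added illustration (not part of this ticket or of Tails' code), the following Python script audits an AppArmor profile for file rules that grant read or write access under $HOME outside the single shared directory described above. The directory names, the profile path and the sample profile are constructed assumptions, and only path-first file rules are parsed.

```python
import re

# Assumptions (not from the ticket): the shared directory and the browser's own data dir.
ALLOWED = ("~/Downloads", "~/.tor-browser")

# Path-first AppArmor file rule: [audit|deny|owner ...] PATH PERMS,
RULE = re.compile(r"^(?P<quals>(?:(?:audit|deny|owner)\s+)*)"
                  r"(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+),\s*(?:#.*)?$")

# Constructed sample profile; the binary path is a placeholder.
SAMPLE_PROFILE = """\
#include <tunables/global>
/opt/example-browser/firefox {
  #include <abstractions/base>
  /etc/hosts r,
  owner @{HOME}/.tor-browser/** rwk,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/** r,
  owner @{HOME}/Documents/** rw,
  deny @{HOME}/.gnupg/** rw,
}
"""

def literal_prefix(path):
    """Return the part of a rule path that precedes its first glob character."""
    path = path.replace("@{HOME}", "~")  # expand the variable before looking for '{'
    return re.split(r"[*?\[{]", path, maxsplit=1)[0]

def home_grants_outside(profile_text, allowed=ALLOWED):
    """List (line, path, perms) for allow rules reaching $HOME outside `allowed`."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m or "deny" in m["quals"].split():
            continue  # not a file rule, or a deny rule that grants nothing
        perms = set(m["perms"]) & set("rwa")  # read, write, append
        prefix = literal_prefix(m["path"])
        if not perms or not prefix.startswith("~"):
            continue  # no data access, or not under $HOME
        # A glob that starts above an allowed directory can match outside it.
        if not any(prefix == d or prefix.startswith(d + "/") for d in allowed):
            findings.append((lineno, m["path"], "".join(sorted(perms))))
    return findings

if __name__ == "__main__":
    for lineno, path, perms in home_grants_outside(SAMPLE_PROFILE):
        print(f"line {lineno}: {path} grants '{perms}' outside the shared directory")
```
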


Subtasks

Feature #8786: Decide upon a strategy to maintain our delta for the Tor Browser AppArmor profile (Resolved, intrigeri)

Bug #8787: Fix persistent bookmarks feature with AppArmor (Resolved, intrigeri)

Feature #8790: Add a persistence feature for Tor Browser Downloads (Rejected, intrigeri)

Feature #8821: Design how to deal with downloads and uploads in sandboxed Tor Browser (Resolved, intrigeri)


Related issues

Related to Tails - Feature #5422: Sandbox the Unsafe Browser Confirmed
Related to Tails - Feature #5370: AppArmor confinement Resolved 07/27/2013 08/24/2014
Related to Tails - Bug #8280: Users should be able to manipulate local files in I2P browser Confirmed 11/20/2014
Related to Tails - Feature #6178: Evaluate current state of Linux namespaces Rejected 07/20/2013
Related to Tails - Feature #8852: Proactively check for upstream merge conflicts in our Tor Browser AppArmor profile Resolved 02/04/2015

Associated revisions

Revision 3ce737a0
Added by Tails developers over 4 years ago

Merge remote-tracking branch 'origin/feature/5525-sandbox-web-browser' into devel

Fix-committed: #5525

History

#1 Updated by intrigeri about 6 years ago

  • Type of work changed from Wait to Code
  • Starter set to No

#2 Updated by intrigeri almost 6 years ago

  • Category set to 176

#3 Updated by intrigeri over 5 years ago

  • Subject changed from contain Iceweasel to Sandbox the web browser

#4 Updated by FireballDWF over 5 years ago

Suggest leveraging the profile being tested at https://www.whonix.org/wiki/AppArmor/Tor_Browser_Bundle, as well as the other AppArmor profiles at https://www.whonix.org/wiki/AppArmor

#5 Updated by intrigeri almost 5 years ago

  • Assignee set to intrigeri
  • Target version changed from Sustainability_M1 to Tails_1.3

#6 Updated by intrigeri almost 5 years ago

  • Related to deleted (Feature #5385: Have 3 AppArmor profiles in enforce mode)

#7 Updated by intrigeri almost 5 years ago

#11 Updated by intrigeri almost 5 years ago

  • Feature Branch set to feature/5525-sandbox-web-browser

Note to myself: I'll have to revert the workaround for #8186 in this branch.

#12 Updated by intrigeri almost 5 years ago

intrigeri wrote:

Note to myself: I'll have to revert the workaround for #8186 in this branch.

More or less done: instead, I'm still allowing Pidgin to run Tor Browser (since the custom path we're using is not supported in Pidgin's AppArmor profile), but under its own profile.

#13 Updated by intrigeri over 4 years ago

  • Related to Bug #8280: Users should be able to manipulate local files in I2P browser added

#14 Updated by intrigeri over 4 years ago

  • Description updated (diff)

#15 Updated by intrigeri over 4 years ago

  • Blocked by deleted (Feature #6178: Evaluate current state of Linux namespaces)

#16 Updated by intrigeri over 4 years ago

  • Related to Feature #6178: Evaluate current state of Linux namespaces added

#17 Updated by intrigeri over 4 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#18 Updated by intrigeri over 4 years ago

  • Blueprint set to https://tails.boum.org/blueprint/sandbox_the_web_browser/

#19 Updated by intrigeri over 4 years ago

  • Description updated (diff)

#20 Updated by intrigeri over 4 years ago

  • Related to Feature #8852: Proactively check for upstream merge conflicts in our Tor Browser AppArmor profile added

#21 Updated by intrigeri over 4 years ago

  • Assignee changed from intrigeri to anonym
  • QA Check set to Ready for QA

#22 Updated by intrigeri over 4 years ago

The test suite is incomplete and not robust enough. I'm on it, so hold on for merging. But still an initial review would be welcome :)

#23 Updated by intrigeri over 4 years ago

intrigeri wrote:

The test suite is incomplete and not robust enough.

Should be better now, especially with #8875.

#24 Updated by intrigeri over 4 years ago

  • Assignee changed from anonym to intrigeri
  • QA Check changed from Ready for QA to Dev Needed

This branch somehow introduces a DNS request to 127.0.0.1:53.

#25 Updated by intrigeri over 4 years ago

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Dev Needed to Ready for QA

intrigeri wrote:

This branch somehow introduces a DNS request to 127.0.0.1:53.

Fixed with commit:6f3661d5d68d9a423ca4d5ff2064cd07753a379d.

#26 Updated by sajolida over 4 years ago

I pushed a bunch of minor documentation fixes (6f3661d..1954441) to the initial work by intrigeri. So the doc is ready for me.

#27 Updated by intrigeri over 4 years ago

sajolida wrote:

I pushed a bunch of minor documentation fixes (6f3661d..1954441) to the initial work by intrigeri. So the doc is ready for me.

Reviewed these changes, look good without building.

#28 Updated by anonym over 4 years ago

  • Assignee changed from anonym to intrigeri
  • QA Check changed from Ready for QA to Dev Needed

See review sent to the thread on tails-dev@.

#29 Updated by intrigeri over 4 years ago

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Dev Needed to Ready for QA

#30 Updated by Tails over 4 years ago

  • Status changed from In Progress to Fix committed

Applied in changeset commit:e7aa8f64141b35dc8c7f83445526b7e3c8b88b5d.

#31 Updated by anonym over 4 years ago

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

#32 Updated by BitingBird over 4 years ago

  • Status changed from Fix committed to Resolved
