Bug #12679

Sandbox Tor Browser's content renderer processes more strictly

Added by intrigeri 12 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
06/10/2017
Due date:
% Done:

100%

QA Check:
Pass
Feature Branch:
feature/12679-sandbox-firefox-content-renderers
Type of work:
Code
Blueprint:
Starter:
Affected tool:
Browser

Description

Since we have enabled Electrolysis (e10s), we confine these processes in exactly the same way as the parent Firefox process. I'm pretty sure they could be confined much more strictly, without impacting UX whatsoever. And while we're at it, maybe some permissions we currently grant to the parent Firefox process are not needed anymore, as it does less work.


Related issues

Blocked by Tails - Feature #12653: Upstream changes to our Tor Browser 7.0 AppArmor profile Resolved 06/07/2017
Blocks Tails - Feature #13245: Core work 2018Q1: Foundations Team Resolved 06/29/2017

Associated revisions

Revision 6e2ca1eb (diff)
Added by intrigeri 11 months ago

Import Tor Browser AppArmor profiles with stricter content rendering processes confinement (refs: #12679).

These profiles were taken from the
feature/12679-sandbox-firefox-content-renderers branch in our
torbrowser-launcher.git repository at commit
a86475a2565cbbbdf846248238ffb7f072bebed5, which is based on my
https://github.com/intrigeri/torbrowser-launcher/tree/apparmor-e10s branch at
commit 33502fa03669c009c4344eb825f1d58c95f1e929.

Note: we must not merge a branch with this commit as-is: once these profiles
have passed our own QA, I will submit a PR to torbrowser-launcher upstream, and
then they'll make it into Debian, and then we can revert this commit and replace
it with an updated
config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch.

Revision c86c6eb4 (diff)
Added by intrigeri 11 months ago

Import Tor Browser AppArmor profiles with stricter content rendering processes confinement (refs: #12679).

These profiles were taken from the
feature/12679-sandbox-firefox-content-renderers branch in our
torbrowser-launcher.git repository at commit
807bd87e7ee51b179bbd7d394f57d939f314ae20, which is based on my
https://github.com/intrigeri/torbrowser-launcher/tree/apparmor-e10s branch at
commit 33502fa03669c009c4344eb825f1d58c95f1e929.

Note: we must not merge a branch with this commit as-is: once these profiles
have passed our own QA, I will submit a PR to torbrowser-launcher upstream, and
then they'll make it into Debian, and then we can revert this commit and replace
it with an updated
config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch.

Revision 7623daa0 (diff)
Added by intrigeri 11 months ago

Add missing permissions to the torbrowser_plugin_container AppArmor profile (refs: #12679).

From the feature/12679-sandbox-firefox-content-renderers branch in our
torbrowser-launcher repository at
commit 9932f9c2f2417f91cb79483a53b293704cc4f38a.

Revision 1c603eb4 (diff)
Added by intrigeri 11 months ago

Update Tor Browser AppArmor profile (refs: #12679).

They come from the feature/12679-sandbox-firefox-content-renderers branch in our
torbrowser-launcher Git repo, at
commit f5ecf6452e77b25a2027f14fcc75c13fc23546d3.

Revision 59fcf762 (diff)
Added by intrigeri 11 months ago

Test suite: update Tor Browser tests to match current AppArmor confinement (refs: #12679).

Revision 3735ab47 (diff)
Added by anonym 4 months ago

Fix devel from FTBFS by downgrading torbrowser-launcher.

torbrowser-launcher 0.2.9 has entered sid and thus the APT snapshot
used by devel, and since our AppArmor profile patch does not apply, we
FTBFS. Updating the patch is the real fix, but is complex and will be
part of #12679.

Fix-committed: #15270
Refs: #12679

Revision 547bbdf4 (diff)
Added by intrigeri 4 months ago

Install current upstream Tor Browser AppArmor profiles + our custom patch (refs: #12679).

Taken from 894f2cb1474f78121d2da8cf954d2a23919666df in our
torbrowser-launcher.git.

Revision 932407f1 (diff)
Added by intrigeri 3 months ago

Tor Browser AppArmor profiles: update our custom patch (refs: #12679).

Taken from 3286cb1f342218e9bbb2638e1bdda99b2d2f0737 in our
torbrowser-launcher.git.

Changes:

- Silence denial of access to ~/.cache/fontconfig/.
- Allow innocuous access to /usr/share/applications/gnome-mimeapps.list to
silence logs.

Revision 9e19bb4e
Added by anonym 3 months ago

Merge remote-tracking branch 'origin/feature/12679-sandbox-firefox-content-renderers' into devel

Fix-committed: #12679, #15270

History

#1 Updated by intrigeri 11 months ago

  • Blocked by Feature #12653: Upstream changes to our Tor Browser 7.0 AppArmor profile added

#2 Updated by intrigeri 11 months ago

(This blocking relationship is not exactly correct, but it would be nice to upstream our existing delta before adding some more.)

#3 Updated by intrigeri 11 months ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

I have something that Works On My Machine™. Up-to-date info about it can be found on https://github.com/micahflee/torbrowser-launcher/issues/278.

#4 Updated by intrigeri 11 months ago

  • % Done changed from 10 to 20
  • Feature Branch set to feature/12679-sandbox-firefox-content-renderers

#5 Updated by intrigeri 11 months ago

It passed the subset of our test suite we run on Jenkins.

Next step: run all affected tests locally.

#6 Updated by intrigeri 11 months ago

  • % Done changed from 20 to 30

The branch now passes features/documentation.feature:4 features/localization.feature features/tor_enforcement.feature:15 features/tor_stream_isolation.feature:26 features/torified_browsing.feature features/unsafe_browser.feature locally. Next step: upstream my changes to tbl, and then wait for them to reach Debian sid, and then we can replace my hard-coded profiles in tails.git with a proper patch.

#7 Updated by intrigeri 11 months ago

  • Type of work changed from Code to Wait

#8 Updated by intrigeri 11 months ago

#10 Updated by intrigeri 9 months ago

  • Target version changed from Tails_3.2 to Tails_3.3

I'll ping again during next cycle.

#11 Updated by intrigeri 9 months ago

Pinged upstream, refreshed our branch so it's tested by Jenkins again.

#12 Updated by intrigeri 8 months ago

#13 Updated by intrigeri 8 months ago

#14 Updated by intrigeri 8 months ago

  • Target version changed from Tails_3.3 to Tails_3.5

#15 Updated by intrigeri 6 months ago

  • Target version changed from Tails_3.5 to Tails_3.6

That's for a major release (and pinging upstream doesn't seem to help).

#16 Updated by intrigeri 5 months ago

#17 Updated by intrigeri 5 months ago

#18 Updated by intrigeri 4 months ago

  • % Done changed from 30 to 40

My branch was merged upstream \o/ but I'm not sure how well it will work as-is (I had actually asked upstream to first merge something else so I could then update my branch on top of that).

I've sent a follow-up PR: https://github.com/micahflee/torbrowser-launcher/pull/310.

#19 Updated by intrigeri 4 months ago

My branch was merged upstream \o/

This implies that devel will FTBFS once torbrowser-launcher 0.2.9 makes it into Debian.

#20 Updated by intrigeri 4 months ago

  • Type of work changed from Wait to Code

#21 Updated by bertagaz 4 months ago

eeek, torbrowser-launcher 0.2.9-1 has entered stretch-backports, so devel does FTBFS again. :/ I'm giving a try to your branch as is, at least to see if it fixes the build.

#22 Updated by intrigeri 3 months ago

bertagaz wrote:

eeek, torbrowser-launcher 0.2.9-1 has entered stretch-backports, so devel does FTBFS again. :/ I'm giving a try to your branch as is, at least to see if it fixes the build.

Yes, see #15270.

#23 Updated by intrigeri 3 months ago

I'll request a first merge of this branch to fix #15270 as soon as some local test suite runs finish successfully, but I'm not done here yet: I want to do some more manual testing, ensure the plugin container profile is applied and e10s is enabled, look at AppArmor logs, and possibly backport some deny rules from my last upstream PR to make the kernel logs less noisy.

#24 Updated by intrigeri 3 months ago

The only failing relevant automated test in my local run is caused by #14935#note-13.

#25 Updated by intrigeri 3 months ago

  • Blocked by Bug #15270: devel branch FTBFS since torbrowser-launcher 0.2.9 entered sid added

#26 Updated by intrigeri 3 months ago

intrigeri wrote:

I want to do some more manual testing, ensure the plugin container profile is applied and e10s is enabled, look at AppArmor logs, and possibly backport some deny rules from my last upstream PR to make the kernel logs less noisy.

Done all this, will submit for QA once I've confirmed an ISO built from my (updated) branch behaves correctly.
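
The manual checks mentioned in notes #23 and #26 (is the plugin container profile applied, what do the AppArmor logs say), sketched as an added example that is not part of the original ticket or of the Tails code base. The log lines, the /home/user path, the "Web Content" process name and all function names are constructed assumptions; only the torbrowser_plugin_container profile name and the fontconfig denial come from the page.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's AppArmor audit format (not from the ticket).
# The audit subsystem hex-encodes values that contain a space and leaves them
# unquoted: 57656220436F6E74656E74 is "Web Content".
SAMPLE_LOG = """\
audit: type=1400 audit(1520000000.101:41): apparmor="DENIED" operation="open" profile="torbrowser_plugin_container" name="/home/user/.cache/fontconfig/" pid=4242 comm=57656220436F6E74656E74 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1520000000.202:42): apparmor="DENIED" operation="open" profile="torbrowser_plugin_container" name="/home/user/.cache/fontconfig/" pid=4243 comm=57656220436F6E74656E74 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1520000001.303:43): apparmor="ALLOWED" operation="open" profile="example_complain_profile" name="/etc/hosts" pid=500 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
systemd[1]: Started Example Unit.
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    event = {}
    for key, quoted, bare in FIELD.findall(line):
        value = bare or quoted
        # Unquoted name/comm values are hex-encoded untrusted strings.
        if bare and key in ("name", "comm") and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        event[key] = value
    return event

def denials_by_profile(log_text):
    """Count DENIED events per (profile, comm, operation, name, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("apparmor") == "DENIED":
            counts[tuple(ev.get(k, "") for k in
                         ("profile", "comm", "operation", "name", "denied_mask"))] += 1
    return counts

def parse_label(attr_current):
    """Split the content of /proc/<pid>/attr/current into (profile, mode)."""
    text = attr_current.strip("\x00\n ")
    m = re.fullmatch(r'(.+?) \((\w+)\)', text)
    return (m.group(1), m.group(2)) if m else (text, None)

def process_label(pid):
    """Read the AppArmor label of a running process (Linux only)."""
    with open(f"/proc/{pid}/attr/current") as fh:
        return parse_label(fh.read())
```

A content process whose label comes back as ("unconfined", None), or as the parent browser's profile instead of torbrowser_plugin_container, is not getting the stricter confinement this ticket is about.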

#27 Updated by intrigeri 3 months ago

  • Assignee changed from intrigeri to bertagaz
  • % Done changed from 40 to 50
  • QA Check set to Ready for QA

#28 Updated by intrigeri 3 months ago

  • Blocked by deleted (Bug #15270: devel branch FTBFS since torbrowser-launcher 0.2.9 entered sid)

#29 Updated by segfault 3 months ago

  • Blocks Feature #11753: Port complex shell scripts shipped in /usr/local to Python added

#30 Updated by intrigeri 3 months ago

  • Blocks deleted (Feature #11753: Port complex shell scripts shipped in /usr/local to Python)

#31 Updated by anonym 3 months ago

  • Assignee changed from bertagaz to anonym

I'm taking this one over to relieve our overloaded RM, and to get devel building again (#15270).

#32 Updated by anonym 3 months ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Works for me! I found it a bit hard to track our patch's changes being split over the two profiles, but think I managed to in the end. :)

#33 Updated by bertagaz 2 months ago

  • Status changed from Fix committed to Resolved
