Feature #12105
Adjust chrooted browsers to overlayfs
Start date:
2017-01-02
Due date:
% Done:
100%
Description
Their setup script currently relies on aufs.
Subtasks
History
#1 Updated by Anonymous 2018-01-16 13:45:14
- Assignee set to anonym
The parent ticket seems to be part of our roadmap, so assigning this ticket to the person responsible for the parent ticket. I’ll let you verify if this is correct or if somebody else is responsible for this, or nobody.
#2 Updated by intrigeri 2018-07-09 08:13:30
It may actually be simpler to get rid of unionfs entirely here:
- configure_chroot_browser_profile: generate the chroot’ed browser profile in a new tmpfs outside of the chroot
- set_chroot_browser_name, delete_chroot_browser_searchplugins:
  - copy the langpacks from $TBB_EXT to a new tmpfs outside of the chroot and modify them there
  - copy $TBB_INSTALL/browser/omni.ja from $TBB_EXT to a new tmpfs outside of the chroot and modify it there
- set up the chroot:
  - bind-mount read-only the host system’s / to $chroot; compared to what we do now, that means we get all the changes that were made there since booting, as opposed to having a pristine stack of SquashFS
  - to hide sensitive data in the chroot, mount brand new (and empty) tmpfs’es on $chroot/home/amnesia; that’s the ugly part (for those wondering, no need to do the same in $chroot/lib/live/mount/persistence as long as we bind-mount / as opposed to rbind it)
  - bind-mount the profile tmpfs read-write to the right place inside the chroot
  - bind-mount the modified $TBB_EXT tmpfs read-only to $chroot/$TBB_EXT
  - bind-mount the modified $TBB_INSTALL/browser/omni.ja read-only to $chroot/$TBB_INSTALL/browser/omni.ja
Advantages:
- It becomes very clear what is read-write inside the chroot (the profile directory and nothing else; or perhaps the full /home/clearnet if needed); everything else is read-only.
- We can keep the modified extensions and omni.ja and reuse them across Unsafe Browser sessions. The profile (or /home/clearnet) directory is another matter, having a clean one on every start is probably a good idea.
- This allows us to use bwrap or systemd-nspawn, which simplifies setting up the chroot… and provides stricter confinement.
Downsides:
- We expose runtime system config & data from the host to the Unsafe Browser and have to carefully single-out the bits we want to hide from it.
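As an added example (not code from this ticket, the Tails repository or the commenter), here is a dry-run planner for the bind-mount layout sketched in the comment above, together with an audit that reads a mount table in /proc/self/mountinfo format and flags anything under the chroot that is still writable, or that exposes the persistence mount. The paths CHROOT, TBB_INSTALL, TBB_EXT, WORK and the clearnet home directory are assumptions, and the two sample mount tables are constructed.

```shell
#!/bin/sh
# Added example, not Tails code: plan the bind-mount layout from the comment
# above (dry run) and audit a mount table against it.
# CHROOT, TBB_INSTALL, TBB_EXT, WORK and RW_HOME are assumptions.
set -eu

CHROOT="${CHROOT:-/var/lib/unsafe-browser/chroot}"       # assumed chroot root
TBB_INSTALL="${TBB_INSTALL:-/usr/local/lib/tor-browser}"  # assumed browser install dir
TBB_EXT="${TBB_EXT:-$TBB_INSTALL/browser/extensions}"     # assumed extensions dir
WORK="${WORK:-/run/unsafe-browser}"                       # assumed tmpfs holding the modified copies
RW_HOME="$CHROOT/home/clearnet"                           # the single read-write path (assumed)

# Emit, rather than run, the mount sequence. A plain --bind (not --rbind) is used,
# so submounts of / such as /lib/live/mount/persistence are not carried into the
# chroot. The remount step matters: older util-linux ignored "-o ro" on the initial
# bind mount, so only "remount,bind,ro" actually makes the bind mount read-only.
plan_chroot_mounts() {
    cat <<EOF
mount --bind -o ro / $CHROOT
mount -o remount,bind,ro $CHROOT
mount -t tmpfs -o nosuid,nodev tmpfs $CHROOT/home/amnesia
mount --bind $WORK/profile $RW_HOME
mount --bind -o ro $WORK/ext $CHROOT$TBB_EXT
mount -o remount,bind,ro $CHROOT$TBB_EXT
mount --bind -o ro $WORK/omni.ja $CHROOT$TBB_INSTALL/browser/omni.ja
mount -o remount,bind,ro $CHROOT$TBB_INSTALL/browser/omni.ja
EOF
}

# Audit a mount table in /proc/self/mountinfo format (stdin): the chroot root must
# be present, every mount under it must be read-only except the profile bind mount
# and fresh tmpfs'es, and no persistence mount may be visible inside the chroot.
# Prints one line per mount under the chroot; returns 1 if any check fails.
audit_chroot_mounts() {
    awk -v chroot="$CHROOT" -v rw_ok="$RW_HOME" '
        # mountinfo fields: id parent maj:min root mountpoint mntopts [tags] - fstype source superopts
        $5 == chroot { seen_root = 1 }
        $5 == chroot || index($5, chroot "/") == 1 {
            mp = $5; opts = $6; fstype = "?"
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            split(opts, o, ",")
            if (index(mp, "/lib/live/mount/persistence") > 0) {
                print "FAIL persistence visible in chroot: " mp; bad++
            } else if (o[1] != "ro" && mp != rw_ok && fstype != "tmpfs") {
                print "FAIL read-write mount in chroot: " mp " (" opts ")"; bad++
            } else {
                print "ok   " mp " " fstype " " opts
            }
        }
        END {
            if (!seen_root) { print "FAIL chroot root not mounted"; bad++ }
            exit bad ? 1 : 0
        }'
}

# Constructed sample tables (not captured from a real system).
good_mountinfo() {
    cat <<EOF
20 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
60 20 8:1 / $CHROOT ro,relatime - ext4 /dev/sda1 rw
61 60 0:45 / $CHROOT/home/amnesia rw,nosuid,nodev - tmpfs tmpfs rw
62 60 0:46 /profile $RW_HOME rw,nosuid,nodev - tmpfs tmpfs rw
63 60 0:46 /ext $CHROOT$TBB_EXT ro,relatime - tmpfs tmpfs rw
64 60 0:46 /omni.ja $CHROOT$TBB_INSTALL/browser/omni.ja ro,relatime - tmpfs tmpfs rw
EOF
}

# Chroot root left read-write, and the persistence mount leaked via an rbind.
bad_mountinfo() {
    cat <<EOF
20 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
60 20 8:1 / $CHROOT rw,relatime - ext4 /dev/sda1 rw
65 60 8:2 / $CHROOT/lib/live/mount/persistence rw,relatime - ext4 /dev/sda2 rw
EOF
}

if [ "${1:-}" = "--plan" ]; then
    plan_chroot_mounts
elif [ "${1:-}" = "--audit" ]; then
    audit_chroot_mounts < /proc/self/mountinfo   # run as root after the mounts are set up
fi
```

Run with --plan to print the mount sequence, or with --audit on a live system to check that nothing writable or persistence-related ended up inside the chroot; the audit is the check that catches an accidental --rbind or a forgotten remount,bind,ro.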
#3 Updated by intrigeri 2018-09-12 06:50:08
- Assignee changed from anonym to segfault
- Target version set to Tails_3.11
#4 Updated by intrigeri 2018-09-12 06:50:18
- blocks Feature #15506: Core work 2018Q4: Foundations Team added
#5 Updated by intrigeri 2018-11-06 15:04:45
- Target version changed from Tails_3.11 to Tails_3.13
#6 Updated by intrigeri 2018-12-02 21:53:34
- blocks Feature #15507: Core work 2019Q1: Foundations Team added
#7 Updated by intrigeri 2018-12-02 21:53:39
- blocked by deleted (Feature #15506: Core work 2018Q4: Foundations Team)
#8 Updated by intrigeri 2019-02-06 14:01:13
- blocks Feature #16209: Core work: Foundations Team added
#9 Updated by intrigeri 2019-02-06 14:01:16
- blocked by deleted (Feature #15507: Core work 2019Q1: Foundations Team)
#10 Updated by intrigeri 2019-02-06 14:01:25
- Target version changed from Tails_3.13 to 2019
#11 Updated by intrigeri 2019-04-05 16:07:58
- Assignee deleted (segfault)
#12 Updated by segfault 2019-11-23 15:04:28
- Status changed from Confirmed to In Progress
Applied in changeset commit:tails|5a7a6f02cfd6feadd14b8dce089a35fc0dc4cbe9.
#13 Updated by segfault 2019-11-23 17:52:34
- Assignee set to segfault
- Feature Branch changed from feature/8415-overlayfs-stretch to feature/8415-overlayfs+force-all-tests
#14 Updated by segfault 2019-11-23 19:00:42
- Status changed from In Progress to Resolved
- Assignee deleted (segfault)
#15 Updated by intrigeri 2020-01-28 09:06:17
- % Done changed from 0 to 100