Feature #5525
Sandbox the web browser
100%
Description
The web browser probably has one of the biggest attack surfaces exposed by Tails to a network attacker, so anything we can do to make it harder for an attacker to escalate from "browser exploited" to "whole system under attacker’s control" is welcome.
When a container-based solution becomes a viable, secure solution for creating isolated jails, the chroot approach used by the unsafe browser will be adaptable to the regular Iceweasel.
Our work to add AppArmor support will be useful in this area too, either in replacement of a container-based approach, or to complement it.
Special care needs to be given to allow sharing files between the Tor Browser and the rest of the system, e.g. to download and upload files. One could give read/write access from/to one special directory in $HOME (likely: “Downloads”), using bind-mounts and ACLs as needed.
Subtasks
Feature #8786: Decide upon a strategy to maintain our delta for the Tor Browser AppArmor profile | Resolved | intrigeri | 100 |
Bug #8787: Fix persistent bookmarks feature with AppArmor | Resolved | intrigeri | 100 |
Feature #8790: Add a persistence feature for Tor Browser Downloads | Rejected | intrigeri | 100 |
Feature #8821: Design how to deal with downloads and uploads in sandboxed Tor Browser | Resolved | intrigeri | 100 |
Related issues
Related to Tails - Feature #5422: Sandbox the Unsafe Browser | Confirmed | ||
Related to Tails - | Resolved | 2013-07-27 | 2014-08-24 |
Related to Tails - Bug #8280: Users should be able to manipulate local files in I2P browser | Confirmed | 2014-11-20 | |
Related to Tails - | Rejected | 2013-07-20 | |
Related to Tails - | Resolved | 2015-02-04 |
History
#1 Updated by intrigeri 2013-07-22 14:31:25
- Type of work changed from Wait to Code
- Starter set to No
#2 Updated by intrigeri 2013-10-04 08:03:30
- Category set to 176
#3 Updated by intrigeri 2013-12-18 06:49:58
- Subject changed from contain Iceweasel to Sandbox the web browser
#4 Updated by FireballDWF 2014-04-20 21:14:31
Suggest leveraging the profile being tested at https://www.whonix.org/wiki/AppArmor/Tor_Browser_Bundle, as well as the other AppArmor profiles at https://www.whonix.org/wiki/AppArmor
#5 Updated by intrigeri 2014-10-05 06:12:07
- Assignee set to intrigeri
- Target version changed from Sustainability_M1 to Tails_1.3
#6 Updated by intrigeri 2014-10-05 06:27:57
- related to deleted (Feature #5385: Have 3 AppArmor profiles in enforce mode)
#7 Updated by intrigeri 2014-10-05 06:28:07
- related to Feature #5370: AppArmor confinement added
#8 Updated by sajolida 2014-10-14 15:12:25
- blocked by #8117 added
#9 Updated by sajolida 2014-10-14 15:12:36
- blocks deleted (#8117)
#10 Updated by sajolida 2014-10-14 15:13:07
- blocks #8117 added
#11 Updated by intrigeri 2014-10-30 12:55:49
- Feature Branch set to feature/5525-sandbox-web-browser
Note to myself: I’ll have to revert the workaround for Bug #8186 in this branch.
#12 Updated by intrigeri 2014-10-30 17:35:03
intrigeri wrote:
> Note to myself: I’ll have to revert the workaround for Bug #8186 in this branch.
More or less done: instead, I’m still allowing Pidgin to run Tor Browser (since the custom path we’re using is not supported in Pidgin’s AppArmor profile), but under its own profile.
#13 Updated by intrigeri 2014-11-20 19:28:42
- related to Bug #8280: Users should be able to manipulate local files in I2P browser added
#14 Updated by intrigeri 2015-01-10 09:24:40
- Description updated
#15 Updated by intrigeri 2015-01-13 18:36:05
- blocks deleted (Feature #6178: Evaluate current state of Linux namespaces)
#16 Updated by intrigeri 2015-01-13 18:36:11
- related to Feature #6178: Evaluate current state of Linux namespaces added
#17 Updated by intrigeri 2015-01-23 22:09:15
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
#18 Updated by intrigeri 2015-01-24 08:44:20
- Blueprint set to https://tails.boum.org/blueprint/sandbox_the_web_browser/
#19 Updated by intrigeri 2015-01-24 08:46:02
- Description updated
#20 Updated by intrigeri 2015-02-04 17:23:21
- related to Feature #8852: Proactively check for upstream merge conflicts in our Tor Browser AppArmor profile added
#21 Updated by intrigeri 2015-02-06 18:51:46
- Assignee changed from intrigeri to anonym
- QA Check set to Ready for QA
#22 Updated by intrigeri 2015-02-07 10:53:52
The test suite is incomplete and not robust enough. I’m on it, so hold on for merging. But still an initial review would be welcome :)
#23 Updated by intrigeri 2015-02-07 13:58:41
intrigeri wrote:
> The test suite is incomplete and not robust enough.
Should be better now, especially with Bug #8875.
#24 Updated by intrigeri 2015-02-09 11:35:43
- Assignee changed from anonym to intrigeri
- QA Check changed from Ready for QA to Dev Needed
This branch somehow introduces a DNS request to 127.0.0.1:53.
#25 Updated by intrigeri 2015-02-09 12:11:54
- Assignee changed from intrigeri to anonym
- QA Check changed from Dev Needed to Ready for QA
intrigeri wrote:
> This branch somehow introduces a DNS request to 127.0.0.1:53.
Fixed with commit:6f3661d5d68d9a423ca4d5ff2064cd07753a379d.
#26 Updated by sajolida 2015-02-10 08:32:56
I pushed a bunch of minor documentation fixes (6f3661d..1954441) to the initial work by intrigeri. So the doc is ready for me.
#27 Updated by intrigeri 2015-02-10 08:58:39
> I pushed a bunch of minor documentation fixes (6f3661d..1954441) to the initial work by intrigeri. So the doc is ready for me.
Reviewed these changes, look good without building.
#28 Updated by anonym 2015-02-10 15:31:25
- Assignee changed from anonym to intrigeri
- QA Check changed from Ready for QA to Dev Needed
See review sent to the thread on tails-dev@.
#29 Updated by intrigeri 2015-02-10 17:23:51
- Assignee changed from intrigeri to anonym
- QA Check changed from Dev Needed to Ready for QA
#30 Updated by Tails 2015-02-10 18:27:05
- Status changed from In Progress to Fix committed
Applied in changeset commit:e7aa8f64141b35dc8c7f83445526b7e3c8b88b5d.
#31 Updated by anonym 2015-02-10 18:29:48
- Assignee deleted (anonym)
- QA Check changed from Ready for QA to Pass
#32 Updated by BitingBird 2015-02-24 22:52:10
- Status changed from Fix committed to Resolved