Feature #5525

Sandbox the web browser

Added by Tails 2013-07-18 07:42:19. Updated 2015-02-24 22:52:10.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
2015-01-24
Due date:
2015-02-04
% Done:
100%

Feature Branch:
feature/5525-sandbox-web-browser
Type of work:
Code
Starter:
0
Affected tool:
Browser
Deliverable for:

Description

The web browser probably has one of the biggest attack surfaces that Tails exposes to a network attacker, so anything we can do to make it harder for an attacker to escalate from "browser exploited" to "whole system under the attacker's control" is welcome.

When a container-based solution becomes a viable, secure way to create isolated jails, the chroot approach already used by the Unsafe Browser will be adaptable to the regular Iceweasel.

Our work to add AppArmor support will be useful in this area too, either as a replacement for a container-based approach or as a complement to it.

Special care needs to be given to allow sharing files between the Tor Browser and the rest of the system, e.g. to download and upload files. One could give read/write access from/to one special directory in $HOME (likely: “Downloads”), using bind-mounts and ACLs as needed.
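The shared-directory design described above, written out as a hypothetical AppArmor profile fragment. This is an added example, not part of the ticket and not the Tails or Tor Browser profile: the browser may read and run its own installation tree, keep its profile data there, and read and write the user's Downloads directory, and nothing else under $HOME. The binary path /path/to/tor-browser/ and the profile/ subdirectory layout are placeholders; @{HOME} is the standard tunable from tunables/global.

```apparmor
# Added example: hypothetical AppArmor profile illustrating the
# "one shared directory in $HOME" design. Not the Tails profile;
# /path/to/tor-browser/ is a placeholder for the real install location.
#include <tunables/global>

/path/to/tor-browser/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The browser may execute itself (inheriting this profile) and read
  # everything in its own installation tree.
  /path/to/tor-browser/firefox ixr,
  /path/to/tor-browser/** r,

  # Hypothetical layout: profile data (prefs, cache, bookmarks) lives in a
  # subdirectory of the install tree rather than in $HOME.
  owner /path/to/tor-browser/profile/ rw,
  owner /path/to/tor-browser/profile/** rwk,

  # The only part of the user's home the browser may touch: the download
  # directory, used both to save downloads and to pick files for upload.
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rwk,

  # Deliberately NOT listed: the rest of @{HOME}. AppArmor denies anything a
  # profile does not allow, so no rule is needed. Do not write
  # "deny @{HOME}/** rw," to express this: in AppArmor a deny rule takes
  # precedence over allow rules for overlapping paths, so it would also
  # block Downloads. Use narrow deny rules only to silence expected,
  # harmless rejections in the audit log, for example:
  deny @{HOME}/.bash_history r,

  # Network: only TCP is needed to reach the local Tor SOCKS port. AppArmor
  # network rules cannot restrict the destination port, so "SOCKS only" is
  # enforced by the browser's proxy settings and the system firewall, not
  # here. UDP is denied because the browser has no legitimate use for it.
  network inet stream,
  network inet6 stream,
  deny network inet dgram,
  deny network inet6 dgram,
}
```

To try such a profile, save it under /etc/apparmor.d/, load it with `apparmor_parser -r` on that file, confirm it is in enforce mode with `aa-status`, and then watch for `apparmor="DENIED"` lines in the kernel log while downloading and uploading through the Downloads directory; a denial on any other path under @{HOME} is the behaviour the design wants, a denial inside Downloads means a rule is missing. If the Downloads directory is instead bind-mounted into a chroot, the same rules apply to the path as the confined process sees it inside the chroot, and POSIX ACLs on that directory only add restrictions on top of what the profile allows.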


Subtasks

  • Feature #8786: Decide upon a strategy to maintain our delta for the Tor Browser AppArmor profile (Resolved, intrigeri, 100%)
  • Bug #8787: Fix persistent bookmarks feature with AppArmor (Resolved, intrigeri, 100%)
  • Feature #8790: Add a persistence feature for Tor Browser Downloads (Rejected, intrigeri, 100%)
  • Feature #8821: Design how to deal with downloads and uploads in sandboxed Tor Browser (Resolved, intrigeri, 100%)


Related issues

  • Related to Tails - Feature #5422: Sandbox the Unsafe Browser (Confirmed)
  • Related to Tails - Feature #5370: AppArmor confinement (Resolved, 2013-07-27 to 2014-08-24)
  • Related to Tails - Bug #8280: Users should be able to manipulate local files in I2P browser (Confirmed, 2014-11-20)
  • Related to Tails - Feature #6178: Evaluate current state of Linux namespaces (Rejected, 2013-07-20)
  • Related to Tails - Feature #8852: Proactively check for upstream merge conflicts in our Tor Browser AppArmor profile (Resolved, 2015-02-04)

History

#1 Updated by intrigeri 2013-07-22 14:31:25

  • Type of work changed from Wait to Code
  • Starter set to No

#2 Updated by intrigeri 2013-10-04 08:03:30

  • Category set to 176

#3 Updated by intrigeri 2013-12-18 06:49:58

  • Subject changed from contain Iceweasel to Sandbox the web browser

#4 Updated by FireballDWF 2014-04-20 21:14:31

Suggest leveraging the profile being tested at https://www.whonix.org/wiki/AppArmor/Tor_Browser_Bundle, as well as the other AppArmor profiles at https://www.whonix.org/wiki/AppArmor

#5 Updated by intrigeri 2014-10-05 06:12:07

  • Assignee set to intrigeri
  • Target version changed from Sustainability_M1 to Tails_1.3

#6 Updated by intrigeri 2014-10-05 06:27:57

  • related to deleted (Feature #5385: Have 3 AppArmor profiles in enforce mode)

#7 Updated by intrigeri 2014-10-05 06:28:07

#8 Updated by sajolida 2014-10-14 15:12:25

  • blocked by #8117 added

#9 Updated by sajolida 2014-10-14 15:12:36

  • blocks deleted (#8117)

#10 Updated by sajolida 2014-10-14 15:13:07

  • blocks #8117 added

#11 Updated by intrigeri 2014-10-30 12:55:49

  • Feature Branch set to feature/5525-sandbox-web-browser

Note to myself: I’ll have to revert the workaround for Bug #8186 in this branch.

#12 Updated by intrigeri 2014-10-30 17:35:03

intrigeri wrote:
> Note to myself: I’ll have to revert the workaround for Bug #8186 in this branch.

More or less done: instead, I’m still allowing Pidgin to run Tor Browser (since the custom path we’re using is not supported in Pidgin’s AppArmor profile), but under its own profile.

#13 Updated by intrigeri 2014-11-20 19:28:42

  • related to Bug #8280: Users should be able to manipulate local files in I2P browser added

#14 Updated by intrigeri 2015-01-10 09:24:40

  • Description updated

#15 Updated by intrigeri 2015-01-13 18:36:05

  • blocks deleted (Feature #6178: Evaluate current state of Linux namespaces)

#16 Updated by intrigeri 2015-01-13 18:36:11

  • related to Feature #6178: Evaluate current state of Linux namespaces added

#17 Updated by intrigeri 2015-01-23 22:09:15

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

#18 Updated by intrigeri 2015-01-24 08:44:20

  • Blueprint set to https://tails.boum.org/blueprint/sandbox_the_web_browser/

#19 Updated by intrigeri 2015-01-24 08:46:02

  • Description updated

#20 Updated by intrigeri 2015-02-04 17:23:21

  • related to Feature #8852: Proactively check for upstream merge conflicts in our Tor Browser AppArmor profile added

#21 Updated by intrigeri 2015-02-06 18:51:46

  • Assignee changed from intrigeri to anonym
  • QA Check set to Ready for QA

#22 Updated by intrigeri 2015-02-07 10:53:52

The test suite is incomplete and not robust enough. I’m on it, so hold on for merging. But still an initial review would be welcome :)

#23 Updated by intrigeri 2015-02-07 13:58:41

intrigeri wrote:
> The test suite is incomplete and not robust enough.

Should be better now, especially with Bug #8875.

#24 Updated by intrigeri 2015-02-09 11:35:43

  • Assignee changed from anonym to intrigeri
  • QA Check changed from Ready for QA to Dev Needed

This branch somehow introduces a DNS request to 127.0.0.1:53.

#25 Updated by intrigeri 2015-02-09 12:11:54

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Dev Needed to Ready for QA

intrigeri wrote:
> This branch somehow introduces a DNS request to 127.0.0.1:53.

Fixed with commit:6f3661d5d68d9a423ca4d5ff2064cd07753a379d.

#26 Updated by sajolida 2015-02-10 08:32:56

I pushed a bunch of minor documentation fixes (6f3661d..1954441) to the initial work by intrigeri. So the doc is ready for me.

#27 Updated by intrigeri 2015-02-10 08:58:39

> I pushed a bunch of minor documentation fixes (6f3661d..1954441) to the initial work by intrigeri. So the doc is ready for me.

Reviewed these changes; they look good without building.

#28 Updated by anonym 2015-02-10 15:31:25

  • Assignee changed from anonym to intrigeri
  • QA Check changed from Ready for QA to Dev Needed

See review sent to the thread on tails-dev@.

#29 Updated by intrigeri 2015-02-10 17:23:51

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Dev Needed to Ready for QA

#30 Updated by Tails 2015-02-10 18:27:05

  • Status changed from In Progress to Fix committed

Applied in changeset commit:e7aa8f64141b35dc8c7f83445526b7e3c8b88b5d.

#31 Updated by anonym 2015-02-10 18:29:48

  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

#32 Updated by BitingBird 2015-02-24 22:52:10

  • Status changed from Fix committed to Resolved