Re: [Tails-dev] [tbb-dev] Tor Browser self-updater vs. sandb…

Delete this message

Reply to this message
Autor: intrigeri
Data:  
A: discussion regarding Tor Browser Bundle development
CC: freepto, The Tails public development discussion list
Assumptes vells: Re: [Tails-dev] [tbb-dev] Tor Browser self-updater vs. sandboxing
Assumpte: Re: [Tails-dev] [tbb-dev] Tor Browser self-updater vs. sandboxing
Hi,

Tom Ritter wrote (30 Jun 2014 17:03:49 GMT) :
> Preventing a program from modifying itself is a distinct problem.


Point taken.

> Trying to prevent an application from modifying itself on disk, so
> that the changes persist after application shutdown, _could_ be
> achieved by a sandbox - but it would have to be taken on a
> case-by-case basis. Considering Tor Browser, the sandbox could
> probably, easily, enforce read-only access to executables and
> libraries. But I'm not sure how many things the 'New Identity' button
> wipes out. If it doesn't wipe out everything, there are persistence
> mechanisms between application executions that the sandbox _should_
> allow. For example, if installed extensions persist between 'New
> Identity' - that's allows arbitrary code execution (inside the
> sandbox).


Indeed, the sandbox I have in mind would grant write access to
Data/Browser/profile.default/extensions, and given the potential for
persisting arbitrary code in there, it makes little sense to block
write access to other programs and libraries shipped by the bundle.

> It could change the entry guards, hardcode an exit, [...]


Yep, I guess that's correct due to the fact the browser (when using
tor-launcher) needs to be allowed to control Tor directly.

> It sounds more like you want application imaging. [...]


Thanks for the detailed analysis!

Cheers,
--
intrigeri