[Tails-dev] Sandboxing Tor Browser: strategy for tracking "u…

Author: intrigeri
Date:  
To: tails-dev
Subject: [Tails-dev] Sandboxing Tor Browser: strategy for tracking "upstream" AppArmor profile
Hi,

I'm working on #5525 ("Sandbox the web browser"), and have an AppArmor
profile that works locally for most basic use cases. Now, I'm
wondering how to integrate it into Tails and I need your input.

This profile was derived from the one I've worked a lot on for
torbrowser-launcher (https://micahflee.com/torbrowser-launcher/).

I think we have two solutions:

  1. Download "upstream" profile and apply Tails-specific patch at
     ISO build time

  2. Ship a forked profile in our Git repository

(And no, there's no "3. Upstream our changes" given how different
our Tor Browser installation is from standard ones. About 20% of our
changes could be made configurable upstream with tunables, but given
it's only 20%, I don't think it's worth the added complexity.)

#1 has the advantages that we get upstream improvements for free,
and we're forced to track upstream, and to adjust our own patch
whenever needed: otherwise, Tails ISO build fails.

#2 has the advantage that the Tails build won't ever fail due to
upstream changes. But our Tor Browser may break at runtime because we
failed to integrate upstream changes in their AppArmor profile.

From my point of view, #1 feels cleaner: it forces us to do the right
thing wrt. upstream, and it fails earlier (at build time). However,
I see how it can be annoying to see the build suddenly start failing,
if only few of us feel comfortable updating our profile delta.
These disadvantages are slightly mitigated, though:

  * U. is gaining a lot of AppArmor knowledge these days, and may want
    to give a hand maintaining our Tails-specific profile patch e.g.
    when I'm not available to fix the build
  * at least Alan and bertagaz have some knowledge of AppArmor, and
    may want to give a hand too
  * it would be good if more of us learned the basics of AppArmor,
    anyway :)
  * U. and I are part of the team that maintains torbrowser-launcher
    in Debian, so generally, we'll notice when the upstream AppArmor
    profile changes. In particular, if #1 is implemented by retrieving
    the "upstream" profile from the Debian sid source package, we'll
    notice such changes before they hit the Debian archive and thus
    impact Tails.
=> I'm in favor of #1.

Thoughts, opinions, volunteers?

For now, I'll go with #2 (which is trivial to implement) until we have
decided whether #1 (which needs a little bit more work) is better.

Cheers,
--
intrigeri
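An added illustration of option #1 above (integrate the upstream profile at build time and make the build fail when upstream moves), not code from Tails or torbrowser-launcher; it assumes the Tails delta is kept as a rules fragment pinned to the sha256 of the upstream profile it was reviewed against, rather than as a unified diff, and the profile contents are constructed samples.

```shell
#!/bin/sh
# Build-time step for option #1: take the "upstream" AppArmor profile,
# check it is still the revision the Tails delta was reviewed against,
# then merge the Tails-specific rules into it. Added example, not Tails
# or torbrowser-launcher code; the pin-header format is an assumption.
set -u

# Portable sha256 of a file (GNU coreutils, or perl's shasum elsewhere).
file_sha256() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" \
        || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# pin_delta UPSTREAM DELTA: record in DELTA which upstream revision the
# Tails rules were reviewed against (done by the maintainer, not at build).
pin_delta() {
    { echo "# upstream-sha256: $(file_sha256 "$1")"
      grep -v '^# upstream-sha256: ' "$2"; } > "$2.tmp" && mv "$2.tmp" "$2"
}

# build_profile UPSTREAM DELTA OUT
#   returns 0 and writes OUT when the pin matches;
#   returns 2 (build must stop) when upstream changed since review.
build_profile() {
    pinned=$(sed -n 's/^# upstream-sha256: //p' "$2")
    actual=$(file_sha256 "$1")
    if [ "$pinned" != "$actual" ]; then
        echo "upstream profile changed: re-review the Tails delta" >&2
        return 2
    fi
    # Insert the Tails rules just before the profile's closing brace.
    awk -v delta="$2" '
        /^}/ { while ((getline line < delta) > 0)
                   if (line !~ /^# upstream-sha256:/) print line }
        { print }' "$1" > "$3"
}

# Constructed sample data standing in for the real files.
work=$(mktemp -d)
cat > "$work/upstream.profile" <<'EOF'
/usr/bin/torbrowser-launcher {
  #include <abstractions/base>
  network inet stream,
}
EOF
cat > "$work/tails.delta" <<'EOF'
  # Tails keeps Tor Browser under the amnesia user's home
  owner @{HOME}/.tor-browser/** rw,
EOF
pin_delta "$work/upstream.profile" "$work/tails.delta"
build_profile "$work/upstream.profile" "$work/tails.delta" "$work/final.profile" \
    && echo "build ok: $work/final.profile"
```

Pinning the upstream checksum also catches upstream edits that a textual patch would still apply cleanly over, which is exactly the kind of silent drift that #2 only surfaces at runtime.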