System-wide sandboxing framework - sandbox-app-launcher

No, I mean moving the Tor Browser files so they’re placed in a standard directory like /usr/bin or something rather than /home.

Running torbrowser within the sandbox will break it since it’s too restrictive. Is there a way to make torbrowser only install the files normally before starting the sandbox and then start the Tor Browser within the sandbox? I.e. separate the installation and execution.

E.g.

export HOME=/home/sandbox-app-launcher-appdata/sandbox-torbrowser
torbrowser install-only

sudo -H -u "${app_user}" bash -c "
bwrap \
...

That would probably be difficult, and fragile (with Tor Browser internal updater breaking). If going this route, please create a new forum thread, because that seems rather complex.

Copy only is now implemented in git master.

HOME=/home/sandbox-app-launcher-appdata/sandbox-torbrowser tb_no_start=true torbrowser

Just make sure that folder exists and is writable. Perhaps a test? It would be similar to /home/user.

I.e. HOME=/home/non-existing tb_no_start=true torbrowser would not copy but HOME=/home/existing-user tb_no_start=true torbrowser would work.

As an added bonus if the cached folder /var/cache/tb-binary is not populated for whatever reason it will ask if one wants to download using Tor Browser downloader by Whonix developers.

Please try. Package not available yet but in 1 day or so. Patch should be easy to apply manually though.

Inside the sandbox you can then run torbrowser (/usr/bin/torbrowser) manually since already copied? Otherwise could also use its own startup script but to keep the differences as small as possible the former (/usr/bin/torbrowser) would be preferable. Also /usr/bin/torbrowser has more sanity testing, usability.

(Will require some fine tuning to be compatible with Qubes DispVMs but I can work on that later. Also later on I will see to make sure that /var/cache/tb-binary stays up to date in Non-Qubes-Whonix too. Nothing that would block your development at this point.)

Now in Whonix developers repository.

I have working Tor Browser support in this tree although with 2 main issues and I’m not sure exactly how to approach fixing these.

GitHub - madaidan/sandbox-app-launcher at torbrowser

1) The torbrowser command fails after installing the Tor Browser as it tries to execute:

sudo --non-interactive tb_home_folder="$tb_home_folder" tb_user_home="$tb_user_home" /usr/lib/tb-starter/remount-exec

which results in a password required error. However, everything works fine when executing sandbox-app-launcher torbrowser again since it only relies on torbrowser for installation, not execution (I don’t see the need for executing torbrowser within the sandbox, it’ll likely cause more issues).

2) The TOR_SKIP_LAUNCH=1 and other variables are not set which causes errors about the Tor daemon upon launch. I’d imagine stream isolation is also going to be an issue.

I can, and will iron out any issues as far as that is possible. Will look into adding variable to disable remount-exec function now. Please keep letting me know what is causing issues and I will look into fixes. Seems pretty simple on my side of adjusting /usr/bin/torbrowser for this use case, doable quickly.

/usr/bin/torbrowser is not critical but would be useful if that works. Has some usability features:

• open link conformation
• notify non-zero (error) exit codes and advice visiting Tor Browser Essentials
• i2browser support
• SecBrowser support
• starter binary detection
• refuse running as root
• Waiting for tb-updater-first-boot.service is useful in Qubes to make sure permission fix is done for Qubes DispVMs.
• Check directory is not set to noexec and show error popup if that is the case.
• Avoid running in Qubes DVM Template.
• Avoid running in Qubes TemplateVM.
• running pre scripts through configuration folder
• injecting command line options through configuration folder
• folder permission check (often messed up after user data restore)
• remount-exec (related to (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? - can be looked into once that progressed)

Sane for sandbox to inherit environment variables? Probably not…

Then we need to somewhat, “emulate a full boot” inside the sandbox. At least setting relevant environment variables.

Related package: anon-ws-disable-stacked-tor

Related files:

• /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh
• /etc/X11/Xsession.d/20torbrowser
• (/etc/profile.d/20_torbrowser.sh)

Therefore sh (.) (or bash source) (load environment variables) from file /etc/X11/Xsession.d/20torbrowser? I.e.:

source /etc/X11/Xsession.d/20torbrowser

Somewhat unrelated, general question… Or source all of /etc/X11/Xsession.d/, source /etc/environment? (Check if file exists.)

What about hardened malloc ld preload inside sandbox?
(Hardened Malloc - Hardened Memory Allocator)

Yay, tb-starter has now the same skip function feature that tb-updater has. This gives flexibility to skip any function during development (or even final implementation) through setting environment variables.

Example:

tb_skip_functions+=" remount_exec tb_start_tor_browser " torbrowser

Package ready soon.

Now available in developers repository.

This fixes the issue although the proxy settings are now borked and it can’t connect to the internet. Should we add a user.js file?

user.js based solutions are usually breaking after a while due to Tor Browser changes.

Therefore the approach in Whonix is to not do any Tor Browser modifications in the “inside” and only prepare the “outside” so Tor Browser does not have to “know” about anything.

(Whonix ™ Tor Browser Differences)

Can we make the anon-ws-disable-stacked-tor approach work inside the sandbox? I.e…

As set in /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh.

## Environment variable to configure Tor Browser to use a pre existing unix
## domain socket file instead of creating its own one to avoid Tor over Tor and
## to keep it being able to connect.
## systemd-socket-proxyd is being used for creation of unix domain socket file
## /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock and forwarding it to
## to Whonix-Gateway port 9150.
## https://phabricator.whonix.org/T192
## https://trac.torproject.org/projects/tor/ticket/20111#comment:5
export TOR_SOCKS_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock"
export TOR_CONTROL_IPC_PATH="/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock"

I.e. is it sane and possible for the sandbox to allow access to files:

• /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
• /run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock

? I speculate if that was allowed, connectivity would be fixed.

That was indeed the issue, thanks.

The only remaining issue is that it doesn’t execute torbrowser but rather the start-tor-browser script. Executing torbrowser inside the sandbox doesn’t work. I will investigate it further but this should be ok for now.

Merged. And added few minor commits on top.
Great progress lately!

sandbox-app-launcher torbrowser

systemd journal:

Oct 08 07:32:52 host audit[2981]: AVC apparmor="DENIED" operation="signal" profile="sandbox-app-launcher-wx" pid=2981 comm="Gecko_IOThread" requested_mask="send" denied_mask="send" signal=exists peer="sandbox-app-launcher-wx"
Oct 08 07:32:52 host audit[2981]: AVC apparmor="DENIED" operation="signal" profile="sandbox-app-launcher-wx" pid=2981 comm="Gecko_IOThread" requested_mask="receive" denied_mask="receive" signal=exists peer="sandbox-app-launcher-wx"
Oct 08 07:32:52 host kernel: audit: type=1400 audit(1602142372.828:1469): apparmor="DENIED" operation="signal" profile="sandbox-app-launcher-wx" pid=2981 comm="Gecko_IOThread" requested_mask="send" denied_mask="send" signal=exists peer="sandbox-app-launcher-wx"
Oct 08 07:32:52 host kernel: audit: type=1400 audit(1602142372.828:1470): apparmor="DENIED" operation="signal" profile="sandbox-app-launcher-wx" pid=2981 comm="Gecko_IOThread" requested_mask="receive" denied_mask="receive" signal=exists peer="sandbox-app-launcher-wx"
Oct 08 07:32:53 host audit[2981]: AVC apparmor="DENIED" operation="signal" profile="sandbox-app-launcher-wx" pid=2981 comm="Gecko_IOThread" requested_mask="send" denied_mask="send" signal=exists peer="sandbox-app-launcher-wx"

Otherwise working, which is great!

Other minor stuff…

Could you please silent this?

DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-…
DBUS_SESSION_BUS_PID=8
DBUS_SESSION_BUS_WINDOWID=…

And this?

INFO: Installing Tor Browser in sandbox…

I will also silent tb-starter copying Tor Browser with --verbose. (It is bad practice for wrappers to introduce extraneous console output since that could break other wrappers (custom, written by users) which parse these program’s output.)

This should only be done for Tor Browser:

–ro-bind-try /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock /run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
–ro-bind-try /run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock /run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock \

Otherwise all applications even those with networking disabled in sandbox would gain access to networking?

No, the network namespace should still handle that anyway but it’s a good idea to remove them from other apps.

Merged.

Minor: Could you please split the bwrap_args+= into two different bwrap_args+=? That would look a bit nicer than a very long line.

Network namespace excludes unix domain socket files?

Btw there is still Don't try to remove users if they don't exist by madaidan · Pull Request #42 · Kicksecure/sandbox-app-launcher · GitHub

This fixes an issue when uninstalling sandbox-app-launcher if no users were created.

It isolates all networking-related stuff.

https://www.man7.org/linux/man-pages/man7/network_namespaces.7.html

You can use the network from within the namespace but only if you set it up prior. We use empty net namespaces for allow_net=no so no networking should be possible at all without a kernel exploit.

We could also expand allow_net to blacklist network-related syscalls in addition to the network namespace but this seems redundant.

Lost track of that one. Thanks for reminding me. Now merged.
One that one, I’ve added -q to grep, i.e. now grep -q.
And changed userdel "${user}" to userdel "${user}" || true. userdel might fail? Not sure. But if it ever does, it is probably not worth “breaking APT” for that?

Wiki page (or readme) could use some information: how dbus, audio and X11 (did I miss something else important?) is currently handled, potentially future enhancements.

Also how does Linux · Wiki · The Tor Project / Applications / Tor Browser · GitLab compare to sandbox-app-launcher?

Quote Linux · Wiki · The Tor Project / Applications / Tor Browser · GitLab

WARNING: There are several unresolved issues that affect security and
fingerprinting. Do not assume that this is perfect, merely “an improvement over nothing”.

Does this apply to sandbox-app-launcher too?

Also on Linux · Wiki · The Tor Project / Applications / Tor Browser · GitLab

• We have an easier time since we don’t use Tor, pluggable transports in he workstation.
• Tor Browser Downloader by Whonix developers is nicely separated, complicated the setup with intermingling that directly inside the browser / sandbox.
• We don’t support read-only mode (yet?) but I don’t really understand above link to what extend it was using read-only mode. You?
  • Did TorBrowser/Sandbox/Linux have a concept of which folders inside the browser folder are for binaries and which for profile data?
  • And then somehow only profile data was read-only?
  • Or all was read-only?
  • Or whole Tor Browser folder (application and profile) was reset at each browser restart?

It’s not really comparable. That sandbox is designed/fine-tuned for a single application. sandbox-app-launcher is a generic, “catch-all” sandbox.

I don’t see how sandbox-app-launcher could affect fingerprinting. Websites don’t have direct access to files, syscalls, etc. They can’t detect whether the browser is sandboxed.

There are security issues of course. The main one being X11 but hopefully we can switch to Wayland.

I assume they made as much as possible read-only. This wouldn’t really make sense for sandbox-app-launcher since it isn’t Tor Browser specific unless we add exceptions but even then, I don’t see any advantage of this. Persistent malware could implant itself into the Tor Browser files but if it had that level of access, it could also implant itself into ~/.bashrc, etc.

The only place malware can persist is the home directory or shared storage (if enabled as read-write) and it can only ever be executed if W^X is disabled.