#22000: update OSX browser sandbox profile for e10s -------------------------------------------------+------------------------- Reporter: brade | Owner: tbb- | team Type: defect | Status: new Priority: Medium | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: ff52-esr, tbb-security, tbb- | Actual Points: sandboxing, tbb-e10s,tbb-7.0-must- | alpha,TorBrowserTeam201705 | Parent ID: | Points: Reviewer: | Sponsor: | Sponsor4 -------------------------------------------------+-------------------------
Comment (by mcs): Kathy and I were hoping to come up with a quick fix for this ticket, but it turns out that nesting of sandbox configs is not supported on OSX. That means that we either need to disable Mozilla's content process sandbox or we need to disable our sandbox. Since it seems like there may be a way in our sandbox profile to say "allow exec of this specific executable and start it without a sandbox" and since (hopefully) Mozilla enables their sandbox as early as possible, the second approach is probably the one to use. In other words, our tb.sb profile would apply to the chrome process and Mozilla's built in content process sandbox rules would apply to the content/tab process. But we should look and see what we are giving up if we do that, e.g., what does Mozilla allow that we don't want to allow? -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22000#comment:7> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs