#22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured.
-------------------------------------------------+-------------------------
 Reporter:  yawning                              |          Owner:  pospeselr
     Type:  defect                               |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, tbb-sandboxing,        |  Actual Points:
  TorBrowserTeam201802R                          |
Parent ID:  #20775                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by teor):

 macOS legacy sandbox support has:
 {{{
 #include <sandbox.h>
 ...
 kSBXProfileNoInternet  TCP/IP networking is prohibited.  DEPRECATED.
 kSBXProfileNoNetwork   All sockets-based networking is prohibited.  DEPRECATED.
 }}}

 sandbox-exec is also legacy, but it works from the command line:
 https://paolozaino.wordpress.com/2015/10/20/maximum-security-and-privacy-using-mac-os-sandbox-and-tor-browser-bundle/

 Unfortunately, the replacement API doesn't seem to distinguish between
 TCP/IP and unix sockets. We'd need to do some testing.
 {{{
 com.apple.security.network.client
 Network socket for connecting to other machines
 com.apple.security.network.server
 Network socket for listening for incoming connections initiated by other machines
 }}}
 https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW9

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22794#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
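
A probe for the kind of testing the comment above calls for, added here as an example (it is not code from the ticket or from Tor Browser): run inside the sandbox under test, it attempts a loopback connect for AF_INET and AF_INET6 and a connect to a unix socket path, then classifies which families the policy let through. Assumptions: a sandbox denial surfaces as EPERM or EACCES, and the function names, verdict names and socket path are constructed for illustration.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* NO_INTERNET / NO_NETWORK mirror the two behaviours the sandbox.h text describes. */
enum verdict { UNRESTRICTED, NO_INTERNET, NO_NETWORK, MIXED };
/* Assumption: the sandbox reports a policy denial as EPERM or EACCES. */
static int denied(int err) { return err == EPERM || err == EACCES; }

/* Create a socket and try to connect; return 0 or the errno that stopped us. */
static int try_connect(int family, const void *sa, socklen_t len) {
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int err = connect(fd, (const struct sockaddr *)sa, len) == 0 ? 0 : errno;
    close(fd);
    return err;
}

int probe_inet(void) {  /* loopback, port 9: no packet leaves the host */
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(9) };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return try_connect(AF_INET, &a, sizeof a);
}
int probe_inet6(void) {
    struct sockaddr_in6 a = { .sin6_family = AF_INET6, .sin6_port = htons(9) };
    a.sin6_addr = in6addr_loopback;
    return try_connect(AF_INET6, &a, sizeof a);
}
int probe_local(void) {  /* constructed path; ENOENT means the attempt was allowed */
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    strcpy(a.sun_path, "/tmp/probe-22794.sock");
    return try_connect(AF_UNIX, &a, sizeof a);
}

/* Errors such as ECONNREFUSED or ENOENT mean the policy permitted the attempt. */
enum verdict classify(int inet, int inet6, int local) {
    if (denied(inet) && denied(inet6)) return denied(local) ? NO_NETWORK : NO_INTERNET;
    if (denied(inet) || denied(inet6) || denied(local)) return MIXED;
    return UNRESTRICTED;
}

int main(void) {
    int i = probe_inet(), i6 = probe_inet6(), l = probe_local();
    printf("inet=%d inet6=%d unix=%d verdict=%d\n", i, i6, l, classify(i, i6, l));
    return 0;
}
```

The probe goes as far as connect() rather than stopping at socket(), so a policy that only blocks at connection time is still detected.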