Tor Browser sandbox breakout via X11 testing extensions (#14623) · Issues · tails / tails

Tor Browser sandbox breakout via X11 testing extensions

Originally created by @yawning on #14623 (Redmine)

The issue reported by Google Project Zero against the Tor Browser sandbox allows escape from the Tails browser’s confinement via way of X11.

While this may be beyond Tails’ threat model in this area (and to be frank, it was beyond mine, primarily as I view securing X a lost cause), this can be mitigated by disallowing access to the particularly unsafe X protocol extensions.

The easy way to accomplish this is to spawn the X server with `-tst` (See Xserver(1)), with the caveat that it will globally break applications that rely on that functionality (such as `xdotool`). The approach that I took, which is considerably more involved, is to intercept X protocol calls and whitelist the extensions that the browser is allowed to use, but my app operates under considerably different constraints.

See: https://bugs.chromium.org/p/project-zero/issues/detail?id=1293

Feature Branch: bugfix/14623-disable-X11-testing-extension

Related issues

Related to #14675 (closed)
Related to #12213
Related to #14712 (closed)
Blocks #13234 (closed)

_Originally created by @yawning on [#14623 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/14623)_

The issue reported by Google Project Zero against the Tor Browser
sandbox allows escape from the Tails browser’s confinement via way of
X11.

While this may be beyond Tails’ threat model in this area (and to be
frank, it was beyond mine, primarily as I view securing X a lost cause),
this can be mitigated by disallowing access to the particularly unsafe X
protocol extensions.

The easy way to accomplish this is to spawn the X server with \`-tst\`
(See Xserver(1)), with the caveat that it will globally break
applications that rely on that functionality (such as \`xdotool\`). The
approach that I took, which is considerably more involved, is to
intercept X protocol calls and whitelist the extensions that the browser
is allowed to use, but my app operates under considerably different
constraints.

See: <https://bugs.chromium.org/p/project-zero/issues/detail?id=1293>

Feature Branch: bugfix/14623-disable-X11-testing-extension

### Related issues

- **Related to** tails/tails#14675
  - **Related to** tails/tails#12213
  - **Related to** tails/tails#14712
  - **Blocks** tails/tails#13234

Edited May 15, 2020 by yawning

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.