Tor Browser sandbox breakout via X11 testing extensions (#14623) · Issues · tails / tails

Tor Browser sandbox breakout via X11 testing extensions

Originally created by @yawning on #14623 (Redmine)

The issue reported by Google Project Zero against the Tor Browser sandbox allows escape from the Tails browser’s confinement via way of X11.

While this may be beyond Tails’ threat model in this area (and to be frank, it was beyond mine, primarily as I view securing X a lost cause), this can be mitigated by disallowing access to the particularly unsafe X protocol extensions.

The easy way to accomplish this is to spawn the X server with `-tst` (See Xserver(1)), with the caveat that it will globally break applications that rely on that functionality (such as `xdotool`). The approach that I took, which is considerably more involved, is to intercept X protocol calls and whitelist the extensions that the browser is allowed to use, but my app operates under considerably different constraints.

See: https://bugs.chromium.org/p/project-zero/issues/detail?id=1293

Feature Branch: bugfix/14623-disable-X11-testing-extension

Related issues

Related to #14675 (closed)
Related to #12213
Related to #14712 (closed)
Blocks #13234 (closed)

Edited May 15, 2020 by yawning

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information