  • #19421
Closed
Issue created Feb 08, 2023 by boyska (@boyska, Maintainer)

Prevent spawning Unsafe Browser from main apps

As per !956 (comment 198972), some apps (LibreOffice for sure; Thunderbird has not been tested) can spawn Unsafe Browser. This is a security problem that can lead to deanonymization, e.g. via the accessibility bus (if enabled).

Improving the AppArmor profile should be enough.

But we've thought of a more elegant and possibly more maintainable approach on !989. The last plan there is an allow-list approach that does not need AppArmor 3.0, that is safe vs. PID cycles, and does not require hardening AppArmor profiles for risky apps:

  • Scrap most of the !989 branch
  • Run GNOME Shell and TCA portal under almost-dummy AppArmor profiles, that:
    • allow everything
    • when executing Unsafe Browser, transition to a specific AppArmor profile (not the one that it would get by default if I started Unsafe Browser in a Terminal)
  • Unsafe Browser script: abort unless running under this specific AppArmor profile
  • AppArmor policy: by default, don't apply any profile to the Unsafe Browser
  • Only root can run a program under an AppArmor profile of their choice, so this should be safe.
Edited Mar 22, 2023 by intrigeri
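
The "abort unless running under this specific AppArmor profile" step from the plan above, sketched as an added example (not code from the issue or from the Tails repository). The profile name is a hypothetical placeholder, and the check relies on the kernel exposing the confinement label in `/proc/self/attr/current` as either `unconfined` or `<profile> (<mode>)`.

```shell
#!/bin/sh
# Added illustration, not Tails code.
# EXPECTED_PROFILE is a hypothetical name for the dedicated profile that only
# the allow-listed launchers (GNOME Shell, TCA portal) would transition into.
EXPECTED_PROFILE="unsafe-browser-from-allowed-launcher"

# Parse a confinement label: "unconfined" or "<profile> (<mode>)".
# Succeeds only for the expected profile in enforce mode, so an unconfined
# caller, another app's profile, or complain mode are all rejected.
label_is_expected() {
    label=$1
    case "$label" in
        *" ("*")") ;;          # looks like "<profile> (<mode>)"
        *) return 1 ;;         # "unconfined", empty, or malformed
    esac
    mode=${label##* (}         # text after the last " ("
    mode=${mode%)}             # drop the closing parenthesis
    profile=${label% (*}       # text before the last " ("
    [ "$profile" = "$EXPECTED_PROFILE" ] && [ "$mode" = "enforce" ]
}

# Read this shell's own label. The builtin `read` is used so that no child
# process is executed (a child could carry a different label). The optional
# path argument exists only so the check can be run against a constructed file.
check_confinement() {
    attr_file=${1:-/proc/self/attr/current}
    [ -r "$attr_file" ] || return 1
    current=
    IFS= read -r current < "$attr_file" || [ -n "$current" ] || return 1
    label_is_expected "$current"
}

# Intended call site at the top of the launcher script.
abort_unless_confined() {
    if ! check_confinement; then
        echo "Refusing to start: not launched from an allowed application" >&2
        exit 1
    fi
}
```

The check is only as strong as the property stated in the plan's last bullet: a non-root process must not be able to place itself under this profile by any route other than the allow-listed launchers' transition rule.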