onion-grater leaks info about unassociated circuits to Tor Browser
(This is a general issue, but let's be concrete and talk only about the Tor Browser situation.)
The current Tor Browser filter rules have restrict-stream-events, so when subscribing to stream events it will only learn about its own streams, great. However, the filter rules also allow getinfo circuit-status, so Tor Browser can actually see all circuits, while it would be sufficient if it could only see those that are associated with any of its streams (and since we employ proper stream isolation, circuits are not shared with other applications, so it wouldn't see any other applications' circuits). So we could do better here.
There is a similar story about getinfo stream-status and subscribing to circuit events, but it is not relevant for our current filter rules so we should just wait for arti, but in the meantime Tor Browser knowing about all circuits is an issue.
The impact is basically: "Tor Browser knows which exit nodes are used at any given time". Since circuit-status also lists the Socks username/password set for stream isolation purposes, it could potentially tell which application is using which circuit, but I believe we don't use that, except when torsocks --isolate is involved (so e.g. wget), which sets the Socks credentials based on the torified process' PID, but we are narrowly saved since Tor Browser's AppArmor confinement should prevent it from mapping PID to application. But maybe there is some other leak I haven't thought about.
Is it worth fixing, or should we wait for arti? I think the fix shouldn't be too hard: onion-grater would need to intercept getinfo circuit-status and, for each circuit, only show those that have a stream that belongs to the application.
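As an added illustration of that filtering step (example code written for this issue, not onion-grater's own implementation), the following assumes the filter already knows the application's own stream IDs (as it would from restrict-stream-events), maps them to circuit IDs via the stream-status format (StreamID SP StreamStatus SP CircuitID SP Target), and drops every circuit-status line for a circuit the application has no stream on. Both reply bodies are constructed samples with placeholder fingerprints.

```python
# Constructed "GETINFO circuit-status" reply body. Real relay fingerprints are
# 40 hex digits; the $aaaa-style values here are placeholders.
CIRCUIT_STATUS = """\
5 BUILT $aaaa~guard,$bbbb~middle,$cccc~exit1 BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL SOCKS_USERNAME="browser" SOCKS_PASSWORD="x"
7 BUILT $aaaa~guard,$dddd~middle,$eeee~exit2 BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL SOCKS_USERNAME="wget-pid-4242" SOCKS_PASSWORD=""
9 EXTENDED $aaaa~guard BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL
"""

# Constructed "GETINFO stream-status" reply body: StreamID StreamStatus CircuitID Target.
# CircuitID 0 means the stream is not attached to any circuit yet.
STREAM_STATUS = """\
21 SUCCEEDED 5 example.com:443
22 NEW 0 example.org:443
23 SUCCEEDED 7 mirror.example.net:80
"""


def circuits_for_streams(stream_status, own_streams):
    """Return the set of circuit IDs carrying any of the application's own streams."""
    circuits = set()
    for line in stream_status.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or empty line: ignore rather than guess
        stream_id, circuit_id = fields[0], fields[2]
        # Unattached streams (circuit 0) reveal no circuit, so they map to nothing.
        if stream_id in own_streams and circuit_id != "0":
            circuits.add(circuit_id)
    return circuits


def filter_circuit_status(circuit_status, allowed_circuits):
    """Keep only circuit-status lines whose leading CircuitID is allowed."""
    kept = []
    for line in circuit_status.splitlines():
        if not line.strip():
            continue
        circuit_id = line.split(" ", 1)[0]
        if circuit_id in allowed_circuits:
            kept.append(line)
    return "\n".join(kept)


def filtered_reply(circuit_status, stream_status, own_streams):
    """What the application should see: circuits it has a stream on, nothing else."""
    return filter_circuit_status(circuit_status, circuits_for_streams(stream_status, own_streams))
```

With the sample data, an application owning streams 21 and 22 sees only circuit 5; circuit 7 (another application's stream, with its Socks credentials) and circuit 9 (no streams at all) are withheld.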