Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
T
tails
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 961
    • Issues 961
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 14
    • Merge Requests 14
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI/CD
    • Repository
    • Value Stream
  • Members
    • Members
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • tails
  • tails
  • Issues
  • #5525

Closed
Open
Created Jul 18, 2013 by import-from-Redmine@import-from-Redmine4 of 4 tasks completed4/4 tasks

Sandbox the web browser

Originally created by Tails on #5525 (Redmine)

The web browser probably has one the biggest attack surface exposed by Tails to a network attacker, so anything we can do to make it harder, for an attacker, to escalate from "browser exploited" to "whole system under’s attacker control", is welcome.

When a container-based solution becomes a viable, secure solution for creating isolated jails, the chroot approach used by the unsafe browser will be adaptable to the regular Iceweasel.

Our work to add AppArmor support will be useful in this area too, either in replacement of a container-based approach, or to complement it.

Special care needs to be given to allow sharing files between the Tor Browser and the rest of the system, e.g. to download and upload files. One could give read/write access from/to one special directory in $HOME (likely: “Downloads”), using bind-mounts and ACLs as needed.

Blueprint: https://tails.boum.org/blueprint/sandbox_the_web_browser/

Feature Branch: feature/5525-sandbox-web-browser

Subtasks

  • #8786 (closed)
  • #8787 (closed)
  • #8790 (closed)
  • #8821 (closed)

Related issues

  • Related to #5422
  • Related to #5370 (closed)
  • Related to #8280
  • Related to #6178 (closed)
  • Related to sysadmin#8852 (closed)
Edited May 15, 2020 by import-from-Redmine
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Tails_1.3
Milestone
Tails_1.3 (Past due)
Assign milestone
Time tracking
None
Due date
None