Tor Browser sandbox breakout via X11 testing extensions
The issue reported by Google Project Zero against the Tor Browser sandbox allows escape from the Tails browser’s confinement by way of X11.
While this may be beyond Tails’ threat model in this area (and to be frank, it was beyond mine, primarily as I view securing X a lost cause), this can be mitigated by disallowing access to the particularly unsafe X protocol extensions.
The easy way to accomplish this is to spawn the X server with `-tst` (see Xserver(1)), with the caveat that it will globally break applications that rely on that functionality (such as `xdotool`). The approach that I took, which is considerably more involved, is to intercept X protocol calls and whitelist the extensions that the browser is allowed to use, but my app operates under considerably different constraints.
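As an added check (example script, not part of the original issue or of Tails): start a nested X server with `-tst` and confirm through `xdpyinfo` that the XTEST extension is no longer advertised. Using Xephyr as the nested server and display `:7` are assumptions; the embedded `xdpyinfo` output is a constructed sample.

```shell
#!/bin/sh
# Added example: verify that an X server started with -tst (see Xserver(1))
# does not advertise XTEST. Assumes Xephyr and xdpyinfo are installed and
# that display :7 is free (both are assumptions, not from the issue).

# Print the extension names from xdpyinfo output read on stdin, one per line.
list_extensions() {
    awk '/^number of extensions:/ { inlist = 1; next }
         inlist && /^[[:space:]]/ { sub(/^[[:space:]]+/, ""); print; next }
         inlist { exit }'
}

# Return 0 if XTEST is absent from the xdpyinfo output on stdin, 1 otherwise.
xtest_disabled() {
    ! list_extensions | grep -qx 'XTEST'
}

# Constructed sample of xdpyinfo output for a server started WITHOUT -tst.
SAMPLE_WITH_XTEST='name of display:    :7
number of extensions:    4
    BIG-REQUESTS
    XTEST
    XKEYBOARD
    RENDER
default screen number:    0'

# Live check: run a nested server with XTEST disabled, query it, tear it down.
live_check() {
    Xephyr :7 -tst -screen 640x480 >/dev/null 2>&1 &
    xpid=$!
    sleep 1
    out=$(xdpyinfo -display :7)
    kill "$xpid"
    printf '%s\n' "$out" | xtest_disabled
}

if [ "${1:-}" = "--live" ]; then
    if live_check; then echo "XTEST disabled on :7"; else echo "XTEST still enabled on :7"; fi
fi
```

Run with `--live` to test a real nested server; without arguments only the parsing helpers are defined.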
See: https://bugs.chromium.org/p/project-zero/issues/detail?id=1293
Feature Branch: bugfix/14623-disable-X11-testing-extension
Related issues
- Related to #14675 (closed)
- Related to #12213
- Related to #14712 (closed)
- Blocks #13234 (closed)
Original created by @yawning on 14623 (Redmine)