From 5499f32f080874af2b88e691c349aad913e8267e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dav=C3=AD=C3=B0=20Steinn=20Geirsson?= Date: Thu, 4 Nov 2021 23:10:37 +0000 Subject: [PATCH] tor-browser-bundle-bin: Enable content sandbox and hardened malloc Tor browser enables multi-process support in firefox to sandbox each site in its own process. This is a very important security feature. It was disabled in the nixpkgs version, according to a comment due to "crashing tabs", but running with it enabled I have not been able to recreate this. Sandboxing enabled is the upstream default, and if we can't ship a tor browser that way then we should not ship one at all. Also re-enable useHardenedMalloc to use graphene-hardened-malloc. Here there was also a comment, in this case saying it caused "crashes with intel driver". I have also been unable to recreate this on my Intel UHD P630 onboard graphics. I believe neither of these are issues any longer. --- .../browsers/tor-browser-bundle-bin/default.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix b/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix index a512c119d53a..c679b568736b 100644 --- a/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix +++ b/pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix @@ -43,12 +43,11 @@ # Hardening , graphene-hardened-malloc -# crashes with intel driver -, useHardenedMalloc ? false +# Whether to use graphene-hardened-malloc +, useHardenedMalloc ? true -# Whether to disable multiprocess support to work around crashing tabs -# TODO: fix the underlying problem instead of this terrible work-around -, disableContentSandbox ? true +# Whether to disable multiprocess support +, disableContentSandbox ? false # Extra preferences , extraPrefs ? ""