I was running tor browser with the command firejail --seccomp torbrowser. It worked fine, then all of the sudden noscript stopped working and said it had to be restarted. I restarted tor browser the same way (firejail --seccomp) and got a red screen, saying something went wrong.
I then opened up torbrowser without firejail and it worked perfectly.
Does firejail --seccomp torbrowser disable noscript in some way?
As for apparmor, when I run sudo aa-status, it shows 3 processes in enforce mode for tor-browser, but I am only running 1. They each have their own id also.
Can anyone help me investigate this to see what is going on and how to correct it?
Documentation updated just now. See Tor Browser Essentials instead.
Not deliberate. It probably happens due to firejail restricting access to that file or something else.
The default seccomp filter for firejail likely blocks a syscall the Tor Browser needs. Use the proper profile instead by running
firejail --profile=/etc/firejail/start-tor-browser.profile torbrowser
Insufficient. Details:
opened 05:17PM - 18 Jul 19 UTC
closed 06:00PM - 17 Sep 19 UTC
enhancement
TLDR:
Could you please provide a firejail profile for use with Tor Browser when using path `/home/user/.tb/tor-browser` as installation folder?
This would then work for all users of tb-updater (Debian, Qubes and Whonix users).
----
Long:
Whonix maintainer here.
In Whonix we are using a slightly different folder.
/home/user/.tb/tor-browser/
Full path to `start-tor-browser.desktop`
/home/user/.tb/tor-browser/start-tor-browser.desktop
Working:
firejail --private=/home/user/.tb/tor-browser ./start-tor-browser.desktop
Not working:
firejail --private=/home/user/.tb/tor-browser /home/user/.tb/tor-browser/start-tor-browser.desktop
> Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found
Can we avoid using `--private`?
Could we somehow use the full path to `/home/user/.tb/tor-browser/start-tor-browser.desktop`? I would hope that using firejail can become a simple prepend firejail vs not prepend firejail. At the moment our startup wrapper /usr/bin/torbrowser (does various unrelated things) does in essence:
cd ~/.tb/tor-browser
/home/user/.tb/tor-browser/start-tor-browser.desktop
Which is working.
firejail --profile=/etc/firejail/torbrowser-launcher.profile /home/user/.tb/tor-browser/start-tor-browser.desktop
> Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found
ls -la /home/user/.tb/tor-browser/start-tor-browser.desktop
> -rwx------ 1 user user 1726 Jul 18 16:45 /home/user/.tb/tor-browser/start-tor-browser.desktop
Also previously running `cd ~/.tb/tor-browser` does not help.
Also same error:
firejail --profile=/etc/firejail/tor-browser-en-us.profile /home/user/.tb/tor-browser/start-tor-browser.desktop
`start-tor-browser.desktop` is special indeed.
cat start-tor-browser.desktop
> #!/usr/bin/env ./Browser/execdesktop
....
Might that be confusing firejail?
What does also work: (based on https://github.com/netblue30/firejail/issues/2429#issuecomment-465545751 thanks to @rusty-snake)
firejail --whitelist=$HOME/.tb/tor-browser --profile=/etc/firejail/start-tor-browser.profile $HOME/.tb/tor-browser/Browser/start-tor-browser --detach
What also works:
firejail --profile=/etc/firejail/start-tor-browser.profile $HOME/.tb/tor-browser/Browser/start-tor-browser
Why were we able to drop `--whitelist=$HOME/.tb/tor-browser`?
Is profile `/etc/firejail/start-tor-browser.profile` only covering /home/user/.tb/tor-browser/Browser/start-tor-browser or all subsequent execution (i.e. the forked Firefox)?
We don’t confine the wrapper /usr/bin/torbrowser. As per above ticket. We confine actual Tor Browser only.
Use as per wiki instructions.
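The launch failures above come from the `.desktop` file's relative shebang (`#!/usr/bin/env ./Browser/execdesktop`), which only resolves when the current directory is the install folder, while `Browser/start-tor-browser` can be started by absolute path under the `start-tor-browser.profile`. The following is an added illustration, not Whonix's `/usr/bin/torbrowser` wrapper: it detects a relative shebang and builds the firejail command line for a given install directory, with a hypothetical second argument standing in for the `--hardening` toggle.

```shell
#!/bin/sh
# Added example (not the Whonix wrapper). Assumptions: firejail's profile
# lives at /etc/firejail/start-tor-browser.profile, and the install dir
# layout matches tb-updater's (DIR/start-tor-browser.desktop, DIR/Browser/...).
TB_PROFILE="${TB_PROFILE:-/etc/firejail/start-tor-browser.profile}"

# Print the interpreter named on a script's "#!" line (empty if none).
tb_shebang() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*//p'
}

# Succeed when the interpreter is a relative path, i.e. the script can only
# run from its own directory. This is the case for start-tor-browser.desktop
# ("/usr/bin/env ./Browser/execdesktop"), which is why handing its absolute
# path to firejail yields "no suitable ... executable found".
tb_shebang_is_relative() {
    case "$(tb_shebang "$1")" in
        "/usr/bin/env ./"*|"/usr/bin/env ../"*|./*|../*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command to start the Tor Browser installed in $1.
# $2 = 1 selects confinement (hypothetical stand-in for `torbrowser --hardening`);
# in both cases the target is Browser/start-tor-browser, not the .desktop file,
# so no `cd` and no --private/--whitelist are required.
tb_launch_cmd() {
    dir="$1"
    hardening="${2:-0}"
    launcher="$dir/Browser/start-tor-browser"
    if [ "$hardening" = "1" ]; then
        printf 'firejail --profile=%s %s\n' "$TB_PROFILE" "$launcher"
    else
        printf '%s\n' "$launcher"
    fi
}
```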
Yes, but the only way to confine the Tor Browser only while still using the torbrowser script is to set a variable in a file in /etc/torbrowser.d, which is permanent unless you remove it, which is not good for a one-time test.
No, can also use.
torbrowser --hardening
That is temporary until next browser start.
(Adds hardening to actual Tor Browser only. Not to the wrapper. Same.)
(Environment variable would also work.)
> Patrick_mobile: `torbrowser --hardening`
Ah, I haven’t tried that yet so I forgot it was possible.