[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Automatically Firejailing Tor Browser


#1

/wiki/Security_Guide#Firejail:
"Note: There is no secure and reliable way to create start menu entries / desktop shortcuts using Firejail. In the meantime, start firejailed applications from the command line. "

Tor Browser can be reliably firejailed in Whonix by adding the proper Exec arguments to /usr/share/applications/janondisttorbrowser.desktop in the Whonix-WS TemplateVM. Is there any security risk in doing this, besides generic recommendations to avoid modifying TemplateVMs?


#2

We already discussed this in another thread (wiki edits one). There was some reason (that I forget) about not using menu entries / desktop shortcuts. You could search and find it.

Anyway, do you mind posting your working janondisttorbrowser.desktop for interest here?


#3

The only information I’ve found was at “firejail / seccomp / More Options for Program Containment”. Patrick mentioned janondisttorbrowser.desktop in post 31, relating to waiting on a trac.torproject ticket and tb-starter. But this was in 2016.

Here’s the text. changes are in bold. Simple!

[Desktop Entry]
Exec=firejail --seccomp torbrowser %u
Type=Application
Name=Tor Browser (AnonDist)
GenericName=Privacy Browser
Comment=Start Tor Browser (AnonDist)
Categories=Network;
Icon=/usr/share/icons/anon-icon-pack/torbrowser.png
X-KDE-StartupNotify=false
Keywords=browser;privacy;Tor;
MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https;

Any flags besides --seccomp that would be useful?


#4

In Whonix 14 you can edit etc/torbrowser.d/50_user.conf and add

tb_starter_bin_pre="firejail --seccomp"

#5

Nice.

Wiki fixed.

Re: the many, many options, run:

man firejail

or refer to the Firejail website:

https://firejail.wordpress.com/features-3/man-firejail/

I’ve tried a bunch of security-related options before, but seccomp seemed to be the only one that worked properly, at least in Whonix (from wiki) i.e.

Preliminary tests of other security features reveals they are not yet functional in Whonix, for instance --apparmor, --private, and --overlay-tmpfs. If the user does not specify a path to a specific profile when running Firejail, it will search for any relevant profile automatically. If a profile is not found, a default profile will be used.

See also: https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment


#6

No good idea to change that. Will be dropped on any package upgrade.

In Whonix 13 it would be better to overwrite function tb_start_tor_browser using a config snippet /etc/torbrowser.d/50_user.conf.

tb_start_tor_browser() {
   if [ -x "$tb_browser_folder/Browser/start-tor-browser" ]; then
      ## Preferring $tb_browser_folder/Browser/start-tor-browser to work around
      ## The Tor Project upstream issue:
      ## 'start-tor-browser.desktop parameter passing broken on spaces'
      ## https://trac.torproject.org/projects/tor/ticket/18022
      firejail --seccomp "$tb_browser_folder/Browser/start-tor-browser" --allow-remote "$@"
   elif [ -x "$tb_browser_folder/start-tor-browser" ]; then
      firejail --seccomp "$tb_browser_folder/start-tor-browser" --allow-remote "$@"
   elif [ -x "$tb_browser_folder/start-tor-browser.desktop" ]; then
      firejail --seccomp "$tb_browser_folder/start-tor-browser.desktop" --allow-remote "$@"
   else
      error "Neither $tb_browser_folder/Browser/start-tor-browser nor\
$tb_browser_folder/start-tor-browser nor \
$tb_browser_folder/start-tor-browser.desktop is executable."
   fi
}

Untested. And make sure to remove this in Whonix 14 (replace with above mentioned method).


#7

Noted.

The user.conf works well. Thank you for providing it.


#8

Playing with firejail. There are many threads, I choose that one since it concerns Tor Browser.

Thanks to @hulahoop

Done in firejail 0.9.56-2, available from Debian testing. It installs both firejail and firejail-profiles packages.

I wrote a profile for /usr/bin/torbrowser.

Regarding this thread’s subject, automatically using (or not) any profile is a matter of appending (or commenting) the program name in firecfg.config and running firecfg as root.

The question is, should we create a package for firejail, something like firejail-profiles-whonix, because it should be more than torbrowser. An example: thunderbird cannot open external links when sandboxed, most likely because we do not run Tor Browser directly.

This is very preliminary, from a first glance. There are more issues, like the location of firecfg.config, the real status of children programs…


#9

If the profiles are tested exclusively in Whonix then firejail-profiles-whonix. But that package name someone hinders ports to Debian. If one package with many profiles for simplicity (easier just to have one package) seems most appealing please go for it. Since you’re the one implementing it, I guess I should just brainstorm and let you decide what you find most appealing.

Could also put into https://github.com/Whonix/apparmor-profile-torbrowser. Maybe that name is good enough or I rename all our apparmor-profile-* packages to enforcement-profiles-torbrowser etc. so apparmor and firejail can go there? Or not worth it, will apparmor be a thing of the past in favor of firejail?

Or firejail-profiles (when that will be existing as per https://community.parrotsec.org/t/firejail-implementation-details/2175/9?u=adrelanos).


#10

" Perhaps you can create a torbrowser profile and do a pull request."

cc @HulaHoop @0brand @torjunkie


#11

Thanks for following this up.