Automatically Firejailing Tor Browser

Development
1

/wiki/Security_Guide#Firejail:
"Note: There is no secure and reliable way to create start menu entries / desktop shortcuts using Firejail. In the meantime, start firejailed applications from the command line. "

Tor Browser can be reliably firejailed in Whonix by adding the proper Exec arguments to /usr/share/applications/janondisttorbrowser.desktop in the Whonix-WS TemplateVM. Is there any security risk in doing this, besides generic recommendations to avoid modifying TemplateVMs?

Edit by Patrick:

https://forums.whonix.org/t/looking-for-firejail-seccomp-maintainer-for-better-security/2211/8

2

We already discussed this in another thread (wiki edits one). There was some reason (that I forget) about not using menu entries / desktop shortcuts. You could search and find it.

Anyway, do you mind posting your working janondisttorbrowser.desktop for interest here?

3

The only information I’ve found was at “firejail / seccomp / More Options for Program Containment”. Patrick mentioned janondisttorbrowser.desktop in post 31, relating to waiting on a trac.torproject ticket and tb-starter. But this was in 2016.

Here’s the text. changes are in bold. Simple!

[Desktop Entry]
Exec=firejail --seccomp torbrowser %u
Type=Application
Name=Tor Browser (AnonDist)
GenericName=Privacy Browser
Comment=Start Tor Browser (AnonDist)
Categories=Network;
Icon=/usr/share/icons/anon-icon-pack/torbrowser.png
X-KDE-StartupNotify=false
Keywords=browser;privacy;Tor;
MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https;

Any flags besides --seccomp that would be useful?

1 Like
4

In Whonix 14 you can edit etc/torbrowser.d/50_user.conf and add

tb_starter_bin_pre="firejail --seccomp"
1 Like
5

Nice.

Wiki fixed.

Re: the many, many options, run:

man firejail

or refer to the Firejail website:

https://firejail.wordpress.com/features-3/man-firejail/

I’ve tried a bunch of security-related options before, but seccomp seemed to be the only one that worked properly, at least in Whonix (from wiki) i.e.

Preliminary tests of other security features reveals they are not yet functional in Whonix, for instance --apparmor, --private, and --overlay-tmpfs. If the user does not specify a path to a specific profile when running Firejail, it will search for any relevant profile automatically. If a profile is not found, a default profile will be used.

See also: https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment

6

No good idea to change that. Will be dropped on any package upgrade.

In Whonix 13 it would be better to overwrite function tb_start_tor_browser using a config snippet /etc/torbrowser.d/50_user.conf.

tb_start_tor_browser() {
   if [ -x "$tb_browser_folder/Browser/start-tor-browser" ]; then
      ## Preferring $tb_browser_folder/Browser/start-tor-browser to work around
      ## The Tor Project upstream issue:
      ## 'start-tor-browser.desktop parameter passing broken on spaces'
      ## https://trac.torproject.org/projects/tor/ticket/18022
      firejail --seccomp "$tb_browser_folder/Browser/start-tor-browser" --allow-remote "$@"
   elif [ -x "$tb_browser_folder/start-tor-browser" ]; then
      firejail --seccomp "$tb_browser_folder/start-tor-browser" --allow-remote "$@"
   elif [ -x "$tb_browser_folder/start-tor-browser.desktop" ]; then
      firejail --seccomp "$tb_browser_folder/start-tor-browser.desktop" --allow-remote "$@"
   else
      error "Neither $tb_browser_folder/Browser/start-tor-browser nor\
$tb_browser_folder/start-tor-browser nor \
$tb_browser_folder/start-tor-browser.desktop is executable."
   fi
}

Untested. And make sure to remove this in Whonix 14 (replace with above mentioned method).

1 Like
7

Noted.

The user.conf works well. Thank you for providing it.

1 Like
8

Playing with firejail. There are many threads, I choose that one since it concerns Tor Browser.

Thanks to @hulahoop

Done in firejail 0.9.56-2, available from Debian testing. It installs both firejail and firejail-profiles packages.

I wrote a profile for /usr/bin/torbrowser.

Regarding this thread’s subject, automatically using (or not) any profile is a matter of appending (or commenting) the program name in firecfg.config and running firecfg as root.

The question is, should we create a package for firejail, something like firejail-profiles-whonix, because it should be more than torbrowser. An example: thunderbird cannot open external links when sandboxed, most likely because we do not run Tor Browser directly.

This is very preliminary, from a first glance. There are more issues, like the location of firecfg.config, the real status of children programs…

4 Likes
9

If the profiles are tested exclusively in Whonix then firejail-profiles-whonix. But that package name someone hinders ports to Debian. If one package with many profiles for simplicity (easier just to have one package) seems most appealing please go for it. Since you’re the one implementing it, I guess I should just brainstorm and let you decide what you find most appealing.

Could also put into GitHub - Kicksecure/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening).. Maybe that name is good enough or I rename all our apparmor-profile-* packages to enforcement-profiles-torbrowser etc. so apparmor and firejail can go there? Or not worth it, will apparmor be a thing of the past in favor of firejail?

Or firejail-profiles (when that will be existing as per https://community.parrotsec.org/t/firejail-implementation-details/2175/9?u=adrelanos).

1 Like
10

" Perhaps you can create a torbrowser profile and do a pull request."

cc @HulaHoop @0brand @torjunkie

1 Like
11

Thanks for following this up.

1 Like
12

It seems that Firejail is going to be installed by default in Whonix 15 so this seems like it’d be a good idea.

Any Xorg window has access to any other Xorg window. This makes it easier for things like keyloggers or screenshot programs that can even record the root password. [1]

Firejail has a way to sandbox these windows with an external X11 server so one window doesn’t have access to another window. It seems that there is only support for Xpra and Xephyr. I prefer Xephyr over Xpra.

Would it be good for Whonix to sandbox the Tor Browser or other programs in an X11 sandbox by default?

There is a guide on X11 sandboxing here

  1. The Linux Security Circus: On GUI isolation | The Invisible Things
3 Likes
13

A quote from @Patrick in another thread:

Though I think the implications are worth researching and asking The Tor Project about if you don’t mind posting on theirTor Browser mailing list.

2 Likes
14

Worth investing time into X11?
Wayland more suitable?
On the downside XFCE doesn’t support wayland yet.

As for firejail that’s not doable since we don’t have a firejail maintainer, see:

https://forums.whonix.org/t/looking-for-firejail-seccomp-maintainer-for-better-security/2211

1 Like
15

Wayland would be much more suitable than X11 but right now X11 is the only choice unless Whonix uses something else as the default DE.

I’ll research into if there are any fingerprinting issues with firejail.

I would volunteer to maintain firejail but I don’t have any experience with that.

1 Like
16

Yes. It’s going to be a looong time before the wayland problems are ironed out and the protocol gains the needed extension and then have the necessary libs baked in to XFCE:

When Wayland comes along I don’t believe GUI isolation needs to be explicitly handled by firejail since it is all done properly by the compositor?

2 Likes
17
1 Like
18

Why use --seccomp? Why not use the default firejail profile?

19

The default firejail profile would be used in combination with the --seccomp flag. But the default profile already uses seccomp so that flag would be redundant.

1 Like
20

Removed from wiki.

1 Like