Automatically Firejailing Tor Browser

troubadour · October 15, 2018, 9:06pm

Playing with firejail. There are many threads, I choose that one since it concerns Tor Browser.

Done in firejail 0.9.56-2, available from Debian testing. It installs both firejail and firejail-profiles packages.

I wrote a profile for /usr/bin/torbrowser.

Regarding this thread’s subject, automatically using (or not) any profile is a matter of appending (or commenting) the program name in firecfg.config and running firecfg as root.

The question is, should we create a package for firejail, something like firejail-profiles-whonix, because it should be more than torbrowser. An example: thunderbird cannot open external links when sandboxed, most likely because we do not run Tor Browser directly.

This is very preliminary, from a first glance. There are more issues, like the location of firecfg.config, the real status of children programs…

Patrick · October 17, 2018, 11:04am

If the profiles are tested exclusively in Whonix then firejail-profiles-whonix. But that package name someone hinders ports to Debian. If one package with many profiles for simplicity (easier just to have one package) seems most appealing please go for it. Since you’re the one implementing it, I guess I should just brainstorm and let you decide what you find most appealing.

Could also put into GitHub - Kicksecure/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening).. Maybe that name is good enough or I rename all our apparmor-profile-* packages to enforcement-profiles-torbrowser etc. so apparmor and firejail can go there? Or not worth it, will apparmor be a thing of the past in favor of firejail?

Or firejail-profiles (when that will be existing as per https://community.parrotsec.org/t/firejail-implementation-details/2175/9?u=adrelanos).

nurmagoz · October 26, 2018, 6:33am

" Perhaps you can create a torbrowser profile and do a pull request."

github.com/netblue30/firejail

Firejail 0.9.56 + TorBrowserBundle 8.0.2 Doesnt start inside Whonix

opened 04:59PM - 04 Oct 18 UTC

closed 11:15AM - 15 May 19 UTC

TNTBOMBOM

Hi there, i was trying to run firejail version 0.9.56 with Tor Browser insid…e Whonix Anonymous OS , but it will not run at all. wonder if someone can drop the light on the issue here: ``` user@host:~$ firejail --debug torbrowser Autoselecting /bin/bash as shell Building quoted command line: 'torbrowser' Command name #torbrowser# Attempting to find default.profile... Found default profile in /etc/firejail directory Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** DISPLAY=:0 parsed as 0 Using the local network stack Parent pid 7580, child pid 7581 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp.postexec file Build protocol filter: unix,inet,inet6 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp.protocol (null) Dropping all capabilities Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1 No supplementary groups Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/dhcp Mounting tmpfs on /var/lib/sudo Create the new utmp file Mount the new utmp file Cleaning /home directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/x11 Remounting /proc and /proc/sys filesystems Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/config.gz Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kallsyms Disable /lib/modules Disable /boot Disable /dev/port Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /dev/kmsg Disable /proc/kmsg Disable /home/user/.bash_history Disable /etc/X11/Xsession.d Disable /etc/xdg/autostart Disable /home/user/.config/kscreenlockerrc Mounting read-only /home/user/.cache/ksycoca5_en_DUcAY8MHK9CqUalxnSyf45tD93g= Mounting read-only /home/user/.config/knotifyrc Mounting read-only /home/user/.config/kdeglobals Mounting read-only /home/user/.config/kio_httprc Mounting read-only /home/user/.local/share/konsole Disable /run/user/1000/kdeinit5__0 Disable /var/lib/systemd Disable /var/cache/apt Disable /var/lib/apt Disable /var/mail Disable /var/opt Disable /var/spool/cron Disable /var/mail (requested /var/spool/mail) Disable /etc/cron.hourly Disable /etc/cron.monthly Disable /etc/cron.weekly Disable /etc/cron.d Disable /etc/cron.daily Disable /etc/crontab Disable /etc/profile.d Disable /etc/rc.local Disable /etc/rc1.d Disable /etc/rc0.d Disable /etc/rcS.d Disable /etc/rc5.d Disable /etc/rc4.d Disable /etc/rc2.d Disable /etc/rc3.d Disable /etc/rc6.d Disable /etc/kernel Disable /etc/apparmor.d Disable /etc/apparmor Disable /etc/selinux Disable /etc/modules Disable /etc/modules-load.d Disable /etc/logrotate.conf Disable /etc/logrotate.d Disable /etc/adduser.conf Mounting read-only /home/user/.bash_logout Mounting read-only /home/user/.bashrc.whonix Mounting read-only /home/user/.profile Mounting read-only /home/user/.nano Disable /home/user/.local/share/Trash Disable /home/user/.gnupg Disable /home/user/.pki Disable /etc/group- Disable /etc/gshadow Disable /etc/gshadow- Disable /etc/passwd- Disable /etc/shadow Disable /etc/shadow- Disable /sbin Disable /usr/local/sbin Disable /usr/sbin Disable /usr/bin/chage Disable /usr/bin/chfn Disable /usr/bin/chsh Disable /usr/bin/crontab Disable /usr/bin/expiry Disable /bin/fusermount Disable /usr/bin/gpasswd Disable /bin/mount Disable /usr/bin/newgrp Disable /bin/ntfs-3g Disable /usr/bin/pkexec Disable /usr/bin/newgrp (requested /usr/bin/sg) Disable /usr/bin/strace Disable /bin/su Disable /usr/bin/sudo Disable /bin/umount Disable /usr/bin/xev Mounting noexec /tmp/.X11-unix Disable /home/user/.config/KeePass Disable /home/user/.config/keepassx Disable /home/user/.config/baloofilerc Disable /home/user/.config/dolphinrc Disable /home/user/.config/emaildefaults Disable /home/user/.config/enchant Disable /home/user/.config/hexchat Disable /home/user/.config/katepartrc Disable /home/user/.config/katevirc Disable /home/user/.config/kwriterc Disable /home/user/.config/org.kde.gwenviewrc Disable /home/user/.config/torbrowser Disable /home/user/.config/vlc Disable /home/user/.local/share/baloo Disable /home/user/.local/share/dolphin Disable /home/user/.local/share/kwrite Disable /home/user/.local/share/meld Disable /home/user/.local/share/org.kde.gwenview Disable /home/user/.local/share/torbrowser Disable /home/user/.local/share/vlc Disable /home/user/.mozilla Disable /home/user/.thunderbird Disable /home/user/.cache/mozilla Disable /home/user/.cache/thunderbird Disable /sys/fs Disable /sys/module 1154 1034 0:91 /pulse /home/user/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 fsname=/pulse dir=/home/user/.config/pulse fstype=tmpfs Current directory: /home/user DISPLAY=:0 parsed as 0 Dropping all capabilities Install protocol filter: unix,inet,inet6 configuring 14 seccomp entries in /run/firejail/mnt/seccomp.protocol sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp.protocol (null) Dropping all capabilities Drop privileges: pid 3, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 01 00 00000029 jeq socket 0006 (false 0005) 0005: 06 00 00 7fff0000 ret ALLOW 0006: 20 00 00 00000010 ld data.args[0] 0007: 15 00 01 00000001 jeq 1 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 00000002 jeq 2 000a (false 000b) 000a: 06 00 00 7fff0000 ret ALLOW 000b: 15 00 01 0000000a jeq a 000c (false 000d) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 06 00 00 0005005f ret ERRNO(95) configuring 54 seccomp entries in /run/firejail/mnt/seccomp.32 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp.32 (null) Dropping all capabilities Drop privileges: pid 4, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 30 00 00000015 jeq 15 0035 (false 0005) 0005: 15 2f 00 00000034 jeq 34 0035 (false 0006) 0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007) 0007: 15 2d 00 0000011b jeq 11b 0035 (false 0008) 0008: 15 2c 00 00000155 jeq 155 0035 (false 0009) 0009: 15 2b 00 00000156 jeq 156 0035 (false 000a) 000a: 15 2a 00 0000007f jeq 7f 0035 (false 000b) 000b: 15 29 00 00000080 jeq 80 0035 (false 000c) 000c: 15 28 00 0000015e jeq 15e 0035 (false 000d) 000d: 15 27 00 00000081 jeq 81 0035 (false 000e) 000e: 15 26 00 0000006e jeq 6e 0035 (false 000f) 000f: 15 25 00 00000065 jeq 65 0035 (false 0010) 0010: 15 24 00 00000121 jeq 121 0035 (false 0011) 0011: 15 23 00 00000057 jeq 57 0035 (false 0012) 0012: 15 22 00 00000073 jeq 73 0035 (false 0013) 0013: 15 21 00 00000067 jeq 67 0035 (false 0014) 0014: 15 20 00 0000015b jeq 15b 0035 (false 0015) 0015: 15 1f 00 0000015c jeq 15c 0035 (false 0016) 0016: 15 1e 00 00000087 jeq 87 0035 (false 0017) 0017: 15 1d 00 00000095 jeq 95 0035 (false 0018) 0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019) 0019: 15 1b 00 00000157 jeq 157 0035 (false 001a) 001a: 15 1a 00 000000fd jeq fd 0035 (false 001b) 001b: 15 19 00 00000150 jeq 150 0035 (false 001c) 001c: 15 18 00 00000152 jeq 152 0035 (false 001d) 001d: 15 17 00 0000015d jeq 15d 0035 (false 001e) 001e: 15 16 00 0000011e jeq 11e 0035 (false 001f) 001f: 15 15 00 0000011f jeq 11f 0035 (false 0020) 0020: 15 14 00 00000120 jeq 120 0035 (false 0021) 0021: 15 13 00 00000056 jeq 56 0035 (false 0022) 0022: 15 12 00 00000033 jeq 33 0035 (false 0023) 0023: 15 11 00 0000007b jeq 7b 0035 (false 0024) 0024: 15 10 00 000000d9 jeq d9 0035 (false 0025) 0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026) 0026: 15 0e 00 000000f6 jeq f6 0035 (false 0027) 0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028) 0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029) 0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a) 002a: 15 0a 00 00000101 jeq 101 0035 (false 002b) 002b: 15 09 00 00000112 jeq 112 0035 (false 002c) 002c: 15 08 00 00000114 jeq 114 0035 (false 002d) 002d: 15 07 00 00000126 jeq 126 0035 (false 002e) 002e: 15 06 00 0000013d jeq 13d 0035 (false 002f) 002f: 15 05 00 0000013c jeq 13c 0035 (false 0030) 0030: 15 04 00 0000003d jeq 3d 0035 (false 0031) 0031: 15 03 00 00000058 jeq 58 0035 (false 0032) 0032: 15 02 00 000000a9 jeq a9 0035 (false 0033) 0033: 15 01 00 00000082 jeq 82 0035 (false 0034) 0034: 06 00 00 7fff0000 ret ALLOW 0035: 06 00 00 00000000 ret KILL Dual 32/64 bit seccomp filter configured configuring 74 seccomp entries in /run/firejail/mnt/seccomp sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp (null) Dropping all capabilities Drop privileges: pid 5, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008) 0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009) 0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a) 000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false 000b) 000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c) 000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d) 000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e) 000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f) 000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010) 0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011) 0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012) 0012: 15 36 00 000000b9 jeq security 0049 (false 0013) 0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014) 0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015) 0015: 15 33 00 00000086 jeq uselib 0049 (false 0016) 0016: 15 32 00 00000088 jeq ustat 0049 (false 0017) 0017: 15 31 00 000000ec jeq vserver 0049 (false 0018) 0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019) 0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a) 001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b) 001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c) 001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d) 001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e) 001e: 15 2a 00 000000af jeq init_module 0049 (false 001f) 001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020) 0020: 15 28 00 000000ac jeq iopl 0049 (false 0021) 0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022) 0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023) 0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024) 0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025) 0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026) 0026: 15 22 00 000000a3 jeq acct 0049 (false 0027) 0027: 15 21 00 00000141 jeq bpf 0049 (false 0028) 0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029) 0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a) 002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b) 002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c) 002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d) 002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e) 002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f) 002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030) 0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031) 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032) 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033) 0033: 15 15 00 000000ed jeq mbind 0049 (false 0034) 0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false 0035) 0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false 0036) 0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037) 0037: 15 11 00 00000067 jeq syslog 0049 (false 0038) 0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039) 0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a) 003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b) 003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c) 003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d) 003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e) 003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f) 003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040) 0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041) 0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042) 0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false 0043) 0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044) 0044: 15 04 00 00000143 jeq userfaultfd 0049 (false 0045) 0045: 15 03 00 00000065 jeq ptrace 0049 (false 0046) 0046: 15 02 00 00000087 jeq personality 0049 (false 0047) 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false 0048) 0048: 06 00 00 7fff0000 ret ALLOW 0049: 06 00 01 00000000 ret KILL seccomp filter configured noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0 Supplementary groups: 29 starting application LD_PRELOAD=(null) Running 'torbrowser' command through /bin/bash execvp argument 0: /bin/bash execvp argument 1: -c execvp argument 2: 'torbrowser' Child process initialized in 35.20 ms Installing /run/firejail/mnt/seccomp seccomp filter Installing /run/firejail/mnt/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp.protocol seccomp filter monitoring pid 6 Sandbox monitor: waitpid 6 retval 6 status 0 Sandbox monitor: monitoring 40 monitoring pid 40 Sandbox monitor: waitpid 40 retval 40 status 0 Parent is shutting down, bye... user@host:~$ ``` Thanks!

cc @HulaHoop @0brand @torjunkie

torjunkie · October 29, 2018, 10:09am

Thanks for following this up.

madaidan · May 5, 2019, 3:42pm

It seems that Firejail is going to be installed by default in Whonix 15 so this seems like it’d be a good idea.

Any Xorg window has access to any other Xorg window. This makes it easier for things like keyloggers or screenshot programs that can even record the root password. [1]

Firejail has a way to sandbox these windows with an external X11 server so one window doesn’t have access to another window. It seems that there is only support for Xpra and Xephyr. I prefer Xephyr over Xpra.

Would it be good for Whonix to sandbox the Tor Browser or other programs in an X11 sandbox by default?

There is a guide on X11 sandboxing here

The Linux Security Circus: On GUI isolation | The Invisible Things

HulaHoop · May 5, 2019, 7:19pm

A quote from @Patrick in another thread:

Though I think the implications are worth researching and asking The Tor Project about if you don’t mind posting on theirTor Browser mailing list.

Patrick · May 5, 2019, 8:19pm

Worth investing time into X11?
Wayland more suitable?
On the downside XFCE doesn’t support wayland yet.

As for firejail that’s not doable since we don’t have a firejail maintainer, see:

https://forums.whonix.org/t/looking-for-firejail-seccomp-maintainer-for-better-security/2211

madaidan · May 5, 2019, 8:23pm

Wayland would be much more suitable than X11 but right now X11 is the only choice unless Whonix uses something else as the default DE.

I’ll research into if there are any fingerprinting issues with firejail.

I would volunteer to maintain firejail but I don’t have any experience with that.

HulaHoop · May 6, 2019, 4:20am

Yes. It’s going to be a looong time before the wayland problems are ironed out and the protocol gains the needed extension and then have the necessary libs baked in to XFCE:

When Wayland comes along I don’t believe GUI isolation needs to be explicitly handled by firejail since it is all done properly by the compositor?

Patrick · July 18, 2019, 5:18pm

github.com/netblue30/firejail

Tor Browser profile for Whonix / tb-updater

opened 05:17PM - 18 Jul 19 UTC

closed 06:00PM - 17 Sep 19 UTC

adrelanos

enhancement

TLDR: Could you please provide a firejail profile for use with Tor Browser wh…en using path `/home/user/.tb/tor-browser` as installation folder? This would then work for all users of tb-updater (Debian, Qubes and Whonix users). ---- Long: Whonix maintainer here. In Whonix we are using a slightly different folder. /home/user/.tb/tor-browser/ Full path to `start-tor-browser.desktop` /home/user/.tb/tor-browser/start-tor-browser.desktop Working: firejail --private=/home/user/.tb/tor-browser ./start-tor-browser.desktop Not working: firejail --private=/home/user/.tb/tor-browser /home/user/.tb/tor-browser/start-tor-browser.desktop > Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found Can we avoid using `--private`? Could we somehow use the full path to `/home/user/.tb/tor-browser/start-tor-browser.desktop`? I would hope that using firejail can become a simple prepend firejail vs not prepend firejail. At the moment our startup wrapper /usr/bin/torbrowser (does various unrelated things) does in essence: cd ~/.tb/tor-browser /home/user/.tb/tor-browser/start-tor-browser.desktop Which is working. firejail --profile=/etc/firejail/torbrowser-launcher.profile /home/user/.tb/tor-browser/start-tor-browser.desktop > Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found ls -la /home/user/.tb/tor-browser/start-tor-browser.desktop > -rwx------ 1 user user 1726 Jul 18 16:45 /home/user/.tb/tor-browser/start-tor-browser.desktop Also previously running `cd ~/.tb/tor-browser` does not help. Also same error: firejail --profile=/etc/firejail/tor-browser-en-us.profile /home/user/.tb/tor-browser/start-tor-browser.desktop `start-tor-browser.desktop` is special indeed. cat start-tor-browser.desktop > #!/usr/bin/env ./Browser/execdesktop .... Might that be confusing firejail? What does also work: (based on https://github.com/netblue30/firejail/issues/2429#issuecomment-465545751 thanks to @rusty-snake) firejail --whitelist=$HOME/.tb/tor-browser --profile=/etc/firejail/start-tor-browser.profile $HOME/.tb/tor-browser/Browser/start-tor-browser --detach What also works: firejail --profile=/etc/firejail/start-tor-browser.profile $HOME/.tb/tor-browser/Browser/start-tor-browser Why were we able to drop `--whitelist=$HOME/.tb/tor-browser`? Is profile `/etc/firejail/start-tor-browser.profile` only covering /home/user/.tb/tor-browser/Browser/start-tor-browser or all subsequent execution (i.e. the forked Firefox)?

Patrick · July 19, 2019, 1:21pm

Why use --seccomp? Why not use the default firejail profile?

madaidan · July 19, 2019, 2:27pm

The default firejail profile would be used in combination with the --seccomp flag. But the default profile already uses seccomp so that flag would be redundant.

Patrick · July 19, 2019, 2:50pm

Removed from wiki.

Patrick · July 19, 2019, 2:50pm

Anyone managed to make firejail gui isolation work?

firejail --x11

madaidan · July 19, 2019, 2:54pm

I have. It’s pretty simple but it might be a bit annoying to use as the external X server has to be set at a specific resolution which may be better or worse depending on the users monitor.

Patrick · July 19, 2019, 2:55pm

Which helper package (required as far as I understand) would be better/recommended/easier/safer/whatnot?

xpra
xserver-xephyr

Which did you use?

madaidan · July 19, 2019, 3:00pm

I prefer to use Xephyr. Xpra seems a bit more complicated.

Patrick · July 19, 2019, 4:49pm

What about…?

--x11=xorg

Seems to have zero usability impact?

Patrick · July 19, 2019, 4:58pm

--x11=xephyr --xephyr-screen=1366x768 is also interesting since then we could get a better web fingerprint by using the most popular screen resolution on desktop computers? But xephyr looks weird in Qubes. All window contents on the left and then a lot black area on the right side. Looks incompatible. And xephyr breaks copy/paste of text from and to the browser window?

--x11=xpra crashed for me in a Qubes VM.

So for Qubes --x11=xorg seems like the way to go for now.

Patrick · July 19, 2019, 5:04pm