Automatically Firejailing Tor Browser

Yes. It’s going to be a looong time before the Wayland problems are ironed out and the protocol gains the needed extension and then have the necessary libs baked in to XFCE:

When Wayland comes along I don’t believe GUI isolation needs to be explicitly handled by firejail since it is all done properly by the compositor?

2 Likes

Why use --seccomp? Why not use the default firejail profile?

The default firejail profile would be used in combination with the --seccomp flag. But the default profile already uses seccomp so that flag would be redundant.

1 Like

Removed from wiki.

1 Like

Anyone managed to make firejail gui isolation work?

firejail --x11

1 Like

I have. It’s pretty simple but it might be a bit annoying to use as the external X server has to be set at a specific resolution which may be better or worse depending on the user’s monitor.

2 Likes

Which helper package (required as far as I understand) would be better/recommended/easier/safer/whatnot?

  • xpra
  • xserver-xephyr

Which did you use?

1 Like

I prefer to use Xephyr. Xpra seems a bit more complicated.

1 Like

What about…?

--x11=xorg

Seems to have zero usability impact?

1 Like

--x11=xephyr --xephyr-screen=1366x768 is also interesting since then we could get a better web fingerprint by using the most popular screen resolution on desktop computers? But xephyr looks weird in Qubes. All window contents on the left and then a lot of black area on the right side. Looks incompatible. And xephyr breaks copy/paste of text from and to the browser window?

--x11=xpra crashed for me in a Qubes VM.

So for Qubes --x11=xorg seems like the way to go for now.

2 Likes

--x11=xorg uses the X security extension which is poorly documented.

https://www.x.org/wiki/Development/Documentation/Security/

It will also allow applications which both use the security extension to interact with each other as if there was no sandbox at all.

I found some discussion here: “What is up with the X11 SECURITY extension?” (r/linux)

1 Like

That’s to be expected since X handles the clipboard.

1 Like

I’ve been messing around with xpra and bubblewrap and xpra seems to be a better choice than xephyr. It allows for near seamless X11 sandboxing.

Although xpra has a really large attack surface. It has webcam forwarding, mic forwarding, mDNS, its own web server, printing support, it can be accessed over SSH, TCP, UDP and a whole bunch of other things.

Luckily, many of these things can be disabled through flags. e.g. the --mdns=no flag can be used to disable mDNS. There doesn’t seem to be a flag to explicitly disallow any connections over the network so I used an AppArmor profile to explicitly deny network access.

Dunno how firejail deals with these.

2 Likes
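
A small check for the approach described in the post above, as an added example that is not part of the thread or of xpra/firejail: it reports which of the listed xpra features a given command line does not explicitly switch off, and any network listener it requests. Only `--mdns=no` comes from the thread; the other option names, the function name and the sample command line are assumptions to confirm against `man xpra` for the installed version.

```shell
#!/bin/sh
# Added example: audit an xpra command line for features left enabled.
# Assumption: each feature is controlled by an option named --<feature>=...
# (only --mdns=no is taken from the thread; verify the rest in `man xpra`).
XPRA_FEATURES="mdns webcam microphone printing html"

# Prints one "<feature>:<state>" line for every feature that is not
# explicitly disabled, and one "listener:<arg>" line for every
# --bind-<transport>= option (e.g. --bind-tcp), since there is no single
# switch that forbids network access.
xpra_audit() {
    findings=""
    for feat in $XPRA_FEATURES; do
        state="unset"
        # The last occurrence of an option wins, as on a real command line.
        for arg in "$@"; do
            case "$arg" in
                --"$feat"=no|--"$feat"=off|--"$feat"=false|--"$feat"=0|--"$feat"=disabled)
                    state="off" ;;
                --"$feat"=*)
                    state="on" ;;
            esac
        done
        [ "$state" = "off" ] || findings="${findings}${feat}:${state}
"
    done
    for arg in "$@"; do
        case "$arg" in
            --bind-*=*)
                findings="${findings}listener:${arg}
" ;;
        esac
    done
    printf '%s' "$findings"
}

# Constructed sample command line: mDNS and webcam are off, the rest is not.
xpra_audit start :100 --mdns=no --webcam=no --bind-tcp=0.0.0.0:14500
```

An empty result means every listed feature was explicitly disabled and no network listener was requested; it says nothing about what an AppArmor profile or other confinement additionally blocks.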

It doesn’t look like firejail disables any of these, which is a bit worrying: firejail/src/firejail/x11.c at master · netblue30/firejail · GitHub

2 Likes