I think we need to flesh out the Firejail stuff a bit, so people use better options e.g.
Firejail – A Security Sandbox for Mozilla Firefox, Part 1 | l3net – a layer 3 networking blog
Is it possible to run a video player like VLC or SMplayer by allowing it access to videos in filesystem, while blocking its access to the internet?
$ firejail --net=none vlc
If any problem is encountered, a solution is to replace “--net=none” with “--protocol=unix”, the effect will be the same as “--net=none”.
Is it possible to combine Firejail with TorBrowser, with the profiles you made for Firefox? (TorBrowser has full access to .gnupg folder contents of same user). It will be useful if you will write a separate blog article post about this if it is difficult to do.
You can reuse an existing profile for another application. Actually, this is how I start tor:
$ firejail --profile=/etc/firejail/firefox.profile ./start-tor-browser
Now, we can’t do the above in Whonix for Tor Browser (the firefox-esr.profile doesn’t work), but I’ve gone through the man firejail entry, and tried to run Tor Browser with various security options.
Most of them don’t work in Whonix e.g. --apparmor --caps.drop=all --private --overlay-tmpfs etc probably due to the unique environment running.
But --seccomp works nicely, as does --debug so you can see what the program is doing.
FYI
--seccomp
Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module, iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy, migrate_pages, move_pages, vmsplice, chroot, tuxcall, reboot, mfsservctl and get_kernel_syms.
System architecture is not strictly imposed. The filter is applied at run time only if the correct architecture was detected. For the case of I386 and AMD64 both 32-bit and 64-bit filters are installed.
So, using a layered security approach, surely we should recommend from the terminal for Firejail users:
firejail --debug --seccomp torbrowser
(it ends up using a default profile which isn’t too bad. Advanced users can build their own config)
This blacklists a lot of directories and processes - see man firejail for more information.
I thought the developer had released a tor browser .profile but I couldn’t find it, or at least it’s not part of the Debian 8 package that is installed.
PS Apparmor profile for Tor Browser in Whonix still unusable? Blank pages would only appear in recent times. Pity not to use it.
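A check to go with the --seccomp and --caps.drop=all options discussed above, as an added example that is not part of the original post or of Firejail: it reads the Seccomp and CapEff fields the Linux kernel exposes in /proc/<pid>/status to confirm that a filter is really attached to the sandboxed process. The function names are hypothetical and the sample status text is constructed.

```shell
#!/bin/sh
# Added example: report seccomp and capability state from /proc/<pid>/status text.

# status_field FILE NAME -> value of the "NAME:" line, or nothing if absent
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# seccomp_mode FILE -> disabled | strict | filter | unknown
seccomp_mode() {
    case "$(status_field "$1" Seccomp)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;    # what a working --seccomp should produce
        *) echo unknown ;;   # field missing (kernel older than 3.8) or unreadable
    esac
}

# caps_dropped FILE -> yes if the effective capability mask is all zeros
caps_dropped() {
    cap=$(status_field "$1" CapEff)
    case "$cap" in
        "")     echo unknown ;;
        *[!0]*) echo no ;;
        *)      echo yes ;;
    esac
}

# check_sandbox FILE -> one summary line; succeeds only if a seccomp filter is active
check_sandbox() {
    mode=$(seccomp_mode "$1")
    echo "seccomp=$mode caps_dropped=$(caps_dropped "$1")"
    [ "$mode" = filter ]
}

# Constructed sample of the relevant status lines for a sandboxed browser process.
sample=$(mktemp)
printf 'Name:\tfirefox\nCapEff:\t0000000000000000\nSeccomp:\t2\n' > "$sample"
check_sandbox "$sample"
rm -f "$sample"
# On a live system, pass the status file of the browser process inside the
# sandbox (not the firejail parent): check_sandbox /proc/PID/status
```

If an option is silently not applied in a given environment, the summary shows it as seccomp=disabled or caps_dropped=no.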