I can, and will iron out any issues as far as that is possible. Will look into adding variable to disable remount-exec function now. Please keep letting me know what is causing issues and I will look into fixes. Seems pretty simple on my side of adjusting /usr/bin/torbrowser for this use case, doable quickly.
/usr/bin/torbrowser is not critical but would be useful if that works. Has some usability features:
- open link confirmation
- notify non-zero (error) exit codes and advise visiting Tor Browser Essentials
- i2browser support
- SecBrowser support
- starter binary detection
- refuse running as root
- Waiting for tb-updater-first-boot.service is useful in Qubes to make sure permission fix is done for Qubes DispVMs.
- Check directory is not set to noexec and show error popup if that is the case.
- Avoid running in Qubes DVM Template.
- Avoid running in Qubes TemplateVM.
- running pre scripts through configuration folder
- injecting command line options through configuration folder
- folder permission check (often messed up after user data restore)
- remount-exec (related to (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? - can be looked into once that progressed)
Sane for sandbox to inherit environment variables? Probably not…
Then we need to somewhat, “emulate a full boot” inside the sandbox. At least setting relevant environment variables.
Related package: anon-ws-disable-stacked-tor
Related files:
- /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh
- /etc/X11/Xsession.d/20torbrowser
- (/etc/profile.d/20_torbrowser.sh)
Therefore sh (.) (or bash source) (load environment variables) from file /etc/X11/Xsession.d/20torbrowser? I.e.:
source /etc/X11/Xsession.d/20torbrowser
Somewhat unrelated, general question… Or source all of /etc/X11/Xsession.d/, source /etc/environment? (Check if file exists.)
What about hardened malloc ld preload inside sandbox?
(Hardened Malloc - Hardened Memory Allocator)
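For the question above about loading environment variables from a file such as /etc/X11/Xsession.d/20torbrowser rather than letting the sandbox inherit the caller's environment, here is one way to do it, as an added example that is not code from this post or from the project. The function names `env_from_file` and `run_clean` are hypothetical, and the sketch assumes the file is a shell fragment that exports the settings it wants passed on.

```shell
#!/bin/sh
# Added example: derive a minimal environment from a settings file instead
# of inheriting the caller's environment. Function names are hypothetical.

# Print NAME=value lines for every variable that sourcing FILE exports when
# started from an empty environment. Prints nothing if FILE is not readable
# (the "check if file exists" step). Variables the file sets without
# "export" are not captured. Multi-line values are not supported.
env_from_file() {
    file=$1
    [ -r "$file" ] || return 0
    # env -i drops everything the caller had; only a fixed PATH is given so
    # that the file's own commands can still be found.
    env -i PATH=/usr/bin:/bin sh -c '. "$1" >/dev/null 2>&1; env' sh "$file" |
        grep -v -e '^PATH=' -e '^PWD=' -e '^OLDPWD=' -e '^SHLVL=' -e '^_=' || :
}

# Run a command with an empty environment plus only what FILE exports.
# Usage: run_clean FILE command [args...]
run_clean() {
    file=$1
    shift
    (
        # Split the NAME=value list on newlines only, with globbing off, so
        # values containing spaces or wildcards stay intact.
        set -f
        IFS='
'
        # shellcheck disable=SC2046
        exec env -i PATH=/usr/bin:/bin $(env_from_file "$file") "$@"
    )
}
```

Files that are not shell fragments, such as /etc/environment, would need their own parser rather than being sourced.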