System-wide sandboxing framework - sandbox-app-launcher

This is an issue in a Qubes TempalteBasedVM.

sandbox-app-launcher firefox

ERROR: Must run as root.

sudo sandbox-app-launcher firefox

bwrap: Can’t find source path /home/sandbox-app-launcher-appdata/firefox: Permission denied

The issue is that after reboot the new user created by useradd is lost but the home folder might still exist.

Reasons for using adduser instead of useradd:

1 Like

But got another issue now.

bwrap: Can’t find source path /home/sandbox-app-launcher-appdata/nano: Permission denied

sudo stat /home/sandbox-app-launcher-appdata/nano

File: /home/sandbox-app-launcher-appdata/nano
Access: (0700/drwx------) Uid: ( 1003/sandbox-nano) Gid: ( 1003/sandbox-nano)

1 Like
stat /home/sandbox-app-launcher-appdata

File: /home/sandbox-app-launcher-appdata
Access: (0750/drwxr-x—) Uid: ( 0/ root) Gid: ( 0/ root)

1 Like

This fixes it.

1 Like
1 Like

There is a lot stuff in /etc/X11/Xsession.d. I am looking for ways to parse all in a generic way.

find /etc/X11/Xsession.d

/etc/X11/Xsession.d/
/etc/X11/Xsession.d/50default_editor
/etc/X11/Xsession.d/50panic_on_oops
/etc/X11/Xsession.d/20uwt
/etc/X11/Xsession.d/50anon-apps-config
/etc/X11/Xsession.d/30x11-common_xresources
/etc/X11/Xsession.d/50security-misc
/etc/X11/Xsession.d/20whonix-welcome-page
/etc/X11/Xsession.d/20torbrowser
/etc/X11/Xsession.d/95dbus_update-activation-env
/etc/X11/Xsession.d/99x11-common_start
/etc/X11/Xsession.d/50tb_default_browser
/etc/X11/Xsession.d/90x11-common_ssh-agent
/etc/X11/Xsession.d/75dbus_dbus-launch
/etc/X11/Xsession.d/50x11-common_determine-startup
/etc/X11/Xsession.d/40open_link_confirmation_kde
/etc/X11/Xsession.d/20qt-gnome-desktop-session-id
/etc/X11/Xsession.d/35x11-common_xhost-local
/etc/X11/Xsession.d/40x11-common_xsessionrc
/etc/X11/Xsession.d/20qt-x11-no-mitshm
/etc/X11/Xsession.d/90gpg-agent
/etc/X11/Xsession.d/20x11-common_process-args
/etc/X11/Xsession.d/25xdg-qubes-settings
/etc/X11/Xsession.d/40open_link_confirmation
/etc/X11/Xsession.d/50torbrowser_default_browser
/etc/X11/Xsession.d/20whonix
/etc/X11/Xsession.d/90qubes-keymap

1 Like

Here is an example wrapper script that I’ve been auto generating:
/var/cache/sandbox-app-launcher-autogenerated/wrappers-wx/torbrowser

#!/bin/sh

## Using sh because /etc/X11/Xsession is written in sh.

## Debugging.
set -x

export sandbox_app_launcher_wrapper_script=true
SYSSESSIONDIR=/etc/X11/Xsession.d
SESSIONFILES=$(run-parts --list $SYSSESSIONDIR)
if [ -n "$SESSIONFILES" ]; then
  set +e
  for SESSIONFILE in $SESSIONFILES; do
    if [ "$SESSIONFILE" = "/etc/X11/Xsession.d/99x11-common_start" ]; then
       continue
    fi
    . $SESSIONFILE
  done
  set -e
fi
"/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/start-tor-browser" "${@}"
1 Like

Here is the relevant xtrace.

+ export sandbox_app_launcher_wrapper_script=true
+ SYSSESSIONDIR=/etc/X11/Xsession.d
+ run-parts --list /etc/X11/Xsession.d
+ SESSIONFILES=/etc/X11/Xsession.d/20qt-gnome-desktop-session-id
/etc/X11/Xsession.d/20qt-x11-no-mitshm
/etc/X11/Xsession.d/20torbrowser
/etc/X11/Xsession.d/20uwt
/etc/X11/Xsession.d/20whonix
/etc/X11/Xsession.d/20whonix-welcome-page
/etc/X11/Xsession.d/20x11-common_process-args
/etc/X11/Xsession.d/25xdg-qubes-settings
/etc/X11/Xsession.d/30x11-common_xresources
/etc/X11/Xsession.d/35x11-common_xhost-local
/etc/X11/Xsession.d/40open_link_confirmation
/etc/X11/Xsession.d/40open_link_confirmation_kde
/etc/X11/Xsession.d/40x11-common_xsessionrc
/etc/X11/Xsession.d/50anon-apps-config
/etc/X11/Xsession.d/50default_editor
/etc/X11/Xsession.d/50panic_on_oops
/etc/X11/Xsession.d/50security-misc
/etc/X11/Xsession.d/50tb_default_browser
/etc/X11/Xsession.d/50torbrowser_default_browser
/etc/X11/Xsession.d/50x11-common_determine-startup
/etc/X11/Xsession.d/75dbus_dbus-launch
/etc/X11/Xsession.d/90gpg-agent
/etc/X11/Xsession.d/90qubes-keymap
/etc/X11/Xsession.d/90x11-common_ssh-agent
/etc/X11/Xsession.d/95dbus_update-activation-env
/etc/X11/Xsession.d/99x11-common_start
+ [ -n /etc/X11/Xsession.d/20qt-gnome-desktop-session-id
/etc/X11/Xsession.d/20qt-x11-no-mitshm
/etc/X11/Xsession.d/20torbrowser
/etc/X11/Xsession.d/20uwt
/etc/X11/Xsession.d/20whonix
/etc/X11/Xsession.d/20whonix-welcome-page
/etc/X11/Xsession.d/20x11-common_process-args
/etc/X11/Xsession.d/25xdg-qubes-settings
/etc/X11/Xsession.d/30x11-common_xresources
/etc/X11/Xsession.d/35x11-common_xhost-local
/etc/X11/Xsession.d/40open_link_confirmation
/etc/X11/Xsession.d/40open_link_confirmation_kde
/etc/X11/Xsession.d/40x11-common_xsessionrc
/etc/X11/Xsession.d/50anon-apps-config
/etc/X11/Xsession.d/50default_editor
/etc/X11/Xsession.d/50panic_on_oops
/etc/X11/Xsession.d/50security-misc
/etc/X11/Xsession.d/50tb_default_browser
/etc/X11/Xsession.d/50torbrowser_default_browser
/etc/X11/Xsession.d/50x11-common_determine-startup
/etc/X11/Xsession.d/75dbus_dbus-launch
/etc/X11/Xsession.d/90gpg-agent
/etc/X11/Xsession.d/90qubes-keymap
/etc/X11/Xsession.d/90x11-common_ssh-agent
/etc/X11/Xsession.d/95dbus_update-activation-env
/etc/X11/Xsession.d/99x11-common_start ]
+ set +e
+ [ /etc/X11/Xsession.d/20qt-gnome-desktop-session-id = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20qt-gnome-desktop-session-id
+ [ -z  ]
+ export GNOME_DESKTOP_SESSION_ID=
+ [ /etc/X11/Xsession.d/20qt-x11-no-mitshm = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20qt-x11-no-mitshm
+ export QT_X11_NO_MITSHM=1
+ [ /etc/X11/Xsession.d/20torbrowser = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20torbrowser
+ [ -x /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh ]
+ . /usr/lib/anon-ws-disable-stacked-tor/torbrowser.sh
+ export TOR_SKIP_LAUNCH=1
+ export TOR_SOCKS_IPC_PATH=/run/anon-ws-disable-stacked-tor/127.0.0.1_9150.sock
+ export TOR_CONTROL_IPC_PATH=/run/anon-ws-disable-stacked-tor/127.0.0.1_9151.sock
+ export TOR_SKIP_CONTROLPORTTEST=1
+ export TOR_NO_DISPLAY_NETWORK_SETTINGS=1
+ [ /etc/X11/Xsession.d/20uwt = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20uwt
+ [ -x /usr/lib/uwt/uwt.sh ]
+ . /usr/lib/uwt/uwt.sh
+ export TORSOCKS_LOG_LEVEL=1
+ [ /etc/X11/Xsession.d/20whonix = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20whonix
+ [ -x /usr/lib/whonix/whonix.sh ]
+ . /usr/lib/whonix/whonix.sh
+ export WHONIX=1
+ export TOR_HIDE_BROWSER_LOGO=1
+ [ /etc/X11/Xsession.d/20whonix-welcome-page = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20whonix-welcome-page
+ [ -x /usr/lib/whonix-welcome-page/env_var.sh ]
+ . /usr/lib/whonix-welcome-page/env_var.sh
+ [  =  ]
+ TOR_DEFAULT_HOMEPAGE=/usr/share/homepage/whonix-welcome-page/whonix.html
+ export TOR_DEFAULT_HOMEPAGE
+ [ /etc/X11/Xsession.d/20x11-common_process-args = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/20x11-common_process-args
+ cat 
cat: '': No such file or directory
+ OPTIONS=
+ true
+ [ /etc/X11/Xsession.d/25xdg-qubes-settings = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/25xdg-qubes-settings
+ [ -x /usr/bin/xsettingsd ]
+ [ /etc/X11/Xsession.d/30x11-common_xresources = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/30x11-common_xresources
+ [ -d  ]
+ has_option allow-user-resources
+ [  !=  ]
+ return 1
+ [ /etc/X11/Xsession.d/35x11-common_xhost-local = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/35x11-common_xhost-local
+ type xhost
+ id -un
+ xhost +si:localuser:sandbox-torbrowser
localuser:sandbox-torbrowser being added to access control list
+ [ /etc/X11/Xsession.d/40open_link_confirmation = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/40open_link_confirmation
+ [ -x /usr/lib/open-link-confirmation/open-link-confirmation.sh ]
+ . /usr/lib/open-link-confirmation/open-link-confirmation.sh
+ export BROWSER=/usr/lib/open_link_confirmation
+ [ /etc/X11/Xsession.d/40open_link_confirmation_kde = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/40open_link_confirmation_kde
+ [ -z  ]
+ XDG_CONFIG_DIRS=/etc/xdg
+ export XDG_CONFIG_DIRS=/usr/share/open-link-confirmation/:/etc/xdg
+ [ /etc/X11/Xsession.d/40x11-common_xsessionrc = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/40x11-common_xsessionrc
+ [ -r  ]
+ [ /etc/X11/Xsession.d/50anon-apps-config = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50anon-apps-config
+ [ -z /usr/share/open-link-confirmation/:/etc/xdg ]
+ export XDG_CONFIG_DIRS=/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg
+ [ -z  ]
+ XDG_DATA_DIRS=/usr/local/share/:/usr/share/
+ export XDG_DATA_DIRS=/usr/share/anon-apps-config/share/:/usr/local/share/:/usr/share/
+ [ /etc/X11/Xsession.d/50default_editor = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50default_editor
+ [ -x /usr/lib/default-editor/default_editor.sh ]
+ . /usr/lib/default-editor/default_editor.sh
+ [  =  ]
+ command -v mousepad
+ VISUAL=mousepad
+ export VISUAL
+ [ /etc/X11/Xsession.d/50panic_on_oops = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50panic_on_oops
+ [ -x /usr/lib/security-misc/panic-on-oops ]
+ sudo --non-interactive /usr/lib/security-misc/panic-on-oops
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
+ [ /etc/X11/Xsession.d/50security-misc = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50security-misc
+ [ -z /usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg ]
+ export XDG_CONFIG_DIRS=/usr/share/security-misc/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg
+ [ /etc/X11/Xsession.d/50tb_default_browser = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50tb_default_browser
+ [ -x /usr/lib/tb-default-browser/tb_default_browser.sh ]
+ . /usr/lib/tb-default-browser/tb_default_browser.sh
+ export BROWSER=/usr/bin/x-www-browser
+ [ /etc/X11/Xsession.d/50torbrowser_default_browser = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50torbrowser_default_browser
+ [ -z /usr/share/security-misc/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg ]
+ export XDG_CONFIG_DIRS=/usr/share/torbrowser-default-browser/:/usr/share/security-misc/:/usr/share/anon-apps-config/:/usr/share/open-link-confirmation/:/etc/xdg
+ [ /etc/X11/Xsession.d/50x11-common_determine-startup = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/50x11-common_determine-startup
+ [ -z  ]
+ has_option allow-user-xsession
+ [  !=  ]
+ return 1
+ [ -z  ]
+ [ -x /usr/bin/x-session-manager ]
+ [ -x /usr/bin/x-window-manager ]
+ [ -x /usr/bin/x-terminal-emulator ]
+ STARTUP=x-terminal-emulator
+ [ -z x-terminal-emulator ]
+ [ /etc/X11/Xsession.d/75dbus_dbus-launch = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/75dbus_dbus-launch
+ STARTDBUS=
+ DBUSLAUNCH=/usr/bin/dbus-launch
+ has_option use-session-dbus
+ [  !=  ]
+ return 1
+ [ -n  ]
+ [ /etc/X11/Xsession.d/90gpg-agent = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/90gpg-agent
+ gpgconf --list-dirs agent-socket
+ agent_sock=/home/sandbox-app-launcher-appdata/torbrowser/.gnupg/S.gpg-agent
+ export GPG_AGENT_INFO=/home/sandbox-app-launcher-appdata/torbrowser/.gnupg/S.gpg-agent:0:1
+ gpgconf --list-options gpg-agent
+ awk -F: /^enable-ssh-support:/{ print $10 }
+ [ -n  ]
+ [ /etc/X11/Xsession.d/90qubes-keymap = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/90qubes-keymap
+ /usr/bin/qubesdb-read /qubes-keyboard
Failed connect to local daemon
+ QUBES_KEYMAP=
+ /bin/echo -e
+ QUBES_KEYMAP=
+ cat /home/sandbox-app-launcher-appdata/torbrowser/.config/qubes-keyboard-layout.rc
+ QUBES_USER_KEYMAP=
+ [ -n  ]
+ [ -n  ]
+ [ /etc/X11/Xsession.d/90x11-common_ssh-agent = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/90x11-common_ssh-agent
+ STARTSSH=
+ SSHAGENT=/usr/bin/ssh-agent
+ SSHAGENTARGS=
+ has_option use-ssh-agent
+ [  !=  ]
+ return 1
+ [ -n  ]
+ [ /etc/X11/Xsession.d/95dbus_update-activation-env = /etc/X11/Xsession.d/99x11-common_start ]
+ . /etc/X11/Xsession.d/95dbus_update-activation-env
+ [ -n  ]
+ [ /etc/X11/Xsession.d/99x11-common_start = /etc/X11/Xsession.d/99x11-common_start ]
+ continue
+ set -e
+ /home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/start-tor-browser

Some stuff broken. Did not investigate this one yet:


This one we might not want?


Trivial issue, easy to fix / skip:

This would could probably fix/patch to be skipped upstream:


Maybe useful:


Useful stuff:

1 Like

(Not only useful for torbrowser. Any application.)
(Generic parsing of /etc/X11/Xsession.d also results in dbus-launch which is run by /etc/X11/Xsession.d/75dbus_dbus-launch.)

Created a branch xsession-parsing.

GitHub - Kicksecure/sandbox-app-launcher at xsession-parsing

The only commit so far:

Is generic parsing of /etc/X11/Xsession.d worth going for? Or do you see risks with that?
Could there be even security features implemented in /etc/X11/Xsession.d which would be missed if we don’t do this?

Or better just manually hard code, i.e. add more lines similar to this:

if [ -x /etc/X11/Xsession.d/20torbrowser ]; then
  source /etc/X11/Xsession.d/20torbrowser
fi
1 Like

I don’t think executing a whole load of files we don’t strictly need is a good idea. This would probably only cause more issues. Do you have any examples of files we actually need other than the Tor Browser one?

I doubt it.

1 Like

Could you check please if it’s better to use /etc/X11/Xsession.d/75dbus_dbus-launch than running dbus-launch manually?

1 Like
1 Like

From usability perspective it seems a bit weird that one has to run:

sudo sandbox-app-launcher program [OPTIONS]

I.e. weird that user has to use sudo.

I however understand that from a technical perspective, sandbox-app-launcher needs to run

sudo -H -u "${app_user}" bash -c "
  bwrap

which requires sudo.

Could we somehow simplify things for the user so the user could just run

sandbox-app-launcher program [OPTIONS]

instead of

sudo sandbox-app-launcher program [OPTIONS]

?

This seems specifically useful since sandbox-app-launcher cannot support running applications as root anyhow. Running sudo sandbox-app-launcher program [OPTIONS] implies that the application runs as root which it doesn’t.

From a usability perspective, running sudo sandbox-app-launcher should actually tell:

ERROR: Running applications as root with sandbox-app-launcher is unsupported.

Could we add a sudo wrapper for sandbox-app-launcher? Here is the idea:

  • rename /usr/bin/sandbox-app-launcher to /usr/lib/sandbox-app-launcher
  • introduce /usr/bin/sandbox-app-launcher with contents
#!/bin/bash
sudo /usr/lib/sandbox-app-launcher ${@}
  • introduce /etc/sudoers.d/sandbox-app-launcher with contents
## All sudoers to run without a password.
%sudo ALL=NOPASSWD: /usr/bin/sandbox-app-launcher *

Or even…

## All users in group 'user' to run sandbox-app-launcher without a password.
%user ALL=NOPASSWD: /usr/bin/sandbox-app-launcher *

But now we need to think about the security issues of that. The asterisk (“*”) in /usr/bin/sandbox-app-launcher * could be an issue? Attack surface?

  • A compromised user account could run each and every application under sandbox-app-launcher and thereby generate a lot useless app_user sandbox-${app_name} linux user accounts. This could be ignored for now since there are probably many opportunities for denial of service attacks from a locally compromised user account.
  • Do you see any other issues? Would this give access to things which would otherwise not be accessible without sudo access?

This is important in context of PERSISTENT mode USER

…which will be a boot mode where there is no sudo/root access for the user. In such a boot mode, sandbox-app-launcher would also be most useful.

What kind of security issues I am having in mind…

Currently we use:

if [ -f "/etc/sandbox-app-launcher/${app_name}.conf" ]; then
  . "/etc/sandbox-app-launcher/${app_name}.conf"
fi

Which seems fine.

However, if we had source /home/user/.sandbox-app-launcher/config that would be really bad, because then user user without access to sudo / root would get the ability the execute commands as root.

Also if we didn’t use quotes for "/etc/sandbox-app-launcher/${app_name}.conf" there might be a possibility to specifically craft variable app_name (using ../ or similar) to make it source a file writeable in user home folder too. However, we already sanitize variable app_name so we wouldn’t have this issue either.

Also putting a fake (attacker) binary into ~/bin for purpose of getting a malicious variable app_name is not possible either since sudo sanitizes environment variables among PATH (which of course removes user’s ~/bin from PATH).

Similar threat model as restricted APT, rapt.

That kind of security issues I am having in mind. Do you see any of these?

1 Like
1 Like
1 Like
1 Like
1 Like
1 Like

find /home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser -executable -type f

List of executable files in Tor Browser folder:

/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/start-tor-browser.desktop
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libmozavcodec.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libplds4.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libplc4.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/TorBrowser/Tor/libssl.so.1.1
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/TorBrowser/Tor/tor
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/TorBrowser/Tor/libevent-2.1.so.7
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/TorBrowser/Tor/libstdc++/libstdc++.so.6
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/TorBrowser/Tor/libcrypto.so.1.1
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/obfs4proxy
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/updater
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libmozsqlite3.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libnss3.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libnssutil3.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/firefox.real
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/start-tor-browser
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/abicheck
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libfreeblpriv3.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/gtk2/libmozgtk.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libmozgtk.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/execdesktop
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libmozsandbox.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/plugin-container
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/start-tor-browser.desktop
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libnssckbi.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libssl3.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libsmime3.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/liblgpllibs.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libnspr4.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libmozavutil.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/firefox
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libxul.so
/home/sandbox-app-launcher-appdata/torbrowser/.tb/tor-browser/Browser/libsoftokn3.so

Therefore the following is likely creating issues for Tor Browser:

  if ! [ "$(stat -c %a "${app_homedir}")" = "700" ]; then
    chmod 700 -R "${app_homedir}"
  fi
1 Like