I’m not aware of any way for a website to detect the browser is in a sandbox unless the sandbox is poorly implemented or the website attempts to give you malware.
No, bubblewrap is in C and doesn’t use AppArmor. sandboxed-tor-browser is in golang so that’s probably where you got confused.
The sandboxing wouldn’t affect that. The Tor Browser displays the same set of fonts regardless of the environment it’s in and the sandboxing doesn’t do anything with hardware.
There’s a gap between an issue being identified and fixed. On top of that, the firejail-profile package from packages.debian.org is only upgraded during Debian release upgrades, such as from Debian buster to Debian bullseye.
Checked Debian changelog. I haven’t seen any upgrades of package apparmor-profiles or firejail-profiles ever that were uploaded to any other Debian suite other than unstable first, i.e. require a release upgrade until these flow into testing and the next stable release of Whonix.
Debian doesn’t ship Tor Browser. So it is not responsible for that application, which is upgraded outside of its repository.
Also very much dependent on the Debian maintainer. A lot of variables. Too many.
But how will a remote site be able to differentiate between performance loss caused by an allocator vs one attributable to just running TBB on a crappy computer?
* If stacking Firejail and AppArmor is any better than just using Firejail for TBB
* Find out who maintains the most current profile and see if we can coordinate with TPO to provide an officially maintained/unit tested version from their repos.
Speculation: Could be because an allocator might influence non-linearly some feature more than another while a crappy computer influences it in a more linear way.
firejail man page talks a lot about apparmor.
Upstream firejail has a few Tor Browser related issues (might already be most if not all closed by now). Looks like upstream is quick to fix such. Looks like with apparmor upstream gives apparmor but leaves applications to application developers while firejail upstream provides a ton of firejail profiles. I might be wrong about this.
It is. Firejail doesn’t offer nearly as good file path whitelisting as AppArmor does. Firejail also can’t do many things AppArmor can, such as managing ptrace or signals.
It’s also good defense in depth. If there’s a vulnerability in Firejail, which isn’t unlikely, then AppArmor will still restrict the application, or vice versa.
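For readers who have not written AppArmor policy, the kinds of rules the last post refers to (path whitelisting, ptrace and signal mediation) look like this in profile syntax. This is an added illustration, not part of the thread and not a profile shipped by Whonix, Debian or TPO; the profile name `example-browser` and every path in it are hypothetical.

```apparmor
# Hypothetical profile, constructed for illustration only.
#include <tunables/global>

profile example-browser @{HOME}/example-browser/Browser/firefox {
  #include <abstractions/base>

  # File access is allow-listed: any path not matched by a rule is denied.
  owner @{HOME}/example-browser/Browser/** r,
  owner @{HOME}/example-browser/Browser/firefox ix,
  owner @{HOME}/example-browser/Data/** rwk,
  owner @{HOME}/Downloads/** rw,

  # Explicit deny: wins even if a broader allow rule is added later.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,

  # ptrace mediation: only processes under this same profile may
  # inspect each other; tracing anything else is refused.
  ptrace (read, trace) peer=example-browser,
  deny ptrace (read, trace) peer=unconfined,

  # Signal mediation: siblings may signal each other freely; from
  # outside the profile only a small set of signals is accepted.
  signal (send, receive) peer=example-browser,
  signal (receive) set=(term, kill, hup) peer=unconfined,
}
```

When a profile like this is loaded alongside a Firejail sandbox, both layers apply independently, which is the defense-in-depth argument made in the post above.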