Changing any folders can break MAC (apparmor, firejail).
Possibly most users would do that, yes.
Tor Browser started security restricted ([A] with ro,nosuid,nodev executable files and rw browser profile) → get exploited → MAC confines it into its folder → modified firefox binary → terminated → later restarted using [B] (internal updater allowed) → browser updated, still compromised. Gained little except nosuid,nodev. Maybe breaking some malware requiring exec inside browser binary folder.
Maybe before starting the browser using [A] it could run Dev/VirusForget - Kicksecure to checksum the browser binary folder. On any startup, all changes to any files in browser binary folder are undone and only changes in user profile folder are kept. That would make exploits harder. Malware could no longer persist in browser binary folder. But malware could persist in browser profile folder perhaps as a malicious browser add-on.
A Dev/VirusForget - Kicksecure checksum mechanism might also set the browser binary folder immutable. That’s no noexec but the same result as noexec. Perhaps don’t care so much about noexec for Tor Browser folder but just make it non-writeable (as good as noexec - no new binaries since no write access). And the browser profile folder can be noexec. Should be as good as complete noexec.
Sounds nice in theory but in practice can’t work since Tor Browser mixes application data and browser data folder. I.e. some anonymity related settings reside in browser profile folder and need to be updated as well. So by updating while moving the untrusted profile folder out of the way, the update may result in a different web fingerprint.
Folder should stay stay as is unless a strong rationale is provided.
Splitting the folder seems fragile on Tor Browser updates.
Moving to other folders breaks MAC.
Maybe higher security may be possible for users who are ok to purge their browser profile on each upgrade. I.e. install a new Tor Browser version using tb-updater (should be renamed to tb-downloader) rather than updating using Tor Browser internal updater.
I don’t see any better solution unless things are improved upstream.
We could also say that VMs using Tor Browser shouldn’t be used for anything else due to this mess vs noexec. Always results in lower security level.
Just the one thing. One thing at a time. (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? is about changing proc-hidepid.service into a more generalized service that gets all mount options enhanced.
startup scripts, user .desktop files are for later work → Dev/VirusForget - Kicksecure
Not sure yet about noexec.
Since noexec does not block scripts execution… See also
Chromium OS Docs - Shell scripts & noexec mounts
I was considering to contact apparmor / firejail developers to ask if we can get that under control somehow. noexec is also worth its own forum thread.