Tor Browser vs NOEXEC - Where should the Tor Browser folder be placed?

Firejail can make something noexec but it shouldn’t be able to make something exec again*. Which means Browser must start off exec. Should it be read-only before login, or is it enough to be read-only to the sandboxed Browser itself?

*Except it can. Just playing around, with noexec bind mount on browser/data,

user@host:~$ ./browser/data/ok
bash: ./browser/data/ok: Permission denied
user@host:~$ firejail --quiet --overlay-tmpfs ./browser/data/ok
ok

The filesystem is sandboxed now but firejail --overlay-tmpfs ignores the bind mounts completely. Actually it ignores regular mounts too. I guess it does something like a bind mount on / instead of an rbind. (It also doesn’t stack, which may be an issue if one sandboxed application wants to launch another one.)

Maybe Tor Browser could be run normally with a disposable overlay, whitelisting Downloads etc.
If you’re running in the default private mode then maybe you don’t want anything else to stick around anyway.
Unfortunately, user settings changed through the browser are stored in prefs.js, along with other settings. They can be manually pulled out and set in user.js, and probably won't be changed much, but this might be too much for a normal user.
Bookmarks unfortunately are in places.sqlite which is rather opaque. They might be rewritten into tracking redirects or proxies with typo or homographic domains. Apparently browser.places.importBookmarksHTML and browser.bookmarks.autoExportHTML allow usage of plain html but I haven’t tried.
Search engines are in a mozlz4 file to prevent tampering by malware, ironically making it very difficult for a user to detect tampering.


Since “(re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security? - #18 by Patrick” was recently implemented… (and after the recent firejail controversy in the thread “Tor Browser Hardening (hardened malloc, firejail, apparmor) vs Web Fingerprint”…) Any ideas for this issue?

Remounting /home/user/.tb with exec (rather than noexec) for Tor Browser is possible. I am experimenting successfully with that in Qubes-Whonix DispVM already. But remounting /home/user/.tb with exec or “don’t use Tor Browser anymore”, i.e. pick one, “noexec or Tor Browser”, isn’t a great solution.

The threat model I have in mind here is an attacker who has reached local code execution and who would be blocked from exploiting from user to root or kernel thanks to noexec. This can currently be circumvented in a targeted attack:
(A script, not a program, but it easily reproduces the point.)

file /home/user/.tb/evil-program

#!/bin/bash
echo "evil program"

chmod +x /home/user/.tb/evil-program

run

/home/user/.tb/evil-program

I would like to somehow restrict things so that not “all of user user” can create and run executables in the folder /home/user/.tb.

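To see which mount actually governs a given path once /home is noexec but /home/user/.tb has been remounted exec, here is an added example (not from the thread) that resolves a path to its mount by longest mount-point prefix over mountinfo and reports whether that mount carries noexec. The sample mountinfo is constructed for the example; on a real system call mount_opts_for with only the path and it reads /proc/self/mountinfo.

```shell
#!/bin/sh
# Added example: which mount does a path live on, and is that mount noexec?
# Reads /proc/self/mountinfo by default; a mountinfo-format file can be passed
# as the second argument for testing.

mount_opts_for() {
    path=$1
    mountinfo=${2:-/proc/self/mountinfo}
    awk -v p="$path" '
        BEGIN { best = -1; opts = "" }
        {
            mp = $5                      # field 5: mount point
            gsub(/\\040/, " ", mp)       # mountinfo escapes spaces as \040
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # later lines for an equally long mount point are stacked on
                # top of earlier ones, so >= lets the most recent (re)mount win
                if (length(mp) >= best) { best = length(mp); opts = $6 }
            }
        }
        END { print opts }
    ' "$mountinfo"
}

# exit 0 if PATH is on a mount whose per-mount options include noexec
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample (not a real system): / is exec, /home is mounted noexec,
# and /home/user/.tb has been bind-remounted without noexec for Tor Browser.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:2 / /home rw,nosuid,nodev,noexec,relatime shared:2 - ext4 /dev/sda2 rw
55 40 8:2 /user/.tb /home/user/.tb rw,nosuid,nodev,relatime shared:3 - ext4 /dev/sda2 rw
EOF

for f in /home/user/Downloads/payload /home/user/.tb/evil-program /home/user/.tb/tor-browser/Browser/firefox; do
    if is_noexec "$f" "$SAMPLE"; then
        printf '%-45s noexec  (%s)\n' "$f" "$(mount_opts_for "$f" "$SAMPLE")"
    else
        printf '%-45s exec    (%s)\n' "$f" "$(mount_opts_for "$f" "$SAMPLE")"
    fi
done
```

The output shows the problem the post describes: with .tb remounted exec, /home/user/.tb/evil-program is just as executable as Browser/firefox, because noexec is a property of the mount, not of the file. Two general caveats about noexec as a control, independent of this thread: it only stops the kernel from execve'ing files on that mount, so `bash /home/user/.tb/evil-program` still runs, and a bind mount stacked on top (or an overlay, as in the first post) replaces the options for everything beneath it.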

apparmor-profile-everything can give fine-grained execute permissions and already does for /home. It only allows the user to execute /home/*/.tb/tor-browser/Browser/{,start-tor-browser,firefox} and write permission for .tb/tor-browser/ is denied (so an attacker can’t overwrite those files).

Any other things TB needs to execute are handled by apparmor-profile-torbrowser (which is a dependency).

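For readers who want to see what "fine-grained execute permissions for /home" looks like in policy terms, here is an illustrative AppArmor fragment expressing the rule the post describes. It is added here and is not copied from apparmor-profile-everything; the execute mode (ix) and the catch-all home rule are assumptions for the illustration.

```apparmor
# Illustration only; the real rules live in apparmor-profile-everything.
# Execute permission is limited to the Tor Browser launchers under a user's
# home. The execute mode (ix, inherit the current profile) is an assumption
# for this example; the real profile may use a different transition.
owner /home/*/.tb/tor-browser/Browser/{,start-tor-browser,firefox} ix,

# No write access anywhere in the installed browser tree, so a local attacker
# cannot overwrite the files allowed above and then execute them.
# deny rules win over any allow rule that overlaps them.
deny /home/*/.tb/tor-browser/** w,

# Everything else under home: read, write, lock, but no execute permission,
# so a file created at /home/user/.tb/evil-program cannot be run.
owner /home/** rwk,
```

The point of the combination is that execute and write never apply to the same path: what may be executed cannot be written, and what may be written cannot be executed, which is the property noexec alone could not give once .tb had to be remounted exec.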