
Why does the Tor Browser AppArmor profile have sys_admin, sys_chroot and ptrace capabilities?

The Tor Browser AppArmor profile has capability sys_admin,
capability sys_chroot, and ptrace. This looks pretty insecure.

ptrace will allow the Tor Browser to modify and inspect other running processes.

sys_admin will allow the Tor Browser to do a whole load of things that it probably shouldn’t be able to.

sys_chroot will allow the Tor Browser to chroot which can make an attacker able to put a setuid program inside a chroot jail with a fake /etc/passwd and /etc/shadow which can fool it into giving it root access.

http://man7.org/linux/man-pages/man7/capabilities.7.html

https://en.wikipedia.org/wiki/Chroot#Limitations

Are these needed for anything? I think they should be removed.

1 Like

Why? It was contributed, now unmaintained. Not a good reason to keep if
improvement is possible. Patches welcome.

Could you please compare with other Tor Browser apparmor profiles such
as the one from torbrowser-launcher github?

The one from the torbrowser-launcher github is more locked down than the Whonix one. Most likely because the Whonix one has to be designed specifically for Whonix. It also doesn’t have any capabilities.

The Tails one is very similar to the torbrowser-launcher one. It’s just adapted for Tails.

2 Likes

Thanks!

Sounds good. Patches welcome.

1 Like

Just created a pull request for it.

There are also some other unnecessary permissions such as support for audio, KDE and VPNs. I think these should be disabled by default by commenting them out so it makes it easier for people wanting to re-enable those. What do you think?

1 Like
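As an added example (not code from this thread, from Whonix, or from the torbrowser-launcher or Tails projects), the shell script below does two things the thread asks for: it lists the capability sys_admin, capability sys_chroot and ptrace rules in an AppArmor profile, and it emits a copy with those rules commented out rather than deleted, so they stay easy to re-enable. The profile text in SAMPLE_PROFILE is constructed for illustration and is not the real Whonix profile; the path and the remaining rules in it are assumptions.

```sh
#!/bin/sh
# Added example, not project code. Audits an AppArmor profile for the
# capability/ptrace rules discussed above and produces a copy with those
# rules commented out (prefixed with '#') instead of removed.

# Constructed sample profile for illustration only; the path and the
# non-capability rules are assumptions, not the real Whonix profile.
SAMPLE_PROFILE='#include <tunables/global>

/home/*/tor-browser/** {
  #include <abstractions/base>
  capability sys_admin,
  capability sys_chroot,
  ptrace,
  network inet stream,
}'

# Print the capability sys_admin / sys_chroot and ptrace rules found in the
# profile read on stdin, one per line, with leading whitespace stripped.
# Lines that are already commented out ('#') do not match.
list_risky_rules() {
  grep -E '^[[:space:]]*(capability[[:space:]]+(sys_admin|sys_chroot)|ptrace)[[:space:]]*,' \
    | sed -e 's/^[[:space:]]*//'
}

# Emit the profile read on stdin with those rules commented out. Indentation
# is preserved and the rule text is kept verbatim after '# ', so restoring a
# rule later is just a matter of deleting the '# ' prefix.
disable_risky_rules() {
  sed -E 's/^([[:space:]]*)((capability[[:space:]]+(sys_admin|sys_chroot)|ptrace)[[:space:]]*,)/\1# \2/'
}

# Count the risky rules still active in the profile read on stdin.
# 'tr' removes the leading padding some wc implementations print.
count_risky_rules() {
  list_risky_rules | wc -l | tr -d ' '
}

# Stand-alone run: show what would be commented out, then the result.
printf 'Risky rules found:\n'
printf '%s\n' "$SAMPLE_PROFILE" | list_risky_rules
printf '\nProfile with those rules disabled:\n'
printf '%s\n' "$SAMPLE_PROFILE" | disable_risky_rules
```

To use it on a real profile, feed the file on stdin instead of SAMPLE_PROFILE (for example `disable_risky_rules < /etc/apparmor.d/some-profile > some-profile.new`), review the diff, and reload the profile with apparmor_parser; the script itself never writes to /etc/apparmor.d.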