Thanks for the clarifications, Tom and Yawning.
I'm curious what the long term plans for the sandbox are
It seems there are different threats due to browser exploits we are discussing here: (1) pwnage of the whole computer, (2) modifying the browser or tor binaries, (3) modifying the torrc or otherwise launching tor in a malicious way, and (4) one-time deanonymization via the ControlPort. So I wonder if it would make send to take a gradual approach in which defenses are deployed one by one, starting with the low-hanging fruit and working upwards. Something like:
Step 1: Containerize the whole bundle to defend against pwnage of the whole computer. Step 2: Create a external update mechanism and prevent firefox.exe from writing to its own directory or the tor directory. Step 3: Patch tor so that tor-launcher doesn't need to write to torrc at all to configure tor. Launch tor independently of the browser, but still configure tor using the tor-launcher extension UI, via a filtered control port. Prevent firefox from accessing tor directory or launching tor. Step 4: Write a new tor-controller UI in QT or similar that replaces functionality in tor-launcher and maybe the circuit display.
Am I right in thinking that there is a substantial security benefit to each step? And would it be feasible to deploy each step to users in standard Tor Browser without waiting for the next step to be ready?