Hi,
Tom Ritter:
> But wait a minute. If firefox.exe can't launch a process that can talk to the network... how's it supposed to launch tor.exe?
With Micah Lee's Tor Browser Launcher (TBL) on Linux with AppArmor enabled, this is not a problem: the sandboxing is done by the kernel and thus different confinement rules can be (and actually are) applied to the Firefox and Tor processes.
This requires admin privileges to set the whole thing up initially (which is done e.g. by the torbrowser-launcher Debian package), but then no special privileges are needed when *running* Tor Browser.
This approach makes a lot of sense to me on Linux, where the "download an app via a tarball and then double-click it" model is not the most common way to install and run software: most software people need is available in their distro's package repositories.
The way this works currently has several drawbacks that will be easy to fix once the architectural issues raised on this thread are addressed in Tor Browser:
* It requires the update mechanism to live inside Firefox (as the update code was dropped from TBL), which makes the confinement rules way too lax for my taste. But once there's an external update mechanism, then this will be easy to fix.
* It depends on Tor Browser for the configuration of little-t-tor. But here again, once this is handled by a GUI outside of Firefox, TBL can use it and confine Firefox more strictly.
* It depends on AppArmor for confinement. That's already the case on Ubuntu and SUSE, and my plan is to have AppArmor enabled by default in Debian 10 (Buster); Red Hat-based distros are out though, until the LSM stacking patches make their way to the mainline Linux kernel.
After reading this thread, it seems to me that both architectural issues need to be fixed anyway in the long term, regardless of TBL. And once they are, having TBL (or similar) in common Linux distros will be a great way to provide a good (and perhaps safe enough?) sandboxed-TB user experience on Debian, Ubuntu, Mint and their derivatives. And as a bonus, TBL verifies the initial download of TB better than what most users are able to do.
Cheers!
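To make the point about kernel-side confinement concrete, here is an added sketch of how two AppArmor profiles can give the browser and the tor daemon different rules while still letting the browser start tor. This is an illustration written for this thread, not the torbrowser-launcher package's actual profiles; the install paths under /opt/example/, the profile names, and the assumption that the browser reaches tor over a unix-domain socket rather than a TCP loopback port are all hypothetical.

```apparmor
# Added illustration, not torbrowser-launcher's shipped profiles.
# Paths and profile names below are hypothetical.
#include <tunables/global>

# Browser process: no direct IP networking, but it may exec tor,
# which the kernel then runs under its own (different) profile.
profile sandboxed-browser /opt/example/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>

  # The browser itself never gets an IPv4/IPv6 socket.
  deny network inet,
  deny network inet6,

  # Executing tor transitions to the sandboxed-tor profile
  # ("px" = exec with profile change and a scrubbed environment).
  /opt/example/tor px -> sandboxed-tor,

  # Assumption: SOCKS/control traffic goes over a unix socket,
  # and only to a peer confined by the tor profile.
  unix (connect, send, receive) type=stream peer=(label=sandboxed-tor),

  owner @{HOME}/.example/browser-profile/** rwk,
  /opt/example/firefox mr,
  /opt/example/firefox-files/** r,
}

# Tor daemon: the only process allowed to open network sockets.
profile sandboxed-tor /opt/example/tor {
  #include <abstractions/base>

  network inet stream,
  network inet6 stream,

  # Accept the browser's unix-socket connections.
  unix (accept, send, receive) type=stream peer=(label=sandboxed-browser),

  owner @{HOME}/.example/tor-state/** rwk,
  /opt/example/tor mr,
  /opt/example/tor-files/** r,
}
```

The security-relevant property is that the "can't talk to the network" rule is attached to the browser's profile only; the `px ->` transition means a child process launched by the browser is not inheriting the browser's denial but is being placed under whatever rules the tor profile grants. A real profile needs many more file, dbus and signal rules than shown here, and the `unix` peer-label rules require a kernel with AppArmor socket mediation.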