[tbb-dev] So, about the Linux sandbox in the long term?

Arthur D. Edelstein arthuredelstein at gmail.com
Sat May 27 03:35:24 UTC 2017


On Fri, May 26, 2017 at 8:05 PM, Yawning Angel <yawning at schwanenlied.me> wrote:
> On Fri, 26 May 2017 17:45:03 -0700
> "Arthur D. Edelstein" <arthuredelstein at gmail.com> wrote:

>> Step 1: Containerize the whole bundle to defend against pwnage of the
>> whole computer.
>> Step 2: Create an external update mechanism and prevent firefox.exe
>> from writing to its own directory or the tor directory.
>> Step 3: Patch tor so that tor-launcher doesn't need to write to torrc
>> at all to configure tor. Launch tor independently of the browser, but
>> still configure tor using the tor-launcher extension UI, via a
>> filtered control port. Prevent firefox from accessing tor directory or
>> launching tor.
>> Step 4: Write a new tor-controller UI in QT or similar that replaces
>> functionality in tor-launcher and maybe the circuit display.
>
> The existing Linux sandbox does all of this already.  Re-doing
> something that already exists (twice), seems somewhat silly to me.

Of course it would be! :) For Linux, I was envisioning adopting your
work into the standard TBB distribution. Not writing it again from
scratch.

But we also need these steps on Windows and OS X. And my understanding
is that on Linux there's more work to be done for step 4 and maybe
some for the stopgap approach in step 3. Rather than waiting for a
whole new tor-launcher UX in QT, maybe we can adopt your work from the
earlier steps in standard TBB sooner.

> Might be tricky for other reasons, but I guess?  The big gotcha is that
> containerization is a privileged operation on sensible Linux systems.

That does indeed sound like a big problem. Any workarounds you know of?
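As an added illustration of the "filtered control port" idea from step 3 (example code, not tor-launcher's or the existing Linux sandbox's own filter): a Python allowlist that decides which post-authentication control-port commands a browser-side configuration UI may forward to tor. The allowlisted keys, events and the "510" reply text are assumptions constructed for this example.

```python
import re

# Allowlists are constructed for this example; they are not tor-launcher's
# or the Linux sandbox's real policy. They cover only what a browser-side
# configuration UI plausibly needs (bridges, proxies, bootstrap status).
SETCONF_KEYS = {"UseBridges", "Bridge", "ClientTransportPlugin",
                "DisableNetwork", "Socks4Proxy", "Socks5Proxy", "HTTPSProxy"}
GETINFO_KEYS = {"version", "status/bootstrap-phase", "net/listeners/socks",
                "status/circuit-established"}
EVENTS = {"STATUS_CLIENT", "CIRC", "STREAM"}
SIGNALS = {"NEWNYM"}

# One SETCONF/RESETCONF/GETCONF argument: a bare key, or key=value where the
# value is a bare token or a Tor QuotedString ("..." with backslash escapes).
_ARG = re.compile(r'(\w+)(?:=("(?:[^"\\]|\\.)*"|\S*))?')


def allowed(line):
    """Decide whether one control-port command line may be forwarded to tor.
    Returns (True, None) or (False, reason). Default is deny."""
    text = line.rstrip("\r\n")
    if "\r" in text or "\n" in text:
        return False, "embedded line break (command smuggling)"
    parts = text.split(None, 1)
    if not parts:
        return False, "empty command"
    verb = parts[0].upper()
    rest = parts[1] if len(parts) > 1 else ""
    if verb in ("SETCONF", "RESETCONF", "GETCONF"):
        keys = [m.group(1) for m in _ARG.finditer(rest)]
        bad = [k for k in keys if k not in SETCONF_KEYS]
    elif verb == "GETINFO":
        keys = rest.split()
        bad = [k for k in keys if k not in GETINFO_KEYS]
    elif verb == "SETEVENTS":  # an empty SETEVENTS just clears subscriptions
        keys = rest.upper().split()
        bad = [k for k in keys if k not in EVENTS]
    elif verb == "SIGNAL":
        keys = rest.upper().split()
        bad = [k for k in keys if k not in SIGNALS]
    else:
        # SAVECONF, +LOADCONF, TAKEOWNERSHIP, ATTACHSTREAM, ... are all denied.
        return False, f"{verb} is not on the allowlist"
    if not keys and verb != "SETEVENTS":
        return False, f"{verb} without arguments"
    if bad:
        return False, f"{verb} argument(s) not allowed: {' '.join(bad)}"
    return True, None


def reply_or_forward(line):
    """Return ("forward", line) to pass the command on to tor, or
    ("reply", text) with a constructed 510 reply sent back to the client."""
    ok, reason = allowed(line)
    return ("forward", line) if ok else ("reply", f"510 Filtered: {reason}\r\n")
```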
