[tbb-dev] So, about the Linux sandbox in the long term?

intrigeri intrigeri at boum.org
Sat May 27 10:27:21 UTC 2017


Hi,

Tom Ritter:
> But wait a minute. If firefox.exe can't launch a process that can talk
> to the network... how's it supposed to launch tor.exe?

With Micah Lee's Tor Browser Launcher (TBL) on Linux with AppArmor
enabled, this is not a problem: the sandboxing is done by the kernel
and thus different confinement rules can be (and actually are) applied
to the Firefox and Tor processes.

This requires admin privileges to set the whole thing up initially
(which is done e.g. by the torbrowser-launcher Debian package),
but then no special privileges are needed when *running* Tor Browser.

This approach makes a lot of sense to me on Linux, where the "download
an app via a tarball and then double-click it" model is not the most
common way to install and run software: most software people need is
available in their distro's package repositories.

The way this works currently has several drawbacks that will be easy
to fix once the architectural issues raised in this thread are addressed
in Tor Browser:

 * It requires the update mechanism to live inside Firefox (as the
   update code was dropped from TBL), which makes the confinement
   rules way too lax for my taste. But once there's an external update
   mechanism, then this will be easy to fix.

 * It depends on Tor Browser for the configuration of little-t-tor.
   But here again, once this is handled by a GUI outside of Firefox,
   TBL can use it and confine Firefox more strictly.

 * It depends on AppArmor for confinement. That's already the case on
   Ubuntu and SUSE, and my plan is to have AppArmor enabled by default
   in Debian 10 (Buster); Red Hat-based distros are out though, until
   the LSM stacking patches make their way to the mainline Linux kernel.

After reading this thread, it seems to me that both architectural
issues need to be fixed anyway in the long term, regardless of TBL.
And once they are, having TBL (or similar) in common Linux distros
will be a great way to provide a good (and perhaps safe enough?)
sandboxed-TB user experience on Debian, Ubuntu, Mint and their
derivatives. And as a bonus, TBL verifies the initial download of TB
better than what most users are able to do.

Cheers!
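An added illustration of the point made above about kernel-enforced confinement, written for this page and not taken from torbrowser-launcher's actual profiles: two AppArmor profiles, one for the Firefox binary and one for the tor binary, where the browser is denied all network access yet may still execute tor under a separately confined profile that is allowed to open sockets. The attachment paths, the socket path, and the profile names are assumptions for the example; it also assumes the browser reaches tor over a unix domain socket rather than a TCP port, since AppArmor of this era cannot distinguish loopback from remote TCP connections.

```apparmor
#include <tunables/global>

# Assumed install location; substitute the real one for your setup.
@{TBB}=@{HOME}/.local/share/torbrowser/tbb/*/Browser

# Browser profile: no network at all. Everything must go through tor.
profile torbrowser_firefox @{TBB}/firefox {
  #include <abstractions/base>

  # Deny every socket family (inet, inet6, packet, ...). A TCP connection
  # to tor on 127.0.0.1 would be denied too, hence the unix socket below.
  deny network,

  # Assumed path of the SOCKS/control unix socket that tor creates.
  owner @{TBB}/TorBrowser/Data/Tor/socks.socket rw,

  # Own files: read the bundle, write only the profile data directory.
  @{TBB}/** r,
  owner @{TBB}/TorBrowser/Data/Browser/** rwk,

  # Launching tor switches to the torbrowser_tor profile (Px also scrubs
  # the environment so the child does not inherit LD_* style variables).
  @{TBB}/TorBrowser/Tor/tor Px -> torbrowser_tor,
}

# Tor profile: may talk to the network, but sees only its own files.
profile torbrowser_tor @{TBB}/TorBrowser/Tor/tor {
  #include <abstractions/base>

  network inet stream,
  network inet6 stream,

  @{TBB}/TorBrowser/Tor/** mr,
  owner @{TBB}/TorBrowser/Data/Tor/** rwk,

  # Creating the unix socket the browser connects to (assumed path).
  owner @{TBB}/TorBrowser/Data/Tor/socks.socket rw,

  # Nothing here lets tor execute the browser or any other program.
}
```

Loading these profiles (for example with `apparmor_parser -r` on a file under /etc/apparmor.d/) is the one-time step that needs administrator privileges, as the message notes; once loaded, an unprivileged user running the browser gets both confinement regimes applied automatically by the kernel. Checking `aa-status` afterwards shows whether the two named profiles are in enforce mode, and a denied socket call from the browser side shows up in the kernel audit log as an `apparmor="DENIED"` line with `operation="create"` and the profile name, which is the cheap way to confirm the browser really cannot bypass tor.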
