Tor + SELinux sandbox = leak proof without VM overhead?

F. Fox kitsune.or at
Sun Aug 22 01:06:16 UTC 2010

It certainly sounds interesting. Full VM environments not only cause 
system resource overhead, but maintenance overhead, too (that's always 
been my biggest gripe about them).

F. Fox

On 08/21/2010 05:55 PM, Gregory Maxwell wrote:
> Has anyone looked into using the SELINUX sandbox
> ( to prevent leaks?   The
> sandbox provides a high degree of application isolation.  It looks
> like it would be pretty much trivial to add an option to the sandbox
> front end program to only allow accesses to the tor socks port from
> the isolated app.
> With this, users on supporting platforms wouldn't have to use
> wireshark to figure out if, say, pidgin, is leaking via DNS. They
> could simply run the app inside the sandbox and be sure of it.