Tor + SELinux sandbox = leak proof without VM overhead?

intrigeri intrigeri at
Sat Aug 28 22:25:45 UTC 2010


Gregory Maxwell wrote (22 Aug 2010 00:55:49 GMT) :
> I think it's obvious that the best way of using tor is running your
> torrified apps in a VM which can only access the outside world via
> TOR.

I doubt there is something like "the" best way of using Tor. One
always needs to balance the risks vs. the efforts needed to get some
protection against it. More practically speaking: there are use cases
the Tor Browser Button is perfect for, but it cannot prevent every
leakage of anonymity to local disks. Then come Tor-ified VM setups
that protect users a bit more but still somehow rely on the host
operating system. Then comes running a Tor-ified Live system such as
T(A)ILS [1] on bare metal. Each situation has its best fit solution
but I don't think one solution can be told to be best in any cases.

  [1] https://amnesia.boum.rog/

> This provides the highest protection from network leaks and
> also partially thwarts fingerprinting. But I can only assume that
> the 'cost' (performance, complexity, etc) of using a VM for tor is
> too high for many people— otherwise we would insist that anyone who
> wants anonymity operate that way.

About performance: a five years old laptop with 1.7 GHz processor and
1GB RAM is able to run a fully-fledged Tor-ified desktop system such
as T(A)ILS in VirtualBox. It was also true with qemu+kqemu last time I

About complexity: running a guest OS in a VM is really easy with
VirtualBox (and presumably with its proprietary counterparts). But
maybe I am missing the point. What kind of complexity are you talking

Another "cost" mentioned by coderman was "elevated privs for
accelerated virtualization / para-virtualization". AFAIK VirtualBox
does not need any special privileges (once the kernel part of the
software is installed, and the modules/services loaded).

Please don't misunderstand me. I'm not a fan of VM-based solutions and
pretty much prefer the bare-metal + Live OS approach, but I feel we
need to consider their pros and cons in a more detailed way than
discarding them on the assumption that their cost must be too high
else we would push for their usage much more than we do.

> Has anyone looked into using the SELINUX sandbox
> ( to prevent leaks? The
> sandbox provides a high degree of application isolation. It looks
> like it would be pretty much trivial to add an option to the sandbox
> front end program to only allow accesses to the tor socks port from
> the isolated app.

I'm sure there are use-cases such a sandbox would fit very well, and
am in favour of developing new ways of using Tor when practical
use-cases make it necessary. If it fits a bunch of (potential) users'
needs, I do encourage you to push this idea forward.

On the other hand: if we want to consider ease of use "for many
people" as an important criterion, which we do, which one seems easier
amongst the two following solutions?

1. Download T(A)ILS and burn it on a CD, then boot it when needed
   (possibly in a VM if you can afford it wrt. performance and
2. Replace your current OS with another one that supports SE Linux
   well enough to support the SE Linux enhanced sandbox described
   solution (examples needed), install the sandbox front-end program
   that does not exist yet, and setup the needed sandboxes for the
   apps that need to be Tor-ified and somehow isolated. Then you only
   need to never, ever confuse your nice sandboxed web browser with
   your other non-sandboxed one.

As a T(A)ILS developer I am of course biased but #1 seems pretty much
easier to me.

  intrigeri <intrigeri at>
  | GnuPG key @
  | OTR fingerprint @
  | The impossible just takes a bit longer.
To unsubscribe, send an e-mail to majordomo at with
unsubscribe or-talk    in the body.

More information about the tor-talk mailing list