Firejail: Tor Browser profile for Whonix / tb-updater

Created on 18 Jul 2019 · 25 comments · Source: netblue30/firejail

TLDR:

Could you please provide a firejail profile for use with Tor Browser when using path /home/user/.tb/tor-browser as installation folder?

This would then work for all users of tb-updater (Debian, Qubes and Whonix users).


Long:

Whonix maintainer here.

In Whonix we are using a slightly different folder.

/home/user/.tb/tor-browser/

Full path to start-tor-browser.desktop

/home/user/.tb/tor-browser/start-tor-browser.desktop

Working:

firejail --private=/home/user/.tb/tor-browser ./start-tor-browser.desktop

Not working:

firejail --private=/home/user/.tb/tor-browser /home/user/.tb/tor-browser/start-tor-browser.desktop

Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

Can we avoid using --private?

Could we somehow use the full path to /home/user/.tb/tor-browser/start-tor-browser.desktop? I would hope that using firejail can become a simple matter of prepending firejail or not. At the moment our startup wrapper /usr/bin/torbrowser (which does various unrelated things) does, in essence:

cd ~/.tb/tor-browser
/home/user/.tb/tor-browser/start-tor-browser.desktop

Which is working.

firejail --profile=/etc/firejail/torbrowser-launcher.profile /home/user/.tb/tor-browser/start-tor-browser.desktop

Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

ls -la /home/user/.tb/tor-browser/start-tor-browser.desktop

-rwx------ 1 user user 1726 Jul 18 16:45 /home/user/.tb/tor-browser/start-tor-browser.desktop

Also previously running cd ~/.tb/tor-browser does not help.

Also same error:

firejail --profile=/etc/firejail/tor-browser-en-us.profile /home/user/.tb/tor-browser/start-tor-browser.desktop

start-tor-browser.desktop is special indeed.

cat start-tor-browser.desktop

#!/usr/bin/env ./Browser/execdesktop

....

Might that be confusing firejail?

What does also work: (based on https://github.com/netblue30/firejail/issues/2429#issuecomment-465545751 thanks to @rusty-snake)

firejail --whitelist=$HOME/.tb/tor-browser --profile=/etc/firejail/start-tor-browser.profile $HOME/.tb/tor-browser/Browser/start-tor-browser --detach

What also works:

firejail --profile=/etc/firejail/start-tor-browser.profile $HOME/.tb/tor-browser/Browser/start-tor-browser

Why were we able to drop --whitelist=$HOME/.tb/tor-browser?

Is profile /etc/firejail/start-tor-browser.profile only covering /home/user/.tb/tor-browser/Browser/start-tor-browser or all subsequent execution (i.e. the forked Firefox)?

enhancement

All 25 comments

@adrelanos How is TB started in whonix? (struck through by the author as outdated)

What about the following (to test it) (You need firejail 0.9.58 or higher):
$HOME/.config/firejail/start-tor-browser.desktop.local:

noblacklist ${HOME}/.tb/tor-browser

mkdir ${HOME}/.tb/tor-browser
whitelist ${HOME}/.tb/tor-browser

Run:
firejail /home/user/.tb/tor-browser/start-tor-browser.desktop
If you see Reading profile /etc/firejail/start-tor-browser.desktop.profile then the right profile is loaded.

FYI: I use my own TBB profile https://github.com/rusty-snake/firejailed-tor-browser/blob/master/tor-browser.profile.

PS: I'm not sure if your questions are rhetorical, if you want/need an answer to all the questions, say so.

I played a little bit in whonix:

firejail --whitelist=${HOME}/.tb --private-bin=torbrowser,whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl --private-etc=passwd --profile=torbrowser-launcher torbrowser
firejail --whitelist=${HOME}/.tb/tor-browser --profile=torbrowser-launcher ${HOME}/.tb/tor-browser/Browser/start-tor-browser

Thank you very much for your reply!

PS: I'm not sure if your questions are rhetorical, if you want/need an answer to all the questions, say so.

Not rhetorical. It's a balance of my eagerness to know vs your valuable time, hence split into TLDR and long part.

Priority for me is having a profile shipped by default in firejail (so it makes its way into the firejail-profiles Debian package in the next Debian release).

firejail --whitelist=${HOME}/.tb --private-bin=torbrowser,whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl --private-etc=passwd --profile=torbrowser-launcher torbrowser

I am not requesting a profile for /usr/bin/torbrowser, which is a wrapper shipped by the tb-starter package developed by Whonix (not The Tor Project). The most important thing it does here is start Tor Browser. The rest shouldn't be security sensitive. Another reason why I did not request it is to avoid the added work required for it. (My request is supposed to be "small" while a /usr/bin/torbrowser profile is "bigger".)

Tor Browser (the real ${HOME}/.tb/tor-browser/Browser/start-tor-browser / the forked firefox) should not inherit these extra permissions (whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl).

My idea was to keep things simple, compartmentalized. /usr/bin/torbrowser should stay out of the way as much as possible. (That's always been tb-starter package goal independent of this.)

What about the following (to test it):
$HOME/.config/firejail/start-tor-browser.desktop.local:

noblacklist ${HOME}/.tb/tor-browser

mkdir ${HOME}/.tb/tor-browser
whitelist ${HOME}/.tb/tor-browser

Run:
firejail /home/user/.tb/tor-browser/start-tor-browser.desktop
If you see Reading profile /etc/firejail/start-tor-browser.desktop.profile the right profile is loaded. (You need firejail 0.9.58 or higher)

That would be my preferred solution. (Ultimately translated to an /etc/firejail profile.)

Unfortunately it still gives the Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found error.

ls -la /home/user/.tb/tor-browser/start-tor-browser.desktop
-rwx------ 1 user user 1682 Jan  1  2000 /home/user/.tb/tor-browser/start-tor-browser.desktop
user@host:~$ cat $HOME/.config/firejail/start-tor-browser.desktop.local
noblacklist ${HOME}/.tb/tor-browser
mkdir ${HOME}/.tb/tor-browser
whitelist ${HOME}/.tb/tor-browser
user@host:~$ 
user@host:~$ firejail /home/user/.tb/tor-browser/start-tor-browser.desktop
Reading profile /etc/firejail/start-tor-browser.desktop.profile
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2381, child pid 2382
Warning: skipping pki for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping asound.conf for private /etc
Private /etc installed in 13.99 ms
48 programs installed in 65.30 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 120.41 ms
Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

Parent is shutting down, bye...
user@host:~$ 

Debian buster based.

dpkg -l | grep firejail
ii  firejail                                       0.9.58.2-2                   amd64        sandbox to restrict the application environment
ii  firejail-profiles                              0.9.58.2-2                   all          profiles for the firejail application sandbox

A manual cd ~/.tb/tor-browser beforehand also does not help.

working:

firejail /home/user/.tb/tor-browser/Browser/start-tor-browser

not working:

firejail /home/user/.tb/tor-browser/start-tor-browser.desktop

However, /home/user/.tb/tor-browser/start-tor-browser.desktop is preferred since that is the canonical way to start Tor Browser expected by upstream, The Tor Project. The path /home/user/.tb/tor-browser/Browser/start-tor-browser or the contents of /home/user/.tb/tor-browser/start-tor-browser.desktop might change, but /home/user/.tb/tor-browser/start-tor-browser.desktop has a higher likelihood of staying the canonical starter.

@adrelanos working with firejail 0.9.60 and newer:

firejail --whitelist=${HOME}/.tb/tor-browser --private-cwd=${HOME}/.tb/tor-browser ${HOME}/.tb/tor-browser/start-tor-browser.desktop

If I see right, torbrowser (in whonix) calls start-tor-browser.desktop at some point (with a few more env vars around it, ...). Where should firejail come in? In torbrowser (like firejail $SOMETHING/start-tor-browser.desktop) or as a symlink (firecfg)?

If I see right, torbrowser (in whonix) calls start-tor-browser.desktop at some point (with a few more env vars around it, ...).

[1] Yes, kinda, but currently it actually calls /home/user/.tb/tor-browser/Browser/start-tor-browser, which is a bug, since that is not the canonical way to start Tor Browser.

Where should firejail come in? In torbrowser (like firejail $SOMETHING/start-tor-browser.desktop) or as a symlink (firecfg)?

That is a good question.

Our wrapper /usr/bin/torbrowser shouldn't cause work for other upstreams such as firejail. At least that was my original idea. Usually upstreams are like "not our issue", understandably. Appreciate the thought.

So from my compartmentalization perspective could we see this as a bug or feature request:

"firejail should be able to execute .desktop files such as start-tor-browser.desktop"?

/usr/bin/torbrowser supports configuration or environment variable tb_starter_bin_pre.

tb_starter_bin_pre=firejail torbrowser will currently result in

cd /home/user/.tb/tor-browser/
firejail /home/user/.tb/tor-browser/Browser/start-tor-browser

Or in future when [1] is fixed (waiting to see how we deal with firejail here) would result in:

cd /home/user/.tb/tor-browser/
firejail /home/user/.tb/tor-browser/start-tor-browser.desktop

I was also considering to implement a command line parameter torbrowser --firejail (or --hardening) (and configuration option) doing this for the user.

Neither solution seems very standards-conforming. That should not be surprising though. The root cause of this is the absence of a deb package of Tor Browser.

What do you think is best here? Should this be done in firejail, so that firecfg creates a wrapper around /usr/bin/torbrowser, or should /usr/bin/torbrowser take care of invoking firejail?

Related: I am also considering to combine firejail with apparmor and hardened malloc. Related: https://github.com/netblue30/firejail/issues/2689 Mentioning this here since that consideration might change the best way forward.

So from my compartmentalization perspective could we see this as a bug or feature request:

"firejail should be able to execute .desktop files such as start-tor-browser.desktop"?

~/.tor-browser/start-tor-browser.desktop 
/usr/bin/env: „./Browser/execdesktop“: No such file or directory

Doesn't look like firejail related.


What do you think is best here? Should this be done in firejail, so that firecfg creates a wrapper around /usr/bin/torbrowser, or should /usr/bin/torbrowser take care of invoking firejail?

possibilities

1. firejail profile for torbrowser + firecfg
   Contra:
   • Lesser security, as you write above:
     "should not inherit these extra permissions (whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl)."
   • issues with firejail if users/distros provide their own scripts with this name
2. add firejail to torbrowser

for now:

firejail --whitelist=${HOME}/.tb/tor-browser --profile=torbrowser-launcher ${HOME}/.tb/tor-browser/Browser/start-tor-browser

when it has firejail >= 0.9.60

firejail --whitelist=${HOME}/.tb/tor-browser --private-cwd=${HOME}/.tb/tor-browser ${HOME}/.tb/tor-browser/start-tor-browser.desktop

I would prefer 2. + adding ${HOME}/.tb/tor-browser (or ${HOME}/.tb) to https://github.com/netblue30/firejail/blob/master/etc/start-tor-browser.desktop.profile

  1. also sounds good to me!

FYI:

firejail --private=/home/user/.tb/tor-browser /home/user/.tb/tor-browser/start-tor-browser.desktop

Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

Reason: firejail automatically loads start-tor-browser.desktop.profile which is a whitelisting profile

Can we avoid using --private?

In general: yes

firejail --profile=/etc/firejail/torbrowser-launcher.profile /home/user/.tb/tor-browser/start-tor-browser.desktop

Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

Reason: torbrowser-launcher.profile is a whitelisting profile.

ls -la /home/user/.tb/tor-browser/start-tor-browser.desktop

-rwx------ 1 user user 1726 Jul 18 16:45 /home/user/.tb/tor-browser/start-tor-browser.desktop

If you want to debug such situations, you need to be in firejail:
firejail --ignore=private-bin --profile=torbrowser-launcher bash

firejail --profile=/etc/firejail/tor-browser-en-us.profile /home/user/.tb/tor-browser/start-tor-browser.desktop

Reason: tor-browser-en-us.profile is just an alias for torbrowser-launcher

Why were we able to drop --whitelist=$HOME/.tb/tor-browser?

Reason: start-tor-browser.profile does not whitelist in $HOME
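The explanation above (a whitelisting profile hides the launcher's path, or the merged private-bin list lacks the program, and firejail then reports "no suitable ... executable found") can be checked offline before starting a browser. The following is an added example, not code from this thread or from the firejail project: a POSIX sh resolver that follows `include` lines, accumulates `private-bin` and `whitelist` directives, and answers whether a program will be present in the sandbox's /bin and whether a path is visible at all. The include lookup order (user profile directory first, then the system directory, with or without the .profile suffix) is an assumption based on how the thread's $HOME/.config/firejail/*.local files are picked up. The profiles it writes under a temporary directory are constructed stand-ins; the real torbrowser-launcher.profile is much longer, and only tb-starter-wrapper.profile reflects what was proposed later in the thread, including the private-bin line.

```shell
#!/bin/sh
# Resolve a firejail profile chain offline and report why a program may
# get "no suitable ... executable found": it is missing from the merged
# private-bin list, or its path is not covered by any whitelist entry.
# Lookup order for `include NAME` is assumed to be the user profile dir
# first, then the system dir (what the .local files in the thread rely on).

: "${HOME:=/home/user}"

# fj_resolve USER_DIR SYS_DIR NAME: print every non-comment directive of
# NAME and its includes, depth-first, in reading order. A relative NAME is
# tried with and without the .profile suffix; a missing include (e.g. an
# absent .local file) is skipped silently, as firejail does.
fj_resolve() {
    _udir=$1; _sdir=$2; _name=$3; _file=''
    case $_name in
        /*) _file=$_name ;;
        *)  for _cand in "$_udir/$_name" "$_udir/$_name.profile" \
                         "$_sdir/$_name" "$_sdir/$_name.profile"; do
                if [ -f "$_cand" ]; then _file=$_cand; break; fi
            done ;;
    esac
    [ -n "$_file" ] && [ -f "$_file" ] || return 0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            ''|'#'*)    continue ;;
            include\ *) fj_resolve "$_udir" "$_sdir" "${_line#include }" ;;
            *)          printf '%s\n' "$_line" ;;
        esac
    done < "$_file"
}

# private-bin lists accumulate over all profiles read; print them merged.
fj_private_bin() {
    fj_resolve "$@" | sed -n 's/^private-bin //p' | tr ',' '\n' | sort -u
}

# fj_bin_allowed USER_DIR SYS_DIR NAME PROGRAM: succeeds if PROGRAM will be
# in the sandbox's /bin. No private-bin line at all keeps the host /bin.
fj_bin_allowed() {
    _bins=$(fj_private_bin "$1" "$2" "$3")
    [ -z "$_bins" ] && return 0
    printf '%s\n' "$_bins" | grep -qxF "$4"
}

# fj_path_visible USER_DIR SYS_DIR NAME PATH: succeeds if PATH equals or
# lies below a whitelist entry (${HOME} expanded). No whitelist lines at
# all leaves $HOME visible, so that case succeeds too.
fj_path_visible() {
    _wl=$(fj_resolve "$1" "$2" "$3" | sed -n 's/^whitelist //p')
    [ -z "$_wl" ] && return 0
    _h='${HOME}'
    printf '%s\n' "$_wl" | {
        while IFS= read -r _w; do
            case $_w in "$_h"*) _w="$HOME${_w#"$_h"}" ;; esac
            case $4 in "$_w"|"$_w"/*) exit 0 ;; esac
        done
        exit 1
    }
}

# fj_fixture DIR: constructed stand-ins under DIR/sys (for /etc/firejail)
# plus an empty DIR/user (for ~/.config/firejail). Only the directives
# that matter for the checks above are imitated.
fj_fixture() {
    mkdir -p "$1/sys" "$1/user"
    cat > "$1/sys/torbrowser-launcher.profile" <<'EOF'
# constructed stand-in for the real (whitelisting) profile
noblacklist ${HOME}/.local/share/torbrowser
whitelist ${HOME}/.local/share/torbrowser
private-bin bash,sh,env
EOF
    cat > "$1/sys/tb-starter-wrapper.profile" <<'EOF'
# Firejail profile for tb-starter-wrapper, as proposed in the thread
quiet
include tb-starter-wrapper.local
noblacklist ${HOME}/.tb
mkdir ${HOME}/.tb
whitelist ${HOME}/.tb
private-bin tb-starter-wrapper
# Redirect
include torbrowser-launcher.profile
EOF
}

# Stand-alone run: reproduce both situations from the thread.
_d=$(mktemp -d)
fj_fixture "$_d"
_tb="$HOME/.tb/tor-browser/Browser/start-tor-browser"
echo "merged private-bin for tb-starter-wrapper:"
fj_private_bin "$_d/user" "$_d/sys" tb-starter-wrapper
fj_bin_allowed "$_d/user" "$_d/sys" tb-starter-wrapper tb-starter-wrapper \
    && echo "tb-starter-wrapper is in the private /bin"
fj_path_visible "$_d/user" "$_d/sys" torbrowser-launcher "$_tb" \
    || echo "torbrowser-launcher alone hides $_tb (the 'no suitable executable' case)"
fj_path_visible "$_d/user" "$_d/sys" tb-starter-wrapper "$_tb" \
    && echo "tb-starter-wrapper.profile makes it visible"
rm -rf "$_d"
```

Point the two directory arguments at $HOME/.config/firejail and /etc/firejail to run the same checks against an installed profile set; dropping a `private-bin cat` line into the user directory's tb-starter-wrapper.local shows the accumulation the thread's .local mechanism relies on.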

possibilities

1. firejail profile for torbrowser + firecfg
   Contra:
   • Lesser security, as you write above:
     "should not inherit these extra permissions (whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl)."
   • issues with firejail if users/distros provide their own scripts with this name

Actually, there might also be a middle ground which we can call 3.

1. tb-starter package can add yet another wrapper script. Our "complex" wrapper /usr/bin/torbrowser can stay as is, unconfined, doing whatever is required, but ultimately it could hand over control to /usr/lib/tb-starter/wrapper, which would be a simple shell script:
#!/bin/sh
# hand the process over to the program given on the command line
exec "$@"

Still have to think if there is any security issue with that.

/usr/bin/torbrowser would call /usr/lib/tb-starter/tb-starter-wrapper and the latter would be much easier to confine. It would not need these extra permissions (whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl).

Would 3. solve all the contras of 2.?

You mean that /usr/bin/torbrowser calls firejail /usr/lib/tb-starter/tb-starter-wrapper?
Where tb-starter-wrapper.profile

# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION
quiet
# This file is overwritten after every install/update
# Persistent local customizations
include tb-starter-wrapper.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.tb

mkdir ${HOME}/.tb
whitelist ${HOME}/.tb

# Redirect
include torbrowser-launcher.profile

That should work.

You mean that /usr/bin/torbrowser calls firejail /usr/lib/tb-starter/tb-starter-wrapper?

Not sure

Maybe just call /usr/lib/tb-starter/tb-starter-wrapper without firejail.

In this case, could firecfg take responsibility for prepending firejail, as it does for other applications too?

Calling tb-starter-wrapper (no absolute path), with tb-starter-wrapper placed in /usr/bin (or /usr/bin/tb-starter-wrapper symlinked to /usr/lib/tb-starter-wrapper), would work with firecfg.

Or adding /usr/lib/tb-starter/ to $PATH. :smile: (not really suggesting that)

/usr/bin/tb-starter-wrapper could also be in /usr/bin indeed.

/usr/bin/tb-starter-wrapper:

#!/bin/sh
# hand the process over to the program given on the command line
exec "$@"

Then we could make firecfg work.

How do you want it to be?
/usr/bin/tb-starter-wrapper + tb-starter-wrapper.profile
or
firejail --profile=start-tor-browser.desktop --x11=xorg --quiet TOR-BROWSER + noblacklist ${HOME}/.tb, whitelist ${HOME}/.tb/tor-browser in start-tor-browser.desktop.profile + blacklist ${HOME}/.tb in disable-programs.inc

rusty-snake:

How do you want it to be?
/usr/bin/tb-starter-wrapper + tb-starter-wrapper.profile

This looks better long term.

tb-starter-wrapper.profile:

# Firejail profile for tb-starter-wrapper
# Description: wrapper-script used by whonix to start the tor browser
quiet
# This file is overwritten after every install/update
# Persistent local customizations
include tb-starter-wrapper.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.tb

mkdir ${HOME}/.tb
whitelist ${HOME}/.tb

x11 xorg

# Redirect
include torbrowser-launcher.profile

+ adaptations in firecfg.config & disable-programs.inc

tb-starter-wrapper.profile looks good. Will test soon.

Should we ship that profile? Probably won't matter either way unless there is some syntax change which we'd miss. But I guess we have to re-check this at every Debian release (buster -> bullseye) upgrade anyhow.

  • adaptations in firecfg.config & disable-programs.inc

Wouldn't know.

Should we ship that profile?

I would add it into firejail.

adaptations in firecfg.config & disable-programs.inc

Wouldn't know.

Only adding tb-starter-wrapper to firecfg.config so firecfg creates symlinks
and adding blacklist ${HOME}/.tb to disable-programs.inc so other firejailed programs can't access ${HOME}/.tb

Sounds great! Please proceed.

@adrelanos 50fc318db4d4c0109573d7e1f82cd577ad654928

Looks perfect, thanks so much!

Trying to emulate your change.

(Cannot find src/firecfg/firecfg.config on Debian buster with similar contents.)

user@host:~$ sudo ln -s /usr/bin/firejail /usr/local/bin/tb-starter-wrapper

user@host:~$ ls -la /usr/local/bin/tb-starter-wrapper 
lrwxrwxrwx 1 root root 17 Aug 14 02:00 /usr/local/bin/tb-starter-wrapper -> /usr/bin/firejail

user@host:~$ ls -la /usr/bin/tb-starter-wrapper 
-rwxrwxr-x 1 root root 14 Aug 14 01:49 /usr/bin/tb-starter-wrapper

Did I emulate the symlink correctly?

tb-starter-wrapper  /home/user/.tb/tor-browser/Browser/start-tor-browser --allow-remote  /usr/share/homepage/whonix-welcome-page/whonix.html
Error: no suitable /usr/bin/tb-starter-wrapper executable found

Do you know why it does not work?

Uhh I forgot to update private-bin.

diff --git a/etc/tb-starter-wrapper.profile b/etc/tb-starter-wrapper.profile
index 7cf85b38..ffe9605b 100644
--- a/etc/tb-starter-wrapper.profile
+++ b/etc/tb-starter-wrapper.profile
@@ -13,5 +13,7 @@ noblacklist ${HOME}/.tb
 mkdir ${HOME}/.tb
 whitelist ${HOME}/.tb

+private-bin tb-starter-wrapper
+
 # Redirect
 include torbrowser-launcher.profile
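Review bot: the added `+private-bin tb-starter-wrapper` line lists only the wrapper, yet the wrapper is a /bin/sh script that hands over to whatever it is given, so `sh` must also end up in the private /bin; that only holds because private-bin lines accumulate with the ones in the included torbrowser-launcher.profile, and nothing in the hunk records that dependency. Put a one-line comment above it, e.g. `# sh and the rest of the private /bin come from torbrowser-launcher.profile`, and confirm from inside the sandbox (a shell started under this profile, not with --ignore=private-bin, which would disable the very setting being tested) that /bin contains both `sh` and `tb-starter-wrapper`.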

Cannot find src/firecfg/firecfg.config on Debian buster with similar contents.

This is the path in the git repo; on your system it should be /usr/lib64/firecfg/firecfg.config or similar (don't know for Debian).
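The firecfg layout discussed above (/usr/local/bin/NAME as a symlink to /usr/bin/firejail, with the real /usr/bin/NAME found through PATH) is easy to get subtly wrong, and the question "Did I emulate the symlink correctly?" is worth answering before looking for profile problems. The following is an added example, not code from this thread or from the firejail project: a POSIX sh check that confirms the symlink points at the firejail binary and that a real executable of the same name exists in another PATH directory and is not itself a link to firejail (which would make the wrapper call itself). It builds the whole tree under a temporary directory with a stub firejail script, so the paths and the stub are assumptions and nothing needs root; the wrapper it writes is the two-line `exec "$@"` script from the thread.

```shell
#!/bin/sh
# Verify a firecfg-style symlink the way firejail has to resolve it at run
# time: LINK_DIR/NAME must be a symlink to the firejail binary, and a real
# executable NAME must exist in some other PATH directory.

# Print the target of symlink $1 (readlink is in coreutils and busybox;
# the fallback parses the POSIX "name -> target" form of ls -l).
fj_link_target() {
    readlink "$1" 2>/dev/null || ls -ld "$1" | sed 's/.* -> //'
}

# fj_symlink_check NAME LINK_DIR FIREJAIL_BIN PATH_LIST
# Succeeds and prints the real program's path; fails with a reason on
# stderr when the link is wrong or no real program can be found.
fj_symlink_check() {
    _name=$1; _ldir=$2; _fj=$3; _link="$2/$1"
    if [ ! -L "$_link" ]; then
        echo "$_link is not a symlink" >&2; return 1
    fi
    if [ "$(fj_link_target "$_link")" != "$_fj" ]; then
        echo "$_link does not point at $_fj" >&2; return 1
    fi
    _rest=$4
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        case $_rest in *:*) _rest=${_rest#*:} ;; *) _rest='' ;; esac
        [ "$_dir" = "$_ldir" ] && continue      # skip the symlink dir itself
        _cand="$_dir/$_name"
        [ -x "$_cand" ] || continue
        if [ -L "$_cand" ] && [ "$(fj_link_target "$_cand")" = "$_fj" ]; then
            echo "$_cand is another link to firejail, skipping" >&2; continue
        fi
        printf '%s\n' "$_cand"; return 0
    done
    echo "no real $_name in PATH outside $_ldir" >&2; return 1
}

# fj_symlink_fixture DIR: constructed tree imitating what the thread did,
# with a stub firejail (assumption: it only echoes) and, for the failure
# case, a symlink for a name that has no real program behind it.
fj_symlink_fixture() {
    mkdir -p "$1/usr/bin" "$1/usr/local/bin"
    printf '#!/bin/sh\necho "stub firejail, would sandbox: $*"\n' > "$1/usr/bin/firejail"
    printf '#!/bin/sh\nexec "$@"\n' > "$1/usr/bin/tb-starter-wrapper"
    chmod 755 "$1/usr/bin/firejail" "$1/usr/bin/tb-starter-wrapper"
    ln -s "$1/usr/bin/firejail" "$1/usr/local/bin/tb-starter-wrapper"
    ln -s "$1/usr/bin/firejail" "$1/usr/local/bin/torbrowser"
}

# Stand-alone run: one correct layout, one that would loop back into firejail.
_d=$(mktemp -d)
fj_symlink_fixture "$_d"
_path="$_d/usr/local/bin:$_d/usr/bin"
if _real=$(fj_symlink_check tb-starter-wrapper "$_d/usr/local/bin" "$_d/usr/bin/firejail" "$_path"); then
    echo "layout OK, firejail would run: $_real"
fi
fj_symlink_check torbrowser "$_d/usr/local/bin" "$_d/usr/bin/firejail" "$_path" \
    || echo "torbrowser: broken layout, only the symlink exists"
rm -rf "$_d"
```

Against a real system call it as `fj_symlink_check tb-starter-wrapper /usr/local/bin /usr/bin/firejail "$PATH"`; a clean result there means the remaining "no suitable executable" errors come from the profile, as they did in the thread.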
