Personal Sandboxed Tor Browser development repo. https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/

Latest commit: Yawning Angel 4feaed1881 Bug 24171: Create the `Caches` directory properly. (1 week ago)

| Path | Last commit | Message | Age |
| --- | --- | --- | --- |
| data | 980ba5a624 | Bump the version to 0.0.16-dev. | 2 weeks ago |
| src | 4feaed1881 | Bug 24171: Create the `Caches` directory properly. | 1 week ago |
| vendor | 710c78e325 | Use Config.Clone() to clone TLS configs when available. | 7 months ago |
| .gitignore | c3a280dc12 | Bug 21093: Go back to using gosecco for seccomp rule compilation. | 10 months ago |
| CODE_OF_CONDUCT.md | 02f611d519 | Add one of these, before I get one I don't like forced on me. | 5 months ago |
| ChangeLog | 4feaed1881 | Bug 24171: Create the `Caches` directory properly. | 1 week ago |
| LICENSE | 0b52de2ab4 | Relicense to something "Libre". | 1 year ago |
| Makefile | c3a280dc12 | Bug 21093: Go back to using gosecco for seccomp rule compilation. | 10 months ago |
| README.md | 701c0656be | Bug 22910: Deprecate the volatile extension dir option. | 4 months ago |

README.md

sandboxed-tor-browser

Yawning Angel (yawning at schwanenlied dot me)

WARNING: Active development is on indefinite hiatus.

I would build a great sandbox. And nobody builds sandboxes better than me, believe me. I will build a great, great sandbox on our application border. And I will have Tor Browser pay for that sandbox.

Tor Browser sandboxed somewhat correctly using bubblewrap. Obviously it only works on Linux, and will NEVER support anything else, since sandboxing is OS-specific.

There are several unresolved issues that affect security and fingerprinting. Do not assume that this is perfect, merely "an improvement over nothing".

Runtime dependencies:

  • A modern Linux system on x86_64 architecture.
  • bubblewrap >= 0.1.3 (https://github.com/projectatomic/bubblewrap).
  • Gtk+ >= 3.14.0
  • (Optional) PulseAudio
  • (Optional) Adwaita Gtk+-2.0 theme
  • (Optional) libnotify and a Desktop Notification daemon

Build time dependencies:

  • Make
  • A C compiler
  • gb (https://getgb.io/ Yes I know it's behind fucking cloudflare)
  • Go (Tested with 1.7.x)
  • libnotify

Things that the sandbox breaks:

  • Audio (Unless allowed via the config)
  • DRI
  • X11 input methods (IBus requires access to the host D-Bus)
  • Installing addons (Addons are whitelisted)
  • Tor Browser's updater (launcher handles keeping the bundle up to date)

Places where the sandbox could be better:

  • The updater container still mounts /proc.
  • PulseAudio is likely unsafe without a protocol filter like X11.
  • X11 is still X11, and despite mitigations is likely still unsafe.

Upstream Bugs:

Notes:

  • Follows the XDG Base Dir specification.
  • Questions that could be answered by reading the code will be ignored.
  • Unless you're capable of debugging it, don't use it, and don't contact me about it.
  • By default, the sandbox's ~/Desktop and ~/Downloads directories are mapped to the host's ~/.local/share/sandboxed-tor-browser/tor-browser/Browser/[Desktop,Downloads] directories.
  • https://git.schwanenlied.me/yawning/sandboxed-tor-browser/wiki has something resembling build instructions, that may or may not be up to date.
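As an added illustration of the two notes above (XDG Base Dir lookup and the default Desktop/Downloads mapping), the following Go example resolves the XDG data, config and cache directories the way the specification requires and then builds the bubblewrap `--bind` arguments that would expose the host-side `Browser/Desktop` and `Browser/Downloads` directories inside the sandbox. It is example code written for this page, not code from the sandboxed-tor-browser repository; the function names, the `Paths` type and the in-sandbox home directory (`/home/user`) are assumptions. The one non-obvious point it demonstrates is the spec's rule that a relative value in an `XDG_*` variable is invalid and must be ignored, which matters here because a launcher that naively joined such a value could end up binding a directory it did not intend to.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// xdgDir resolves one XDG Base Directory variable. Per the spec, an unset or
// empty variable falls back to the default under $HOME, and a relative path is
// invalid and must be ignored (treated as unset) rather than joined onto
// anything.
func xdgDir(envVar, home, fallback string) string {
	if v := os.Getenv(envVar); v != "" && filepath.IsAbs(v) {
		return filepath.Clean(v)
	}
	return filepath.Join(home, fallback)
}

// Paths holds the host-side directories a launcher would use. The type and
// field layout are assumptions for this example, not the project's own.
type Paths struct {
	DataHome   string // $XDG_DATA_HOME or ~/.local/share
	ConfigHome string // $XDG_CONFIG_HOME or ~/.config
	CacheHome  string // $XDG_CACHE_HOME or ~/.cache
	BundleDir  string // where the Tor Browser bundle is kept under DataHome
}

// resolvePaths applies the XDG rules for the given host home directory.
func resolvePaths(home string) Paths {
	data := xdgDir("XDG_DATA_HOME", home, ".local/share")
	return Paths{
		DataHome:   data,
		ConfigHome: xdgDir("XDG_CONFIG_HOME", home, ".config"),
		CacheHome:  xdgDir("XDG_CACHE_HOME", home, ".cache"),
		// Matches the README's default: ~/.local/share/sandboxed-tor-browser/tor-browser
		BundleDir: filepath.Join(data, "sandboxed-tor-browser", "tor-browser"),
	}
}

// bindArgs builds the bubblewrap "--bind SRC DEST" argument triples that map
// the host's Browser/Desktop and Browser/Downloads onto the sandbox's
// ~/Desktop and ~/Downloads. sandboxHome is the home directory as seen from
// inside the sandbox (an assumed value for this example). Only these two
// directories are exposed; nothing else under the host home is bound.
func bindArgs(p Paths, sandboxHome string) []string {
	var args []string
	for _, d := range []string{"Desktop", "Downloads"} {
		host := filepath.Join(p.BundleDir, "Browser", d)
		args = append(args, "--bind", host, filepath.Join(sandboxHome, d))
	}
	return args
}

func main() {
	p := resolvePaths(os.Getenv("HOME"))
	fmt.Println("data home:  ", p.DataHome)
	fmt.Println("bundle dir: ", p.BundleDir)
	// Print the argument list a launcher would hand to bwrap (not executed here).
	fmt.Println("bwrap", bindArgs(p, "/home/user"))
}
```

Running it with `XDG_DATA_HOME=relative/dir` shows the fallback to `~/.local/share` kicking in, while an absolute value is honoured as-is; the printed argument list is what you would expect to see in a `bwrap` invocation that maps only those two directories.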