Personal Sandboxed Tor Browser development repo. https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/

Yawning Angel 04868bf86d Bug 22814: Revert the upstream fix by default. 5 days ago
data 04868bf86d Bug 22814: Revert the upstream fix by default. 5 days ago
src 433e3172da Update the stub's comment blurb. (No functional changes) 3 weeks ago
vendor 710c78e325 Use Config.Clone() to clone TLS configs when available. 5 months ago
.gitignore c3a280dc12 Bug 21093: Go back to using gosecco for seccomp rule compilation. 9 months ago
CODE_OF_CONDUCT.md 02f611d519 Add one of these, before I get one I don't like forced on me. 3 months ago
ChangeLog 04868bf86d Bug 22814: Revert the upstream fix by default. 5 days ago
LICENSE 0b52de2ab4 Relicense to something "Libre". 1 year ago
Makefile c3a280dc12 Bug 21093: Go back to using gosecco for seccomp rule compilation. 9 months ago
README.md 701c0656be Bug 22910: Deprecate the volatile extension dir option. 2 months ago

README.md

sandboxed-tor-browser

Yawning Angel (yawning at schwanenlied dot me)

WARNING: Active development is on indefinite hiatus.

I would build a great sandbox. And nobody builds sandboxes better than me, believe me. I will build a great, great sandbox on our application border. And I will have Tor Browser pay for that sandbox.

Tor Browser sandboxed somewhat correctly using bubblewrap. Obviously only works on Linux, and will NEVER support anything else since sandboxing is OS specific.

There are several unresolved issues that affect security and fingerprinting. Do not assume that this is perfect, merely "an improvement over nothing".

Runtime dependencies:

  • A modern Linux system on x86_64 architecture.
  • bubblewrap >= 0.1.3 (https://github.com/projectatomic/bubblewrap).
  • Gtk+ >= 3.14.0
  • (Optional) PulseAudio
  • (Optional) Adwaita Gtk+-2.0 theme
  • (Optional) libnotify and a Desktop Notification daemon

Build time dependencies:

  • Make
  • A C compiler
  • gb (https://getgb.io/ Yes I know it's behind fucking cloudflare)
  • Go (Tested with 1.7.x)
  • libnotify

Things that the sandbox breaks:

  • Audio (Unless allowed via the config)
  • DRI
  • X11 input methods (IBus requires access to the host D-Bus)
  • Installing addons (Addons are whitelisted)
  • Tor Browser's updater (launcher handles keeping the bundle up to date)

Places where the sandbox could be better:

  • The updater container still mounts /proc.
  • PulseAudio is likely unsafe without a protocol filter like X11.
  • X11 is still X11, and despite mitigations is likely still unsafe.

Upstream Bugs:

Notes:

  • Follows the XDG Base Dir specification.
  • Questions that could be answered by reading the code will be ignored.
  • Unless you're capable of debugging it, don't use it, and don't contact me about it.
  • By default the sandbox ~/Desktop and ~/Downloads directories are mapped to the host ~/.local/share/sandboxed-tor-browser/tor-browser/Browser/[Desktop,Downloads] directories.
  • https://git.schwanenlied.me/yawning/sandboxed-tor-browser/wiki has something resembling build instructions, that may or may not be up to date.