File: README

torbrowser-launcher 0.3.9-1
torbrowser-launcher launcher scripts
====================================

These scripts show how to run torbrowser-launcher (and thus torbrowser),
confined with AppArmor, in Xephyr (a virtual Xserver running on another
Xserver) as another user. This, using AppArmor and Xephyr, shall have two
effects:

- the browser process (and its subprocesses) can - thanks to AppArmor
  confinement - only access a tiny part of the filesystem

- the real Xserver is not exposed to the browser application, so hopefully
  that application cannot exploit bugs to grab keyboard input from other
  applications.

They assume the following packages are installed:

- torbrowser-launcher
- apparmor
- xserver-xephyr, awesome
- sudo, slay, psmisc

AppArmor should be enabled, but doesn't have to be. I followed the HowTo from
https://wiki.debian.org/AppArmor, which can be summed up as just adding one
parameter to the kernel to enable it, followed by a reboot.

Using AppArmor has the advantage that the browser process cannot access most
of the filesystem, e.g. saving downloads only works in
~/.torbrowser/tbb/x86_64/tor-browser_en-US/Desktop/

On wheezy, I'm using backports for torbrowser-launcher and apparmor.

The scripts assume they have been copied to /usr/local/bin/ and that there is
a user called "foo" (for running the actual torbrowser(-launcher) process),
and that the current user has sudo rights for the following commands:

- sudo -i -u foo /usr/local/bin/tbb-l-wrapper
- sudo slay foo

There are two scripts, tbb-in-xephyr and tbb-l-wrapper. Only tbb-in-xephyr is
to be called directly and will result in torbrowser running in Xephyr.
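
The assumptions above can be checked before the first run. The following
preflight check is an added example, not one of the two scripts described in
this README; the command names it looks for (Xephyr, killall and so on) are
assumed to be the ones the listed packages install, and the defaults mirror
the user "foo" and the /usr/local/bin/ location named above.

```shell
#!/bin/sh
# Added preflight sketch for the setup this README assumes; it is not
# tbb-in-xephyr or tbb-l-wrapper. Defaults mirror the README.
TBB_USER="${TBB_USER:-foo}"
WRAPPER="${WRAPPER:-/usr/local/bin/tbb-l-wrapper}"
AA_FLAG="${AA_FLAG:-/sys/module/apparmor/parameters/enabled}"
# Assumed command names for the listed packages (psmisc -> killall).
TOOLS="torbrowser-launcher Xephyr awesome sudo slay killall"

# Print every command from the argument list that is not on PATH.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Succeed only if the kernel flag file reports AppArmor as enabled ("Y").
apparmor_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Ask sudo, without prompting, whether the current user may run the command
# as TARGET_USER; a password prompt counts as "no".
# Usage: sudo_allows TARGET_USER COMMAND [ARGS...]
sudo_allows() {
    target="$1"; shift
    sudo -n -l -u "$target" "$@" >/dev/null 2>&1
}

preflight() {
    rc=0
    PATH="$PATH:/usr/sbin:/sbin"   # slay may live outside a user's PATH
    for t in $(missing_tools $TOOLS); do
        echo "missing command: $t"; rc=1
    done
    # The README treats AppArmor as optional, so this is a note, not a failure.
    apparmor_enabled "$AA_FLAG" || echo "note: AppArmor is not enabled, no filesystem confinement"
    id -u "$TBB_USER" >/dev/null 2>&1 || { echo "no such user: $TBB_USER"; rc=1; }
    [ -x "$WRAPPER" ] || { echo "not executable: $WRAPPER"; rc=1; }
    sudo_allows "$TBB_USER" "$WRAPPER" || { echo "sudo not permitted: -u $TBB_USER $WRAPPER"; rc=1; }
    sudo_allows root slay "$TBB_USER" || { echo "sudo not permitted: slay $TBB_USER"; rc=1; }
    return "$rc"
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with --run as the user who will call tbb-in-xephyr; every line it
prints, apart from the AppArmor note, is an assumption that does not hold yet.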

Known problems:
---------------

- dbus is not started, so some input methods won't work. (Personally I don't
  want/need dbus though, so I'm awaiting a solution to
  https://trac.torproject.org/projects/tor/ticket/10014)
- not everybody likes awesome as the window manager being used ;)

Ideas, questions and ToDo:
--------------------------

- maybe all of this functionality could be integrated into
  torbrowser-launcher itself, just writing this in shell was so easy.
- or for the time being, merge these two scripts into one, called tbbll, doing
  both, depending on how it's called. Also make them run from everywhere.
- run this in an unprivileged LXC container, which is also apparmor confined.
- use Xpra additionally to or instead of Xephyr? (or not at all?)
- (when) does this double confinement make sense?
- use a more sensibly named default user (instead of foo).
- there should really be an option, so torbrowser-launcher doesn't detach
  itself, so that this "while;ps fax|grep" hack can go away.
- ship a usable sudoers.d example too.
- support for more users / instances.

Feedback welcome, especially accompanied by patches!

Last words:
-----------

If you desire more separation, use Tails (from https://tails.boum.org/) on a
computer without a harddrive.


-- Holger Levsen, holger@debian.org, last updated: 2014-08-10