[GH-ISSUE #160] Tor profile #109

Closed
opened 2026-05-05 05:03:36 -06:00 by gitea-mirror · 19 comments

Originally created by @rogshdo on GitHub (Nov 26, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/160

Has anyone used firejail to jail Tor? If so, I would be curious to see what your profile looks like! I have seen some discussion of using firejail to run the Tor browser, but I want to run the actual Tor daemon in a jail so that I can proxy other applications through it.

@ghost commented on GitHub (Nov 27, 2015):

I'll write a profile for Tor today.
I already have one for Tor Browser that I'll just drop here:

```
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
#tmpfs /etc/
private-etc fonts
private-dev
whitelist ~/.torbrowser/
caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
noroot
```

I keep my Tor Browser in ~/.torbrowser/, so I whitelist that.
I keep /etc/fonts/. I don't know if it's relevant to anonymity. If you don't enable JS, which you shouldn't anyway, it should not matter.

Btw, I have not found a way to start Tor Browser directly as an argument to firejail. And that's because the script makes it --detach, so it returns immediately and firejail ends, killing Tor Browser.

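An added example, not code from this thread or from the firejail project: a small Python lint that parses a profile in the format posted above and reports which of the hardening directives that profile relies on (`caps.drop all`, `seccomp`, `noroot`, `private-dev`, `netfilter`, `protocol`) are missing from another profile. The checklist itself is an assumption of this example, and the sample profile is the one posted above, embedded inline.

```python
"""Lint a firejail profile for the hardening directives discussed in this thread."""

# Constructed sample: the Tor Browser profile posted above, embedded verbatim.
TOR_BROWSER_PROFILE = """\
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
#tmpfs /etc/
private-etc fonts
private-dev
whitelist ~/.torbrowser/
caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
noroot
"""

# Directives the posted profile relies on and the argument each must carry (None = any).
# This checklist is an assumption of this example, not a firejail requirement.
EXPECTED = {
    "caps.drop": "all",
    "seccomp": None,
    "noroot": None,
    "private-dev": None,
    "netfilter": None,
    "protocol": None,
}

def parse_profile(text: str) -> dict[str, list[str]]:
    """Map each directive name to the arguments it was given; blank and '#' lines are skipped."""
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, arg = line.partition(" ")
        directives.setdefault(name, []).append(arg.strip())
    return directives

def missing_hardening(text: str) -> list[str]:
    """Return the EXPECTED directives that are absent or present with the wrong argument."""
    found = parse_profile(text)
    missing: list[str] = []
    for name, want in EXPECTED.items():
        args = found.get(name)
        if args is None or (want is not None and want not in args):
            missing.append(name)
    return missing
```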
@netblue30 commented on GitHub (Nov 27, 2015):

For Tor I usually start with the regular firefox profile, where I replace "whitelist ~/.mozilla" with the place where I keep Tor. Let's say I have it in ~/tor-browser_en-US; this is how I start it:

```
$ cd ~/tor-browser_en-US
$ firejail --profile=~/tor.profile Browser/start-tor-browser & disown
```

This takes care of --detach.

Support for running other programs using the gateway is in the works. It involves setting a network namespace and bringing in the traffic. This is the open issue: https://github.com/netblue30/firejail/issues/108 - it will be very generic, will work for all kind of other programs.

@rogshdo commented on GitHub (Nov 27, 2015):

Thanks avoidr. Netblue, I'm looking for a profile for Tor, not the Tor Browser.

If I start Tor with firejail, should I also use a Tor chroot like what is described in the Arch wiki or does that not give me anything over what firejail will already do?

https://wiki.archlinux.org/index.php/Tor#Running_Tor_in_a_Chroot

@ghost commented on GitHub (Nov 27, 2015):

I am currently working on making Tor work.

I'd say chrooting Tor in firejail won't give any extra benefit, because firejail is already more powerful and does more. Not to mention that chroot is not really a security feature and it's possible to break out. Sure you can still chroot, but you'd probably benefit more by hardening the kernel, for example.

@ghost commented on GitHub (Nov 28, 2015):

So I created a branch for Tor support, but it's incomplete. If you could look at it, @netblue30.
There's a new profile and I mounted /var/lib/tor/ on a new tmpfs to make it writable, but what's missing is that we want to keep the files and not redownload the Tor network consensus every time. I naively thought that I'd just hardlink, but that's impossible across different devices.

Also, I merged in that branch and I'm not sure if that should be done in branches or not.

@netblue30 commented on GitHub (Nov 29, 2015):

@rogshdo

> If I start Tor with firejail, should I also use a Tor chroot like what is described in the Arch wiki or does that not give me anything over what firejail will already do?

The difference is firejail creates the chroot on the fly and applies namespaces and seccomp on top of it.

@avoidr
Stay on a branch, I'll merge you when you are done. I'll reopen the issue to keep track of it.

Thanks.

@rogshdo commented on GitHub (Dec 12, 2015):

@avoidr were you able to make any progress on this?

@ghost commented on GitHub (Dec 13, 2015):

I was; the difficulty is not the problem. I whitelisted /var/lib/tor/, created a (restrictive) profile and now all that's left to do is copy existing files to the sandbox and then back. But Tor already starts and works correctly. It's just not complete yet.

I'm sorry I took so long, I had and have shit to deal with. I'll try and complete it by the end of tomorrow's week. Thanks for asking.

@rogshdo commented on GitHub (Jan 14, 2016):

Was any progress made on this?

@ghost commented on GitHub (Jan 31, 2016):

I am ashamed to say "no". I'm having a really tough time getting motivation to do anything at all. But I seem to get better and I'll fucking get to it soon, once I get some other old shit done, or something. I want to. Yeah. I'm sorry.

@netblue30 commented on GitHub (Feb 1, 2016):

No problem, the default Firefox profile will do for now.

@rogshdo commented on GitHub (Jul 30, 2016):

Just checking if there is any progress on this. I'd love to run Tor (not the Tor Browser Bundle) with firejail.

@netblue30 commented on GitHub (Jul 30, 2016):

It didn't go anywhere, I guess every tor user has a different view of how the profile should be. This is not necessarily bad.

@ghost commented on GitHub (Sep 13, 2016):

Sorry guys. I was just afk being all miserable and shit. Shame on fucking me.

@acrobat1 commented on GitHub (Dec 21, 2016):

Is the method outlined in [comment 160160384](https://github.com/netblue30/firejail/issues/160#issuecomment-160160384) still the way to go, i.e. starting from the default firefox profile and just replacing `whitelist ~/.mozilla` with the path to the actual Tor browser directory?

Don't we need some other tweaks too?

@netblue30 commented on GitHub (Dec 21, 2016):

Nothing changed in a long time in that area, so try it out. There is also a profile for tor browser here on git on the development version, maybe it will get some fixes before release, I didn't try it yet: https://github.com/netblue30/firejail/blob/master/etc/start-tor-browser.profile

@chiraag-nataraj commented on GitHub (Mar 25, 2017):

For what it's worth, there are a couple of Tor Browser profiles in my repo: https://github.com/chiraag-nataraj/firejail-profiles. As for Tor itself, since I just started using it full-time, I'll look into it!

@acrobat1 commented on GitHub (Mar 28, 2017):

Thanks, I'll have a look. In the meantime I've put something together based on the firefox profile with more restrictive options and it (apparently) works, but yours looks way more refined.

@chiraag-nataraj commented on GitHub (Mar 28, 2017):

Alright, I've uploaded an experimental `tor` profile to the same repository. Give it a whirl and open an issue in that repo if you're having issues!
