[GH-ISSUE #2863] Tor Browser profile for Whonix / tb-updater #1786

Closed
opened 2026-05-05 08:27:22 -06:00 by gitea-mirror · 25 comments
Owner

Originally created by @adrelanos on GitHub (Jul 18, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2863

TLDR:

Could you please provide a firejail profile for use with Tor Browser when using path `/home/user/.tb/tor-browser` as installation folder?

This would then work for all users of tb-updater (Debian, Qubes and Whonix users).

----

Long:

Whonix maintainer here.

In Whonix we are using a slightly different folder.

```
/home/user/.tb/tor-browser/
```

Full path to `start-tor-browser.desktop`

```
/home/user/.tb/tor-browser/start-tor-browser.desktop
```

Working:

```
firejail --private=/home/user/.tb/tor-browser ./start-tor-browser.desktop
```

Not working:

```
firejail --private=/home/user/.tb/tor-browser /home/user/.tb/tor-browser/start-tor-browser.desktop
```

> Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

Can we avoid using `--private`?

Could we somehow use the full path to `/home/user/.tb/tor-browser/start-tor-browser.desktop`? I would hope that using firejail can become a simple prepend firejail vs not prepend firejail. At the moment our startup wrapper /usr/bin/torbrowser (does various unrelated things) does in essence:

```
cd ~/.tb/tor-browser
/home/user/.tb/tor-browser/start-tor-browser.desktop
```

Which is working.

```
firejail --profile=/etc/firejail/torbrowser-launcher.profile /home/user/.tb/tor-browser/start-tor-browser.desktop
```

> Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

```
ls -la /home/user/.tb/tor-browser/start-tor-browser.desktop
```

> -rwx------ 1 user user 1726 Jul 18 16:45 /home/user/.tb/tor-browser/start-tor-browser.desktop

Also previously running `cd ~/.tb/tor-browser` does not help.

Also same error:

```
firejail --profile=/etc/firejail/tor-browser-en-us.profile /home/user/.tb/tor-browser/start-tor-browser.desktop
```

`start-tor-browser.desktop` is special indeed.

```
cat start-tor-browser.desktop
```

> #!/usr/bin/env ./Browser/execdesktop

....

Might that be confusing firejail?

What does also work: (based on https://github.com/netblue30/firejail/issues/2429#issuecomment-465545751 thanks to @rusty-snake)

```
firejail --whitelist=$HOME/.tb/tor-browser --profile=/etc/firejail/start-tor-browser.profile $HOME/.tb/tor-browser/Browser/start-tor-browser --detach
```

What also works:

```
firejail --profile=/etc/firejail/start-tor-browser.profile $HOME/.tb/tor-browser/Browser/start-tor-browser
```

Why were we able to drop `--whitelist=$HOME/.tb/tor-browser`?

Is profile `/etc/firejail/start-tor-browser.profile` only covering /home/user/.tb/tor-browser/Browser/start-tor-browser or all subsequent execution (i.e. the forked Firefox)?


@rusty-snake commented on GitHub (Jul 18, 2019):

@adrelanos ~How is TB started in whonix?~

outdated

What about the following (to test it) (You need firejail 0.9.58 or higher):
`$HOME/.config/firejail/start-tor-browser.desktop.local`:

```
noblacklist ${HOME}/.tb/tor-browser

mkdir ${HOME}/.tb/tor-browser
whitelist ${HOME}/.tb/tor-browser
```

Run:
`firejail /home/user/.tb/tor-browser/start-tor-browser.desktop`
If you see `Reading profile /etc/firejail/start-tor-browser.desktop.profile` then the right profile is loaded.

FYI: I use my own TBB profile https://github.com/rusty-snake/firejailed-tor-browser/blob/master/tor-browser.profile.

PS: I'm not sure if your questions are rhetorical, if you want/need an answer to all the questions, say so.


@rusty-snake commented on GitHub (Jul 18, 2019):

I played a little bit in whonix:

```
firejail --whitelist=${HOME}/.tb --private-bin=torbrowser,whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl --private-etc=passwd --profile=torbrowser-launcher torbrowser
```

```
firejail --whitelist=${HOME}/.tb/tor-browser --profile=torbrowser-launcher ${HOME}/.tb/tor-browser/Browser/start-tor-browser
```

@adrelanos commented on GitHub (Jul 19, 2019):

Thank you very much for your reply!

> PS: I'm not sure if your questions are rhetorical, if you want/need an answer to all the questions, say so.

Not rhetorical. It's a balance of my eagerness to know vs your valuable time, hence split into TLDR and long part.

Priority for me is having a profile shipped by default in firejail (so it makes its way into firejail-profiles Debian packages in next Debian release)

> firejail --whitelist=${HOME}/.tb --private-bin=torbrowser,whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl --private-etc=passwd --profile=torbrowser-launcher **torbrowser**

I am not requesting a profile for [`/usr/bin/torbrowser`](https://github.com/Whonix/tb-starter/blob/master/usr/bin/torbrowser), which is a wrapper shipped by the tb-starter package developed by Whonix (not The Tor Project). The most important thing here it does is starting Tor Browser. The rest shouldn't be security sensitive. Another reason why I did not request it is to avoid the added work required for it. (My request is supposed to be "small" while an `/usr/bin/torbrowser` profile is "bigger".)

Tor Browser (the real `${HOME}/.tb/tor-browser/Browser/start-tor-browser` / the forked firefox) should not inherit these extra permissions (`whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl`).

My idea was to keep things simple, compartmentalized. `/usr/bin/torbrowser` should stay out of the way as much as possible. (That's always been tb-starter package goal independent of this.)

> What about the following (to test it):
> `$HOME/.config/firejail/start-tor-browser.desktop.local`:
>
> ```
> noblacklist ${HOME}/.tb/tor-browser
>
> mkdir ${HOME}/.tb/tor-browser
> whitelist ${HOME}/.tb/tor-browser
> ```
>
> Run:
> `firejail /home/user/.tb/tor-browser/start-tor-browser.desktop`
> If you see `Reading profile /etc/firejail/start-tor-browser.desktop.profile` the right profile is loaded. (You need firejail 0.9.58 or higher)

That would be my preferred solution. (Ultimately translated to an /etc/firejail profile.)

Unfortunately still gives `Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found` error.

```
ls -la /home/user/.tb/tor-browser/start-tor-browser.desktop
-rwx------ 1 user user 1682 Jan  1  2000 /home/user/.tb/tor-browser/start-tor-browser.desktop
```

```
user@host:~$ cat $HOME/.config/firejail/start-tor-browser.desktop.local
noblacklist ${HOME}/.tb/tor-browser
mkdir ${HOME}/.tb/tor-browser
whitelist ${HOME}/.tb/tor-browser
user@host:~$
user@host:~$ firejail /home/user/.tb/tor-browser/start-tor-browser.desktop
Reading profile /etc/firejail/start-tor-browser.desktop.profile
Reading profile /etc/firejail/torbrowser-launcher.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2381, child pid 2382
Warning: skipping pki for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping asound.conf for private /etc
Private /etc installed in 13.99 ms
48 programs installed in 65.30 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 120.41 ms
Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

Parent is shutting down, bye...
user@host:~$
```

Debian buster based.

```
dpkg -l | grep firejail
ii  firejail                                       0.9.58.2-2                   amd64        sandbox to restrict the application environment
ii  firejail-profiles                              0.9.58.2-2                   all          profiles for the firejail application sandbox
```

A manual `cd ~/.tb/tor-browser` beforehand also does not help.


@adrelanos commented on GitHub (Jul 19, 2019):

working:

```
firejail /home/user/.tb/tor-browser/Browser/start-tor-browser
```

not working:

```
firejail /home/user/.tb/tor-browser/start-tor-browser.desktop
```

However /home/user/.tb/tor-browser/start-tor-browser.desktop is preferred since that is the canonical way to start Tor Browser expected by upstream, The Tor Project. What /home/user/.tb/tor-browser/Browser/start-tor-browser or contents of /home/user/.tb/tor-browser/start-tor-browser.desktop might change but /home/user/.tb/tor-browser/start-tor-browser.desktop has a higher likelihood of staying the canonical starter.


@rusty-snake commented on GitHub (Jul 19, 2019):

@adrelanos working with firejail 0.9.60 and newer:

```
firejail --whitelist=${HOME}/.tb/tor-browser --private-cwd=${HOME}/.tb/tor-browser ${HOME}/.tb/tor-browser/start-tor-browser.desktop
```

If I see right, `torbrowser` (in whonix) calls `start-tor-browser.desktop` at some point (with a bit more env-vars around, ...). Where should firejail come in? In `torbrowser` (like `firejail $SOMETHING/start-tor-browser.desktop`)? Or as symlink (`firecfg`)?


@adrelanos commented on GitHub (Jul 19, 2019):

> If I see right, `torbrowser` (in whonix) calls `start-tor-browser.desktop` at some point (with a bit more env-vars around, ...).

[1] Yes kinda but currently actually `/home/user/.tb/tor-browser/Browser/start-tor-browser` which is a bug, since not the canonical way to start Tor Browser.

> Where should firejail come in? In `torbrowser` (like `firejail $SOMETHING/start-tor-browser.desktop`)? Or as symlink (`firecfg`)?

That is a good question.

Our wrapper `/usr/bin/torbrowser` shouldn't cause work for other upstreams such as firejail. At least that was my original idea. Usually upstream are like "not our issue" understandably. Appreciate the thought.

So from my compartmentalization perspective could we see this as a bug or feature request:

"firejail should be able to execute `.desktop` files such as `start-tor-browser.desktop`"?

`/usr/bin/torbrowser` supports configuration or environment variable `tb_starter_bin_pre`.

`tb_starter_bin_pre=firejail torbrowser` will currently result in

```
cd /home/user/.tb/tor-browser/
firejail /home/user/.tb/tor-browser/Browser/start-tor-browser
```

Or in future when [1] is fixed (waiting to see how we deal with firejail here) would result in:

```
cd /home/user/.tb/tor-browser/
firejail /home/user/.tb/tor-browser/start-tor-browser.desktop
```

I was also considering to implement a command line parameter `torbrowser --firejail` (or `--hardening`) (and configuration option) doing this for the user.

Neither solution seems very standard conform. Should not be surprising though. The root cause of this is the absence of a deb package of Tor Browser.

* https://trac.torproject.org/projects/tor/ticket/3994
* https://trac.torproject.org/projects/tor/ticket/5236

What do you think is best here? Should this be done in firejail so firecfg creates a wrapper around /usr/bin/torbrowser or should /usr/bin/torbrowser take care of invoking firejail?

Related: I am also considering to combine firejail with apparmor and hardened malloc. Related: https://github.com/netblue30/firejail/issues/2689 Mentioning this here since that consideration might change the best way forward.

@rusty-snake commented on GitHub (Jul 19, 2019):

> So from my compartmentalization perspective could we see this as a bug or feature request:
>
> "firejail should be able to execute .desktop files such as start-tor-browser.desktop"?

```
~/.tor-browser/start-tor-browser.desktop
/usr/bin/env: „./Browser/execdesktop“: No such file or directory
```

Doesn't look like firejail related.

***

> What do you think is best here? Should this be done in firejail so firecfg creates a wrapper around /usr/bin/torbrowser or should /usr/bin/torbrowser take care of invoking firejail?

possibilities

1. firejail profile for `torbrowser` + firecfg
   **Contra:**
   * Lesser security as you write above
     > should not inherit these extra permissions
     > (`whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl`).
   * issues with firejail if users/distros provide own scripts with this name
2. add firejail to `torbrowser`

for now:

```
firejail --whitelist=${HOME}/.tb/tor-browser --profile=torbrowser-launcher ${HOME}/.tb/tor-browser/Browser/start-tor-browser
```

when it has firejail >= 0.9.60

```
firejail --whitelist=${HOME}/.tb/tor-browser --private-cwd=${HOME}/.tb/tor-browser ${HOME}/.tb/tor-browser/start-tor-browser.desktop
```
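
Why the same launcher starts from one directory and fails from another, as in the `env` error quoted in the comment above: the relative interpreter path `./Browser/execdesktop` is resolved against the current working directory. This is an added example, not code from the thread; the temporary tree and the stand-in `execdesktop` script are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a launcher whose interpreter line is
# "#!/usr/bin/env ./Browser/execdesktop" only starts when the current
# directory is the folder that contains Browser/. All paths are constructed.

# Build a throw-away tree shaped like the Tor Browser folder; prints its root.
make_demo_tree() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/tor-browser/Browser" "$demo_root/elsewhere"
    # Stand-in for Browser/execdesktop: reports the file it was asked to run.
    printf '%s\n' '#!/bin/sh' 'echo "execdesktop got: $1"' \
        > "$demo_root/tor-browser/Browser/execdesktop"
    # Launcher carrying the interpreter line quoted in the issue.
    printf '%s\n' '#!/usr/bin/env ./Browser/execdesktop' '[Desktop Entry]' \
        > "$demo_root/tor-browser/start-tor-browser.desktop"
    chmod +x "$demo_root/tor-browser/Browser/execdesktop" \
             "$demo_root/tor-browser/start-tor-browser.desktop"
    printf '%s\n' "$demo_root"
}

# launch_from CWD LAUNCHER: run LAUNCHER (absolute path) with CWD as the
# working directory and return its exit status. When ./Browser/execdesktop
# cannot be found relative to CWD, env reports the error and exits non-zero.
launch_from() {
    ( cd "$1" && exec "$2" )
}

demo() {
    root=$(make_demo_tree) || return 1
    launcher=$root/tor-browser/start-tor-browser.desktop
    echo "cwd = tor-browser/"
    launch_from "$root/tor-browser" "$launcher" && echo "-> started"
    echo "cwd = elsewhere/"
    launch_from "$root/elsewhere" "$launcher" || echo "-> failed with exit $?"
    rm -rf "$root"
}

demo
```

The `--private-cwd=${HOME}/.tb/tor-browser` option in the 0.9.60 command sets that working directory inside the jail, so the full path to the launcher can be used.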

@rusty-snake commented on GitHub (Jul 19, 2019):

I would prefer 2. + adding ${HOME}/.tb/tor-browser (or ${HOME}/.tb) to https://github.com/netblue30/firejail/blob/master/etc/start-tor-browser.desktop.profile


@adrelanos commented on GitHub (Jul 19, 2019):

2. also sounds good to me!

@rusty-snake commented on GitHub (Jul 19, 2019):

FYI:

> ```
> firejail --private=/home/user/.tb/tor-browser /home/user/.tb/tor-browser/start-tor-browser.desktop
> ```
>
> > Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

Reason: firejail automatically loads `start-tor-browser.desktop.profile` which is a `whitelist`ing profile

> Can we avoid using `--private`?

In general: yes

> ```
> firejail --profile=/etc/firejail/torbrowser-launcher.profile /home/user/.tb/tor-browser/start-tor-browser.desktop
> ```
>
> > Error: no suitable /home/user/.tb/tor-browser/start-tor-browser.desktop executable found

Reason: `torbrowser-launcher.profile` is a `whitelist`ing profile.

> ```
> ls -la /home/user/.tb/tor-browser/start-tor-browser.desktop
> ```
>
> > -rwx------ 1 user user 1726 Jul 18 16:45 /home/user/.tb/tor-browser/start-tor-browser.desktop

If you want to debug such situations, you need to be in firejail:
`firejail --ignore=private-bin --profile=torbrowser-launcher bash`

> ```
> firejail --profile=/etc/firejail/tor-browser-en-us.profile /home/user/.tb/tor-browser/start-tor-browser.desktop
> ```

Reason: tor-browser-en-us.profile is just an alias for torbrowser-launcher

> Why were we able to drop `--whitelist=$HOME/.tb/tor-browser`?

Reason: start-tor-browser.profile does not `whitelist` in $HOME
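
The whitelist reasoning in the comment above, as a small checker that reads flattened profile text and reports whether a path under `$HOME` would still be visible. This is an added example, not firejail code: it covers only the `whitelist` rule (not `private-bin`, the working directory or other profile commands), and the two sample profiles are constructed stand-ins rather than the real profile contents.

```shell
#!/bin/sh
# Added example (not firejail source): simplified model of firejail's
# `whitelist` rule for paths under $HOME.
#   - no whitelist entry under $HOME -> $HOME is left as it is
#   - at least one such entry        -> only whitelisted paths stay visible
# Assumptions: includes are already flattened into stdin; blacklist lines,
# globbing and every other profile command are ignored.

# home_visibility HOME TARGET < profile-text
# Prints the verdict; returns 0 if TARGET is visible, 1 if it is hidden.
home_visibility() {
    hv_home=$1
    hv_target=$2
    hv_macro='${HOME}'
    hv_seen=0
    hv_match=
    while IFS= read -r hv_line; do
        case $hv_line in
            "whitelist "*) hv_entry=${hv_line#"whitelist "} ;;
            *) continue ;;
        esac
        # Expand the two spellings of the home directory used in profiles.
        case $hv_entry in
            "$hv_macro"*) hv_entry=$hv_home${hv_entry#"$hv_macro"} ;;
            "~/"*)        hv_entry=$hv_home/${hv_entry#"~/"} ;;
        esac
        hv_entry=${hv_entry%/}
        case $hv_entry in
            "$hv_home"/*) hv_seen=1 ;;
            *) continue ;;
        esac
        # Match the entry itself or anything below it, on a path boundary.
        case $hv_target in
            "$hv_entry"|"$hv_entry"/*) hv_match=$hv_entry ;;
        esac
    done
    if [ "$hv_seen" -eq 0 ]; then
        echo "visible: profile does not whitelist in $hv_home"
    elif [ -n "$hv_match" ]; then
        echo "visible: whitelisted by $hv_match"
    else
        echo "hidden: not covered by any whitelist entry"
        return 1
    fi
}

# Constructed stand-in for a whitelisting profile (not its real contents).
WHITELISTING_PROFILE='noblacklist ${HOME}/.config/example-launcher
mkdir ${HOME}/.config/example-launcher
whitelist ${HOME}/.config/example-launcher'
# The .local override proposed earlier in the thread.
LOCAL_OVERRIDE='noblacklist ${HOME}/.tb/tor-browser
mkdir ${HOME}/.tb/tor-browser
whitelist ${HOME}/.tb/tor-browser'
# Constructed stand-in for a profile that does not whitelist in $HOME.
NON_WHITELISTING_PROFILE='caps.drop all
seccomp'
TARGET=/home/user/.tb/tor-browser/start-tor-browser.desktop

# check PROFILE_TEXT...: feed the concatenated profile text to the model.
check() { printf '%s\n' "$@" | home_visibility /home/user "$TARGET"; }

check "$WHITELISTING_PROFILE" || true
check "$WHITELISTING_PROFILE" "$LOCAL_OVERRIDE"
check "$NON_WHITELISTING_PROFILE"
```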


@adrelanos commented on GitHub (Jul 20, 2019):

> possibilities
>
> 1. firejail profile for `torbrowser` + firecfg
>    **Contra:**
>    * Lesser security as you write above
>      > should not inherit these extra permissions
>      > (`whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl`).
>    * issues with firejail if users/distros provide own scripts with this name

Actually, there might also be a middle ground which we can call 3.

3. tb-starter package can add yet another wrapper script. Our "complex" wrapper /usr/bin/torbrowser can stay as is unconfined doing whatever required but ultimately it could hand over control to /usr/lib/tb-starter/wrapper which would be a simple shell script.

```
#!/bin/sh
# Run the command line handed over by /usr/bin/torbrowser unchanged.
"$@"
```

Still have to think if there is any security issue with that.

/usr/bin/torbrowser would call /usr/lib/tb-starter/tb-starter-wrapper and the latter would be much easier to confine. It would not need these extra permissions (`whoami,basename,cat,tty,sleep,ps,pstree,touch,systemctl`).

Would 3. solve all the contra of 2.?


@rusty-snake commented on GitHub (Jul 20, 2019):

You mean that /usr/bin/torbrowser calls firejail /usr/lib/tb-starter/tb-starter-wrapper?
Where tb-starter-wrapper.profile is:

```
# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION
quiet
# This file is overwritten after every install/update
# Persistent local customizations
include tb-starter-wrapper.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.tb

mkdir ${HOME}/.tb
whitelist ${HOME}/.tb

# Redirect
include torbrowser-launcher.profile
```

That should work.


@adrelanos commented on GitHub (Jul 20, 2019):

> You mean that /usr/bin/torbrowser calls firejail /usr/lib/tb-starter/tb-starter-wrapper?

Not sure

Maybe just call /usr/lib/tb-starter/tb-starter-wrapper without firejail.

In this case could firecfg take responsibility for prepending firejail as it is done for other applications too?


@rusty-snake commented on GitHub (Jul 20, 2019):

Calling tb-starter-wrapper (no absolute path) with placing tb-starter-wrapper in /usr/bin (or symlinking /usr/bin/tb-starter-wrapper to /usr/lib/tb-starter-wrapper) would work with firecfg.

Or adding /usr/lib/tb-starter/ into $PATH. 😄 not really suggesting that


@adrelanos commented on GitHub (Jul 20, 2019):

/usr/bin/tb-starter-wrapper could also be in /usr/bin indeed.

/usr/bin/tb-starter-wrapper:

```
#!/bin/sh
"$@"
```

Then we could make firecfg work.


@rusty-snake commented on GitHub (Jul 22, 2019):

How do you want it to be?
/usr/bin/tb-starter-wrapper + tb-starter-wrapper.profile
or
firejail --profile=start-tor-browser.desktop --x11=xorg --quiet TOR-BROWSER + noblacklist ${HOME}/.tb, whitelist ${HOME}/.tb/tor-browser in start-tor-browser.desktop.profile + blacklist ${HOME}/.tb in disable-programs.inc


@adrelanos commented on GitHub (Jul 22, 2019):

rusty-snake:

> How do you want it to be?
> /usr/bin/tb-starter-wrapper + tb-starter-wrapper.profile

This looks better long term.


@rusty-snake commented on GitHub (Jul 22, 2019):

tb-starter-wrapper.profile:

```
# Firejail profile for tb-starter-wrapper
# Description: wrapper-script used by whonix to start the tor browser
quiet
# This file is overwritten after every install/update
# Persistent local customizations
include tb-starter-wrapper.local
# Persistent global definitions
# added by included profile
#include globals.local

noblacklist ${HOME}/.tb

mkdir ${HOME}/.tb
whitelist ${HOME}/.tb

x11 xorg

# Redirect
include torbrowser-launcher.profile
```

+ adaptations in firecfg.config & disable-programs.inc


@adrelanos commented on GitHub (Jul 25, 2019):

tb-starter-wrapper.profile looks good. Will test soon.

Should we ship that profile? Probably won't matter either way unless there would be some syntax change which we'd miss. But I guess we have to re-check this at every Debian release (buster -> bullseye) upgrade anyhow.

> + adaptations in firecfg.config & disable-programs.inc

Wouldn't know.


@rusty-snake commented on GitHub (Jul 26, 2019):

> Should we ship that profile?

I would add it into firejail.

> > adaptations in firecfg.config & disable-programs.inc
>
> Wouldn't know.

Only adding tb-starter-wrapper to firecfg.config so firecfg creates symlinks,
and adding blacklist ${HOME}/.tb to disable-programs.inc so other firejailed programs can't access ${HOME}/.tb


@adrelanos commented on GitHub (Jul 27, 2019):

Sounds great! Please proceed.


@rusty-snake commented on GitHub (Jul 28, 2019):

@adrelanos 50fc318db4


@adrelanos commented on GitHub (Jul 29, 2019):

Looks perfect, thanks so much!


@adrelanos commented on GitHub (Aug 14, 2019):

Trying to emulate your change.

(Cannot find src/firecfg/firecfg.config on Debian buster with similar contents.)

```
user@host:~$ sudo ln -s /usr/bin/firejail /usr/local/bin/tb-starter-wrapper

user@host:~$ ls -la /usr/local/bin/tb-starter-wrapper
lrwxrwxrwx 1 root root 17 Aug 14 02:00 /usr/local/bin/tb-starter-wrapper -> /usr/bin/firejail

user@host:~$ ls -la /usr/bin/tb-starter-wrapper
-rwxrwxr-x 1 root root 14 Aug 14 01:49 /usr/bin/tb-starter-wrapper
```

Did I emulate the symlink correctly?

```
tb-starter-wrapper  /home/user/.tb/tor-browser/Browser/start-tor-browser --allow-remote  /usr/share/homepage/whonix-welcome-page/whonix.html
Error: no suitable /usr/bin/tb-starter-wrapper executable found
```

Do you know why it does not work?


@rusty-snake commented on GitHub (Aug 18, 2019):

Uhh I forgot to update private-bin.

diff --git a/etc/tb-starter-wrapper.profile b/etc/tb-starter-wrapper.profile
index 7cf85b38..ffe9605b 100644
--- a/etc/tb-starter-wrapper.profile
+++ b/etc/tb-starter-wrapper.profile
@@ -13,5 +13,7 @@ noblacklist ${HOME}/.tb
 mkdir ${HOME}/.tb
 whitelist ${HOME}/.tb
 
+private-bin tb-starter-wrapper
+
 # Redirect
 include torbrowser-launcher.profile
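
Review bot: the added `private-bin tb-starter-wrapper` line carries no comment saying why it is needed, and it names only the wrapper itself. The wrapper posted earlier in this thread is a `/bin/sh` script, so the shell has to be visible inside the private bin directory as well; as written, this depends on the `include torbrowser-launcher.profile` below to provide it. Either list the shell on this line or add a comment above it stating that the included profile supplies the remaining binaries, so the dependency is not lost if that profile changes.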

> Cannot find src/firecfg/firecfg.config on Debian buster with similar contents.

This is the path in the git repo, on your system it should be /usr/lib64/firecfg/firecfg.config or similar (don't know for Debian).
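
The symlink layout tried by hand earlier in the thread (a symlink to firejail in /usr/local/bin, the real script in /usr/bin) can be checked without starting anything. The script below is an added example, not part of the thread or of firejail: `check_wrapped` and `make_fixture` are hypothetical helpers, and the fixture is a constructed directory tree with a stand-in file named firejail.

```shell
#!/bin/sh
# Added example: path-only check of a firecfg-style symlink. Nothing is executed.
# Prints one of:
#   wrapped:<symlink>:<real>  first PATH hit links to firejail, real program follows
#   unwrapped:<path>          real program is found first (symlink missing or shadowed)
#   broken:<symlink>          symlink to firejail exists, but no real program behind it
#   missing                   name not found in PATHLIST
check_wrapped() {   # usage: check_wrapped NAME PATHLIST
    name=$1 pathlist=$2 link=""
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        cand=$dir/$name
        [ -f "$cand" ] && [ -x "$cand" ] || continue
        target=$(readlink -f "$cand")
        if [ "$(basename "$target")" = firejail ]; then
            [ -n "$link" ] || link=$cand    # remember the first wrapper symlink
            continue
        fi
        IFS=$old_ifs
        if [ -n "$link" ]; then echo "wrapped:$link:$cand"; else echo "unwrapped:$cand"; fi
        return 0
    done
    IFS=$old_ifs
    if [ -n "$link" ]; then echo "broken:$link"; else echo missing; fi
}

# Constructed fixture mirroring the layout in the post under a temp root.
# The "firejail" file is an empty stand-in, not the real binary.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    printf '#!/bin/sh\n:\n' > "$root/usr/bin/firejail"
    printf '#!/bin/sh\n"$@"\n' > "$root/usr/bin/tb-starter-wrapper"
    chmod +x "$root/usr/bin/firejail" "$root/usr/bin/tb-starter-wrapper"
    ln -s "$root/usr/bin/firejail" "$root/usr/local/bin/tb-starter-wrapper"
    echo "$root"
}

demo=$(make_fixture)
check_wrapped tb-starter-wrapper "$demo/usr/local/bin:$demo/usr/bin"   # symlink first
check_wrapped tb-starter-wrapper "$demo/usr/bin:$demo/usr/local/bin"   # real script first
rm -rf "$demo"
```

This inspects only the symlink layout and PATH order; profile contents such as the `private-bin` line from the diff are outside what it checks.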
