Tor Browser on Silverblue

Has anyone ever installed Tor Browser on Fedora Silverblue?

  • On Fedora Workstation there was an rpm package. This is useful, because it provided a downloader and (what is more important!) SELinux rules to secure the Tor Browser installation.
  • There is a ticket on Tor Browser’s issue tracker for creating an (official) flatpak of the Tor Browser, but unfortunately they did not show much interest in it. (Though you can possibly upvote/comment it!)
  • Of course, you could always just download the binaries from https://www.torproject.org/ and place them in /opt or so, but then you miss SELinux rules, it’s not such a nice (clean) installation method and obviously you don’t have any (better) sandboxing via flatpak.

So what is your recommended way? I could only also imagine using rpm-ostree to layer the original torbrowser-launcher rpm, but is it really worth it?

I use it on two of my Silverblue workstations; what I did was grab the browser binaries, extract them to ~/.local/opt/torbrowser and then let it make its .desktop file however it wanted to on first run.

This tends to be my standard practice - if I can’t run it in Flatpak, and it isn’t something for which I want to bother with running it via toolbox, I’ll usually compile/extract it somewhere in my ~/.local structure rather than a system folder.

Okay, though you lose the SELinux sandboxing then AFAIK. (It’s in the rpm package of torbrowser-launcher.)

So my idea now was:

  • make a new container with podman
  • in it install torbrowser-launcher.
  • I then have a double sandboxing and SELinux rules inside the container for Tor Browser
  • going forward, maybe there is a way to move the files and even prevent home dir access

So installing and even downloading worked, but in the end it seems to launch the Firefox browser it uses in some strange way and I cannot see it:

$ torbrowser-launcher
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.3.1
https://github.com/micahflee/torbrowser-launcher
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
Launching Tor Browser.
Running /home/rugk/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Launching './Browser/start-tor-browser --detach'...

Sandboxing with podman is definitely a good way to go. I’ve done that for a whole handful of other untrusted apps (now I just need to find a way to make .desktop files for them to automagically launch in podman!)

If you can’t see it, explore the options in that warning. Sounds like it may be having an issue with wayland?

There is no warning.(?)

FYI SELinux doesn’t apply normally inside containers, the container can’t set any custom SELinux policies. The only way that SELinux takes effect afaik is when you mount volumes into the container.

Thanks, that is important information, because then using Tor Browser in toolbox hardly brings any security advantage.

Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.

I was referring to this one!

AFAIK that warning just means it does not use Wayland (because Qt does have bad Wayland support, AFAIK that is from Qt??), but the X server. So AFAIK it is not really the root cause, at least.

BTW funny, but I indeed did not yet ask the package maintainer whether they could possibly package the launcher (and Tor Browser) as a flatpak. Done now:
https://bugzilla.redhat.com/show_bug.cgi?id=1731284

(This would obviously be the optimal solution.)

Oh, did not notice that, but actually there is already a proposed Flatpak manifest for Tor Browser (Launcher): Package and distribute Tor Browser using Flatpak (#25578) · Issues · Legacy / Trac · GitLab

Maybe this can be more officially supported/maintained (AFAIK they’ve asked for a maintainer there).

Anyway, I’ve also asked the TorBrowser-Launcher (upstream) makers:

@rugk

I know this is a thread on Silverblue, but with what you are trying to do with sandboxing the Tor Browser, could you use policycoreutils-sandbox? I actually use Firefox in this fashion.

sandbox -X -w 1920x1080 -H temphome -T tmp -t sandbox_web_t firefox

This instance of Firefox has only access to files in sandbox/temphome and sandbox/tmp. I actually have a Downloads folder and have a Firefox profile .mozilla file as well. You are running a virtual X server, so copy and paste from that sandboxed Firefox won’t work. I do have my VPN plugin for Firefox and that works as well. This type of setup works for me for now. Although I have been intrigued by Silverblue so far, I’m just not ready to move over completely.

Hope this helps

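One way to check which of the setups discussed in this thread (plain extract into ~/.local, podman/toolbox, or `sandbox -t sandbox_web_t`) actually leaves the browser confined by SELinux, as an added example that is not part of any post. The function names are hypothetical, the `ps` lines are constructed sample data, and `container_t`/`spc_t` are assumed to be the types from the stock container-selinux policy.

```bash
#!/usr/bin/env bash
# Added example: report the SELinux domain that browser processes run in.
# Input format: output of `ps -eo label,pid,comm` (header line is skipped).

# classify_domain TYPE: map an SELinux type to a short verdict.
classify_domain() {
    case "$1" in
        unconfined_t)          echo "unconfined" ;;           # no SELinux confinement
        sandbox_t|sandbox_*_t) echo "selinux-sandbox" ;;      # started via sandbox(8)
        container_t)           echo "container" ;;            # assumption: podman default domain
        spc_t)                 echo "container-unlabelled" ;; # assumption: labelling disabled
        *)                     echo "other" ;;
    esac
}

# report_browser_domains: print "PID COMM TYPE VERDICT" per firefox/tor process.
report_browser_domains() {
    while read -r label pid comm; do
        case "$comm" in
            firefox*|tor) ;;          # also matches names such as firefox.real
            *) continue ;;            # skips the header and unrelated processes
        esac
        # A context is user:role:type[:level]; the level may contain ':' too.
        rest=${label#*:}              # drop the user field
        rest=${rest#*:}               # drop the role field
        setype=${rest%%:*}            # keep the type, drop the level
        echo "$pid $comm $setype $(classify_domain "$setype")"
    done
}

# Constructed sample input (not captured from a real system).
sample_ps_output() {
    cat <<'EOF'
LABEL                                                  PID COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4101 firefox.real
unconfined_u:unconfined_r:sandbox_web_t:s0:c12,c345   4202 firefox
system_u:system_r:container_t:s0:c7,c99               4303 tor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4404 bash
EOF
}

# Live use on an SELinux host: ps -eo label,pid,comm | report_browser_domains
sample_ps_output | report_browser_domains
```

A browser process reported as `unconfined` is running without any SELinux policy restricting it, whichever directory it was extracted into.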