This was posted in /r/linux.
Preparing for Rule 41: Protecting against 0-day vulnerabilities in tor with firejail
Official Site: https://firejail.wordpress.com/
Firejail is a security sandbox that can be used to restrict access to system calls, limit the files a process can view, and give processes a private view of shared kernel resources.
It is simple to install and configure (instructions for Arch):
$ sudo pacman -S firejail
$ mkdir -p ~/.config/firejail
$ echo 'include /etc/firejail/firefox.profile' > ~/.config/firejail/start-tor-browser.profile
$ # if tor-browser is not set up in your Downloads folder:
$ # echo 'whitelist FOLDER_WHERE_TOR_BROWSER_RESIDES' >> ~/.config/firejail/start-tor-browser.profile
$ cd ~/Downloads/tor-browser_en-US/
$ firejail ./start-tor-browser.desktop
Check out the man pages if you wish to set more restrictive settings (defaults are pretty good, though). Also, firejail is very lightweight. On my machine, there is no performance difference of the application running with firejail or without.
Check out firecfg if you wish to sandbox programs running on your system without explicitly prepending the command with firejail.
Sorry for horrible formatting, I know it looks unprofessional, but I am new to this :)
Best of luck, darkies.
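The setup steps from the post as one re-runnable shell function (an added example, not part of the original post or of firejail; `write_tor_profile` is a hypothetical name). It follows the post's assumption that the whitelist line is only needed when Tor Browser lives outside ~/Downloads.

```shell
#!/bin/sh
# Added example: writes the per-user firejail profile described in the post.
# write_tor_profile is a hypothetical helper name, not a firejail command.
#
# Usage: write_tor_profile "$HOME/Downloads/tor-browser_en-US"
# Then:  cd into that directory and run: firejail ./start-tor-browser.desktop

write_tor_profile() {
    tb_dir=$1
    profile_dir="$HOME/.config/firejail"
    profile="$profile_dir/start-tor-browser.profile"

    # Refuse a directory that does not hold the launcher the post runs,
    # so a typo cannot whitelist an unrelated folder into the sandbox.
    if [ ! -f "$tb_dir/start-tor-browser.desktop" ]; then
        echo "no start-tor-browser.desktop in $tb_dir" >&2
        return 1
    fi

    # Resolve both paths so relative paths and symlinks compare correctly.
    tb_dir=$(cd "$tb_dir" && pwd -P) || return 1
    home=$(cd "$HOME" && pwd -P) || return 1

    mkdir -p "$profile_dir" || return 1

    # Rewrite the profile from scratch via a temp file: re-running never
    # stacks duplicate or stale whitelist lines the way '>>' would.
    tmp="$profile.tmp.$$"
    {
        echo 'include /etc/firejail/firefox.profile'
        case "$tb_dir/" in
            "$home/Downloads/"*) ;;          # post: no extra line needed here
            *) echo "whitelist $tb_dir" ;;   # browser lives elsewhere
        esac
    } > "$tmp" || return 1
    mv "$tmp" "$profile"
}
```
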
I'm a huge advocate of always learning more about opsec. But it doesn't look like now is the time to start implementing a beta release sandboxing program. The problem is the local concern, not the online concern. As mentioned in the thread that you linked, Rule 41 allows a legal seizure if TOR is used. I legitimately don't understand how VPNs can be off-limits since they're regularly used by remote clients in business professional settings but what do I know?
Now I don't wanna knock this right out of the gate. Am I gonna sit down and read through the documentation later? Absolutely. If it seems cool will I toy around with it? Maybe, and I'm not ruling it out. But I so strongly doubt that anybody here is even using Arch, so I'm really gonna want to see a lot more about it before I add it to the daily driver y'know?