torjail's Introduction

torjail

Sandbox torbrowser using firejail, Xephyr & dwm

This script downloads & sets up torbrowser in a private directory.

It then runs torbrowser in a sandbox using firejail, Xephyr and dwm

firejail   https://firejail.wordpress.com/
xephyr     https://wiki.freedesktop.org/www/Software/Xephyr/
dwm        http://dwm.suckless.org/
torbrowser https://www.torproject.org/projects/torbrowser.html.en

The default install directory is ~/.torjail

You can install the script wherever you want, provided you keep the associated files with it.

Use -x to disable Xephyr + dwm.

License: MIT

why?

A few references on why you should use a sandbox & Xephyr:

torproject:

Wait, Firefox uses X11, isn't security basically hopeless?

If you want to attempt to mitigate this, the best options are:

Use a nested X11 implementation like Xephyr or Xpra.

mozilla:

The one exception to the network policy, for now,
is the X11 protocol which is used to display graphics and receive keyboard/mouse input.

variables

TORJAIL_BASE="${HOME}/.torjail"
TORJAIL_RES="800x600"
TORJAIL_DISPLAY=":6"

The most useful variables are probably the resolution and possibly the display (depending on how many other Xephyr sessions you run).

features

  • downloads torbrowser from torproject.org
  • sets up a working env in tmpfs
  • runs tor in a sandbox
  • runs in /tmp/ so any changes are not saved
  • runs in its own xephyr dwm session
  • has sha256 verification
  • works on 32bit & 64bit linux
  • stores everything in ~/.torjail
  • version checking & updating
  • gpg verification of downloads

removal

Remove this script & ~/.torjail

script running

./torbrowser.sh
[ OK ] starting torbrowser script
[ OK ] torbrowser version 5.0.6 found
[ ERROR ] Unable to find torjail home
[ ERROR ] Would you like to download & setup torbrowser [y/n]
y
[ OK ] setting up torjail
[ OK ] creating torjail base folder at ~/.torjail
gpg: error reading key: No public key
[ OK ] Downloading PGP Public Key...
gpg: key 93298290: public key "Tor Browser Developers (signing key) <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa4096/93298290 2014-12-15 [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid         [ unknown] Tor Browser Developers (signing key) <[email protected]>
sub   rsa4096/F65C2036 2014-12-15 [expires: 2017-08-25]
sub   rsa4096/D40814E0 2014-12-15 [expires: 2017-08-25]

[ OK ] downloading checksums - sha256sums.txt
######################################################################## 100.0%
[ OK ] downloading GPG asc - tor-browser-linux64-5.0.6_en-US.tar.xz.asc
######################################################################## 100.0%
[ OK ] verifying files
tor-browser-linux64-5.0.6_en-US.tar.xz: OK
[ OK ] verifying gpg key
gpg: Signature made Thu 17 Dec 2015 20:57:01 GMT using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
     Subkey fingerprint: BA1E E421 BBB4 5263 180E  1FC7 2E1A C68E D408 14E0
[ OK ] extracting torbrowser bundle
[ WARN ] dwm does not exist in priv-home
[ WARN ] copying dwm from /usr/bin/dwm
[ OK ] starting session

on update

[ OK ] starting torbrowser script
[ OK ] torbrowser version 7.5.6 found
[ WARN ] torbrowser requires updating
[ WARN ] current ver: 7.5.6
[ WARN ] updating to: 8.0
[ OK ] creating torjail base folder at ~/.torjail

notes

Once you download the torbrowser bundle, the file is kept in ~/.torjail for future use, so you don't have to keep re-downloading it. The script also always checks the sha256sum of the file before extraction.
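The sha256 and gpg checks listed under features can be made strict by reading gpg's machine-readable status output and comparing the primary key fingerprint against a pinned value. The sketch below is an added example, not torjail's own code, and goes slightly beyond what the README describes; the function names are hypothetical, the pinned fingerprint is the one printed in the gpg output on this page, and the sample status line is constructed.

```shell
#!/bin/sh
# Added example, not torjail's own code. Function names are hypothetical.
# Pinned primary key fingerprint, copied from the gpg output on this page.
PINNED_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Constructed sample of `gpg --status-fd 1 --verify` output: subkey D40814E0
# signs, and field 12 names the primary key. Other field values are made up.
SAMPLE_STATUS='[GNUPG:] VALIDSIG BA1EE421BBB45263180E1FC72E1AC68ED40814E0 2015-12-17 1450385821 0 4 0 1 8 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290'

# sum_ok FILE SUMS: 0 if SUMS lists FILE's basename with a matching digest,
# 2 if SUMS has no entry for it (an empty extract must not pass), 1 otherwise.
sum_ok() {
    name=$(basename "$1")
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$2")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# sig_ok FPR: reads gpg status lines on stdin. Succeeds only if a VALIDSIG
# line names FPR as the primary key and nothing reports a bad, unverifiable,
# expired or revoked signature. The check is on the primary key, so a new
# signing subkey passes once the keyring copy of the key has been refreshed.
sig_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($12) == toupper(want) { good = 1 }
        END { exit !(good && !bad) }
    '
}

# verify_bundle TARBALL SIG SUMS: checksum first, then the detached signature.
verify_bundle() {
    sum_ok "$1" "$3" || return 1
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_ok "$PINNED_FPR"
}

if [ "$#" -eq 3 ]; then
    verify_bundle "$@"
fi
```

A missing public key shows up as an ERRSIG status line, so it is reported as a signature failure rather than being confused with a checksum mismatch.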

Mozilla References

Security/Sandbox - Mozilla Wiki

Garf's blog: Linux sandboxing improvements in Firefox 60

torjail's People

Contributors

equk, fld

torjail's Issues

[ ERROR ] checksum or gpg key did not match though not a checksum glitch

@equk pretty nifty script, but spitting out errors:

The script as it is didn't work by default. Without appending x-hkp:// to the key server pool, it didn't pull the gpg key.

Manual fetch imports the key, but keyserver timed out:

$ gpg  --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290
gpg: requesting key 93298290 from hkp server pool.sks-keyservers.net
gpg: no valid OpenPGP data found.
gpg: key 93298290: public key "Tor Browser Developers (signing key) <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

Fingerprint check reports a valid key:

$ gpg --fingerprint 0x4E2C6E8793298290
pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid                  Tor Browser Developers (signing key) <[email protected]>

Regenerating the gpg key database reports alright, too:

$ gpg --list-keys
/home/zenny/.gnupg/pubring.gpg
------------------------------
pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
uid                  Tor Browser Developers (signing key) <[email protected]>

Yet, :(

Despite the correct gpg keys pulled manually, the torjail script errored out:

$ ./torbrowser.sh
[ OK ] starting torbrowser script
[ OK ] creating torjail base folder at /home/zenny/Downloads/.torjail
pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid                  Tor Browser Developers (signing key) <[email protected]>

[ OK ] signing key for torbrowser found
[ OK ] Tor Browser Developers (signing key) <[email protected]>
[ OK ] downloading torbrowser - tor-browser-linux64-9.0.10_en-US.tar.xz
###################################################################################################################################################################### 100.0%
[ OK ] downloading GPG asc - tor-browser-linux64-9.0.10_en-US.tar.xz.asc
###################################################################################################################################################################### 100.0%
[ OK ] verifying files
shasum: sha.tmp: no properly formatted SHA checksum lines found
[ ERROR ] checksum or gpg key did not match
[ WARN ] removing file
[ WARN ] corrupt/invalid file removed - please restart torjail

Even tried by appending the TOR_VER="9.5" with the same error.

Checksums do not seem to be a problem when pulled manually:

$ aria2c https://dist.torproject.org/torbrowser/9.5/tor-browser-linux64-9.5_en-US.tar.xz

06/20 08:35:00 [NOTICE] Downloading 1 item(s)

06/20 08:35:01 [NOTICE] Allocating disk space. Use --file-allocation=none to disable it. See --file-allocation option in man page for more details.
[#c745c8 73MiB/75MiB(98%) CN:1 DL:1.9MiB]
06/20 08:35:41 [NOTICE] Download complete: /xtbmr/HOMEPOOL/HOME/VOIDHOME.BAK/zenny/Downloads/.torjail/tor-browser-linux64-9.5_en-US.tar.xz

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
c745c8|OK  |   1.8MiB/s|/home/zenny/Downloads/.torjail/tor-browser-linux64-9.5_en-US.tar.xz

Status Legend:
(OK):download completed.

Checksums do not seem to be a problem as the sha.tmp matches when tallied manually:

$ sha256sum tor-browser-linux64-9.5_en-US.tar.xz
08fca06954b1119291b1d298f59683e9b44bd428db1215a3c562f337bff88e50  tor-browser-linux64-9.5_en-US.tar.xz

$ cat sha.tmp
08fca06954b1119291b1d298f59683e9b44bd428db1215a3c562f337bff88e50  tor-browser-linux64-9.5_en-US.tar.xz

Yet the script fails with:

$ ./torbrowser.sh
[ OK ] starting torbrowser script
[ OK ] creating torjail base folder at /home/zenny/Downloads/.torjail
pub   4096R/93298290 2014-12-15 [expires: 2020-08-24]
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
uid                  Tor Browser Developers (signing key) <[email protected]>

[ OK ] signing key for torbrowser found
[ OK ] Tor Browser Developers (signing key) <[email protected]>
[ OK ] downloading checksums - sha256sums.txt
###################################################################################################################################################################### 100.0%
[ OK ] downloading GPG asc - tor-browser-linux64-9.5_en-US.tar.xz.asc
###################################################################################################################################################################### 100.0%
[ OK ] verifying files
tor-browser-linux64-9.5_en-US.tar.xz: OK
[ OK ] verifying gpg key
gpg: Signature made Mon 01 Jun 2020 09:54:02 PM CEST using RSA key ID D9FF06E2
gpg: Can't check signature: public key not found
[ ERROR ] checksum or gpg key did not match
[ WARN ] removing file
[ WARN ] corrupt/invalid file removed - please restart torjail

Since it reported the problem with the public key of the "Tor Browser Developers" identified by key ID D9FF06E2, a public key checkup yielded negative output:

$ gpg2 --keyserver https://pgp.mit.edu/ --search-keys "Tor Browser Developers"
gpg: data source: https://pgp.mit.edu:443
gpg: key "Tor Browser Developers" not found on keyserver
gpg: keyserver search failed: Not found

Could not figure out the chain of glitches? :O Any input?

Cheers, and stay safe,
/z

checksum / gpg not matching

Script seems to run okay however I receive the following error:

[ OK ] starting torbrowser script
[ OK ] creating torjail base folder at /home/owner/.torjail
pub 4096R/93298290 2014-12-15 [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid Tor Browser Developers (signing key) [email protected]
sub 4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
sub 4096R/D40814E0 2014-12-15 [expires: 2017-08-25]
sub 4096R/C3C07136 2016-08-24 [expires: 2018-08-24]

[ OK ] signing key for torbrowser found
[ OK ] Tor Browser Developers (signing key) [email protected]
[ OK ] downloading torbrowser - tor-browser-linux64-6.0.7_en-US.tar.xz
######################################################################## 100.0%
[ OK ] verifying files
tor-browser-linux64-6.0.7_en-US.tar.xz: OK
[ OK ] verifying gpg key
gpg: Signature made Wed 30 Nov 2016 11:17:48 AM CST using RSA key ID D40814E0
gpg: lookup_hashtable failed: eof
gpg: Good signature from "Tor Browser Developers (signing key) [email protected]"
gpg: lookup_hashtable failed: eof
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
[ ERROR ] checksum or gpg key did not match
[ WARN ] removing file
[ WARN ] corrupt/invalid file removed - please restart torjail

torbrowser.filter gets ignored

Why?

Enable the network filter specified by filename in the new network
namespace. The filter file format is the format of iptables-save
and iptable-restore commands. New network namespaces are created
using --net option. If a new network namespaces is not created,
--netfilter option does nothing.

From: https://firejail.wordpress.com/features-3/man-firejail/

You are doing this: firejail --profile="$TORJAIL.profile" --netfilter="$TORJAIL.filter"
But there is no new "net". So your filter gets ignored.

X11 keyboard isolation

I am having a great time learning about sandboxing and x11 isolation with torjail, thanks for the project.
I did notice that the notorious x11 keylogging exploit is still a vulnerability in the torjail.

Is there a practical solution to this issue?
I know SELinux offers some keyboard isolation but is complicated to implement.

Error: cannot access profile file

Script runs, downloads latest Torbrowser then returns error:

Error: cannot access profile file

Mint 18.2. I tried -x same problem. Same problem on notebook/desktop fresh mint and Ubuntu.

bird@Farow ~ $ '/home/bird/Downloads/torjail-master/torbrowser.sh'
[ OK ] starting torbrowser script
[ OK ] torbrowser version 7.0.2 found
[ OK ] creating torjail base folder at /home/bird/.torjail
pub 4096R/93298290 2014-12-15 [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid Tor Browser Developers (signing key) [email protected]
sub 4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
sub 4096R/D40814E0 2014-12-15 [expires: 2017-08-25]
sub 4096R/C3C07136 2016-08-24 [expires: 2018-08-24]
[ OK ] signing key for torbrowser found
[ OK ] Tor Browser Developers (signing key) [email protected]
[ OK ] verifying files
tor-browser-linux64-7.0.2_en-US.tar.xz: OK
[ OK ] verifying gpg key
gpg: Signature made Mon 03 Jul 2017 07:37:05 AM PDT using RSA key ID C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) [email protected]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136
[ OK ] extracting torbrowser bundle
[ WARN ] dwm does not exist in priv-home
[ WARN ] copying dwm from /usr/bin/dwm
[ OK ] starting session
Error: cannot access profile file
Error: cannot access profile file
/home/bird/Downloads/torjail-master/torbrowser.sh: line 236: 8395 Terminated Xephyr -auth "$TORJAIL_XAUTH" -screen "$TORJAIL_RES" "$TORJAIL_DISPLAY"
[ OK ] cleaning up tmpfs
[ OK ] removing /tmp/torjail
[ OK ] session finished ...

Error: cannot open profile file /etc/firejail/disable-programs.inc

Upon running script from extracted torjail directory I get the following error:

Error: cannot open profile file /etc/firejail/disable-programs.inc
Entire dialog included below.

user@user-desktop:~/torjail$ ./torbrowser.sh
[ OK ] starting torbrowser script
[ OK ] torbrowser version 6.0.3 found
[ OK ] creating torjail base folder at /home/user/.torjail
pub 4096R/93298290 2014-12-15 [expires: 2020-08-24]
Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid Tor Browser Developers (signing key) [email protected]
sub 4096R/F65C2036 2014-12-15 [expires: 2017-08-25]
sub 4096R/D40814E0 2014-12-15 [expires: 2017-08-25]

[ OK ] signing key for torbrowser found
[ OK ] Tor Browser Developers (signing key) [email protected]
[ OK ] verifying files
tor-browser-linux64-6.0.3_en-US.tar.xz: OK
[ OK ] verifying gpg key
gpg: Signature made Tue 02 Aug 2016 06:22:05 AM PDT using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key) [email protected]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
[ OK ] extracting torbrowser bundle
[ WARN ] dwm does not exist in priv-home
[ WARN ] copying dwm from /usr/bin/dwm
[ OK ] starting session
Reading profile torbrowser.profile
Error: cannot open profile file /etc/firejail/disable-programs.inc
Reading profile torbrowser.profile
Error: cannot open profile file /etc/firejail/disable-programs.inc
./torbrowser.sh: line 236: 15071 Terminated Xephyr -auth "$TORJAIL_XAUTH" -screen "$TORJAIL_RES" "$TORJAIL_DISPLAY"
[ OK ] cleaning up tmpfs
[ OK ] removing /tmp/torjail
[ OK ] session finished ...
user@user-desktop:~/torjail$
