It is well known that flatpak can weaken the sandbox of a web browser. However, the tor team suggests that the installation for the Tor Browser Launcher (Companion for auto-updates) should be installed via flatpak. What are your opinions on this matter? Should I really prefer one after another?
It doesn’t matter because according to the description of the Tor Browser Flatpak, it just pulls and installs the Tor Browser.
The actual Tor Browser is not a Flatpak which you can check by trying to find it with Flatseal and then see that there is only the launcher but not the Tor Browser itself.
Thats what I also initially thought… However, when installing the app, two shortcuts are created on the apps menu. One for the launcher configs and other for the browser itself. Both shortcuts use Exec=flatpak run, and also the browser respects whichever permission has been set on flatseal. For instance, it will not even launch if secureblue’s hardened malloc is set on the overrides, meaning it also runs inside the flatpak sandbox. Removing the malloc override and giving the correct permissions back to the launcher on flatseal fixes the issue, and the browser can run again.
1 Like
This is basically what I said in my deleted comment, but the browser itself does run inside the Flatpak when installed by the Flatpak version of torbrowser-launcher. A Flatpak can’t run applications that aren’t also sandboxed by Flatpak, that would be a sandbox escape vulnerability if it could.
To answer OP, this does weaken Tor Browser’s sandboxing, it will not be able to use user namespaces to isolated its own processes, however all of its processes will be running in the Flatpak sandbox and there is still the seccomp sandboxing in place. The torbrowser-launcher developers likely just consider the risks of using an outdated version more significant than the sandboxing differences.
Whether you agree with that is up to you, there’s no definitive answer.
3 Likes
Do not use the Flatpak version of any browser. Many distros provide a torbrowser-launcher package via their package manager. Use that instead, or, if unavailable, simply download Tor Browser.
2 Likes