The Tor Browser SmartOS Sandboxing Guide

This page gives you an overview of how to properly sandbox the Linux Tor Browser Bundle using the SmartOS hypervisor with the illumos kernel. We use native Solaris and Linux zones to isolate the components of the Tor Browser Bundle sandbox environment. A Linux zone emulates Linux system calls, which means we can run x86 32-bit and 64-bit Linux binaries on Solaris. The Linux Tor Browser binary runs just fine in a Linux zone on Solaris/SmartOS.

Our sandbox environment will have several components, each in its own zone. The Tor Browser will run with an X server created by vnc4server. A stealth authenticated onion service will expose an HTTP service via noVNC, which will serve an HTML5 VNC client to the browser. That client will connect to the zone running the Tor Browser vnc4server.

5 zones:

  • firewall, which performs filtering and NAT
  • tor for the Tor Browser Bundle (tbb)
  • tor for our onion service
  • Tor Browser Bundle (tbb) with vnc4server
  • the webserver component of noVNC