As we have already seen in my previous article about sandboxing on Mac OS X, let's write our sandbox configuration file for Tor Browser. Here is my script (you can improve it yourself if you want, I encourage you to hack it!):
;; Tor WEB Browser Bundle sandbox
;; by Paolo Fabio Zaino
;; License GPL v2
;; Get this file and hack it to perfection
(version 1)
(debug deny)
;; allow processes to traverse symlinks
(allow file-read-metadata)
(allow file-read-data file-read-metadata
(regex
; Allow reading system dylibs and frameworks
#"^/usr/lib/.*\.dylib$"
#"^/usr/lib/info/.*\.so$"
#"^/System/"
#"^/private/var/db/dyld/"
#"^(/private)?/etc/hosts\.(allow|deny)$"
))
(allow file-read-data file-write-data
(regex
; Allow files accessed by system dylibs and frameworks
#"^/dev/null$"
#"^(/private)?/var/run/syslog$"
#"^/dev/u?random$"
#"^/dev/autofs_nowait$"
#"^/dev/dtracehelper$"
#"/\.CFUserTextEncoding$"
#"^(/private)?/etc/localtime$"
#"^/usr/share/nls/"
#"^/usr/share/zoneinfo/"
))
(allow file-ioctl
(regex
; Allow access to dtracehelper by dyld
#"^/dev/dtracehelper$"))
(allow mach-lookup
(global-name "com.apple.bsd.dirhelper")
(global-name "com.apple.system.DirectoryService.libinfo_v1")
(global-name "com.apple.system.DirectoryService.membership_v1")
(global-name "com.apple.system.logger")
(global-name "com.apple.system.notification_center"))
(allow ipc-posix-shm) ; Libnotify
;; (allow sysctl-read)
(allow signal (target self))
(deny default)
(allow file-write* file-read-data file-read-metadata
(regex "^/Users/<your-username>/Downloads")
(regex "^/Users/<your-username>/Library/Application Support/Mozilla")
(regex "^/Users/<your-username>/Library/Application Support/Firefox")
(regex "^/Users/<your-username>/Library/Preferences")
(regex "^/Users/<your-username>/Library/PreferencePanes")
(regex "^/Users/<your-username>/Library/Caches/Firefox")
(regex "^/Users/<your-username>/Library/Caches/TemporaryItems")
(regex "^/Users/<your-username>/Library/Application Support/TorBrowser-Data/")
(regex "^/Library/Application Support/CrashReporter")
(regex "^/Applications/TorBrowser.app")
(regex "^(/private)?/tmp/"))
(allow file-read-data file-read-metadata
(regex "^/dev/autofs.*")
(regex "^/Library/Preferences")
(regex "^/Library/Fonts")
(regex "^/Library/Internet Plug-Ins")
(regex "^/Library/PreferencePanes")
(regex "^/usr/share/icu")
(regex "^/usr/share/locale")
(regex "^/System/Library")
(regex "^/Applications/TorBrowser.app")
(regex "^/usr/lib")
(regex "^/usr/local/lib")
(regex "^/var")
(regex "^/private/var/tmp/")
(regex "^/private/tmp/")
(regex "^/Users/<your-username>")
(regex #"Frameworks/SDL.framework"))
(allow mach* sysctl-read)
(deny file-write-data
(regex #"^(/private)?/etc/localtime$"
#"^/usr/share/nls/"
#"^/usr/share/zoneinfo/"))
;; (allow process-exec*
;; (regex "^/Applications/TorBrowser.app"))
(allow process-exec*)
(allow network*)
(allow iokit-open)
(allow ipc-posix-shm)
(allow process-fork)
So, copy and paste the script above into your terminal window after you have started creating your own configuration file by executing:
$ vi torbrowser.sb
Please note: once you paste the source code from here, remember to change each instance of <your-username> to just your user name on your Mac (LITERALLY JUST YOUR USERNAME).
Save your file (press ESC and then type :wq) and you are ready for the next step, which is to execute your Tor Browser Bundle using the following instruction (in your terminal window):
$ sandbox-exec -f torbrowser.sb /Applications/TorBrowser.app/Contents/MacOS/firefox
If you have followed all the instructions correctly and no mistakes happened during the previous steps, you'll see the classic Tor Browser window appear on the screen. You can use it as usual; the only difference is that the Tor browser is now being executed inside a sandbox instead of with your full account privileges. This protects your Mac better from possible exploits that you may encounter while browsing the web.
Please Note: to get the latest version of the script please check its new GitHub repository here.
Happy SAFE and ANONYMOUS browsing everyone!
Please Note:
- Although Mac has a reputation for being a quite secure OS, I always recommend a good antivirus!
- DO NOT FORGET that MacOS is a proprietary Operating System, and even if Apple seems to be concerned about their customers' privacy, they still manage to state how many pictures have been taken in a year using their technology! (How do they know that if their products are built with the privacy of their customers in mind?) So, for better anonymous browsing, I always recommend using Linux (either Tails OS, which is an already built and set-up distro for anonymous browsing, or Debian and/or a fully open source based Linux distro for TOR browsing).
- Also please don't forget that proper anonymous browsing is quite hard to achieve, so DO NOT base your solution only on articles like this one or on low-cost security courses on sites like Udemy/Lynda/Coursera etc. (I do think these resources are a good starting point to begin learning about cyber security.) There are continuous attempts by companies, Gov't and cyber criminals to steal data, so they may use your MAC address, zero-days/exploits for that particular version of your browser, scripts and other techniques to still manage to break your anonymity!
Thanks for reading and, if you enjoyed this post, please support my blog by visiting my on-line hacking and engineering merchandise shop on redbubble.com by clicking here, thank you!
Hi Fabio
I followed your steps literally one by one, but still, when I kickstart it, I get the following pop-up:
Tor Browser Problem
Tor Browser does not have permission to access the profile. Please adjust your file system permissions and try again.
OS version: El Capitan 10.11.6 (15G1212)
Warm thanks for any help, you’re brilliant and a saviour!
ciao
stefano
Hi Stefano,
The issue you had is caused by a newer release of tor-browser that uses new directories for which you need to enable read/write permissions; here is what I quickly found for you:
(regex “^/Library/Application Support/CrashReporter”)
(regex “^/Users//Library/Application Support/TorBrowser-Data/”)
These two lines need to be added to the list:
(allow file-write* file-read-data file-read-metadata
So, you can just add these to your existing file or generate a new one from the script above, because I have now updated the script above too.
In general, every new release of tor-browser may use new directories to store its temporary data and such, so to find out what went wrong you can simply run it as you did and, when you get an error message, check your Mac's dmesg output as follows:
sudo dmesg
You will read in clear the directory paths tor-browser tried to access, and so you just need to add them to the list "(allow file-write* file-read-data file-read-metadata" using the same regex syntax used for the other paths.
Hope this helps!
Cheers
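The two manual steps in this thread, filling in <your-username> in the profile and turning dmesg denial messages into new (regex ...) entries, as an added shell example that is not part of the original post or its script. It assumes the "deny[(1)] <op> <path>" layout of typical kernel sandbox messages, and the denial lines it parses are constructed, not real output.

```shell
# Added example, not code from the original post. Helpers for the workflow
# described above: (1) fill in <your-username> in torbrowser.sb, and (2) turn
# sandbox denial messages into (regex ...) entries for the matching allow block.
# The denial lines below are constructed; the "deny[(1)] <op> <path>" layout is
# assumed from typical dmesg output, real ones come from `sudo dmesg`.
set -eu
LC_ALL=C; export LC_ALL   # stable sort order

# (1) Stream the template profile through this with your account name:
#     personalize_profile alice < torbrowser.sb.template > torbrowser.sb
personalize_profile() {
    sed "s|<your-username>|$1|g"
}

# Constructed sample of denial messages as they might appear in dmesg output.
SAMPLE_DMESG='Sandbox: firefox(4321) deny(1) file-write-create /Users/alice/Library/Application Support/TorBrowser-Data/Browser/profile.default/lock
Sandbox: firefox(4321) deny(1) file-read-data /Library/Application Support/CrashReporter/SubmitDiagInfo.domains
firefox(4321) deny file-write-data /Users/alice/Library/Application Support/TorBrowser-Data/Tor/state
Sandbox: firefox(4321) deny(1) mach-lookup com.apple.fonts
unrelated kernel noise that is not a sandbox message'

# Print "<op> <path>" for every file-* denial on stdin (mach-lookup etc. are
# dropped: those belong in a different allow block and need manual review).
extract_file_denials() {
    sed -n 's/.*deny[^ ]* \(file-[a-z*-]*\) \(\/.*\)$/\1 \2/p'
}

# Escape regex metacharacters so a literal path can sit inside #"^...".
regex_escape() {
    printf '%s' "$1" | sed 's/[].[*^$]/\\&/g'
}

# (2) One rule per distinct parent directory, tagged WRITE for the
# "(allow file-write* ...)" block or READ for the read-only block. The real
# account name is swapped back to <your-username> so rules stay template-ready.
denials_to_rules() {
    extract_file_denials | while read -r op path; do
        dir=$(dirname "$path" | sed 's|^/Users/[^/]*/|/Users/<your-username>/|')
        case "$op" in
            file-write*) block=WRITE ;;
            *)           block=READ ;;
        esac
        printf '%s (regex #"^%s/")\n' "$block" "$(regex_escape "$dir")"
    done | sort -u
}
rules_for_sample() {
    printf '%s\n' "$SAMPLE_DMESG" | denials_to_rules
}
rules_for_sample
```

Each emitted rule names a whole parent directory rather than the single file that was denied, so review it before pasting: a directory that is too broad (for example one directly under /Users/<your-username>) gives the browser more than it needs.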
Sorry, a little typo caused by WordPress string checks (it deleted what I typed), so I retype it here:
(regex “^/Users/your-username/Library/Application Support/TorBrowser-Data/”)
your-username needs to be replaced with your username on your Mac…
Worked flawlessly!!
Only suggestion to other occasional users like me: don't cut/paste the 1 or 2 lines from Fabio's text above within his replies to me, but rather rebuild torbrowser.sb straight off the end-to-end code portion, since the former returned an error to me due to funny double quotes (rendered as curled quotes by Safari, as “ and ” in the replies, while they should just be straight ones ").
Thank you so much Paolo Fabio, thanks to you my Panopticlick fingerprint went down by an order of magnitude (1/10th of the non-sandboxed version)!
Cheers-
No problem, glad it helped you!
Yes, WordPress comments are really bad for sharing code, so I updated the original script. Soon there will be a full repository on which people can collaborate to keep it up to date; I am working on it these days…
Cheers!