Sandboxing on Ubuntu >= 23.10

Starting with Ubuntu 23.10, unprivileged user namespaces are restricted: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces.

Without an AppLocker profile, about:support sandboxing shows the following:

Seccomp-BPF (System Call Filtering) true
Seccomp Thread Synchronization true
User Namespaces for privileged processes true
User Namespaces false
Content Process Sandboxing true
Media Plugin Sandboxing true
Content Process Sandbox Level 4
Effective Content Process Sandbox Level 4
Win32k Lockdown State for Content Process Win32k Lockdown disabled – Operating system not supported
GPU Process Sandbox Level 0

With the following AppArmor profile:

abi <abi/4.0>,
include <tunables/global>

PATH_TO_TBB/firefox.real (unconfined) {
    userns,
    include if exists <local/opt.tor-browser.firefox.real>
}

about:support shows:

Seccomp-BPF (System Call Filtering) true
Seccomp Thread Synchronization true
User Namespaces true
Content Process Sandboxing true
Media Plugin Sandboxing true
Content Process Sandbox Level 4
Effective Content Process Sandbox Level 4
Win32k Lockdown State for Content Process Win32k Lockdown disabled – Operating system not supported
GPU Process Sandbox Level 0

Is there any difference in terms of security between privileged and unprivileged user namespaces?

Found this: https://discuss.privacyguides.net/t/does-flatpak-weaken-chromium-firefoxs-sandbox/13373/9:

They also never implemented a SUID sandbox, so users with deactivated unprivileged user namespaces have the same problem with missing namespace+chroot sandbox even though the about:support page makes you believe otherwise.

If that is true, then TBB cannot be used safely on the latest Ubuntu releases, and potentially on other distros using AppArmor, without manually enabling userns support for TBB.

See the discussion here: "After updating to Tor Browser 14.0, Tor Browser shows a pop-up that I have now less protection".
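
An OS-side check of what the two about:support dumps above differ on, as an added example (not part of the original post and not Tor Browser's own code): it reads the kernel knobs that gate unprivileged user namespaces and reports which case applies. The function names, the optional root argument and the three state names are assumptions made for illustration.

```shell
#!/bin/sh
# Classify whether unprivileged processes may create user namespaces,
# using the sysctl files under /proc/sys.
# The optional first argument is a hypothetical alternate root, so the
# logic can be exercised against a constructed directory tree.

# Print a knob's value, or nothing if the kernel does not expose it.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; fi
}

userns_state() {
    root="${1:-}"
    max=$(read_knob "$root/proc/sys/user/max_user_namespaces")
    clone=$(read_knob "$root/proc/sys/kernel/unprivileged_userns_clone")
    aa=$(read_knob "$root/proc/sys/kernel/apparmor_restrict_unprivileged_userns")

    if [ "$max" = "0" ] || [ "$clone" = "0" ]; then
        # User namespaces are off for unprivileged users altogether;
        # an AppArmor "userns," rule cannot turn them back on.
        echo "disabled"
    elif [ "$aa" = "1" ]; then
        # Ubuntu >= 23.10 default: only programs whose AppArmor profile
        # grants "userns," (like the profile in the post) get a usable
        # user namespace.
        echo "apparmor-restricted"
    else
        echo "allowed"
    fi
}

echo "unprivileged user namespaces: $(userns_state)"
```

On a host that reports `apparmor-restricted`, reload the profile and recheck about:support for "User Namespaces true" to confirm the profile is actually attached to `firefox.real`.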