Yes, that is necessary. I question, however, whether it is sufficient.
Sufficient for what purpose?
It *is* sufficient for the purpose of preventing Subgraph sandboxed applications from escaping it's sandbox via the Tor control port. Actually, one of the Subgraph guys figured this out and that's why they wanted a Tor control port filter.
I can see how our intentions for this tool (roflcoptor) could have been misleading since we never explicitly/publicly stated the above as the motivation for tor control port filtration.
I think now that the other "Tor integrated Linux distributions" have more or less caught up with Subgraph, I feel comfortable telling people how easy it is to get tor to run arbitrary programs via the control port.
Looks like as per usual Yawning Angel did the exact correct thing and made the Tor hardened browser bundle filter the control port to disallow SETCONF. Further, he mentioned to me on irc that the tor proc is also sandboxed.. so yeah that sounds thorough and proper.
cheers from Montreal!
David Stainton