Hi. We aim to make enhanced sandboxing for Tor Browser widely available on Linux that's well maintained in the long term. We would appreciate it if TBB team provides the currently developed Apparmor and firejail profiles below from your repos and run unit testing and check/fix any breakages with updated browser versions.
It turns out there is an advantage to stacking both Apparmor and Firejail. Firejail doesn’t offer nearly as good file path whitelisting as AppArmor. Firejail also can’t do many things AppArmor can such as managing ptrace or signals, yet firejail can use xpra to isolate Tor Browser's access to X, pulseaudio and the clipboard. The Firejail package included in Debian stable cannot keep pace with the needed changes as Tor Browser continues to change.
Stacking is also a good defense in depth. If there’s a vulnerability in Firejail then AppArmor will still restrict the application or vice versa.
Firejail provides a maintained official profile for Tor Browser [0].
We have a Apparmor profile that we've maintained for years [1].
[0] https://github.com/netblue30/firejail/blob/master/etc/start-tor-browser.prof...