Feature #12105

Adjust chrooted browsers to overlayfs

Added by intrigeri 2017-01-02 09:36:51. Updated 2020-01-28 09:06:17.

Affected tool: Unsafe Browser

Their setup script currently relies on aufs.


Related issues

Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed


#1 Updated by Anonymous 2018-01-16 13:45:14

  • Assignee set to anonym

The parent ticket seems to be part of our roadmap, so assigning this ticket to the person responsible for the parent ticket. I’ll let you verify if this is correct or if somebody else is responsible for this, or nobody.

#2 Updated by intrigeri 2018-07-09 08:13:30

It may actually be simpler to get rid of unionfs entirely here:

  1. configure_chroot_browser_profile: generate the chroot’ed browser profile in a new tmpfs outside of the chroot
  2. set_chroot_browser_name, delete_chroot_browser_searchplugins:
    1. copy the langpacks from $TBB_EXT to a new tmpfs outside of the chroot and modify them there
    2. copy $TBB_INSTALL/browser/omni.ja from $TBB_EXT to a new tmpfs outside of the chroot and modify it there
  3. set up the chroot:
    1. bind-mount read-only the host system’s / to $chroot; compared to what we do now, that means we get all the changes that were made there since booting, as opposed to having a pristine stack of SquashFS
    2. to hide sensitive data in the chroot, mount brand new (and empty) tmpfs’es on $chroot/home/amnesia; that’s the ugly part (for those wondering, no need to do the same in $chroot/lib/live/mount/persistence as long as we bind-mount / as opposed to rbind it)
    3. bind-mount the profile tmpfs read-write to the right place inside the chroot
    4. bind-mount the modified $TBB_EXT tmpfs read-only to $chroot/$TBB_EXT
    5. bind-mount the modified $TBB_INSTALL/browser/omni.ja read-only to $chroot/$TBB_INSTALL/browser/omni.ja


  • It becomes very clear what is read-write inside the chroot (the profile directory and nothing else; or perhaps the full /home/clearnet if needed); everything else is read-only.
  • We can keep the modified extensions and omni.ja and reuse them across Unsafe Browser sessions. The profile (or /home/clearnet) directory is another matter, having a clean one on every start is probably a good idea.
  • This allows us to use bwrap or systemd-nspawn, which simplifies setting up the chroot… and provides stricter confinement.


  • We expose runtime system config & data from the host to the Unsafe Browser and have to carefully single-out the bits we want to hide from it.
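The mount sequence sketched in comment #2, written out as an added example (not the Tails setup script and not code from this ticket). It assumes placeholder paths for $chroot, $TBB_EXT, $TBB_INSTALL and a host-side staging area, and it puts the profile tmpfs on the whole /home/clearnet, which the comment leaves open. By default it only prints the plan (DRY_RUN=1); with DRY_RUN=0 it must run as root. The langpack and omni.ja edits themselves, and /proc or /dev inside the chroot, are outside what the comment lists and are not shown. The last function audits a mountinfo listing so you can check the claim that only the profile location is read-write inside the chroot.

```shell
#!/bin/sh
# Added example: assemble the Unsafe Browser chroot from read-only bind
# mounts instead of a union filesystem. All paths below are placeholders.
set -eu

CHROOT="${CHROOT:-/var/lib/unsafe-browser/chroot}"        # $chroot in the ticket
TBB_EXT="${TBB_EXT:-/usr/share/tor-browser/extensions}"    # assumed $TBB_EXT
TBB_INSTALL="${TBB_INSTALL:-/usr/local/lib/tor-browser}"   # assumed $TBB_INSTALL
STAGING="${STAGING:-/run/unsafe-browser}"                  # host-side tmpfs area
PROFILE_TARGET="${PROFILE_TARGET:-/home/clearnet}"         # assumed rw location
DRY_RUN="${DRY_RUN:-1}"

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1-2: private tmpfs'es outside the chroot for everything we modify.
prepare_staging() {
    run mkdir -p "$STAGING/profile" "$STAGING/ext" "$STAGING/omni"
    run mount -t tmpfs -o nosuid,nodev tmpfs "$STAGING/profile"
    run mount -t tmpfs -o nosuid,nodev tmpfs "$STAGING/ext"
    run mount -t tmpfs -o nosuid,nodev tmpfs "$STAGING/omni"
    run cp -a "$TBB_EXT/." "$STAGING/ext/"
    run cp "$TBB_INSTALL/browser/omni.ja" "$STAGING/omni/omni.ja"
    # Langpack/searchplugin edits would be applied to $STAGING/ext and
    # $STAGING/omni/omni.ja at this point (not shown).
}

# Step 3: build the chroot as a stack of bind mounts.
setup_chroot() {
    run mkdir -p "$CHROOT"
    # 3.1: read-only view of the running host /; deliberately not --rbind,
    # so nested mounts (e.g. persistence) do not leak in.
    run mount --bind / "$CHROOT"
    run mount -o remount,bind,ro "$CHROOT"
    # 3.2: hide the user's data behind an empty tmpfs; mounted ro as well so
    # that nothing but the profile location is writable.
    run mount -t tmpfs -o ro,nosuid,nodev tmpfs "$CHROOT/home/amnesia"
    # 3.3: the only read-write path, a fresh profile tmpfs.
    run mount --bind "$STAGING/profile" "$CHROOT$PROFILE_TARGET"
    # 3.4 / 3.5: modified extensions and omni.ja, read-only.
    run mount --bind "$STAGING/ext" "$CHROOT$TBB_EXT"
    run mount -o remount,bind,ro "$CHROOT$TBB_EXT"
    run mount --bind "$STAGING/omni/omni.ja" "$CHROOT$TBB_INSTALL/browser/omni.ja"
    run mount -o remount,bind,ro "$CHROOT$TBB_INSTALL/browser/omni.ja"
}

# Audit: read a /proc/self/mountinfo-style listing on stdin and print every
# mount point under $1 whose per-mount options start with "rw".
# (mountinfo field 5 is the mount point, field 6 the per-mount options.)
rw_mounts_under() {
    awk -v root="$1" '
        index($5, root) == 1 {
            split($6, o, ",")
            if (o[1] == "rw") print $5
        }'
}

# Entry point: print the plan (default) or, as root with DRY_RUN=0, apply it.
prepare_staging
setup_chroot
```

After applying the plan for real, `rw_mounts_under "$CHROOT" < /proc/self/mountinfo` should list only the profile location; anything else it prints is a writable path you did not intend to expose.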

#3 Updated by intrigeri 2018-09-12 06:50:08

  • Assignee changed from anonym to segfault
  • Target version set to Tails_3.11

#4 Updated by intrigeri 2018-09-12 06:50:18

#5 Updated by intrigeri 2018-11-06 15:04:45

  • Target version changed from Tails_3.11 to Tails_3.13

#6 Updated by intrigeri 2018-12-02 21:53:34

#7 Updated by intrigeri 2018-12-02 21:53:39

  • blocked by deleted (Feature #15506: Core work 2018Q4: Foundations Team)

#8 Updated by intrigeri 2019-02-06 14:01:13

#9 Updated by intrigeri 2019-02-06 14:01:16

  • blocked by deleted (Feature #15507: Core work 2019Q1: Foundations Team)

#10 Updated by intrigeri 2019-02-06 14:01:25

  • Target version changed from Tails_3.13 to 2019

#11 Updated by intrigeri 2019-04-05 16:07:58

  • Assignee deleted (segfault)

#12 Updated by segfault 2019-11-23 15:04:28

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|5a7a6f02cfd6feadd14b8dce089a35fc0dc4cbe9.

#13 Updated by segfault 2019-11-23 17:52:34

  • Assignee set to segfault
  • Feature Branch changed from feature/8415-overlayfs-stretch to feature/8415-overlayfs+force-all-tests

#14 Updated by segfault 2019-11-23 19:00:42

  • Status changed from In Progress to Resolved
  • Assignee deleted (segfault)

#15 Updated by intrigeri 2020-01-28 09:06:17

  • % Done changed from 0 to 100