I have decided to opensource this project & it is now available on github.
tl-dr: this script downloads & runs torbrowser in a sandbox within a seperate windowed X session using Xephyr
This started as a simple Xephyr script which sandboxed torbrowser to enable seccomp. It then evolved to include ramdisk opreation. I then found torbrowser used by some of my VMs were not kept up to date using the OS package managers so I extended it again to include installing of torbrowser into its own folder within the users home directory. The final addition was checksum & GPG verification (ref: tor gpg verification)
The script sets up a working env within ~/.torjail It then downloads torbrowser bundle from tor (also has a update function) Downloads and verifies files are valid using GPG key and sha256 checksum. Extracts torbrowser into ~/.torjail Sets up the env for a WM (am using DWM as it is small & self-contained) Runs torbrowser in a firejail sandbox in memory inside of a xephyr session. Once finished it kills the Xephyr session.
If anything doesn't pass the checksum or GPG checks it tells the user, removes the files & exits.
Main components used
firejail https://firejail.wordpress.com/ xephyr https://wiki.freedesktop.org/www/Software/Xephyr/ dwm http://dwm.suckless.org/ torbrowser https://www.torproject.org/projects/torbrowser.html.en
The script is released under MIT license. (other components have various licenses) You can download it from github