Stop mounting `/proc` in the various containers once this is feasable.
All three containers currently used by sandboxed-tor-browser
(tor, firefox, and the updater) currently mount /proc
. Once it's been verified that relevant versions of the software shipped do not require such, this mount should be removed to reduce fingerprinting and to close an attack vector.
In the mean time, stopgap solutions such as AppArmor could be investigated as well, though that is not a good long term solution as it is not ubiquitous.