# How to sandbox firefox?

## Leonardo.b

See: Firefox - Gentoo wiki

See: Simple Sandbox - Gentoo wiki

See: Sandboxing with Firejail - Sakaki guide

"Sandboxing Firefox is mandatory" is written there.

Should I use firejail from "Sakaki guide", or follow the "Simple sandbox" topic in the wiki?

I'm not an expert user. I'll just pick the laziest solution if there isn't a good reason not to - but I learn quickly, if needed.

What do you suggest, if anything?

----------

## gengreen

Firefox, like the other browsers, is just too insecure to be run on your system, even with a sandbox... it's an open door to your machine.

Creating a virtual system with qemu just for Firefox is a safer choice.

If you are too lazy then go for https://wiki.gentoo.org/wiki/Simple_sandbox but I won't call it secure or even safe.

----------

## Leonardo.b

Ah, really? I was far too naive.

I'll keep it in mind. Thanks for the advice.

Leonardo

----------

## mike155

*Quote:*

> Firefox, like the other browsers, is just too insecure to be run on your system, even with a sandbox...

I think that that is excessive.

----------

## Zucca

*mike155 wrote:*

> I think that that is excessive.

++

But you can go deeper into the rabbit hole by replacing the browser with Tor Browser.

Anyway, I think using a virtual machine to run just a web browser is a waste of resources and silly.

----------

## Leonardo.b

Interesting to see different opinions. Nice to hear from you.

I'm using the simple sandbox now.

Firejail seems easier to adapt to different programs. Firejail seems to have some nice features.

I haven't tried Qemu yet.

Tor is slow. Tor is good, but it doesn't fit my usage.

Have a good day,

Leonardo.

P.S. - I have the very bad habit of asking for help and then not listening to anyone, and making mistakes on my own.

I should stop. I will.

----------

## Juippisi

If you want, you can run it from an unprivileged container. That should be as safe as it can get.

----------

## figueroa

Beware of paranoia. Be safe, be secure, be appropriate to the threat. Don't do silly things on the web.

----------

## mike155

I run Firefox under a different user. That's my sandbox. My Firefox start script basically runs

```
sudo -u firefoxuser /usr/bin/firefox "$@"
```

The first reason is: I don't want Firefox to have access to my files. Running Firefox under a different user prevents Firefox or downloaded files (viruses) from reading, changing or sending any of my files.

But wait! There's more!

I don't want any of my programs (other than Firefox) to phone home or to open unwanted connections to the internet. In order to achieve that, I have a firewall rule that disables internet access for my main user. Well, there are some additional rules that allow traffic to the mail server, etc. - but the default action for packets from my main user is: DENY. So if one of my programs starts to phone home, it will fail due to the firewall.

Firefox, on the other hand, has access to the internet, because it runs under a different user.
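
The setup described in this post, written out as an added example (this is not mike155's actual script or ruleset). It assumes a dedicated account `firefoxuser` with uid 1001, a main user with uid 1000, and a mail server at the documentation address 192.0.2.10; all three are placeholders. The firewall part uses nftables' `meta skuid` match, which keys on the uid owning the socket that sends the packet, so the main user's new outbound connections are dropped and logged by default while the Firefox user's are accepted:

```shell
#!/bin/sh
# Added example, not mike155's script: run Firefox as a dedicated unprivileged
# user and give only that user unrestricted egress.
# Placeholders: main user uid 1000, "firefoxuser" uid 1001, mail server 192.0.2.10.

MAIN_UID=1000
FF_USER=firefoxuser
FF_UID=1001
MAIL_SERVER=192.0.2.10

# One-time setup as root (assumed, shown for completeness):
#   useradd -m -s /sbin/nologin "$FF_USER"
#   echo "leonardo ALL=($FF_USER) NOPASSWD: /usr/bin/firefox" > /etc/sudoers.d/firefox
#   chmod 0440 /etc/sudoers.d/firefox

# Emit an nftables ruleset: the output chain stays policy accept (root and
# system daemons are untouched), but packets whose socket is owned by the main
# uid are dropped unless they match an explicit allow, while the Firefox uid
# may open anything.  Arguments: main uid, firefox uid, mail server address.
gen_ruleset() {
    cat <<EOF
table inet user_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        oif "lo" accept
        ct state established,related accept
        meta skuid $2 accept
        meta skuid $1 udp dport 53 accept
        meta skuid $1 ip daddr $3 tcp dport { 993, 587 } accept
        meta skuid $1 log prefix "egress-denied: " drop
    }
}
EOF
}

# Load the ruleset (run as root).
apply_ruleset() {
    gen_ruleset "$MAIN_UID" "$FF_UID" "$MAIL_SERVER" | nft -f -
}

# Start script: let the dedicated user talk to this X display, then switch
# user.  sudo keeps DISPLAY by default, so no further environment is needed.
launch() {
    xhost +SI:localuser:"$FF_USER" >/dev/null
    exec sudo -u "$FF_USER" /usr/bin/firefox "$@"
}

case "${1:-}" in
    apply) apply_ruleset ;;
    run)   shift; launch "$@" ;;
esac
```

Run `./firefox-sandbox.sh apply` once as root and `./firefox-sandbox.sh run` as the main user. Denied attempts show up in the kernel log with the `egress-denied:` prefix, which answers the "is something phoning home?" question directly. Note that the `xhost` line only separates files and network: on Xorg every client of a display has the same access to it, so this gives no GUI isolation.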

----------

## Etal

Yet another option is bubblewrap, to run in a separate namespace:

https://wiki.archlinux.org/index.php/Bubblewrap#Firefox

The example provided is a bit excessive though, IMO.

----------

## Tom_

This thread is instructive. Maybe a bit excessive but anyway it's good to know that such solutions are available.

Does sandboxing Firefox with Firejail or Bubblewrap have any negative impact on performance? What about HTML5 video?

@gengreen, do you run Firefox in Qemu yourself? How do you access Firefox from the host? SSH X11 forwarding?

----------

## Leonardo.b

Everyone has his own needs and opinions. The world is wide.

I see several ways to achieve the same result now. I'll find mine, thanks for all the advice.

And Figueroa,

your words are wise.

mike155,*

do you provide some sort of GUI isolation (if Xorg)?

*EDIT: I put the wrong name

----------

## gengreen

Being excessive?

https://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452

Now you should compare the difference in resources used by Firefox installed on your system and inside a virtual qemu system.

I just want to point out that nothing is excessive when it's about security (hardened system philosophy; the only limit is what you consider acceptable).

*Quote:*

> This thread is instructive. Maybe a bit excessive but anyway it's good to know that such solutions are available.
>
> Does sandboxing Firefox with Firejail or Bubblewrap have any negative impact on performance? What about HTML5 video?
> ...

Edit: Yes, I use qemu a lot on my system (around 8 to 10 virtual images), one for each app that I consider unsafe. I'm currently using Spice, sticking with spice-gtk 0.35 (custom patch to add qmp / patch CVE...) as the development after this version took a turn I didn't like; I would not recommend this protocol to you.

I'm planning to change to VNC in a few months.

Here is a screenshot:

https://github.com/g3ngr33n/g3ngr33n.github.io/raw/main/nowaste.png

----------

## Etal

*Etal wrote:*

> Yet another option is bubblewrap, to run in a separate namespace:
>
> https://wiki.archlinux.org/index.php/Bubblewrap#Firefox
>
> The example provided is a bit excessive though, IMO.

To clarify, by "excessive" I was referring to the example in the Arch wiki link above. I don't think it makes any sense to selectively bind specific directories in /usr/share (rather than /usr/share or even /usr itself).
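
An added example for the bubblewrap option raised earlier in the thread and the clarification above: a wrapper that binds `/usr` read-only as a whole instead of cherry-picking directories under `/usr/share`. This is not the thread's nor the Arch wiki's code. It assumes a merged-`/usr` glibc system with Xorg and a PulseAudio-compatible sound socket, a persistent profile kept at `~/.sandbox/firefox`, and paths without whitespace; all of those are assumptions. The argument list is emitted by a function so the mount policy can be read and checked separately from the `exec`:

```shell
#!/bin/sh
# Added example, not the thread's or the Arch wiki's code: bubblewrap wrapper
# for Firefox that binds /usr read-only in one go (Etal's point).
# Assumed paths: merged /usr, Xorg socket in /tmp/.X11-unix, pulse and dbus
# sockets under $XDG_RUNTIME_DIR, profile stored in ~/.sandbox/firefox.

PROFILE_DIR="${HOME}/.sandbox/firefox"
RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
XAUTH="${XAUTHORITY:-$HOME/.Xauthority}"

# One bwrap option per line.  Order matters: the tmpfs on /tmp is created
# before the X socket directory is bound back into it, and --dev /dev comes
# before the GPU nodes are added on top of it.  The *-try variants skip a
# bind silently if the source does not exist (e.g. no sound server running).
bwrap_args() {
    cat <<EOF
--ro-bind /usr /usr
--symlink usr/lib /lib
--symlink usr/lib64 /lib64
--symlink usr/bin /bin
--symlink usr/sbin /sbin
--ro-bind /etc /etc
--proc /proc
--dev /dev
--dev-bind-try /dev/dri /dev/dri
--tmpfs /tmp
--ro-bind /tmp/.X11-unix /tmp/.X11-unix
--ro-bind-try $XAUTH $XAUTH
--ro-bind-try $RUNTIME_DIR/pulse $RUNTIME_DIR/pulse
--ro-bind-try $RUNTIME_DIR/bus $RUNTIME_DIR/bus
--bind $PROFILE_DIR $HOME/.mozilla
--bind $HOME/Downloads $HOME/Downloads
--unshare-all
--share-net
--die-with-parent
--new-session
EOF
}

# Launch Firefox inside the namespace.  Only the profile directory and
# ~/Downloads are writable; the rest of $HOME does not exist inside.
# Word splitting of $(bwrap_args) is intended (no spaces in assumed paths).
run() {
    mkdir -p "$PROFILE_DIR" "$HOME/Downloads"
    # shellcheck disable=SC2046
    exec bwrap $(bwrap_args) /usr/bin/firefox "$@"
}

case "${1:-}" in
    run) shift; run "$@" ;;
esac
```

`--unshare-all --share-net` drops every namespace except the network one, which the browser obviously needs; `--new-session` detaches it from the controlling terminal and `--die-with-parent` kills the sandbox if the wrapper dies. After the first start, check the Sandbox section of `about:support` to confirm that Firefox's own content-process sandbox still initialises inside the outer namespace.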

----------

## GrandeGrabois

*Juippisi wrote:*

> If you want, you can run it from an unprivileged container. That should be as safe as it can get.

Isn't this more efficient and just as secure (or only slightly less secure) than using a full-blown VM for each piece of sensitive software? And, if you don't use it for anything else, you won't have to compile the VM-related code into your kernel.

I also found this thread very informative and felt like we should explore the unprivileged container option a bit more.

----------

## gengreen

It's late, I should probably read it again and fix the typos:

Easy and fast way to sandbox using qemu -> https://g3ngr33n.github.io/qemusandbox/index.html

Edit: I wrote the basics (user / group qemu / kvm), but you can tighten the security of the qemu virtual system by writing an apparmor profile for qemu-system-x86_64 / remote-viewer, for example...

----------

## gengreen

I would like to add that, besides the sandbox, you can "increase the security" (a more correct term would be reduce the attack surface) by using apparmor with a profile limiting as much as possible the access and permissions of Firefox on the system.

https://dpaste.com/9TEHFCVMZ

This is an old one I made.

I think apparmor is a more serious security tool than bubblewrap and other toys of the kind.

----------

## pietinger

*gengreen wrote:*

> I think apparmor is a more serious security tool than bubblewrap and other toys of the kind

Yes, I think the same! (I am just writing an installation guide for AA in this forum)

*gengreen wrote:*

> [...] by using apparmor with a profile limiting as much as possible the access and permissions of Firefox on the system [... link ...]

I have read it. It must have been hard work, because you didn't use any abstractions (only variables from tunables/global). Let me make some points:

1. For now "#include" is deprecated, please use "include" instead.

2. You don't need a "deny /boot" if you don't allow any access to it. (You need a deny only when you want to allow access to a whole directory (e.g. /home) BUT NOT to a specific file or dir (e.g. .ssh))

3. Yes, this is really needed: "owner /dev/shm/org.chromium.* rw,"

4. I don't know if it would run under AA 3.0.0 (I miss some allows for links; also I don't know whether Firefox has an external WebEngine like Falkon or Konqueror have).

5. You must have an "abi" definition with AA 3.0.0

I like paranoid people ...

(I am too)
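
The five points above, applied in an added example: a minimal AppArmor 3.x profile skeleton for Firefox, written as a shell script that emits the profile and loads it. This is not pietinger's or gengreen's profile. The install path `/etc/apparmor.d/usr.bin.firefox`, the Gentoo-style `/usr/lib64/firefox` layout and the `/usr/bin/firefox` wrapper script are assumptions; the profile starts in complain mode precisely because the rule set is not complete for any particular build and is meant to be finished with `aa-logprof`:

```shell
#!/bin/sh
# Added example, not a profile from the thread: AppArmor 3.x skeleton for
# Firefox applying the review points (abi line, plain "include", abstractions
# instead of hand-written rules, deny only to carve a subtree out of a broader
# allow, the /dev/shm rule for the content-process sandbox).
# Assumed: profile path below, /usr/bin/firefox is a shell wrapper that execs
# /usr/lib64/firefox/firefox (Gentoo-style layout).

PROFILE_PATH=/etc/apparmor.d/usr.bin.firefox

# Emit the profile text.  Quoted heredoc: @{HOME} etc. stay literal.
write_profile() {
    cat <<'EOF'
abi <abi/3.0>,
include <tunables/global>

profile firefox /usr/bin/firefox flags=(complain) {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/X>
  include <abstractions/audio>
  include <abstractions/nameservice>
  include <abstractions/ssl_certs>
  include <abstractions/dbus-session-strict>

  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  # Wrapper script, its interpreter, and the real binaries (assumed layout).
  /usr/bin/firefox r,
  /{usr/,}bin/{,ba,da}sh ix,
  /usr/lib{,64}/firefox/** mr,
  /usr/lib{,64}/firefox/firefox ix,
  /usr/lib{,64}/firefox/plugin-container ix,

  # Broad allow on the profile, cache and download directories only.
  owner @{HOME}/.mozilla/ rw,
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/.cache/mozilla/ rw,
  owner @{HOME}/.cache/mozilla/** rwk,
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rw,

  # Nothing else under @{HOME} and nothing under /boot is granted, so no
  # deny rule is needed for them (point 2).  A deny is used only where the
  # allow above would otherwise reach in: telemetry inside the profile tree.
  deny @{HOME}/.mozilla/firefox/*/datareporting/** w,

  # Shared memory used by the content-process sandbox (point 3).
  owner /dev/shm/org.chromium.* rw,

  owner @{PROC}/@{pid}/{,task/@{tid}/}stat r,
  owner @{PROC}/@{pid}/{,task/@{tid}/}status r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,
}
EOF
}

# Write the profile and load it (run as root).  Iterate with aa-logprof until
# the complain-mode log is quiet, then switch to enforce with aa-enforce.
install_profile() {
    write_profile > "$PROFILE_PATH"
    apparmor_parser -r "$PROFILE_PATH"
}

case "${1:-}" in
    install) install_profile ;;
    show)    write_profile ;;
esac
```

Note that the exec rules use `ix` so the real Firefox binaries inherit this profile rather than transitioning to another one; if the distribution ships Firefox under a different path, the attachment and the `/usr/lib{,64}/firefox` rules are the first lines to adjust.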

----------

## gengreen

*pietinger wrote:*

> *gengreen wrote:* I think apparmor is a more serious security tool than bubblewrap and other toys of the kind
>
> Yes, I think the same! (I am just writing an installation guide for AA in this forum)
>
> *gengreen wrote:* [...] by using apparmor with a profile limiting as much as possible the access and permissions of Firefox on the system [... link ...]
> ...

Oh yes, those are very deprecated :p I used to write those profiles from scratch, line by line...

I have less time than before now, so the recent profiles I wrote are less raw... an example for qemu can be seen here: https://github.com/g3ngr33n/apparmor-profiles-hardened/blob/master/apparmor.d/usr.bin.qemu-system-x86_64

I didn't study apparmor 3 enough to consider my current profile as serious (for example `owner @{HOME}/*.sock wk, # Allow read/write access to spice socket` is way too permissive when apparmor offers deeper control, as seen in the manual under "Unix socket rule").

If you are writing something about apparmor, I will read it with pleasure.

PS: I'm rationally paranoid

----------

## pietinger

*gengreen wrote:*

> If you are writing something about apparmor, I will read it with pleasure.

Sorry, I forgot to mention it's a German guide (because of my poor English; Google Translate is better than me; it is already here in the folder "Deutsche Dokumentation").

*gengreen wrote:*

> PS: I'm rationally paranoid

Yes, I meant it so (I didn't mean it in a bad way).

----------

## gengreen

None taken! I was making a joke.

"Paranoia is the irrational and persistent..."

But in infosec, being paranoid is rational behavior.

----------

## pietinger

gengreen,

first of all, I found your thread from 2019 about apparmor in this forum.

May I ask which window manager you use (I am a KDE user)?

Do you have much experience in using Firefox?

If yes, do you know whether this excerpt from an old AA profile for Firefox is outdated or still needed with 83.0:

```
# Apparmor 2.13.1 -  Copyright (C) 2009-2018 Canonical Ltd.
#
# Hardened profile for firefox 60.5.0
[...]
   # Enforce denied read/write to datareporting and to the whole .cache/ directory, for the following reasons :
   #
   # /safebrowsing/ - Related file of the safebrowsing
   # activity-stream.tippytop.json - Log your browsing history, even with "never remember history" or "private browsing" enabled.
   # /startupCache/ - Include binary format as cache
   deny @{HOME}/.cache/mozilla/firefox/*.default/* rw,
   deny @{HOME}/.mozilla/firefox/*.default/datareporting/* w,
```

I never used Firefox (only Konqueror and Falkon from KDE) and would need this info for my AA profile, which you will find here:

https://forums.gentoo.org/viewtopic-p-8544745.html#8544745

(this profile needs some base profiles you will find here:

5. AppArmor Basis Profile I.

8. AppArmor Profile + BP for X11

9. AppArmor Basis Profile II. )

----------

## papu

Hi all,

I have been using simple sandbox for Firefox and for me it is nice, but since I started using PipeWire the sound doesn't work anymore, because https://wiki.gentoo.org/wiki/Simple_sandbox#Configure_Firefox_to_output_sound_to_larry.27s_PulseAudio_daemon is no longer effective.

Any ideas about that?

Thank you so much!

----------