Category Archives: Firefox

Firejail – A Security Sandbox for Mozilla Firefox

We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table and IPC space.

Introducing Firejail

The program is written in C and only needs libc and POSIX threads (libpthread), available by default on any Linux platform. The download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/CentOS 7 (rpm -i firejail.rpm)

An Arch Linux package is also available in AUR. The command to start Mozilla Firefox is:

$ firejail firefox
or
$ firejail --debug firefox

Firejail mounts the main filesystem directories read-only and blocks access to the /sbin, /usr/sbin and /boot directories. It also blocks several files in the user's home directory that store encryption keys and certificates. This is the current list:

(from /etc/firejail/firefox.profile)
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnome2_private
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/kde4/share/apps/kwallet
blacklist ${HOME}/kde/share/apps/kwallet
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.gnupg

You can add and remove files or directories as needed in /etc/firejail/firefox.profile. Firejail restricts the processes visible in the sandbox by making the sandboxed program PID 1; only that program and its descendants are visible inside the sandbox.
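As an added example (not part of Firejail or of this post), the script below reads profile text in the blacklist format quoted above, expands the ${HOME} placeholder the way the profile uses it, and reports which of the listed paths exist on the current host, so a user reviewing or editing firefox.profile can see which of their own key stores the sandbox will actually hide from the browser. The embedded profile is a constructed sample mirroring the quoted entries; the function names are this example's own. Parsing is deliberately limited to "blacklist" lines; other directives are skipped.

```shell
#!/bin/sh
# Added example, not Firejail's own code: parse "blacklist" lines from a
# Firejail profile, expand ${HOME}, and report which paths exist here.

# Constructed sample in the firefox.profile format (mirrors the quoted list).
SAMPLE_PROFILE='# constructed sample, same entries as /etc/firejail/firefox.profile
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnome2_private
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/kde4/share/apps/kwallet
blacklist ${HOME}/kde/share/apps/kwallet
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.gnupg
'

# profile_blacklist PROFILE_TEXT
# Prints one expanded path per "blacklist" line. Comments, blank lines and
# any other directive are skipped; a leading ${HOME} is replaced by $HOME.
profile_blacklist() {
    placeholder='${HOME}'   # literal text as written in the profile
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            'blacklist '*) path=${line#blacklist } ;;
            *) continue ;;
        esac
        case "$path" in
            "$placeholder"*) path="$HOME${path#"$placeholder"}" ;;
        esac
        printf '%s\n' "$path"
    done
}

# count_blacklist PROFILE_TEXT
# Number of blacklist entries found in the profile text.
count_blacklist() {
    profile_blacklist "$1" | wc -l | tr -d ' '
}

# present_paths PROFILE_TEXT
# Prints only those blacklisted paths that exist on this host, i.e. the
# secrets the profile would hide from a sandboxed Firefox here.
present_paths() {
    profile_blacklist "$1" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# Usage: show what the sample profile blocks, then what exists on this host.
printf 'blacklisted by sample profile (%s entries):\n' "$(count_blacklist "$SAMPLE_PROFILE")"
profile_blacklist "$SAMPLE_PROFILE"
printf 'of those, present on this host:\n'
present_paths "$SAMPLE_PROFILE"

# If the real profile is installed, run the same report against it.
if [ -r /etc/firejail/firefox.profile ]; then
    printf 'present on this host according to the installed profile:\n'
    present_paths "$(cat /etc/firejail/firefox.profile)"
fi
```

Run it before and after editing firefox.profile to confirm a newly added blacklist line resolves to the path you meant; a path that never shows up under "present on this host" is protecting nothing on that machine.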

Firefox browser running in a Firejail sandbox