Firejail – A Security Sandbox for Mozilla Firefox, Part 3

In August, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to a server in Ukraine.

I am proud to say Firejail users were protected! The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home, while more advanced configurations blocked everything else.

The main focus of the Firejail project is GUI application sandboxing, with web browsers being one of the main targets. I will describe some of the new features available in Firejail, and how to use them to sandbox a web browser such as Mozilla Firefox.

A short note before we start. By default, the Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window instead of starting a new process. Make sure Firefox is not already running when you start it in a Firejail sandbox.

High security browser setup

In this article, Mozilla developers try to make the case for multiple profile support in Firefox. They describe how different family members would benefit from having different bookmarks, addons, and different browsing histories, and how web developers need a different setup than QA people. With all due respect, I think we need to differentiate the profiles based on security. I would say we need a profile for accessing high security websites such as banks, and another one for everything else.

In the case of the bank we are concerned about the software running inside the browser. This software is installed as extensions or addons in Firefox, and it raises lots of privacy questions. In the words of Mozilla’s Jorge Villalobos:

Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.

The second problem comes from inside our network. We all have these small routers connecting us to our Internet service provider. The routers are ridiculously insecure. All an attacker has to do is change the DNS setting in the router, and redirect our traffic to a fake bank website.

The solution to the first problem is to set the home directory in a partial chroot. Using the --private option, Firejail mounts an empty, temporary filesystem as your home directory, basically running Firefox on factory defaults. The DNS problem is resolved using the --dns option:

$ firejail --private --dns=8.8.8.8 firefox

In the example above I configure the sandbox DNS to a well-known server owned by Google. I do trust this server to give me the correct IP address for my bank. However, I need to mention that Google logs all your requests, and at least one national security agency has access to the data.

Everyday browser setup

For non-bank browsing, our addons and bookmarks are invaluable. The information is stored in the ~/.mozilla directory, so we have to bring this directory into the partial chroot described above. We’ll also bring in the ~/Downloads directory, which we use to download and upload files. As for Google DNS, it becomes a liability due to the aggressive tracking – we might be better off just using the DNS server supplied by our router!

$ firejail --whitelist=~/.mozilla --whitelist=~/Downloads firefox

Empty home directory while running Mozilla Firefox

Network namespace

Did you notice that every time people start a server in a container they always create a new network namespace? This is a new TCP/IP networking stack used only by their server. In the GUI world, we never use network namespaces. I don’t really know why, but the setup is pretty easy:

$ firejail --net=eth0 --whitelist=~/.mozilla --whitelist=~/Downloads firefox

Assuming eth0 is your main Ethernet interface, Firejail creates a new TCP/IP stack, connects it to the Ethernet network, and starts the browser as before.

Network namespace configured in a Firejail sandbox

To assign an IP address to the sandbox, Firejail ARP-scans the network and picks up a random address not already in use. Of course, we can be as explicit as we need to be:

$ firejail --net=eth0 --ip=192.168.1.155 [...]

or we can specify a range of IP addresses outside the DHCP server's scope:

$ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150 [...]

I use such an --iprange setup on my home network. Every browser/mail/BitTorrent application in the family is fighting for addresses in this range. It does require you to take a look at your router configuration, to see what addresses are covered by DHCP. If you are lazy you can go without a range, and use random addresses from across the network – DHCP servers are required to detect devices present on the network and not assign existing addresses.

Note: Ubuntu runs a local DNS server in the host network namespace. The server is not visible in the sandbox network namespace. Add the --dns option to the command:

$ firejail --net=eth0 --dns=8.8.8.8 [...]

I think this is the easiest way to secure a browser. Try it out and let me know if you run into problems.
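A small POSIX shell launcher, added here as an example and not part of the original post or of the Firejail project, that assembles the command lines from this article for the two profiles (bank and everyday) and applies the rules given for --net (explicit --dns required, Ethernet interfaces only). The function names, the 192.0.2.53 test resolver and the wireless-name check are my own choices.

```shell
#!/bin/sh
# Added example, not part of Firejail: a launcher that assembles the firejail
# command lines from this article. Function names and defaults are my own.

# Starting "firefox" while one is already running only opens a new window in
# the existing, unsandboxed process, so refuse to launch in that case.
firefox_not_running() {
    ! pgrep -x firefox >/dev/null 2>&1
}

# build_firejail_cmd MODE [IFACE] [DNS]
#   MODE   bank     -> --private (empty tmpfs home, factory-default Firefox)
#          everyday -> only ~/.mozilla and ~/Downloads are taken from $HOME
#   IFACE  Ethernet interface for a new network namespace (--net), optional
#   DNS    resolver handed to the sandbox; 8.8.8.8 as in the article
build_firejail_cmd() {
    mode=${1:-}; iface=${2:-}; dns=${3:-8.8.8.8}
    cmd="firejail"
    case "$mode" in
        bank)
            # Pinned resolver: a tampered DNS setting on the home router
            # cannot redirect the bank's name to a fake site.
            cmd="$cmd --private --dns=$dns"
            ;;
        everyday)
            # Add-ons, bookmarks and the download folder stay; the rest of
            # /home is hidden. DNS stays with the router unless --net is used.
            cmd="$cmd --whitelist=~/.mozilla --whitelist=~/Downloads"
            ;;
        *)
            echo "usage: build_firejail_cmd bank|everyday [iface] [dns]" >&2
            return 1
            ;;
    esac
    if [ -n "$iface" ]; then
        # Wireless interfaces are not supported by --net (see the comments).
        case "$iface" in
            wl*) echo "error: --net does not support wireless $iface" >&2
                 return 1 ;;
        esac
        cmd="$cmd --net=$iface"
        # A resolver on the host's loopback (Ubuntu's local DNS server) is
        # unreachable from the new namespace, so --net always needs --dns.
        case "$cmd" in
            *--dns=*) ;;
            *) cmd="$cmd --dns=$dns" ;;
        esac
    fi
    printf '%s firefox\n' "$cmd"
}

# launch MODE [IFACE] [DNS]: run the sandboxed browser.
launch() {
    firefox_not_running || { echo "error: Firefox already running" >&2; return 1; }
    cmd=$(build_firejail_cmd "$@") || return 1
    echo "+ $cmd" >&2
    eval "exec $cmd"
}

# Usage: ./launch.sh bank        or        ./launch.sh everyday eth0
case "${1:-}" in
    bank|everyday) launch "$@" ;;
esac
```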


50 thoughts on “Firejail – A Security Sandbox for Mozilla Firefox, Part 3”

    1. netblue30 Post author

      The reason is the TCP/IP stack in the sandbox is isolated from the TCP/IP stack on the host, you cannot connect from one to another over the network. Somebody breaking into the sandbox will not be able to see any server running on the host. For him, the IP address of the host is not even on the network.

  1. Name

    Hi netblue30!
I created “browser-home” in home and copied the iceweasel profile inside it to use already existent profile with it. And started it with “firejail --private=~/browser-home iceweasel” command. I entered about:support page in iceweasel and hit the “Open Directory”. It opens the actual profile directory, not the /browser-home/.mozilla/ dir. Shouldn’t it open /browser-home one instead?

      1. Name

        But it opens the real “/home/username/.mozilla/firefox/whatever.default”, not the “/browser-home/.mozilla/firefox/whatever.default”

        Shouldn’t firejail prevent accessing to the real home when in private mode? Doesn’t it mean that it has access to the real home somehow? If it has ability opening the real home directory, this means it has access to it with Firefox/Iceweasel’s “Open Profile” mechanism. A vulnerability. Because it is able to open a directory that it is not even suppose to see it.

        I am using firejail 0.9.28 backported from unstable.

      2. netblue30 Post author

        > I created “browser-home” in home and copied the iceweasel profile

        What do you mean by iceweasel profile? Is this ~/.mozilla directory or ~/.config/firejail/iceweasel.profile?

      3. netblue30 Post author

        > But it opens the real “/home/username/.mozilla/firefox/whatever.default”, not the “/browser-home/.mozilla/firefox/whatever.default”

        It should open “/home/username//browser-home/.mozilla/firefox/whatever.default”. This file is mounted in the sandbox as “/home/username/.mozilla/firefox/whatever.default”, so it appears to be the original file, but it isn’t.

        If you put in url bar in iceweasel “/home/username”, it will give you all the files visible in the sandbox. The .mozilla directory there is in reality ~/browser-home/.mozilla, just a simple name change because of the filesystem mount.


  3. Name

    > If you put in url bar in iceweasel “/home/username”, it will give you all the files visible in the sandbox. The .mozilla directory there is in reality ~/browser-home/.mozilla, just a simple name change because of the file system mount.

You are right. I can only see the sandboxed home dir. when i browse inside iceweasel. If i blacklist some dir. it can’t access etc… it looks like work. But…

    > This file is mounted in the sandbox as “/home/username/.mozilla/firefox/whatever.default”, so it appears to be the original file, but it isn’t.

    It is the “original” file (by original means; it is the old iceweasel profile that i used to use when there was no firejail installed which is in real home). I can say that by looking at the content of the directory. According to you i should see “/browser-home/.mozilla/firefox/whatever.default” as “/home/username/.mozilla/firefox/whatever.default” when i hit “Open Profile” and its content suppose to be the sandboxed profile. But it is not! You can observe this by creating some folder in the “original” iceweasel directory.

    1. netblue30 Post author

I’ve just tested it here, it doesn’t happen on my setup. I have copied .mozilla into a new directory (cp -a ~/.mozilla ~/mybrowser/.) and run firejail with the new directory (firejail --private=~/mybrowser firefox). In another xterm I go and create a new file in the original .mozilla directory (touch ~/.mozilla/foo). The new file is not visible from inside firefox.

      Something else might be going on: make sure when you start the sandbox you don’t have another firefox instance already running. By default firefox will not start a new browser instance, instead it will open a new window in the old instance.

      1. Name

> I’ve just tested it here, it doesn’t happen on my setup. I have copied .mozilla into a new directory (cp -a ~/.mozilla ~/mybrowser/.) and run firejail with the new directory (firejail --private=~/mybrowser firefox). In another xterm I go and create a new file in the original .mozilla directory (touch ~/.mozilla/foo). The new file is not visible from inside firefox.

        Have you entered about:support and hit “Open Directory”? Could you tell me which directory you see after that?

      2. sorcerer

I did what you did and additionally created a directory ~/test with a file “testfile”. After executing firejail --private=~/mybrowser firefox I opened about:support and clicked “open directory”. The filemanager (dolphin) opened and I saw all directories *outside* the sandbox. I navigated to ~/test but was not able to open “testfile”. However, I was able to delete ~/test! I don’t think that’s the expected behavior. In your documentation you wrote: “Private mode is a quick way of hiding all the files in your home directory from programs running inside the sandbox.” But this is obviously not the case. A bug?

      3. sorcerer

I did what you did and additionally created a directory ~/test with a file “testfile”. After executing firejail --private=~/mybrowser firefox I opened about:support and clicked “open directory”. The filemanager (dolphin) opened and I saw *all* directories outside the sandbox. I navigated to ~/test but was not able to open “testfile”. However, I was able to delete ~/test! I don’t think that’s the expected behavior. In your documentation you wrote: “Private mode is a quick way of hiding all the files in your home directory from programs running inside the sandbox.” But this is obviously not the case. A bug?

      4. netblue30 Post author

        Indeed, it opens the real directory! This is what is happening:

        When you try to open the directory in URL bar, firefox opens the right directory.

        If you open it with “Open Directory”, firefox starts the file manager by sending a message over dbus. The system receives the message and opens a file manager outside the sandbox. The window you see on your screen comes from the file manager, not from Firefox.

      5. Name

        Dude! It took so long :p

I had never tried it with --net option so i did “firejail --private=~/browser-home --net=wlan0 iceweasel” entered about:support and hit the “Open Directory”. It works in this way. It opens the sandboxed one, not the real home directory.

        Thank you for your efforts.

      6. netblue30 Post author

        I’ll try it out, thanks!

        I’ve just found out another manifestation of the same problem: you start a download, and in the download pull-down menu in firefox you hit “Open Containing Folder”, it opens the original download directory, not the one in the sandbox. However, the download file goes into the sandbox.

Play with it, if you see something strange let me know. I guess --net is the way to go for now.

      7. Name

        Yes. Download pull-down menu opens the original directory just like the “Open Directory”.

        So far my observations:

        If i use “firejail iceweasel” it opens the real directory again. It has access to real home. I can see other partitions in nautilus. If i blacklist accessing to these partitions, again i can see the partitions in nautilus, but when i click on them i can’t access it. So it looks like blacklisting like /mnt, /media etc… is working. But the real home is accessible.

If i use “firejail --private=~/browser-home iceweasel”, it opens the real home. I can see the partitions in nautilus. And i can access partitions whether they are blacklisted or not. I can access all directories whether they are blacklisted or not. Completely broken.

If i use “firejail --private=~/browser-home --net=eth0 iceweasel” works as expected. I can’t even see other partitions let alone accessing it. And i can’t access blacklisted directories under /root. Everything works as expected.

Is it possible to use wlan interface with --net? Because i can’t access internet when using --net=wlan0. If i start it with --net=wlan0, it shows me Interface as eth0-some_number and Status is down.

      8. netblue30 Post author

        No, the browser itself doesn’t have access outside the sandbox. Firefox is sending a message over dbus and the system opens the file manager outside the sandbox. Once the file manager is started, there can be no communication between the file manager and Firefox. The separation between the two is imposed by the kernel namespaces.

wlans are not supported by --net option. More code is necessary in the kernel for it to work.

    1. netblue30 Post author

      Give it a try without a profile, just in case the profile disables the directory where the plugin is located.

$ firejail --noprofile firefox

      If this is working, we can then go and find out what exactly disables the plugin.

      1. nthfxguy

        Okay, it works now, even with using the profile. I’m not sure what was changed, but I guess I had to log out and back in for this to work again…

  4. Paolo

    Hello netblue30, first thanks for Your work! Just a simple question: it is possible to use wildcard in the profile configuration file in such a way: “blacklist /bin/[a-f]*”.
Currently i’m getting the error “Error: line 8 in the custom profile is invalid”

  5. GNUser

    Using the whitelist option works… to an extent.
If i add in the profile “whitelist /home/user/path/tor-browser_en-US/” it will prevent my tor browser from accessing other folders in home, but it still allows access to /etc and others. I tried adding blacklist /etc/ but it messed up some fonts in the browser.

  6. netblue30 Post author

Whitelist option applies strictly to /home/user directory. For /etc you’ll need to use --private-etc. Yes, there could be some information regarding fonts in /etc.

  7. David Bushnell

    Many thanks for your fine work…!

    Using Firejail version 0.9.32 with Mint 17.1 3.13.0-37-generic
    When I issue the command:
$ firejail --net=eth0 firefox

    …the child process initializes correctly:
    Interface MAC IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP
    eth0-4354 2e:83:fb:8d:6a:8c 192.168.1.85 255.255.255.0 UP
    Default gateway 192.168.1.1
    Child process initialized

    HOWEVER:
    (firefox:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
    Failed to connect to socket /tmp/dbus-xtDKW03Asj: Connection refused

    After a bit of a delay, firefox appears with a dialog box stating that dbus-daemon is not running.
    ps aux | grep shows dbus-daemon running.

    Any suggestions?
    Regards…

    1. David Bushnell

Is anyone else having this problem using $ firejail --net=eth0 firefox with Mint Firefox?
      I will try downgrading to a much earlier version of Firefox within Mint 17.1 and report back…

      1. David Bushnell

        Ok, I installed Firefox v.20.0 en-us 64-bit from the Mozilla public archive (no mention of Mint in Help | About FF). Still get the error popup message in Firefox complaining that dbus-daemon is not running.

Just pondering: netblue30’s blog states that the --net option is really intended for existing br0 connections, but that eth0 would work also. I’m starting to doubt the eth0 connection unless someone here tells me that it works (and with which OS and Firefox version).

        Thinking that the error popup box as Firefox starts was just for info and not a deal-breaker, I successfully accessed a DD-WRT server on my network — sigh — my assigned IP doesn’t seem blocked. Perhaps a deal-breaker after all…

        Any comments?

      2. netblue30 Post author

--net disables abstract unix sockets, and dbus is one of them. You shouldn’t worry about it, Firefox is built to work just fine when dbus is not available.

      3. netblue30 Post author

--net disables abstract unix sockets, and dbus is one of them. Firefox is built to work fine when dbus is not available, you shouldn’t worry about it.

  8. David Bushnell

Thanks for your reply re: Firefox and --net. I won’t be concerned with the FF error popup.
As for --net’s practical application:

1) Should --net be used alone? or in combination with --private? or along with --whitelist?

2) If --net is in effect, and assuming that 192.168.1.200 is assigned, shouldn’t a hacker be unable to access the local network outside of that IP address? For example, suppose I am a hacker inside my Firefox session: I can still access a server on 192…203 from Firefox on 192…200.

    I thought that I would be prevented from accessing any IP outside 192…200.
    Regards

  9. David Bushnell

    FWIW — and hopefully of use to others to improve on — I followed up on your netfilter iptables suggestion by adding the following line to the end of the default netfilter, prior to the COMMIT line:
    -A OUTPUT -d 192.168.0.0/16 -j DROP
    I am now prevented from accessing any other servers on my local network, and it’s sufficient for my needs.
    With your help, I’ll continue learning about this remarkable package…

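The DROP rule David describes above lives in a file in iptables-restore format handed to Firejail with --netfilter=FILE. As an added example (not from the post or from Firejail itself), the shell function below takes a base ruleset and inserts one OUTPUT DROP rule per CIDR immediately before COMMIT; the embedded base ruleset is a constructed minimal stand-in, not a copy of Firejail's default filter, and the file path in the usage comment is my own choice.

```shell
#!/bin/sh
# Added example, not Firejail's own code: build a --netfilter file so that a
# --net sandbox can reach the Internet but not other hosts on the LAN.
# (A new network namespace only separates the sandbox from the host's stack;
# other machines on the same Ethernet segment are still reachable.)

# Constructed minimal iptables-restore ruleset standing in for the default
# filter; it is NOT a copy of Firejail's own default netfilter file.
BASE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# block_lan_rules CIDR...: print BASE_RULES with "-A OUTPUT -d CIDR -j DROP"
# for every CIDR inserted right before COMMIT, i.e. still inside the *filter
# table. Internet traffic is unaffected: the gateway is only the next hop,
# not the packet's destination. The router's own resolver IS a LAN
# destination, so pair this with an external --dns as the post does.
block_lan_rules() {
    drops=""
    for cidr in "$@"; do
        drops="$drops-A OUTPUT -d $cidr -j DROP
"
    done
    printf '%s\n' "$BASE_RULES" | awk -v drops="$drops" '
        /^COMMIT$/ { printf "%s", drops }
        { print }'
}

# write_netfilter_file PATH CIDR...: write the ruleset for --netfilter=PATH.
write_netfilter_file() {
    path=$1; shift
    block_lan_rules "$@" > "$path"
}

# Example going beyond the single rule in the comment: block all three
# RFC 1918 ranges, then start the browser with the file.
#   write_netfilter_file "$HOME/.config/firejail/lan-block.net" \
#       10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
#   firejail --net=eth0 --dns=8.8.8.8 \
#       --netfilter="$HOME/.config/firejail/lan-block.net" firefox
```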
  10. David Bushnell

— CONFLICT between --net=eth0 and active VPN (OpenVPN) client —

When my OpenVPN client is active, I lose all --dns capability, as if the Dynamic Network Service isn’t there.

As stated in netblue30’s blog, using --net=eth0 requires --dns=x.x.x.x also.
This works well for me, whether --private is employed or not.
However, activating my OpenVPN client and then calling $ firejail --net=eth0 --dns=8.8.8.8 firefox results in Firefox loading without any DN Service whatsoever.

On the other hand, losing my network isolation above (-A OUTPUT -d 192.168.0.0/16 -j DROP) because --netfilter can’t be active during VPN sessions isn’t a loss, because I’m not concerned with hackers coming through the encrypted VPN door to access other servers on my local network.

  11. james gordon

    Addons are certainly a security risk, but I still prefer to use certain settings (which are all more restrictive than even Firefox’s defaults–for example, Firefox collects telemetry data by default, cookies are allowed (i.e. cross-site tracking is possible and are associated to the services you use when you login), etc. and these benefit third parties regardless of whether your sandboxed session is discarded at the end of the Firefox session.

    How about being able to copy your bookmarks and Firefox settings over to the tmpfs every time a new session is started? The idea is: 1) create the tmpfs, 2) copy over the bookmarks and Firefox’s settings to the tmpfs, 3) launch Firefox, which will use these bookmarks and settings. Or something along those lines.

    Is this possible currently and if not, is it a consideration to be implemented in the future?

    1. netblue30 Post author

What I do in these cases, I use different directories for different browsing purposes, and pass them to firejail using --private=directory.

For example I have ~/dir1 and ~/dir2, and I run “firejail --private=dir1 firefox” or “firejail --private=dir2 firefox”. Each directory holds a different firefox configuration.

  12. james gordon

    Also, I believe I read that wireless network interfaces are not currently supported–does that mean they won’t benefit from being able to create new stacks on a laptop the way ethernet interfaces allow?

    1. netblue30 Post author

      Currently wireless configurations are not supported – missing support in the kernel.

      You can try to set up a routed configuration:

      Firejail Usage

      In that picture you would need to replace eth0 with your wireless interface. You also need to modify your iptables configuration … kind of ugly.

  13. jake

    I’m having issues installing xpra on both Arch and Raspbian. On Arch, I need to install a couple of dependencies from the AUR. For one of them, python2-gtkglext 1.1.0-7, I’m getting: “checking for C compiler default output file name… configure: error: C compiler cannot create executables” when I run makepkg -si on the dependency. For another, python-lz4 0.8.2-1, I’m getting the error: “gcc: error: unrecognized command line option ‘-fstack-protector-strong,-fno-plt’; did you mean ‘-fstack-protector-strong’? error: command ‘gcc’ failed with exit status 1”.

    On Raspbian, I did “sudo apt install xpra” and it says: “The following packages have unmet dependencies: xpra : Depends: xserver-xorg-video-dummy but it is not going to be installed
    E: Unable to correct problems, you have held broken packages”. I googled this problem and came across this potential solution: http://raspberrypi.stackexchange.com/questions/50000/cannot-install-xpra-unmet-dependancies/59747. I followed this and xserver-xorg-video-dummy is successfully installed. Then I try to install once again and it seems to be in dependency hell now.

    1. netblue30 Post author

There are problems with the way xpra was packaged in Arch. I don’t think anybody managed to get it running with or without firejail. Your best option on Arch would be to install Xephyr and start it in firejail as follows: “firejail --x11=xephyr appname”.

Firejail should run fine on Raspbian, there are people using it on ARM platform. About xpra I don’t know.

  14. Kyle

Firefox doesn’t work on my desktop without setting the --dns option. I am using the default firefox profile and ran with no options, i.e. `firejail firefox`. I’m on a fresh install of Arch on ethernet with the only internet configuration between enabling systemd-networkd.service and systemd-resolved.service enabled.

How can I get it to work without the --dns option? I want to use whatever defaults I’m using for the rest of my system. Thanks.

    1. netblue30 Post author

      I guess it all depends how your platform is configured to handle dns. On my Debian system, the servers are set by DHCP in /etc/resolv.conf. Systemd departed from the regular setting and implemented something different.

      I’ve heard from other Arch users that systemd dns doesn’t work nicely with sandboxes when you enable a network namespace, but for regular sandboxes works fine.

      The best way would be to ask a question on github (https://github.com/netblue30/firejail), there are a number of Arch users there.

  15. Zoltán Jáki

Greetings, I have a question regarding adding exceptions to firejail or terminating firejail itself temporarily. My problem with firejail is Firefox and BleachBit. In Firefox when I try to download file from the internet, or import bookmarks using its built-in explorer navigator I can only access a limited number of folders and they are empty as well, and when using the Downloads folder or any other folder it only says that directory is not accessible. And I thought this issue was relating to Firefox only. I also clean the system with BleachBit using custom settings but I have noticed it does not clean the recycle bin as directed. When I deleted firejail from my system my problems disappeared as well. My question is; is it possible to fully and permanently add an exclusion to firejail to ignore the actions of Firefox and BleachBit until the exclusion is undone? If so, what are the commands for it. At the same time I would like to know how to suspend or even terminate firejail itself and launch it again in case I would need to do more system configuration for the duration, which firejail might otherwise prevent. I did extensive research online regarding my issue to no avail. Please help. Regards.

  16. hali

    I run
firejail --net=eth0 firefox
    and get:
    [ERROR audio_thread_priority::rt_linux] setrlimit64: 1
    while firefox opens with a blank page.
    Any help?
