Firejail – A Security Sandbox for Mozilla Firefox, Part 3

In August, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to a server in Ukraine.

I am proud to say Firejail users were protected! The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home, while more advanced configurations blocked everything else.

The main focus of Firejail project is GUI application sandboxing, with web browsers being one of the main targets. I will describe some of the new features available in Firejail, and how to use them to sandbox a web browser such as Mozilla Firefox.

A short note before we start. By default, Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in Firejail sandbox.

High security browser setup

In this article, Mozilla developers try to make the case for multiple profile support in Firefox. They describe how different family members would benefit from having different bookmarks, addons, and different browsing histories, and how web developers need a different setup than QA people. With all due respect, I think we need to differentiate the profiles based on security. I would say we need a profile for accessing high security websites such as banks, and another one for everything else.

In the case of the bank we are concerned about the software running inside the browser. This software is installed as extensions or addons in Firefox, and it raises lots of privacy questions. In the words of Mozilla’s Jorge Villalobos:

Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.

The second problem comes from inside our network. We all have these small routers connecting us to our Internet service provider. The routers are ridiculously insecure. All an attacker has to do is change the DNS setting in the router, and redirect our traffic to a fake bank website.

The solution to the first problem is to set the home directory in a partial chroot. Using –private option, Firejail mounts an empty, temporary filesystem as your home directory, basically running Firefox on factory defaults. The DNS problem is resolved using –dns option:

$ firejail --private --dns=8.8.8.8 firefox

In the example above I configure sandbox DNS to a well know server owned by Google. I do trust this server to give me the correct IP address for my bank. However, I need to mention that Google logs all your requests, and at least one national security agency has access to the data.

Everyday browser setup

For non-bank browsing, our addons and bookmarks are invaluable. The information is stored in ~/.mozilla directory, so we have to bring this directory in the partial chroot described above. We’ll also bring in ~/Downloads directory. We use it to download and upload files. As for Google DNS, it becomes a liability due to the aggressive tracking – we might be better off just using the DNS server supplied by our router!

$ firejail --whitelist=~/.mozilla --whitelist=~/Download firefox
Empty home directory while running Mozilla Firefox

Empty home directory while running Mozilla Firefox

Network namespace

Did you notice that every time people start a server in a container they always create a new network namespace? This is a new TCP/IP networking stack used only by their server. In the GUI world, we never use network namespaces. I don’t really know why, but the setup is pretty easy:

$ firejail --net=eth0 --whitelist=~/.mozilla --whitelist=~/Download firefox

Assuming eth0 is your main Ethernet interface, Firejail creates a new TCP/IP stack, connects it to the Ethernet network, and starts the browser as before.

Network namespace configured in a Firejail sandbox

Network namespace configured in a Firejail sandbox

To assign an IP address to the sandbox, Firejail ARP-scans the network and picks up a random address not already in use. Of course, we can be as explicit as we need to be:

$ firejail --net=eth0 --ip=192.168.1.155 [...]

or we can specify a range of IP addresses outside DHCP server scope:

$ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150 [...]

I use such an –iprange setup on my home network. Every browser/mail/BitTorrent application in the family is fighting for addresses in this range. It does require you to take a look at your router configuration, to see what addresses are covered by DHCP. If you are lazy you can go without a range, and use random addresses from across the network – DHCP servers are required to detect devices present on the network and not assign existing addresses.

Note: Ubuntu runs a local DNS server in the host network namespace. The server is not visible in the sandbox network namespace. Add –dns option to the command:

$ firejail --net=eth0 --dns=8.8.8.8 [...]

I think this is the easiest way to secure a browser. Try it out and let me know if you run into problems.

More Information

  • Firejail Project Homepage
  • Development Page on GitHub
  • Firejail – A Security Sandbox for Mozilla Firefox, Part 1
  • Firejail – A Security Sandbox for Mozilla Firefox, Part 2
  • Advertisements

47 thoughts on “Firejail – A Security Sandbox for Mozilla Firefox, Part 3

    1. netblue30 Post author

      The reason is the TCP/IP stack in the sandbox is isolated from the TCP/IP stack on the host, you cannot connect from one to another over the network. Somebody breaking into the sandbox will not be able to see any server running on the host. For him, the IP address of the host is not even on the network.

      Reply
  1. Name

    Hi netblue30!
    I created “browser-home” in home and copied the iceweasel profile inside it to use already existent profile with it. And started it with “firejail –private=~/browser-home iceweasel” command. I entered about:support page in iceweasel an hit the “Open Directory”. It opens the actual profile directory, not the /browser-home/.mozilla/ dir. Shouldn’t it open /browser-home one instead?

    Reply
      1. Name

        But it opens the real “/home/username/.mozilla/firefox/whatever.default”, not the “/browser-home/.mozilla/firefox/whatever.default”

        Shouldn’t firejail prevent accessing to the real home when in private mode? Doesn’t it mean that it has access to the real home somehow? If it has ability opening the real home directory, this means it has access to it with Firefox/Iceweasel’s “Open Profile” mechanism. A vulnerability. Because it is able to open a directory that it is not even suppose to see it.

        I am using firejail 0.9.28 backported from unstable.

      2. netblue30 Post author

        > I created “browser-home” in home and copied the iceweasel profile

        What do you mean by iceweasel profile? Is this ~/.mozilla directory or ~/.config/firejail/iceweasel.profile?

      3. netblue30 Post author

        > But it opens the real “/home/username/.mozilla/firefox/whatever.default”, not the “/browser-home/.mozilla/firefox/whatever.default”

        It should open “/home/username//browser-home/.mozilla/firefox/whatever.default”. This file is mounted in the sandbox as “/home/username/.mozilla/firefox/whatever.default”, so it appears to be the original file, but it isn’t.

        If you put in url bar in iceweasel “/home/username”, it will give you all the files visible in the sandbox. The .mozilla directory there is in reality ~/browser-home/.mozilla, just a simple name change because of the filesystem mount.

  2. Pingback: Sandbox Firefox with Firejail (3) | 0ddn1x: tricks with *nix

  3. Name

    > If you put in url bar in iceweasel “/home/username”, it will give you all the files visible in the sandbox. The .mozilla directory there is in reality ~/browser-home/.mozilla, just a simple name change because of the file system mount.

    You are right. I can only see the sanboxed home dir. when i browse inside iceweasel. If i blacklist some dir. it can’t access etc… it looks like work. But…

    > This file is mounted in the sandbox as “/home/username/.mozilla/firefox/whatever.default”, so it appears to be the original file, but it isn’t.

    It is the “original” file (by original means; it is the old iceweasel profile that i used to use when there was no firejail installed which is in real home). I can say that by looking at the content of the directory. According to you i should see “/browser-home/.mozilla/firefox/whatever.default” as “/home/username/.mozilla/firefox/whatever.default” when i hit “Open Profile” and its content suppose to be the sandboxed profile. But it is not! You can observe this by creating some folder in the “original” iceweasel directory.

    Reply
    1. netblue30 Post author

      I’ve just tested it here, it doesn’t happen on my setup. I have copied .mozilla into a new directory (cp -a ~/.mozilla ~/mybrowser/.) and run firejail with the new directory (firejail –private=~/mybrowser firefox). In another xterm I go and create a new file in the original .mozilla directory (touch ~/.mozilla/foo). The new file is not visible from inside firefox.

      Something else might be going on: make sure when you start the sandbox you don’t have another firefox instance already running. By default firefox will not start a new browser instance, instead it will open a new window in the old instance.

      Reply
      1. Name

        > I’ve just tested it here, it doesn’t happen on my setup. I have copied .mozilla into a new directory (cp -a ~/.mozilla ~/mybrowser/.) and run firejail with the new directory (firejail –private=~/mybrowser firefox). In another xterm I go and create a new file in the original .mozilla directory (touch ~/.mozilla/foo). The new file is not visible from inside firefox.

        Have you entered about:support and hit “Open Directory”? Could you tell me which directory you see after that?

      2. sorcerer

        I did what you did and additionally created a directory ~/test with a file “testfile”. After executing firejail –private=~/mybrowser firefox I opened about:support and clicked “open directory” . The filemanager (dolphin) opened and I saw all directories *outside* the sandbox. I navigated to ~/test but was not able to open “testfile”. However, I was able to delete ~/test! I don’t think that’s the expected behavior. In your documentation you wrote:”Private mode is a quick way of hiding all the files in your home directory from programs running inside the sandbox.” But this is obviously not the case. A bug?

      3. sorcerer

        I did what you did and additionally created a directory ~/test with a file “testfile”. After executing firejail –private=~/mybrowser firefox I opened about:support and clicked “open directory” . The filemanager (dolphin) opened and I saw *all* directories outside the sandbox. I navigated to ~/test but was not able to open “testfile”. However, I was able to delete ~/test! I don’t think that’s the expected behavior. In your documentation you wrote:”Private mode is a quick way of hiding all the files in your home directory from programs running inside the sandbox.” But this is obviously not the case. A bug?

      4. netblue30 Post author

        Indeed, it opens the real directory! This is what is happening:

        When you try to open the directory in URL bar, firefox opens the right directory.

        If you open it with “Open Directory”, firefox starts the file manager by sending a message over dbus. The system receives the message and opens a file manager outside the sandbox. The window you see on your screen comes from the file manager, not from Firefox.

      5. Name

        Dude! It took so long :p

        I had never tried it with –net option so i did “firejail –private=~/browser-home –net=wlan0 iceweasel” entered about:support and hit the “Open Directory”. It works in this way. It opens the sandboxed one, not the real home directory.

        Thank you for your efforts.

      6. netblue30 Post author

        I’ll try it out, thanks!

        I’ve just found out another manifestation of the same problem: you start a download, and in the download pull-down menu in firefox you hit “Open Containing Folder”, it opens the original download directory, not the one in the sandbox. However, the download file goes into the sandbox.

        Play with it, if you see something strange let me know. I guess –net is the way to go for now.

      7. Name

        Yes. Download pull-down menu opens the original directory just like the “Open Directory”.

        So far my observations:

        If i use “firejail iceweasel” it opens the real directory again. It has access to real home. I can see other partitions in nautilus. If i blacklist accessing to these partitions, again i can see the partitions in nautilus, but when i click on them i can’t access it. So it looks like blacklisting like /mnt, /media etc… is working. But the real home is accessible.

        If i use “firejail –private=~/browser-home iceweasel”, it opens the real home. I can see the partitions in nautilus. And i can access partitions whether they are blacklisted or not. I can access all directories whether they are blacklisted or not. Completely broken.

        If i use “firejail –private=~/browser-home –net=eth0 iceweasel” works as expected. I can’t even see other partitions let alone accessing it. And i can’t access blacklisted directories under /root. Everything works as expected.

        Is it possible to use wlan interface with –net? Because i can’t access internet when using –net=wlan0. If i start it with –net=wlan0, it shows me Interface as eth0-some_number and Status is down.

      8. netblue30 Post author

        No, the browser itself doesn’t have access outside the sandbox. Firefox is sending a message over dbus and the system opens the file manager outside the sandbox. Once the file manager is started, there can be no communication between the file manager and Firefox. The separation between the two is imposed by the kernel namespaces.

        wlans are not supported by –net option. More code is necessary in the kernel for it to work.

    1. netblue30 Post author

      Give it a try without a profile, just in case the profile disables the directory where the plugin is located.

      $ firejail –noprofile firefox

      If this is working, we can then go and find out what exactly disables the plugin.

      Reply
      1. nthfxguy

        Okay, it works now, even with using the profile. I’m not sure what was changed, but I guess I had to log out and back in for this to work again…

  4. Paolo

    Hello netblue30, first thanks for Your work! Just a simple question: it is possible to use wildcard in the profile configuration file in such a way: “blacklist /bin/[a-f]*”.
    Currently i’m gettin the error “Error: line 8 in the custom profile is invalid”

    Reply
  5. GNUser

    Using the whitelist option works… to an extent.
    If i add in the profile “whitelist /home/user/path/tor-browser_en-US/” it will prevent my tor browser from accessin other folders in home, but it still allows access to /etc and others. I tried adding blacklist /etc/ but it messed up some fonts in the browser.

    Reply
  6. netblue30 Post author

    Whitelist option applies strictly to /home/user directory. For /etc you’ll need to use –private-etc. Yes, there could be some information regarding fonts in /etc.

    Reply
  7. David Bushnell

    Many thanks for your fine work…!

    Using Firejail version 0.9.32 with Mint 17.1 3.13.0-37-generic
    When I issue the command:
    $ firejail –net=eth0 firefox

    …the child process initializes correctly:
    Interface MAC IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP
    eth0-4354 2e:83:fb:8d:6a:8c 192.168.1.85 255.255.255.0 UP
    Default gateway 192.168.1.1
    Child process initialized

    HOWEVER:
    (firefox:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
    Failed to connect to socket /tmp/dbus-xtDKW03Asj: Connection refused

    After a bit of a delay, firefox appears with a dialog box stating that dbus-daemon is not running.
    ps aux | grep shows dbus-daemon running.

    Any suggestions?
    Regards…

    Reply
    1. David Bushnell

      Is anyone else having this problem using $ firejail –net=eth0 firefox with Mint Firefox?
      I will try downgrading to a much earlier version of Firefox within Mint 17.1 and report back…

      Reply
      1. David Bushnell

        Ok, I installed Firefox v.20.0 en-us 64-bit from the Mozilla public archive (no mention of Mint in Help | About FF). Still get the error popup message in Firefox complaining that dbus-daemon is not running.

        Just pondering: netblue30’s blog states that the –net option is really intended for existing br0 connections, but that eth0 would work also. I’m starting to doubt the eth0 connection unless someone here tells me that it works (and with which OS and Firefox version).

        Thinking that the error popup box as Firefox starts was just for info and not a deal-breaker, I successfully accessed a DD-WRT server on my network — sigh — my assigned IP doesn’t seem blocked. Perhaps a deal-breaker after all…

        Any comments?

      2. netblue30 Post author

        –net disables abstract unix sockets, and dbus is one of them. You shouldn’t worry about it, Firefox is build to work just fine when dbus is not available.

      3. netblue30 Post author

        –net disables abstract unix sockets, and dbus is one of them. Firefox is built to work fine when dbus is not available, you shouldn’t worry about it.

  8. David Bushnell

    Thanks for your reply re: Firefox and –net. I won’t be concerned with the FF error popup.
    As for –net’s practical application:

    1) Should –net be used alone? or in combination with –private? or along with –whitelist?

    2) If –net is in effect, and assuming that 192.168.1.200 is assigned, shouldn’t a hacker be unable to access the local network outside of that IP address? For example, suppose I am a hacker inside my Firefox session: I can still access a server on 192…203 from Firefox on 192…200.

    I thought that I would be prevented from accessing any IP outside 192…200.
    Regards

    Reply
  9. David Bushnell

    FWIW — and hopefully of use to others to improve on — I followed up on your netfilter iptables suggestion by adding the following line to the end of the default netfilter, prior to the COMMIT line:
    -A OUTPUT -d 192.168.0.0/16 -j DROP
    I am now prevented from accessing any other servers on my local network, and it’s sufficient for my needs.
    With your help, I’ll continue learning about this remarkable package…

    Reply
  10. David Bushnell

    — CONFLICT between –net=eth0 and active VPN (OpenVPN) client —

    When my OpenVPN client is active, I lose all –dns capability, as if the Dynamic Network Service isn’t there.

    As stated in netblue30’s blog, using –net=eth0 requires –dns=x.x.x.x also.
    This works well for me, whether –private is employed or not.
    However, activating my OpenVPN client and then calling $ firejail –net=eth0 –dns=8.8.8.8 firefox results in Firefox loading without any DN Service whatsoever.

    On the other hand, losing my network isolation above (-A OUTPUT -d 192.168.0.0/16 -j DROP) because –netfilter can’t be active during VPN sessions isn’t a loss, because I’m not concerned with hackers coming through the encrypted VPN door to access other servers on my local network.

    Reply
  11. james gordon

    Addons are certainly a security risk, but I still prefer to use certain settings (which are all more restrictive than even Firefox’s defaults–for example, Firefox collects telemetry data by default, cookies are allowed (i.e. cross-site tracking is possible and are associated to the services you use when you login), etc. and these benefit third parties regardless of whether your sandboxed session is discarded at the end of the Firefox session.

    How about being able to copy your bookmarks and Firefox settings over to the tmpfs every time a new session is started? The idea is: 1) create the tmpfs, 2) copy over the bookmarks and Firefox’s settings to the tmpfs, 3) launch Firefox, which will use these bookmarks and settings. Or something along those lines.

    Is this possible currently and if not, is it a consideration to be implemented in the future?

    Reply
    1. netblue30 Post author

      What I do in these cases, I use different directories for different browsing purposes, and pass them to firejail using –private=directory.

      For example I have ~/dir1 and ~/dir2, and I run “firejail –private=dir1 firefox” or “firejail –private=dir2 firefox”. Each directory holds a different firefox configuration.

      Reply
  12. james gordon

    Also, I believe I read that wireless network interfaces are not currently supported–does that mean they won’t benefit from being able to create new stacks on a laptop the way ethernet interfaces allow?

    Reply
  13. jake

    I’m having issues installing xpra on both Arch and Raspbian. On Arch, I need to install a couple of dependencies from the AUR. For one of them, python2-gtkglext 1.1.0-7, I’m getting: “checking for C compiler default output file name… configure: error: C compiler cannot create executables” when I run makepkg -si on the dependency. For another, python-lz4 0.8.2-1, I’m getting the error: “gcc: error: unrecognized command line option ‘-fstack-protector-strong,-fno-plt’; did you mean ‘-fstack-protector-strong’? error: command ‘gcc’ failed with exit status 1”.

    On Raspbian, I did “sudo apt install xpra” and it says: “The following packages have unmet dependencies: xpra : Depends: xserver-xorg-video-dummy but it is not going to be installed
    E: Unable to correct problems, you have held broken packages”. I googled this problem and came across this potential solution: http://raspberrypi.stackexchange.com/questions/50000/cannot-install-xpra-unmet-dependancies/59747. I followed this and xserver-xorg-video-dummy is successfully installed. Then I try to install once again and it seems to be in dependency hell now.

    Reply
    1. netblue30 Post author

      There are problems with the way xpra was packaged in Arch. I don’t think anybody managed to get it running with or without firejail. Your best option on Arch would be to install Xephyr and start it in firejail as follows: “firejail –x11=xephyr appname”.

      Firejail should run fine on Rasbian, there are people using it on ARM platform. About xpra I don’t know.

      Reply
  14. Kyle

    Firefox doesn’t work on my desktop without setting the –dns option. I am using the default firefox profile and ran with no options, i.e. `firejail firefox`. I’m on a fresh install of Arch on ethernet with the only internet configuration between enabling systemd-networkd.service and systemd-resolved.service enabled.

    How can I get it to work without the –dns option? I want to use whatever defaults I’m using for the rest of my system. Thanks.

    Reply
    1. netblue30 Post author

      I guess it all depends how your platform is configured to handle dns. On my Debian system, the servers are set by DHCP in /etc/resolv.conf. Systemd departed from the regular setting and implemented something different.

      I’ve heard from other Arch users that systemd dns doesn’t work nicely with sandboxes when you enable a network namespace, but for regular sandboxes works fine.

      The best way would be to ask a question on github (https://github.com/netblue30/firejail), there are a number of Arch users there.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s