Sunday, November 1, 2015

Sandboxing Firefox with Firejail

I typically run about five or six different instances of Firefox with different profiles for different tasks or groups of websites (like one for dev work, one for my "daily driver", one for financial accounts, one for each organization I work for, etc). I've started using Firejail to better isolate each instance — not only from each other, but from the rest of my system.

Separate Home Directories

To run each profile with a separate home directory, I first created a new ~/fj dir, with a separate directory in it for each Firefox profile (like ~/fj/ff-dev, ~/fj/ff-company-x, etc). Then I moved the existing profile for each into its own .mozilla/firefox sub-directory (like ~/fj/ff-dev/.mozilla/firefox/abc123.dev), and added a single-profile profiles.ini into the same dir, containing just the entry for the single profile:

[General]
StartWithLastProfile=1

[Profile0]
Name=dev
IsRelative=1
Path=abc123.dev

Then I adjusted my startup script for each profile to use Firejail with the separate home dir:

#!/bin/sh
firejail --private=~/fj/ff-dev firefox
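The directory layout and single-profile profiles.ini described above, as an added helper script (not part of the original post): it moves an existing Firefox profile into its own sandbox home under a base directory (default ~/fj), writes the profiles.ini, and drops a matching launcher next to it. The function name, the start-firefox.sh launcher and the base-directory default are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build a per-profile Firejail home
# so that  firejail --private=<base>/ff-<name> firefox  starts exactly one
# Firefox profile. Names and paths below are illustrative assumptions.
#
# Usage: make_fj_home <name> <existing-profile-dir> [base-dir]
#   e.g. make_fj_home dev ~/.mozilla/firefox/abc123.dev
make_fj_home() {
    name="$1"
    src="$2"
    base="${3:-$HOME/fj}"
    [ -n "$name" ] && [ -d "$src" ] || { echo "usage: make_fj_home <name> <profile-dir> [base]" >&2; return 1; }

    home="$base/ff-$name"
    ffdir="$home/.mozilla/firefox"
    profdir="$(basename "$src")"

    # Refuse to merge into a sandbox home that already holds this profile.
    if [ -e "$ffdir/$profdir" ]; then
        echo "refusing to overwrite $ffdir/$profdir" >&2
        return 1
    fi

    # The sandbox home becomes $HOME inside the jail; keep it private to this user.
    mkdir -p "$ffdir" || return 1
    chmod 700 "$home"

    mv "$src" "$ffdir/$profdir" || return 1

    # Single-profile profiles.ini: Firefox inside the jail sees only this profile.
    cat > "$ffdir/profiles.ini" <<EOF
[General]
StartWithLastProfile=1

[Profile0]
Name=$name
IsRelative=1
Path=$profdir
EOF

    # Matching launcher, the same shape as the startup script in the post.
    printf '#!/bin/sh\nexec firejail --private="%s" firefox\n' "$home" > "$home/start-firefox.sh"
    chmod 755 "$home/start-firefox.sh"
    echo "$home"
}
```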

Minimum Filesystem Access

I've also been experimenting with custom Firejail profiles to give Firefox just the minimum access to the filesystem it needs to work. I've found that the following profile (saved as ~/.config/firejail/firefox.profile) on Ubuntu 15.04 enables Firefox to use the system's fonts (private-etc fonts), timezone settings (private-etc localtime), and DNS (private-etc resolv.conf and noblacklist /run/resolvconf); my custom DNS overrides from /etc/hosts (private-etc hosts,nsswitch.conf); and DRM flash videos from Hulu, Amazon, etc (private-etc alternatives and noblacklist /run/dbus,/var/cache/hald):

noblacklist /run/dbus
noblacklist /run/resolvconf
noblacklist /run/user
noblacklist /var/cache/hald
noblacklist /var/run
blacklist /boot
blacklist /cdrom
blacklist /lost+found
blacklist /media
blacklist /mnt
blacklist /opt
blacklist /proc
blacklist /run/*
blacklist /sbin
blacklist /srv
blacklist /sys
blacklist /usr/sbin
blacklist /var/*
private-dev
private-etc alternatives,firefox,fonts,hosts,localtime,nsswitch.conf,resolv.conf
read-only /bin
read-only /lib
read-only /lib64
read-only /usr
tmpfs /tmp
caps.drop all
seccomp
netfilter
noroot

I've also built a similar custom Firejail profile for Chrome (saved as ~/.config/firejail/google-chrome.profile) which allows for the same (needing a little less access to run its own built-in version of flash):

noblacklist /opt/google
noblacklist /run/resolvconf
noblacklist /run/user
blacklist /boot
blacklist /cdrom
blacklist /lost+found
blacklist /media
blacklist /mnt
blacklist /opt/*
blacklist /proc
blacklist /run/*
blacklist /sbin
blacklist /srv
blacklist /sys
blacklist /usr/sbin
blacklist /var
private-dev
private-etc alternatives,chromium-browser,fonts,hosts,localtime,nsswitch.conf,resolv.conf
read-only /bin
read-only /lib
read-only /lib64
read-only /usr
tmpfs /tmp
caps.drop all
seccomp
netfilter
noroot