I typically run about five or six different instances of Firefox with different profiles for different tasks or groups of websites (like one for dev work, one for my "daily driver", one for financial accounts, one for each organization I work for, etc). I've started using Firejail to better isolate each instance — not only from each other, but from the rest of my system.
Separate Home Directories
To run each profile with a separate home directory, I first created a new ~/fj dir, with a separate directory in it for each Firefox profile (like ~/fj/ff-dev, ~/fj/ff-company-x, etc). Then I moved the existing profile for each into its own .mozilla/firefox sub-directory (like ~/fj/ff-dev/.mozilla/firefox/abc123.dev), and added a single-profile profiles.ini into the same dir, containing just the entry for the single profile:
[General]
StartWithLastProfile=1
[Profile0]
Name=dev
IsRelative=1
Path=abc123.dev
Then I adjusted my startup script for each profile to use Firejail with the separate home dir:
#!/bin/sh
firejail --private=~/fj/ff-dev firefox
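The steps above (create the jail home, move the profile in, write a single-entry profiles.ini, add a launcher) can be scripted once and reused per profile. This is an added example, not the post author's script; the function name setup_jail_home and the launcher location are assumptions:

```sh
#!/bin/sh
# Added example, not the post author's script. setup_jail_home and the
# launcher location are assumptions; the directory layout follows the post.
#
# setup_jail_home BASE NAME SRC
#   BASE  directory holding all jail homes (the post uses ~/fj)
#   NAME  short profile name, e.g. "dev"
#   SRC   existing profile directory, e.g. ~/.mozilla/firefox/abc123.dev
setup_jail_home() {
    base=$1 name=$2 src=${3%/}

    # Restrict NAME so it cannot escape BASE or inject lines into profiles.ini.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid profile name: $name" >&2; return 1 ;;
    esac
    [ -d "$src" ] || { echo "no such profile dir: $src" >&2; return 1; }

    # Resolve BASE to an absolute path so the launcher works from any cwd.
    mkdir -p "$base" || return 1
    base=$(CDPATH= cd -- "$base" && pwd) || return 1
    jail=$base/ff-$name
    ffdir=$jail/.mozilla/firefox
    profdir=$(basename "$src")

    # Never merge into an existing jail home.
    if [ -e "$jail" ]; then echo "already exists: $jail" >&2; return 1; fi

    mkdir -p "$ffdir" || return 1
    chmod 700 "$jail" || return 1      # keep other local users out
    mv "$src" "$ffdir/$profdir" || return 1

    # Single-entry profiles.ini with the same fields the post shows.
    cat > "$ffdir/profiles.ini" <<EOF
[General]
StartWithLastProfile=1
[Profile0]
Name=$name
IsRelative=1
Path=$profdir
EOF

    # Launcher beside the jail home; BASE is assumed free of quote characters.
    launcher=$base/ff-$name.sh
    printf '#!/bin/sh\nexec firejail --private="%s" firefox\n' "$jail" > "$launcher"
    chmod 700 "$launcher" || return 1
    echo "$launcher"
}

# Stand-alone use: sh setup-jail.sh ~/fj dev ~/.mozilla/firefox/abc123.dev
if [ "$#" -eq 3 ]; then setup_jail_home "$@"; fi
```

Close the Firefox instance that uses the profile before running it, since the profile directory is moved rather than copied.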
Minimum Filesystem Access
I've also been experimenting with custom Firejail profiles to give Firefox just the minimum access to the filesystem it needs to work. I've found that the following profile (saved as ~/.config/firejail/firefox.profile) on Ubuntu 15.04 enables Firefox to use the system's fonts (private-etc fonts), timezone settings (private-etc localtime), and DNS (private-etc resolv.conf and noblacklist /run/resolvconf); my custom DNS overrides from /etc/hosts (private-etc hosts,nsswitch.conf); and DRM flash videos from Hulu, Amazon, etc (private-etc alternatives and noblacklist /run/dbus,/var/cache/hald):
noblacklist /run/dbus
noblacklist /run/resolvconf
noblacklist /run/user
noblacklist /var/cache/hald
noblacklist /var/run
blacklist /boot
blacklist /cdrom
blacklist /lost+found
blacklist /media
blacklist /mnt
blacklist /opt
blacklist /proc
blacklist /run/*
blacklist /sbin
blacklist /srv
blacklist /sys
blacklist /usr/sbin
blacklist /var/*
private-dev
private-etc alternatives,firefox,fonts,hosts,localtime,nsswitch.conf,resolv.conf
read-only /bin
read-only /lib
read-only /lib64
read-only /usr
tmpfs /tmp
caps.drop all
seccomp
netfilter
noroot
I've also built a similar custom Firejail profile for Chrome (saved as ~/.config/firejail/google-chrome.profile) which allows for the same (needing a little less access to run its own built-in version of flash):
noblacklist /opt/google
noblacklist /run/resolvconf
noblacklist /run/user
blacklist /boot
blacklist /cdrom
blacklist /lost+found
blacklist /media
blacklist /mnt
blacklist /opt/*
blacklist /proc
blacklist /run/*
blacklist /sbin
blacklist /srv
blacklist /sys
blacklist /usr/sbin
blacklist /var
private-dev
private-etc alternatives,chromium-browser,fonts,hosts,localtime,nsswitch.conf,resolv.conf
read-only /bin
read-only /lib
read-only /lib64
read-only /usr
tmpfs /tmp
caps.drop all
seccomp
netfilter
noroot