[SOLVED] How to sandbox Firefox on Linux Mint?

Questions about applications and software
Forum rules
Before you post please read how to get help
User avatar
Pjotr
Level 17
Level 17
Posts: 7922
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

[SOLVED] How to sandbox Firefox on Linux Mint?

Postby Pjotr » Tue Aug 11, 2015 12:31 pm

xenopeek wrote:You won't believe me when I tell you (okay, you might :)) but there are still Linux users that don't use a security sandbox for their web browser, and don't think they need one either. Using Firefox? It's fixed now but an exploit in the wild was stealing files from users' home folders (ssh keys and such) in Firefox on Linux: https://blog.mozilla.org/security/2015/ ... -the-wild/. With snappy this wouldn't have been possible as Firefox wouldn't have had access to those files. Sandboxing applications is not something average users will be able to set up. With snappy they wouldn't need to.

A bit off topic, but how does one sandbox Firefox in Linux Mint? And what are the practical disadvantages of sandboxing Firefox?
Last edited by Pjotr on Sun Feb 14, 2016 6:15 pm, edited 2 times in total.
Tip: 10 things to do after installing Linux Mint 18.2 Sonya
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
xenopeek
Level 24
Level 24
Posts: 20811
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to sandbox Firefox on Linux Mint?

Postby xenopeek » Tue Aug 11, 2015 1:09 pm

There are various ways. You could install apparmor and apparmor-profiles and enable it and the policy for Firefox.

Another is to install https://l3net.wordpress.com/projects/firejail/. It's not yet in the repositories (it is in Debian testing so it is coming to future Linux Mint/LMDE release). It also comes with a policy for Firefox and you launch it with "firejail firefox". The default policy already protects secret keys like ssh and it is easy to customize the default policy or write your own for further confinement. It uses standard Linux kernel functionality and doesn't require any policy daemons or similar to run in the background. The website might be a bit confusing to navigate, but the included manpages are very well written.

I'm using Firejail with a custom profile for all my web browsers and I'll be extending to include my feed reader. I could perhaps write up a tutorial for Linux Mint if there is interest.

Edit: I did write a tutorial, it is here: viewtopic.php?f=42&t=202735&p=1053327#p1053327
Image

User avatar
phd21
Level 11
Level 11
Posts: 3790
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: How to sandbox Firefox on Linux Mint?

Postby phd21 » Tue Aug 11, 2015 2:18 pm

xenopeek wrote:I'm using Firejail with a custom profile for all my web browsers and I'll be extending to include my feed reader. I could perhaps write up a tutorial for Linux Mint if there is interest.


Hi xenopeek,

I would be very interested in this. I'm sure others would be too. Sounds like a very useful tool.

Thank you in adavance ...
Phd21: Mint KDE 17.3 & 18.1, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,3gb Ram,160gb hdd, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

niowluka
Level 5
Level 5
Posts: 733
Joined: Tue May 27, 2014 6:28 pm
Location: Krakow, Poland

Re: How to sandbox Firefox on Linux Mint?

Postby niowluka » Tue Aug 11, 2015 2:27 pm

A crude and simple 'sandbox' would be simply running Firefox as another user, with no privileges or access to anything else. You could very simply run it purely within RAM, on top of that.

Still across the border with paranoid, if you ask me, but ... whatever makes you happy.
Mint 17 Openbox (MATE) 64bit | Linux 4.1.6 (Vanilla)

Gigabyte GA-880GA-UD3H | AMD Phenom II X4 965 3.4Ghz | G.Skill 8GB DDR3-1600 RipjawsX, F3-12800CL8D-8GBXM | MSI R7 260X 2048 MB GDDR5 OC

lurkatron
Level 3
Level 3
Posts: 124
Joined: Tue Nov 01, 2011 2:18 pm

Re: How to sandbox Firefox on Linux Mint?

Postby lurkatron » Tue Aug 11, 2015 3:35 pm

id be very interested in a tutorial

User avatar
phd21
Level 11
Level 11
Posts: 3790
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: How to sandbox Firefox on Linux Mint?

Postby phd21 » Tue Aug 11, 2015 4:56 pm

Hi Everyone,

Thank you "xenopeek" for providing that web link to the "Firejail" "sandbox" program. I'm looking forward to your tutorial on this.

I went to that "Firejail" website and downloaded the "Firejail" and "Firetools" installation programs (32-bit ".deb" for my Linux Mint & for my current computer(s), others users might need 64-bit), and just double clicked the "Firejail" ".deb" file I saved to install it, then I double clicked the "Firetools" ".deb" file to install that too, easy. Then, I ran the Firetools program from my menu which automatically had my FireFox browser in there. I did not have to setup anything for FireFox. So, I clicked Firefox from the Firetools launcher (panel), and I'm running a more secure FireFox browser right now to do this. Firejail (& firetools) doesn't seem to slow my system down either, nor does it take up much Ram memory either 9632 KB.

Although Linux and Linux Mint are far more secure than Ms Windows, or Macs, it could be possible for some bad people or their malware program creations to access your system through your browser; extremely rare, but possible. Using a "SandBox" type program will prevent those "bad" people and their "bad" programs from accessing anything else in your system.

Firejail is a sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications, or any application(s)


Sandbox (computer security)
https://en.wikipedia.org/wiki/Sandbox_%28computer_security%29

Thanks again ...
Phd21: Mint KDE 17.3 & 18.1, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,3gb Ram,160gb hdd, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

User avatar
Fred Barclay
Level 11
Level 11
Posts: 3846
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: How to sandbox Firefox on Linux Mint?

Postby Fred Barclay » Tue Aug 11, 2015 5:26 pm

xenopeek wrote:I'm using Firejail with a custom profile for all my web browsers and I'll be extending to include my feed reader. I could perhaps write up a tutorial for Linux Mint if there is interest.

Interest! :)
Image
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

User avatar
killer de bug
Level 14
Level 14
Posts: 5209
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: How to sandbox Firefox on Linux Mint?

Postby killer de bug » Sat Aug 15, 2015 7:03 am

xenopeek wrote:I could perhaps write up a tutorial for Linux Mint if there is interest.

It could indeed interest a lot of users. And I'm one of them :mrgreen:
Image
If it ain't broke, fix it until it is.

User avatar
Chiefahol
Level 4
Level 4
Posts: 474
Joined: Thu Jun 11, 2015 12:32 am

Re: How to sandbox Firefox on Linux Mint?

Postby Chiefahol » Sat Aug 15, 2015 10:46 am

Using firejail right now, very cool!

Cheers xeno! Definitely interested in that guide too! :D
Donate to your favourite distros!

kromaz
Level 2
Level 2
Posts: 82
Joined: Sat Oct 26, 2013 10:52 pm

Re: How to sandbox Firefox on Linux Mint?

Postby kromaz » Sat Aug 15, 2015 8:04 pm

xenopeek wrote:I'm using Firejail with a custom profile for all my web browsers and I'll be extending to include my feed reader. I could perhaps write up a tutorial for Linux Mint if there is interest.


Would really appreciate a tutorial. Thanks in advance.
Last edited by kromaz on Sun Aug 16, 2015 6:24 am, edited 1 time in total.
Debian 7.6 Wheezy (i386) Xfce 4.8
Linux Mint 13 Maya (i386) Xfce 4.10

GeneBenson
Level 4
Level 4
Posts: 341
Joined: Fri Sep 17, 2010 9:55 pm

Re: How to sandbox Firefox on Linux Mint?

Postby GeneBenson » Sun Aug 16, 2015 2:33 am

Nice find xenopeek. Firejail is working nicely here. It's just a pity that firetools is so UGLY!! :shock:

And thanks to Pjotr also for asking the question in the first place. :wink:

User avatar
killer de bug
Level 14
Level 14
Posts: 5209
Joined: Tue Jul 08, 2008 1:49 pm
Location: Graz, Austria

Re: How to sandbox Firefox on Linux Mint?

Postby killer de bug » Sun Aug 16, 2015 1:18 pm

Thanks a lot for this nice tutorial! Really appreciated!
Image
If it ain't broke, fix it until it is.

User avatar
phd21
Level 11
Level 11
Posts: 3790
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: How to sandbox Firefox on Linux Mint?

Postby phd21 » Sun Aug 16, 2015 2:51 pm

Hi xenopeek,

Thank you so much for this very nice tutorial. :)
Phd21: Mint KDE 17.3 & 18.1, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,3gb Ram,160gb hdd, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

User avatar
Chiefahol
Level 4
Level 4
Posts: 474
Joined: Thu Jun 11, 2015 12:32 am

Re: How to sandbox Firefox on Linux Mint?

Postby Chiefahol » Mon Aug 17, 2015 10:14 am

Copied, thanks! ;D
Donate to your favourite distros!

User avatar
xenopeek
Level 24
Level 24
Posts: 20811
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to sandbox Firefox on Linux Mint?

Postby xenopeek » Mon Aug 17, 2015 10:22 am

I've split my comment off as a new tutorial: viewtopic.php?f=42&t=202735
Image

xdicey
Level 4
Level 4
Posts: 463
Joined: Wed Sep 16, 2015 2:42 pm

Re: How to sandbox Firefox on Linux Mint?

Postby xdicey » Tue Dec 22, 2015 8:52 pm

xenopeek wrote:There are various ways. You could install apparmor and apparmor-profiles and enable it and the policy for Firefox.

Another is to install https://l3net.wordpress.com/projects/firejail/. It's not yet in the repositories (it is in Debian testing so it is coming to future Linux Mint/LMDE release). It also comes with a policy for Firefox and you launch it with "firejail firefox". The default policy already protects secret keys like ssh and it is easy to customize the default policy or write your own for further confinement. It uses standard Linux kernel functionality and doesn't require any policy daemons or similar to run in the background. The website might be a bit confusing to navigate, but the included manpages are very well written.

I'm using Firejail with a custom profile for all my web browsers and I'll be extending to include my feed reader. I could perhaps write up a tutorial for Linux Mint if there is interest.



Just following up. Did Firejail make it to 17.3 or one should just follow the tutorial and posts to install?
Rafaela Cinnamon 17.2, V 2.16, 64 bit, Kernel: 4.4.0-45
DELL Inspiron2350
-AIO TouchScreen
-QUAD CORE Intel Core i7-4700MQ CPU (-HT-MCP-) 2.40GHz x4
-12GB RAM, 1 TB SSHD
-Graphics Card: Intel 4th Gen Core Processor Integrated Graphics Controller

zolar1
Level 4
Level 4
Posts: 259
Joined: Fri Oct 05, 2012 9:07 pm

Re: How to sandbox Firefox on Linux Mint?

Postby zolar1 » Sun Jan 24, 2016 3:09 pm

I downloaded firejail and tried to install it but it won't install?
I opened a terminal then
cd ./directory where firejail

then chmod +x install.sh

then sh install.sh

it says installing then goes back to the command line

I tried the mkdeb.sh one too and it posts lots of errors (directory not found type).

I want to install firejail but cannot seem to get it right somehow.

I tried it with and without sudo but to no avail.

Also once I get it installed I want an open download directory where I can download to through the sandbox where I can save things I download.

Can someone please post a workable (aka exact step by step assuming nothing) tutorial on where to download firejail to, how to install firejail, and set it up for normal people to use?

Adding a few shortcuts to automatically launch it in the program list and desktop for point and click use would be terrific (no typing!)
Freedom isn't free. It has a HIGH price.

User avatar
xenopeek
Level 24
Level 24
Posts: 20811
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to sandbox Firefox on Linux Mint?

Postby xenopeek » Sun Jan 24, 2016 3:30 pm

You could just install the Linux Mint 18 version of Firejail. That will work fine with Linux Mint 17.x. Download the package for your architecture from here: http://packages.ubuntu.com/xenial/firejail
Image

zolar1
Level 4
Level 4
Posts: 259
Joined: Fri Oct 05, 2012 9:07 pm

Re: How to sandbox Firefox on Linux Mint?

Postby zolar1 » Sun Jan 24, 2016 3:38 pm

Thank you but permission denied?

Hmmm.... seems it cannot access firefox profile.
Freedom isn't free. It has a HIGH price.

zolar1
Level 4
Level 4
Posts: 259
Joined: Fri Oct 05, 2012 9:07 pm

Re: How to sandbox Firefox on Linux Mint?

Postby zolar1 » Sun Jan 24, 2016 3:40 pm

Your Firefox profile cannot be loaded. It may be missing or inaccessible.
Freedom isn't free. It has a HIGH price.


Return to “Software & Applications”

Who is online

Users browsing this forum: No registered users and 4 guests