There's something that I've been wanting to know the answer to for a while now, and that's whether Firefox on Linux has a native sandbox or not. From what I've read on the Mozilla wiki it sounds like it does, but I'm not sure if it's enabled by default or not. Also, does this mean that AppArmor finally has a sandbox profile for Firefox?
It doesn't look to be enabled for Firefox. I run Arch and this is what I get:

$ grep Seccomp /proc/22336/status
Seccomp: 0

22336 is the PID of Firefox at the time I checked. For the Chromium renderers I get:

grep Seccomp /proc/22271/status
Seccomp: 2

0 = not enabled, 2 = seccomp-bpf is enabled. Source: https://wiki.mozilla.org/Security/Sandbox/Seccomp

You can, however, run Firefox in Firejail and get seccomp enabled. There is a thread on it here: https://www.wilderssecurity.com/threads/firejail-linux-sandbox.369309/
Thanks, I know FJ has its own seccomp sandbox. But are you saying that the latest version of Firejail enables the Firefox seccomp sandbox as well? So two layers of sandboxing then?
No, I think just Firejail provides the seccomp filter for Firefox, somehow by attaching a system call filter to the process. It's beyond my scope of understanding. There's something on it here, where the author describes how he does it, in this Firejail link: https://l3net.wordpress.com/2015/04/13/firejail-seccomp-guide/
They are still resolving issues with the sandbox for FF Linux. https://wiki.mozilla.org/Security/Sandbox#Linux_Firefox

Linux Firefox
[DONE] Land Library bug 742434
[ON TRACK] Enable sandbox

Permissions burndown
Permission burn down list (see bug 942695 for details):

ID      Summary                                                                                                          Status
742434  Apply seccomp-bpf to desktop Firefox content processes on Linux                                                  NEW
936274  Remove open() from seccomp-bpf whitelist for Linux/Desktop                                                       NEW
942696  Remove access() from seccomp-bpf whitelist for Linux/Desktop                                                     RESOLVED
942698  Remove syscalls operating on filesystem paths and network addresses from seccomp-bpf whitelist for Linux/Desktop  NEW

4 Total; 3 Open (75%); 1 Resolved (25%); 0 Verified (0
wat0114 is right. Firefox doesn't have its own sandbox yet. So running it firejailed makes sense. The Firefox profile in /etc/firejail that comes with Firejail enables seccomp, drops all capabilities and has the noroot option, which creates a user namespace with the current user only - i.e. there is no root (only used on kernels that support user namespaces). In combination with the rules in the included *.inc files that's pretty tight, IMHO.
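As an added example (not code from the thread or from Firejail), here is a small POSIX sh script that does the /proc/PID/status check from wat0114's post for every process matching a name, and also reads CapEff so you can see whether the "drop all capabilities" part of the Firejail profile took effect. PROC_ROOT and the helper names are my own; the sample tree it builds is constructed, so it runs without Firefox.

```shell
#!/bin/sh
# Added example (not from the thread or from Firejail): report the Seccomp and
# CapEff fields of /proc/<pid>/status for processes whose Name: matches a pattern.
# PROC_ROOT can point at a constructed tree so this runs without Firefox.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Value of one "Key:" field for a pid; "?" if the file or field is missing.
status_field() {                       # $1 = pid, $2 = key (Name, Seccomp, CapEff)
    f="$PROC_ROOT/$1/status"
    [ -r "$f" ] || { echo "?"; return; }
    awk -v k="$2:" '$1 == k {print $2; found=1; exit} END {if (!found) print "?"}' "$f"
}

seccomp_mode_name() {                  # kernel meaning of the numeric Seccomp value
    case "$1" in
        0) echo "disabled" ;;  1) echo "strict" ;;
        2) echo "filter (seccomp-bpf)" ;;  *) echo "unknown" ;;
    esac
}

caps_summary() {                       # effective capability mask -> summary
    case "$1" in 0000000000000000) echo "all-dropped" ;; '?') echo "unknown" ;; *) echo "has-caps" ;; esac
}

# Print "pid name mode meaning caps" for every process whose Name: matches $1 (ERE).
# Note: Name: is the 15-char comm, and only its first word is compared here.
report_sandbox() {
    for status in "$PROC_ROOT"/[0-9]*/status; do
        [ -r "$status" ] || continue
        pid=${status#"$PROC_ROOT"/}; pid=${pid%/status}
        name=$(status_field "$pid" Name)
        echo "$name" | grep -Eq "$1" || continue
        mode=$(status_field "$pid" Seccomp)
        printf '%s %s %s %s %s\n' "$pid" "$name" "$mode" \
            "$(seccomp_mode_name "$mode")" "$(caps_summary "$(status_field "$pid" CapEff)")"
    done
}

# Constructed sample tree (made-up contents; 22336 is the PID quoted above):
# an unsandboxed firefox and one running under Firejail's profile.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/22336" "$d/4242"
    printf 'Name:\tfirefox\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n' > "$d/22336/status"
    printf 'Name:\tfirefox\nCapEff:\t0000000000000000\nSeccomp:\t2\n' > "$d/4242/status"
    echo "$d"
}

# Usage on a live system: sh report.sh firefox
[ "$#" -eq 0 ] || report_sandbox "$1"
```

A CapEff of all zeros in a firejailed Firefox matches the profile's caps.drop=all; a non-zero mask or Seccomp 0 means that part of the sandbox is not in effect for that process.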
I edit KDE's launcher for almost all applications and put in this command:

firejail --seccomp --caps.drop=all

I don't enable --private for Firefox because by default it will download a tracking cookie from Google. If I actually need --private then I'll disable my connection, open Firefox, configure it so it doesn't allow cookies by default, and then enable my connection.
Actually, those switches are already in most profiles that come with Firejail, among them the one for Firefox. Thus,

firejail firefox

should be sufficient.
As summerheat mentions, the --seccomp switch is already in the Firefox profile, so you could just use:

firejail --debug firefox