Yes! I haven't dig deep enough into how Spoiler works (and I'm not sure at all if I would understand it if I had ) - but the famous Spectre vulnerabilty can be used for a remote exploitation via javascript. Hence, running your browser with javascript blocked by default (with e.g., Noscript or, preferably, uBlock Origin in medium mode or with blocking JS altogether) is a good protection - which might also help against Spoiler.
Pale Moon Browser won't launch since updating Firejail and applying command $ sudo firecfg. I can start and run Pale Moon through Firejail Configuration Wizard and select build a custom security profile in FCW. I want to be able to update Pale Moon when updates become available.
Which distro and which Firejail version are you using? Are there any errors if you start Palemoon in the console? I don't understand. How is that related to Firejail?
Running Linux Mint 19 xfce and Firejail version 0.9.58.2_1_amd64.deb. I update Pale Moon out of the sandbox. Similar to when I update browser when running Windows and using Sandboxie. (both unsanboxed when updating)
I've never used Palemoon (and never will). But as far as I've read there are 2 options how to do that: 1. Using its internal updater - this probably assumes that Palemoon is installed in your home directory. palemoon.profile probably needs to be adjusted accordingly but I don't know if the updater works in the sandbox. 2. Add Steve Pusser's repository as suggested here. This has the advantage that Palemoon will be updated via the package manager, and the palemoon.profile that comes with Firejail will work out of the box.
@summerheat Use Pale Moon internal updater already. Had no problem before clicking on Pale Moon without using Firejail and it started and notified me when update was available. Problem occured (browser won't start when clicked on in menu) when I added command in terminal for Firejail profiles. Next time Pale Moon is updated I can see if PM will update in Firejail sandbox. For now if I run PM browser I manually have to enter PM (home directory) line in Firejail Configuration Wizard and choose custom security profile. I'll most likely have to go into Firejail profiles and edit PM command to launch the browser automatically. Hoping it will then notify and update sandboxed. Thx for your input.
Just 2 thoughts: 1. In order to make sudo firecfg work you'll have to add the directory where Palemoon is installed to your PATH. I don't know that directory - let's assume it's ~/palemoon. So you should add something like Code: export PATH="/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:~/palemoon" to your ~/.bashrc, logoff and login again. 2. The palemoon.profile includes firefox-common.profile which in turn includes disable-exec.inc which blocks execution in your home directory, i.e. it also blocks executing palemoon. In order to fix that create the directory ~/.config/firejail and add the file palemoon.profile with the following content: Code: ignore noexec ${HOME} include /etc/firejail/palemoon.profile I guess that should be sufficient. If not, ignoring disable-exec.inc completely might be necessary. I don't know if further adjustments will be needed - you have to try it.
@summerheat Was able to start Pale Moon by changing the command in Edit Launcher. Now PM will run when I click on Mint menu whereas before it wouldn't launch. Still working on firejail configuration as you mentioned earlier. The home directory for PM browser (/home<username>/palemoon) The palemoon.profile file owner is root (no access to permissions) so still learning where apps install and save files in Linux and how to edit them. (Prior Windows user) I can still launch PM manually using Firejail Configuration Wizard to sandbox browser. Firefox browser Firejail's automatically when clicked on.
The Pale Moon internal updater works in the sandbox. I verified this when PM was firejailed at the time of a browser notification update. Installed the update and restarted PM browser which remained sandboxed after the update.
Hm, quite frankly nobody can help you if you don't show us how your custom profile looks like and tell us what exactly you're doing.
PM custom security profile: /home/<user name>/palemoon/palemoon Restrict /dev directory Restrict /temp directory Restrict /mnt and /media system network DNS servers (use different servers. I don't use Googles) Disable video camera devices Disable CD-ROM/DVD devices Disable TV/DVB devices Disable 3D acceleration Enable seccomp-bpf Disable all Linux capabilities Restrict user namespace (noroot) Sandbox monitoring and statisics sometimes used (Debugging) Profile created manually each time and works. example: /usr/bin/firejail--profile=/tmp/firejail-ui-MZ1EdL/ home/<user name>/palemoon/palemoon Pale Moon Forum: Talking about PM browser and Firejail issues on forum.
I'm sorry - but I still cannot replicate what you're doing and, quite frankly, I'm close to giving up. Why don't you show the precise content of your individual palemoon.profile file? Why do you save the profile in /tmp where it will be deleted with every system start and not in ~/.config/firejail? How do you start the firejailed Palemoon? What is an UXP application? Anyway, all this trouble could probably be avoided if you had applied the second option suggested earlier. Palemoon would be updated with the package manager, its executable would be located in /usr/bin (or in another directory of the PATH), and the profile provided by Firejail would work out of the box. The problem is, IMO, that you're doing several things which are not standard in Linux, and since you're not familiar with Linux and Firejail enough you don't know how to fix the consequences.
@summerheat Not doing anything out of the ordinary. That's the way Firejail works when building a custom security profile. Don't want to use 3rd party PPA repository. PM as I said runs fine when updated when sandboxed. (Firejail) Creating a firejail folder in /home/<user>/config/ with palemoon.profile and adding code to it didn't work. That was also a tip others mentioned in other forums. Maybe it did work at one time with older versions. Other tips were to add ignore tracelog, or commenting out private-bin palemoon in palemoon.profile. That also didn't work. The only issue I have is starting PM automatically in the Mint menu. (sandboxed/unsandboxed) The default command in Edit Launcher (palemoon %u) doesn't launch PM browser. I can change the command to /home/<user name>/palemoon/palemoon or /user/bin/palemoon and it will launch browser unsandboxed. NOTE: See spinning Icon (mouse pointer) when I do this. I could probably undo the sudo firecfg command or go back to prior backup, but rather keep things including all updates as they are. UXP is fork of Firefox 52 ESR with significant modifications to be a codebase for creating any number of XUL-based applications. Pale Moon 28 was the first version built on UXP, thereby providing improved support for web standards and video.
As a Firejail user and contributor to its project for years I politely disagree. But anyways ... That's not surprising if you really used that folder. The correct one is: Code: /home/<user>/.config/firejail The dot before config is important. That's expected. Please show the output of Code: which -a palemoon and Code: ls -l /usr/bin | grep palemoon That's not necessary if everything is configured correctly. EDIT: Btw., you still haven't shown the precise content of your palemoon.profile. What you presented in a previous post was verbal description but not the precise rules. They are needed in order to check if it's correct or not.
@summerheat Palemoon.profile (Default) with nothing changed. https://github.com/netblue30/firejail/blob/master/etc/palemoon.profile Please show me what lines you added/changed in palemoon.profile and where. Code: ignore noexec ${HOME} include /etc/firejail/palemoon.profile (any more lines and exact location in palemoon.profile) Again FCW seems to work with launching Pale Moon sandboxed fine. I just select the settings I want in the GUI and away I go. Typo error on my part. Do have .config (/home/<user>/.config/firejail) Code: which -a palemoon /usr/local/bin/palemoon /usr/bin/palemoon Code: ls -l /usr/bin | grep palemoon lrwxrwxrwx 1 root root 31 Oct 14 2018 palemoon -> /home/<user>/palemoon/palemoon
Okay, we're coming closer to a solution: palemoon.profile is a whitelisted profile which means that access to anything in your home is blocked if not explicitly whitelisted. Since the palemoon executable (and libraries etc.) are obviously located in ~/palemoon, this has to be added to the profile as well. So ~/.config/firejail/palemoon.profile should look like this: Code: ignore noexec ${HOME} whitelist {HOME}/palemoon include /etc/firejail/palemoon.profile This should work now. I suggest that you execute sudo firecfg once more to make sure that the entry in the start menu does not contain the full path to the executable (you might want to check that).
@summerheat There are 27 lines of code in palemoon.profile. Where do I place these 3 lines? (location)
As I wrote above: in ~/.config/firejail/palemoon.profile which means /home/<user>/.config/firejail/palemoon.profile. The referenced original profile is in /etc/firejail . Or isn‘t it?
Yes. I added those 3 lines of code to palemoon.profile. (/home/<user>/.config/firejail/) Checked terminal and Firetools GUI and both list PM as sandboxed. (/usr/bin/firejail /usr/bin/palemoon) Same as Firefox when sandboxed. I didn't re-run sudo firecfg command yet. Changed command in start menu so PM is not pointing to full path executable. Now I can launch PM browser automatically Firejailed in the Mint menu. Greatly appreciate your help. Thx. NOTE: Wondering as mentioned before in previous post why when launching PM my mouse cursor pointer also has small icon spinning like its still loading. Spinning does stop, but takes little while. Firefox when launched sandboxed does not do this.
@Compu KTed : I just noticed that the second line contains a typo. It should read ${HOME}, of course. Sorry! BTW, the easiest way to check in an application is running firejailed is by executing Code: firejail --list or: Code: firejail --tree
No problem. I caught it while I was looking at all the code in palemoon.profile. Thx for pointing it out though.
I wonder if Firejail would be able to protect you from the new RIDL and Fallout attacks? Part of me doubts it but I'm curious. https://www.bleepingcomputer.com/ne...fallout-attacks-impact-all-modern-intel-cpus/
Firejail 0.9.60 available for download. You should update ASAP as a serious vulnerability was fixed discussed here. The release notes are not yet quite uptodate.