Firefox sandbox

Discussion in 'all things UNIX' started by BoerenkoolMetWorst, Aug 31, 2016.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,769
    Location:
    Outer space
    I'm currently running Firefox 48.0.1 and discovered that even though the new multiprocess is not yet enabled for me, the sandbox apparently already is, according to about:support, which shows this:

    Sandbox
    Seccomp-BPF (System Call Filtering): true
    Seccomp Thread Synchronization: true
    User Namespaces: true
    Media Plugin Sandboxing: true

    Quote from Arstechnica on the roadmap
    Note that the quote is from June. I read that the goal for per-tab processes is already first half of 2017.
     
    Last edited: Aug 31, 2016
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    According to this site the content sandbox is only enabled in trunk while the GeckoMediaPlugin sandbox is already enabled in the release version.

    You can already manually enable it by setting dom.ipc.processCount in about:config to something > 1, say 4. After a restart you'll see 4 processes in the task manager (provided that 4 tabs are open, of course). Precondition right now is that browser.tabs.remote.autostart and browser.tabs.remote.force-enable are both set to true.

    EDIT: See my remarks here and here.
    EDIT2: The need to restart Firefox even if restartless add-ons are installed or updated is explained here and temporary.
     
    Last edited: Aug 31, 2016
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,769
    Location:
    Outer space
    Thanks, I got it working to your instructions.
    Anyway, it's nice that Firefox on Linux already supports Seccomp-BPF and User Namespaces. I thought Firefox on Linux didn't use any sandboxing/hardening mechanisms.(Except for it's own upcoming sandbox of course.)
     
  4. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    194
    Having done research on this earlier, so did I. I was content to use Firejail as all the online documentation made it sound as if the Linux platform would be the last to get a sandbox. As it turns out, it didnt take long for them to turn that around.

    Im still on single-process atm- I think maybe next weekend ill work on creating a new profile, tweaking AppArmor, etc. Given I have lots of RAM I think the pluses outweigh the negatives.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    You're welcome :)

    Btw, in the meantime I found out that you don't need to restart the browser anymore after installing/updating restartless extensions if you set extensions.e10sBlocksEnabling to false.
     
  6. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    194
    Update for me: went ahead and enabled multiprocess for firefox on a new profile, tweaked my apparmor profile, setup my extensions, etc. Works great! Some things fail like view page source and it uses much more memory, but wow is the interface smoother! Some relevant stuff:

    I set the thread count to 45 (so I get one thread per tab) and no issues. Firejail --tree lists each content process as a container beneath the main firefox process and lists all of them. I think at this point FF is more secure on Linux than Chromium is with the exception of malware that exploits one tabs content and tries to gain info from another- FF devs will likely need time to get stronger sandbox isolation here. As far as reduced attack surface, im not sure if running firejail+ FF's innate seccomp-bpf is better or worse than FF's sandbox alone; I do know that Firejail more effectively limits access to the underlying filesystem (for Chromium or Firefox), so I'll roll with what I have now.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Firefox 49 is now available from the Mozilla FTP server. No doubt it will be offered via the internal updater soon. Multi-process still not available in the UI for me, but I'm using a number of extensions. It may be enabled for those who don't use extensions ( ? )
     
  8. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    194
    FYI you can force enable it. Im running 10 extensions and they all work fine with e10s firefox. Stylish has an annoying bug where I cant edit any of the userstyles, but I can copy over the styles from another profile or install them from userstyles.org.
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    I tried enabling it following these instructions:

    http://techdows.com/2016/08/firefox-48-e10s-enabled-or-disabled-if-disabled-enable.html

    Unfortunately what I see now in about:support is

    Multiprocess Windows 0/2 (Disabled by add-ons)
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    This is what you need:

    browser.tabs.remote.autostart=true
    browser.tabs.remote.force-enable=true

    In order to avoid restarting FF after installing/updating restartless addons:

    extensions.e10sBlocksEnabling=false

    More than one content process:

    dom.ipc.processCount=4 (or 8 or whatever you want)
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Thanks! About:Support is now reporting 1/1 (Enabled by user). In task manager I only see one process though with multiple tabs open. Is that correct?
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Haven't you changed the number for dom.ipc.processCount ?
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Yes, I have an "integer" type entry "dom.ipc.processCount = 8"
     
  14. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    880
    I changed the above settings and now i can see one process per one opened tab/website.
     
  15. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    194
    The only thing strange is that for me, I dont see processes for plugins. I see the main firefox process, and I see a bunch of "Web Content" processes (matching the number of tabs I have open). Im guessing this hasnt been released yet...

    Still, e10s firefox has been awesome to me- no crashes and the interface is much much smoother.
     
  16. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    880
    I opened one website (=1xFirefox + 1x plugin-container), and after opening a flash-video i see an additional process: (=1xFirefox + 2x plugin-container)
    Yes, it's much smoother. I think i'll leave "e10s" enabled.
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Are you seeing the threads in the Windows task manager or some other process viewer?
     
  18. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    880
    The last time i executed Windows Task Manager was a long time ago. I use a different Process Manager.
    But i see them both in Process Hacker and Process Explorer:
    Firefox_task-manager_e10s.png
    2 Plugin-container, one for the website and the other one for the plugin (this has low integrity)
    (left=PH, right=Process Explorer)
     
  19. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    194
    Im sorry, I wasnt using the right terminology- my addons (extensions) dont appear to be separate processes. As I dont have flash or any other plugins (except x264), perhaps im not supposed to see separate processes? I know Chrome/Chromium has separate processes for addons, but they use Web Extensions...
    Just FYI- im on Linux and I see a firefox process, and then "Web Content" processes for each webpage I have open. Currently have dom.ipc.processCount set to 45. Ill prolly just make it 500 or something so I have a separate process per tab no matter how many I have open. I have 16GB of RAM and a lean desktop so FF can have as much as it wants.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Thanks for the details. I checked with Process Explorer and it's not showing additional threads either, so I'm missing something somewhere.

    Edit: I checked about:support again and now I'm seeing this

    "Multiprocess Windows 0/1 (Disabled by accessibility tools)"

    I don't have any accessibility tools enabled in Firefox advanced settings; not sure what to look for next...
     
    Last edited: Sep 20, 2016
  21. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    880
    Maybe try this:
    http://techdows.com/2015/02/fix-enable-e10s-multi-process-disabled-an-accessibility-tool-is-active.html
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    OK, finally got it working. I think the problem was one of the about:config entries was a string instead of a boolean value. I replaced it and now I'm seeing multiple Plugin Container for Firefox processes in task manager :thumb:
     
  23. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    118
    Thanks for sharing BoerenkoolMetWorst thats great news.:thumb:
     
Loading...