Firefox seccomp sandbox

Discussion in 'all things UNIX' started by SuperSapien, Aug 13, 2015.

  1. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    118
    There's something that I've been wanting to know the answer to for a while now, and that's whether Firefox on Linux has a native sandbox or not. From what I've read on the Mozilla wiki it sounds like it does, but I'm not sure if it's enabled by default or not. Also, does this mean that AppArmor has a sandbox profile for Firefox finally?
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    It doesn't look to be enabled for Firefox. I run Arch and this is what I get:

    $ grep Seccomp /proc/22336/status
    Seccomp: 0

    22336 is PID of Firefox at the time I checked.

    For the Chromium Renderers I get:

    $ grep Seccomp /proc/22271/status
    Seccomp: 2

    0 = not enabled, 2 = seccomp-bpf is enabled.

    source: https://wiki.mozilla.org/Security/Sandbox/Seccomp

    You can, however, run Firefox in Firejail and get seccomp enabled. There is a thread on it here:

    https://www.wilderssecurity.com/threads/firejail-linux-sandbox.369309/
     
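The check wat0114 does by hand above, as an added example that is not part of any post in this thread: a POSIX shell script that reads the Seccomp field from /proc/<PID>/status for every running process with a given name, so a multi-process or firejailed browser is checked on each of its PIDs rather than one. It assumes a Linux /proc and compares the name against /proc/<pid>/comm; the function and variable names are this example's own.

```shell
# Added example, not from the thread: report the seccomp mode of every running
# process with a given name, automating wat0114's /proc/<PID>/status check.
# Assumes a Linux /proc; the name is compared against /proc/<pid>/comm.

# Translate the numeric Seccomp field into the meaning the thread gives it.
seccomp_label() {
    case "$1" in
        0)    echo "disabled" ;;
        1)    echo "strict (only read/write/exit/sigreturn allowed)" ;;
        2)    echo "filter (seccomp-bpf enabled)" ;;
        none) echo "field absent (this kernel does not report it)" ;;
        *)    echo "unknown ($1)" ;;
    esac
}

# Read a status file on stdin; print the Seccomp value, or "none" if absent.
seccomp_mode_from_status() {
    mode="none"
    while IFS= read -r line; do
        case "$line" in
            Seccomp:*) rest="${line#Seccomp:}"; set -- $rest; mode="${1:-none}" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# List PIDs whose comm (first 15 chars of the executable name) equals $1.
pids_named() {
    for comm in /proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        if [ "$(cat "$comm" 2>/dev/null)" = "$1" ]; then
            pid="${comm#/proc/}"
            printf '%s\n' "${pid%/comm}"
        fi
    done
}

# One line per matching PID: a multi-process or firejailed browser should be
# checked on every process, not only the parent wat0114 looked at.
report_seccomp() {
    found=0
    for pid in $(pids_named "$1"); do
        found=1
        mode="$(seccomp_mode_from_status < "/proc/$pid/status")"
        printf '%s pid %s: Seccomp=%s, %s\n' "$1" "$pid" "$mode" "$(seccomp_label "$mode")"
    done
    [ "$found" -eq 1 ] || printf 'no running process named %s\n' "$1"
}
```

Source the file and call `report_seccomp firefox` (or `chromium`) to get one line per process; a "none" result means the kernel does not emit the Seccomp field at all, which is different from mode 0.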
  3. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    118
    Thanks I know FJ has its own seccomp sandbox. But are you saying that the latest version of Firejail enables the Firefox seccomp sandbox as well? So two layers of sandboxing then?
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    No, I think just Firejail provides the seccomp filter for Firefox, somehow by attaching a system call filter to the process. It's beyond my scope of understanding. There's something on it here, where the author describes how he does it, in this Firejail link:

    https://l3net.wordpress.com/2015/04/13/firejail-seccomp-guide/
     
  5. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    They are still resolving issues with the sandbox for FF Linux.

    https://wiki.mozilla.org/Security/Sandbox#Linux_Firefox

    Linux Firefox

    [DONE] Land Library bug 742434
    [ON TRACK] Enable sandbox

    Permissions burndown

    Permission burn down list (see bug 942695 for details):

    ID Summary Status
    742434 Apply seccomp-bpf to desktop Firefox content processes on Linux NEW
    936274 Remove open() from seccomp-bpf whitelist for Linux/Desktop NEW
    942696 Remove access() from seccomp-bpf whitelist for Linux/Desktop RESOLVED
    942698 Remove syscalls operating on filesystem paths and network addresses from seccomp-bpf whitelist for Linux/Desktop NEW

    4 Total; 3 Open (75%); 1 Resolved (25%); 0 Verified (0
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    wat0114 is right. Firefox doesn't have its own sandbox yet. So running it firejailed makes sense. The Firefox profile in /etc/firejail that comes with Firejail enables seccomp, drops all capabilities and has the noroot option, which creates a user namespace with the current user only - i.e. there is no root (only used on kernels that support user namespaces). In combination with the rules in the included *.inc files that's pretty tight, IMHO.
     
  7. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,983
    Location:
    Brasil
    I edit KDE's launcher for almost all applications and put this command:

    Code:
    firejail --seccomp --caps.drop=all
    I don't enable --private for Firefox because by default it will download a tracking cookie from Google. If I actually need --private then I'll disable my connection, open Firefox, configure it so it doesn't allow cookies by default, and then enable my connection.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    722
    Actually those switches are already in most profiles that come with Firejail, among them the one for Firefox. Thus,
    Code:
    firejail firefox
    should be sufficient.
     
  9. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,983
    Location:
    Brasil
    Oh yes, thanks again! :)
     
  10. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    I prefer firejail --seccomp --debug firefox
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    As summerheat mentions, the --seccomp switch is already in the Firefox profile, so you could just use: firejail --debug firefox
     