How to Set and use Firefox sandbox

Source: Internet
Author: User


This article introduces the common settings for running Firefox inside the Firejail sandbox, and can be used as a reference when you set it up yourself.

In August 2015, security researcher Cody Crews reported to Mozilla that a Russian news site was serving a malicious advertisement which exploited a vulnerability in Firefox's built-in PDF Viewer. The payload searched the local file system for sensitive files and uploaded them to the attacker's server. A sandbox can block exactly this kind of exfiltration: the default Firejail configuration hides directories such as ~/.ssh, ~/.gnupg and ~/.filezilla from the browser, and stricter settings can hide everything else in the home directory as well.

Next, let's look at how the Firejail sandbox is used in practice.

Starting Firefox

First, start Firefox inside the sandbox with the following command:

$ firejail firefox

Reminder: by default Firefox uses a single process for all of its windows. If a Firefox instance is already running outside the sandbox, you must pass the -no-remote option; otherwise the sandboxed command simply asks the existing browser process to open a new tab or window and then exits, leaving nothing inside the sandbox. The command is:

$ firejail firefox -no-remote

File system container

The sandbox is built on a file system container. The container exists only while the sandbox runs: it is set up when the sandbox starts and torn down when the sandbox exits. It is assembled from the local file system of your computer, so the libraries and binaries Firefox runs against are still your own; we therefore strongly recommend keeping the operating system up to date. Inside the container the sandbox allows Firefox to reach only a small whitelist of files and directories in the home directory, and everything else in home, including all the private information it contains, is hidden.

 

The default access permissions for the rest of the file system are as follows:

- /boot: blacklisted (no access at all)
- /bin: read-only
- /etc: read-only; /etc/passwd and /etc/group show only the current user
- /home: only the current user's home directory is visible
- /lib, /lib32, /lib64: read-only
- /proc, /sys: remounted for a new PID namespace
- /sbin: blacklisted
- /selinux: blacklisted
- /usr: read-only; /usr/sbin is blacklisted
- /var: read-only

Password files, keys and development tools present in the file system are also removed from the sandbox. If Firefox tries to access a blacklisted file, the sandbox logs the attempt to syslog; the sample log entry from the original article is not reproduced on this page.

 

Security filters

The following security filters are enabled by default to reduce the kernel attack surface and to protect the file system container:

1. seccomp-bpf: a kernel mechanism that attaches a Berkeley Packet Filter program to a process to filter its system calls, available on both 32- and 64-bit kernels. Firejail uses it to blacklist system calls a browser never needs (mount, ptrace, kernel module loading and the like); a process that attempts one of them is terminated.
2. protocol: a seccomp filter on the first argument of the socket() system call, limiting the address families available in the sandbox to unix, inet (IPv4), inet6 (IPv6) and netlink.
3. noroot: a user namespace that contains only the current user, so there is no root user inside the sandbox.
4. capabilities: the sandbox drops all Linux capabilities, so even a process that runs as root inside the sandbox cannot perform privileged operations.

When a process attempts a blacklisted system call, seccomp terminates it (the default action in Firejail's filter) and the kernel logs the event to syslog; the sample log entry from the original article is not reproduced on this page.
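The filters above are invisible to the user unless something trips them, so it is worth confirming that a running browser is actually confined. The script below is an added example written for this page, not code from the original article or from the Firejail project; it reads the Seccomp, NoNewPrivs and CapBnd fields of /proc/<pid>/status (all documented in proc(5)) and reports whether the seccomp-bpf filter is active, no_new_privs is set and the capability bounding set is empty. The two status documents embedded at the bottom are constructed samples, not captures from a real system.

```shell
#!/bin/sh
# check_sandbox.sh: confirm that a process is confined by Firejail's default
# filters by inspecting its /proc/<pid>/status.  Added example, not part of
# the original article or of the Firejail project.
#
# Fields checked (see proc(5)):
#   Seccomp:    0 = off, 1 = strict mode, 2 = seccomp-bpf filter (expected)
#   NoNewPrivs: 1 = setuid/setcap binaries can no longer raise privileges
#   CapBnd:     capability bounding set; all zeros = every capability dropped
#
# Usage: sh check_sandbox.sh /proc/<pid-of-firefox>/status
#    or: firejail --join=browser cat /proc/self/status | sh check_sandbox.sh -
#        (the sandbox must have been started with --name=browser)

check_status_text() {
    # Reads a /proc/<pid>/status document on stdin, prints one line per
    # problem and returns the number of failed checks (0 = fully confined).
    status=$(cat)
    seccomp=$(printf '%s\n' "$status" | awk '/^Seccomp:/ {print $2}')
    nnp=$(printf '%s\n' "$status" | awk '/^NoNewPrivs:/ {print $2}')
    capbnd=$(printf '%s\n' "$status" | awk '/^CapBnd:/ {print $2}')
    failures=0

    if [ "$seccomp" != "2" ]; then
        echo "FAIL seccomp-bpf filter not active (Seccomp: ${seccomp:-missing})"
        failures=$((failures + 1))
    fi
    if [ "$nnp" != "1" ]; then
        echo "FAIL no_new_privs not set (NoNewPrivs: ${nnp:-missing})"
        failures=$((failures + 1))
    fi
    case "$capbnd" in
        '')     echo "FAIL CapBnd line missing"
                failures=$((failures + 1)) ;;
        *[!0]*) echo "FAIL capabilities left in bounding set: $capbnd"
                failures=$((failures + 1)) ;;
    esac
    if [ "$failures" -eq 0 ]; then
        echo "OK process is confined (seccomp-bpf, no_new_privs, all caps dropped)"
    fi
    return "$failures"
}

check_status() {
    # $1 = path to a status file, or "-" to read the document from stdin
    if [ "$1" = "-" ]; then
        check_status_text
    else
        check_status_text < "$1"
    fi
}

# Constructed samples (not captured from a real system): the first is what a
# Firejail-confined process looks like, the second an ordinary user process
# with the full bounding set and no filter.
SANDBOXED_SAMPLE='Name: firefox
Seccomp: 2
NoNewPrivs: 1
CapBnd: 0000000000000000'

UNSANDBOXED_SAMPLE='Name: firefox
Seccomp: 0
NoNewPrivs: 0
CapBnd: 000001ffffffffff'

if [ $# -gt 0 ]; then
    check_status "$1"
fi
```

Two practical notes: Firefox's own content processes also run under a seccomp-bpf filter, so on its own a Seccomp value of 2 does not prove Firejail is involved; the empty CapBnd is the discriminating check, since an ordinary process keeps the full bounding set. The file system side of the container can be inspected the same way, for example with firejail --join=browser ls -la ~, which should show none of the hidden directories.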

 

For most users the default "firejail firefox" is sufficient. The following sections cover a few specific scenarios.

High security settings

This configuration is meant for sessions such as online banking or any other site that involves sensitive private information: the user trusts the website but does not trust the extensions and plug-ins installed in the browser. The --private option mounts a temporary, empty home directory, so the browser starts in its factory-default state without extensions, saved passwords or history, and everything written during the session is discarded when the sandbox closes.

We also need to pay attention to DNS. Home routers are often poorly secured, and the most common attack against them is to reconfigure their DNS settings and redirect users to a fake banking site. The --dns option in Firejail sets the DNS servers used inside the sandbox, regardless of what the router hands out:

$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox -no-remote

Once again, -no-remote is needed if a Firefox instance is already running; without it the new command would hand off to that instance and exit immediately.

Work settings

In this setting, daily work, e-mail and web browsing are confined to the directory /home/username/work. Run the following commands:

$ firejail --private=/home/username/work thunderbird &
$ firejail --private=/home/username/work firefox -no-remote &

Thunderbird and Firefox both see ~/work as the user's home directory. Unlike --private without an argument, the data in that directory persists after the sandbox closes, so profiles, mail and settings survive between sessions.

Network settings

Assume eth0 is the main Ethernet interface. The following command creates a new network namespace with its own TCP/IP stack, connects it to the host's Ethernet network, and then starts the browser:

$ firejail --net=eth0 firefox

The original article illustrates the resulting network namespace with a diagram, which is not reproduced on this page.

By default Firejail performs an ARP scan of the network and picks an unused IP address for the sandbox. To assign a specific address instead, use --ip:

$ firejail --net=eth0 --ip=192.168.1.207 firefox

Reminder: on Ubuntu a local DNS resolver runs in the host's network namespace and is not reachable from the sandbox's namespace, so an external DNS server has to be configured with --dns:

$ firejail --net=eth0 --dns=8.8.8.8 firefox

Firewall settings

By default, when a network namespace is requested, Firejail configures a network filter suitable for regular web browsing. This is an ordinary iptables filter, and you can supply your own as a file in iptables-restore (iptables-save) format. The following command, for example, uses the filter shipped with Firejail that blocks access to the local network:

$ firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
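The shipped nolocal.net only blocks the local network; for a banking-style session you usually want the opposite default, where nothing leaves the sandbox except DNS to the resolver you chose with --dns and web traffic. The script below is an added example for this page, not code from the original article or the Firejail project: it writes such a filter in the iptables-restore format that --netfilter expects, refuses a resolver that the filter itself would block, and carries a small is_rfc1918 helper that decides whether an IPv4 address falls in 10/8, 172.16/12 or 192.168/16. The output path under ~/.config/firejail and the resolver 8.8.8.8 are assumptions, not values from the article.

```shell
#!/bin/sh
# web-only.sh: write a custom Firejail network filter that allows only DNS to
# one chosen resolver plus HTTP/HTTPS, and drops everything destined for the
# RFC1918 networks (router admin page, printers, NAS).  Added example, not
# from the original article or the Firejail project; output path and resolver
# are assumptions.

# is_rfc1918 A.B.C.D -> 0 if the address is in 10/8, 172.16/12 or 192.168/16,
# 1 if it is a valid address outside those ranges, 2 if it is not a dotted quad.
is_rfc1918() {
    ip=$1
    oldifs=$IFS
    IFS=.
    set -f            # no pathname expansion while splitting on "."
    set -- $ip
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 2
    for oct in "$@"; do
        case "$oct" in
            '' | *[!0-9]*) return 2 ;;
        esac
        [ "$oct" -le 255 ] || return 2
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    return 1
}

# write_filter OUTFILE RESOLVER -> writes the filter file; returns 1 if the
# resolver is local (it would be blocked by the filter) or not an IPv4 address.
write_filter() {
    out=$1
    dns=$2
    rc=0
    is_rfc1918 "$dns" || rc=$?
    case $rc in
        0) echo "resolver $dns is a local address and would be blocked by this filter" >&2
           return 1 ;;
        2) echo "resolver $dns is not an IPv4 address" >&2
           return 1 ;;
    esac
    # Policy: drop everything, then accept loopback, replies to connections
    # the sandbox opened, DNS to the chosen resolver only, and TCP 80/443.
    # The RFC1918 DROP rules come before the ACCEPT rules on purpose.
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j DROP
-A OUTPUT -d 172.16.0.0/12 -j DROP
-A OUTPUT -d 192.168.0.0/16 -j DROP
-A OUTPUT -p udp -d $dns --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $dns --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Typical use (needs Firejail; not run here):
#   sh web-only.sh "$HOME/.config/firejail/web-only.net" 8.8.8.8
#   firejail --net=eth0 --dns=8.8.8.8 \
#       --netfilter="$HOME/.config/firejail/web-only.net" firefox -no-remote
if [ $# -eq 2 ]; then
    write_filter "$1" "$2"
fi
```

The --dns value and the resolver baked into the filter must match, which is why the script takes the resolver as an argument rather than hard-coding it; anything the browser resolves through another server, or any plain connection to a local address, is dropped inside the sandbox's namespace without touching the host's own firewall.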

Traffic shaping

Network bandwidth is an expensive, consumable resource shared by all sandboxes running on the system. Traffic shaping controls the incoming and outgoing traffic of each sandbox so that one of them cannot starve the others. Firejail implements a simple rate limiter on top of the Linux tc command; it operates per sandbox, which is why the sandbox is given a name first:

$ firejail --name=browser --net=eth0 firefox &
$ firejail --bandwidth=browser set eth0 80 20

This limits the sandbox named browser to 80 KB/s download and 20 KB/s upload on eth0. While the sandbox is running, the limits can be changed or cleared again:

$ firejail --bandwidth=browser set eth0 40 10
$ firejail --bandwidth=browser clear eth0

 
