> The most important change is that content processes — which render Web pages and execute JavaScript — are no longer allowed to directly connect to the Internet, or connect to most local services accessed with Unix-domain sockets (for example, PulseAudio).
Finally, some process isolation! That's something to celebrate!
Being able to wrap Firefox in an unprivileged chroot makes for a really nice addition to its security.
If I am not mistaken, Tor Browser has already been using this technique for some time to thwart malicious connections from leaving the browser. All traffic is communicated to the tor client via a unix socket.
>Unprivileged user namespaces had some security bugs in their initial Linux implementation, and some Linux distribution maintainers are still wary of keeping them enabled.
Unsurprising. These are all a pile of hacks to try and fail at making up for the fact Linux doesn't support capabilities (not to be confused with POSIX Capabilities).
Fortunately, projects such as seL4 and Genode do exist, so it might be possible to, at some point, run a browser on an actually sane environment.
You're going to need to be more specific. Linux does indeed have a feature called "capabilities", so it's not clear exactly which OS feature you are taking about.
I'm curious why chroot is used instead of mount namespace and pivot_root(2). This would let them get away without CAP_SYS_CHROOT, while also providing stronger filesystem isolation.
Last year, afer a firejail local root exploit got released [0], I've completely quit following their project.
I don't want to discomfort the developers and I think it's stunning what they are creating...
But under the aspect that they are working on a security product, I'm concerned by their overall code quality and testing strategy.
They might want to consider taking a step back and reevaluating how they are going to direct their development in terms of secure (c-)coding practices.
*Disclaimer: Not a developer, just a sysadmin, but reviewing some of their code/profiles/CI-jobs in their git repo [1] leaves a bad feeling.
I don't know much about this topic, and appreciate sane levels of protection.
But when I use the menu in Snap Firefox (59) to open a file in another partition so I can read it ... and I can't do that because of 'permissions' ... I get irritated.
While I'm on this general topic ... I also don't like the fact that javascript won't let me write to a file. That would be VERY USEFUL.
In short, these long-term accumulation of these 'hardwired' restrictions is severely cramping my use of (and enjoyment of using) computers. If I want it, I have time to change a preference, but not to earn a PhD.
Javascript can write to a file.. see jsshell, node and a number of other runtimes. However, you do not want browsers to have unfettered filesystem access. The language is perfectly able. You could possibly write an extension to do what you want.
Interesting. Sandboxing in Chrome is something I turn off when I write my headless bots as it requires extra privileges. Would be nice to see a comparison between it and FF.
> In this context, we'd like to remark that an application like Firefox only needs CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SET(UG)ID to achieve most effect
I hope they also drop those capabilities once they have achieved what they need. I also which other namespaces they use, the article only mentions user namespaces.
CAP_SYS_ADMIN is a catch-all where they dump all the things root has that didn't fall into another bucket. So if a program needs CAP_SYS_ADMIN then basically you haven't really got any meaningful sandboxing so far as I understand it.
> The one exception to the network policy, for now, is the X11 protocol which is used to display graphics and receive keyboard/mouse input
Well, this makes everything else moot, since you can just inject keystrokes and thus trivially take over the system... (in addition to probably many other vulnerabilities in the X11 server)
They should try to do a proper isolation job (meaning no I/O other than shared memory and pipes to another Firefox process), not this apparently useless effort.
If you have 10 problems to fix, the effort spent fixing the first 9 of them isn't "useless" as you say, just because you haven't fixed the 10th one yet. And they couldn't fix all of the issues by blindly proxying all IO through the main Firefox process, either, because that wouldn't fix the problem. It has to be able to _selectively_ proxy IO through the main process, and that takes time and effort to implement.
You have a good point, but the way you are writing is unnecessarily aggressive. Emphasis on the unnecessary, it doesn't add anything so you should leave it out of your writing.
[+] [-] shakna|8 years ago|reply
Finally, some process isolation! That's something to celebrate!
Being able to wrap Firefox in an unprivileged chroot makes for a really nice addition to its security.
[+] [-] xnyanta|8 years ago|reply
If I am not mistaken, Tor Browser has already been using this technique for some time to thwart malicious connections from leaving the browser. All traffic is communicated to the tor client via a unix socket.
[+] [-] snvzz|8 years ago|reply
Unsurprising. These are all a pile of hacks to try and fail at making up for the fact Linux doesn't support capabilities (not to be confused with POSIX Capabilities).
Fortunately, projects such as seL4 and Genode do exist, so it might be possible to, at some point, run a browser on an actually sane environment.
[+] [-] AnIdiotOnTheNet|8 years ago|reply
[+] [-] ajross|8 years ago|reply
[+] [-] _0w8t|8 years ago|reply
[+] [-] civodul|8 years ago|reply
User namespaces slowly but surely help retrofit the "principle of least privilege" to GNU/Linux, and that is good.
[+] [-] kalmar|8 years ago|reply
[+] [-] severine|8 years ago|reply
Linux sandboxing improvements in Firefox 57 (morbo.org)
276 points, 6 months ago, 103 comments
https://news.ycombinator.com/item?id=15678492
[+] [-] zaphirplane|8 years ago|reply
[+] [-] esaym|8 years ago|reply
[+] [-] IronBacon|8 years ago|reply
I haven't followed the development, would this also prevent WebRTC IP address leakage?
Here IIRC I've simply disable it (media.peerconnection.enabled) and forgot about it...
[+] [-] chupasaurus|8 years ago|reply
[+] [-] app4soft|8 years ago|reply
[0] https://twitter.com/app4soft/status/994938745072832512
[1] https://firejail.wordpress.com/documentation-2/appimage-supp...
[2] https://firejail.wordpress.com/documentation-2/firefox-guide...
[+] [-] miduil|8 years ago|reply
I don't want to discomfort the developers and I think it's stunning what they are creating...
But under the aspect that they are working on a security product, I'm concerned by their overall code quality and testing strategy.
They might want to consider taking a step back and reevaluating how they are going to direct their development in terms of secure (c-)coding practices.
*Disclaimer: Not a developer, just a sysadmin, but reviewing some of their code/profiles/CI-jobs in their git repo [1] leaves a bad feeling.
[0]: https://www.exploit-db.com/exploits/43359/ [1]: https://github.com/netblue30/firejail/tree/6830065197cc57489...
[+] [-] muvek|8 years ago|reply
[+] [-] owaislone|8 years ago|reply
[+] [-] 8bitsrule|8 years ago|reply
But when I use the menu in Snap Firefox (59) to open a file in another partition so I can read it ... and I can't do that because of 'permissions' ... I get irritated.
While I'm on this general topic ... I also don't like the fact that javascript won't let me write to a file. That would be VERY USEFUL.
In short, these long-term accumulation of these 'hardwired' restrictions is severely cramping my use of (and enjoyment of using) computers. If I want it, I have time to change a preference, but not to earn a PhD.
[+] [-] tracker1|8 years ago|reply
[+] [-] d33|8 years ago|reply
[+] [-] jbroman|8 years ago|reply
https://chromium.googlesource.com/chromium/src/+/master/docs...
[+] [-] staticassertion|8 years ago|reply
[+] [-] the8472|8 years ago|reply
I hope they also drop those capabilities once they have achieved what they need. I also which other namespaces they use, the article only mentions user namespaces.
[+] [-] tialaramex|8 years ago|reply
[+] [-] shmerl|8 years ago|reply
Would apparmor be a better solution?
[+] [-] sp332|8 years ago|reply
[+] [-] neolefty|8 years ago|reply
[+] [-] rebelwebmaster|8 years ago|reply
[+] [-] canuckistani|8 years ago|reply
[+] [-] devit|8 years ago|reply
Well, this makes everything else moot, since you can just inject keystrokes and thus trivially take over the system... (in addition to probably many other vulnerabilities in the X11 server)
They should try to do a proper isolation job (meaning no I/O other than shared memory and pipes to another Firefox process), not this apparently useless effort.
[+] [-] db48x|8 years ago|reply
[+] [-] upofadown|8 years ago|reply
From javascript in a browser? That would indeed be a serious issue. How would this work exactly?
[+] [-] icebraining|8 years ago|reply
[+] [-] ars|8 years ago|reply
[+] [-] jpetso|8 years ago|reply