In August 2015, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to the attacker’s server. Firejail successfully stopped this attack.
This document describes some of the most common Firefox sandbox setups. We start with the default setup, recommended for entertainment and casual browsing.
The easiest way to start the sandbox is to prefix the command with “firejail”:
Note: By default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you would need to use
-no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process:
If the sandbox was already integrated with your desktop manager by running
"sudo firecfg" as described on our Download page, just click the browser icon in your desktop manager menus.
You can also configure a starter for your desktop. This is a simple text file in your
~/Desktop directory with the following content:
In the example above I show a desktop starter for a browser installed from Mozilla’s download page in
/opt directory. When you click the icon, the browser opens automatically in a sandbox.
The three main attacks we target are ransomware, privilege escalations, and local network attacks. This is a short description of the technologies we use to prevent them.
For privacy purposes we deploy a very restrictive Mandatory Access Control system. The sandbox allows Firefox to access only a small set of system files and directories. All private user information was removed from
home directory. Please remember to save your downloaded files in
Downloads, everything else will evaporate when you close the browser.
Note: The same home directory layout is imposed by Firejail for all networked applications and games. For email we bring in email folders, for media players we add Videos, Music etc. Usually, Documents directory is highly restricted, only few applications have access to it.
Password files, encryption keys and development tools were also removed from the sandbox. If Firefox tries to access such a file, log messages are sent to syslog. Example:
Privilege escalations are handled mainly by seccomp-bpf and nonewprivs. These are two Linux kernel technologies specifically designed for this purpose. A number of other kernel technologies are layered on top of them, such as capability sets, a user namespace without the root user, and mounting partitions and directories using nosuid flag. If available, we also start AppArmor on top of everything. With all these kernel layers upon layers in place, it is hard to tell in a real scenario which layer triggered first and stopped the exploit.
The local network attacks are mostly happening in enterprise settings. After failing a regular ransomware since only Downloads directory is present, and after failing to rise privileges and become root, the attacker will most likely try to exploit servers running on the local network. The way to deal with this situations is described in Network/Incognito setup below.
The video from the beginning of the article describes a full hacking session from the perspective of an attacker, and how the Mandatory Access Control, seccomp-bpf, and a combination of network namespace and netfilter firewall can be used to prevent further escalation.
Private browser setup
Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is you trust the site, but you don’t trust the addons and plugins installed in your browser. Use
--private Firejail option to start with a factory default browser configuration, and an empty home directory.
Also, you would need to take care of your DNS setting – current home routers are ridiculously insecure, and the easiest attack is to reconfigure DNS, and redirect the traffic to a fake bank website. Use
--dns Firejail option to specify a DNS configuration for your sandbox:
Use this setup for remote office work, or when you have a number of programs employed for a specific purpose. Start by creating a new directory, let’s say /home/username/work, and segregate your applications in this directory. Pass this directory to
--private when you start your apps:
Both Mozilla Thunderbird and Firefox think ~/work is the user home. The configuration is preserved when the sandbox is closed.
Assuming eth0 is the main Ethernet interface, we create a new TCP/IP stack, and we connect it to the wired Ethernet interface. Then, we automatically ARP-scan the network and pick up a random, unused IP address:
Note: Ubuntu runs a local DNS server in the host network namespace. The server is not visible inside the sandbox. Use
--dns option to configure an external DNS server:
By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing. It is a regular iptable filter, you can customize it, or you can bring in your own.
nolocal.net filter above allows only traffic from outside, all local traffic is dropped.
On top of that, you can add a hosts file implementing an adblocker:
Firejail replaces the regular X11 server with Xpra or Xephyr servers (apt-get install xpra xserver-xephyr on Debian/Ubuntu), preventing X11 keyboard loggers and screenshot utilities from accessing the main X11 server.
The command is as follows:
A network namespace initialized with
--net is necessary in order to disable the abstract X11 socket. If for any reasons you cannot use a network namespace, the socket will still be visible inside the sandbox, and hackers can attach keylogger and screenshot programs to this socket.
Tor Browser is the ultimate tool for protecting privacy while browsing online. All the traffic that passes through Tor network is encrypted, and it is virtually impossible to track the IP address back to its user.
These are our recommended steps to set up the browser in Firejail sandbox. The setup should work on all Linux distributions.
1. Download Tor Browser from https://torproject.org
2. Assuming the archive was downloaded in ~/Downloads directory, extract the files:
3. Find the name of your Ethernet interface:
4. Create a desktop starter in ~/Desktop directory:
Replace USERNAME with your user name, and INTERFACE with the name of your Ethernet interface you found on step 3.
5. Start the browser by clicking the tor icon on your desktop. This is the default setup, also available for older Firejail versions.
6. Optionally, lock down your network by adding
--netlock on your exec line in the starter.
This is the simplest VPN setup ever: Linux workstation running Firefox browser under Firejail, and a virtual machine in the cloud running an SSH server. The tunnel uses SOCKS5 feature of OpenSSH. This setup should work with any other application supporting SOCKS5 protocol.
OpenSSH protects the traffic with strong, industry standard encryption algorithms such as Advanced Encryption Standard (AES). Due to the large number of enterprise users using SSH in the cloud, you are very likely to go through a VPN blockade undetected. Fly under the radar and have fun!
- Sakaki’s EFI Install Guide/Sandboxing the Firefox Browser with Firejail – probably the best X11 sandboxing guide out there!
- All About Tor – removing personally identifiable information, setup, network firewall, using Tor as a DNS proxy
- Firejail BitTorrent Sandboxing Guide – how to use a DNS over HTTPS proxy to stop DNS-based attacks for a browser/BitTorrent client setup
- A Survey of Public DNS over HTTPS Servers – how to choose a DoH service