Automatically Firejailing Tor Browser

Patrick · July 19, 2019, 2:50pm

Anyone managed to make firejail gui isolation work?

firejail --x11

madaidan · July 19, 2019, 2:54pm

I have. It’s pretty simple but it might be a bit annoying to use as the external X server has to be set at a specific resolution which may be better or worse depending on the users monitor.

Patrick · July 19, 2019, 2:55pm

Which helper package (required as far as I understand) would be better/recommended/easier/safer/whatnot?

xpra
xserver-xephyr

Which did you use?

madaidan · July 19, 2019, 3:00pm

I prefer to use Xephyr. Xpra seems a bit more complicated.

Patrick · July 19, 2019, 4:49pm

What about…?

--x11=xorg

Seems to have zero usability impact?

Patrick · July 19, 2019, 4:58pm

--x11=xephyr --xephyr-screen=1366x768 is also interesting since then we could get a better web fingerprint by using the most popular screen resolution on desktop computers? But xephyr looks weird in Qubes. All window contents on the left and then a lot black area on the right side. Looks incompatible. And xephyr breaks copy/paste of text from and to the browser window?

--x11=xpra crashed for me in a Qubes VM.

So for Qubes --x11=xorg seems like the way to go for now.

Patrick · July 19, 2019, 5:04pm

madaidan · July 19, 2019, 5:04pm

--x11=xorg uses the X security extension which is poorly documented.

https://www.x.org/wiki/Development/Documentation/Security/

It will also allow applications which both use the security extension to interact with eachother as if there was no sandbox at all.

I found some discussion here What is up with the X11 SECURITY extension? : linux

Patrick · August 2, 2019, 3:39am

madaidan · August 2, 2019, 2:06pm

That’s to be expected since X handles the clipboard.

Patrick · August 14, 2019, 1:48am

github.com/netblue30/firejail

remove x11 xorg

netblue30:master ← adrelanos:patch-1

opened 01:48AM - 14 Aug 19 UTC

adrelanos

+0 -2

https://forums.whonix.org/t/automatically-firejailing-tor-browser/4767/29 I…f your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. If you make a PR for new profiles or changeing profiles please do the following: - The ordering of options follow the rules descripted in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). > Hint: The profile-template is very new, if you install firejail with your package-manager, it maybe missing, therefore, and to follow the latest rules, it is recommended to use the template from the repository. - Order the arguments of options alphabetical, you can easy do this with the [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). The path to it depends on your distro: | Distro | Path | | ------ | ---- | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | | local git clone | `contrib/sort.py` | Note also that the sort.py script exists only since firejail `0.9.61`. See also [CONTRIBUTING.md](/CONTRIBUTING.md).

Patrick · September 16, 2019, 12:17pm

github.com/netblue30/firejail

firejail should follow symlinks for private-etc?

opened 12:17PM - 16 Sep 19 UTC

closed 03:11PM - 11 Mar 22 UTC

adrelanos

enhancement

Had a difficult to debug issue with SecBrowser and firejail. (Using torbrowser-l…auncher profile since SecBrowser is a derivative of Tor Browser.) This line in torbrowser-launcher was the cause: > private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache /etc/resolv.conf was a symlink to /etc/resolv.conf.kicksecure ls -la /etc/resolv.conf* lrwxrwxrwx 1 root root 22 Sep 15 13:25 /etc/resolv.conf -> resolv.conf.kicksecure -rw-r--r-- 1 root root 311 Sep 16 06:46 /etc/resolv.conf.kicksecure -rw-rw-r-- 1 root root 0 Sep 15 13:24 /etc/resolv.conf.kicksecure-orig Similar to `resolvconf` which also uses symlinks. Appending `,resolv.conf.kicksecure` to that line fixed the issue. Therefore DNS was broken. Therefore would ti be good if firejail would follow symlinks?

Patrick · September 16, 2019, 12:20pm

madaidan · October 12, 2019, 11:24pm

I’ve been messing around with xpra and bubblewrap and xpra seems to be a better choice than xephyr. It allows for near seamless X11 sandboxing.

Although xpra has really large attack surface. It has webcam forwarding, mic forwarding, mDNS, its own web server, printing support, it can be accessed over SSH, TCP, UDP and a whole bunch of other things.

Luckily, many of these things can be disabled through flags. e.g. the --mdns=no flag can be used to disable mDNS. There doesn’t seem to be a flag to explicitly disallow any connections over the network so I used an AppArmor profile to explicitly deny network access.

Dunno how firejail deals with these.

madaidan · October 12, 2019, 11:28pm

It doesn’t look like firejail disables any of these which is a bit worrying firejail/src/firejail/x11.c at master · netblue30/firejail · GitHub

Patrick · August 21, 2023, 10:29am