Disposable Firefox

dacav - 2019-7-4
Tags: [ GNU/Linux ] [ security ] [ SELinux ]

Second take on the problem of defending against the Evil Internets.

Last time I took some notes about how to use the sandbox(1) command to put Firefox in a security jail. With the following script I'm refining the technique further.

A temporary directory is created and populated with a healthy Firefox configuration, based on pyllyukko's user.js.

The script relies on a clone of the user.js repository being available in $PATH_TO_USER_JS. On my system that clone is updated daily by a cron job.

Once the sandboxed Firefox process has exited, the script recursively removes the temporary directories by means of the trap shell built-in.


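#!/bin/sh
set -xe

# Abort early if the location of the user.js clone is not set.
: "${PATH_TO_USER_JS:?PATH_TO_USER_JS must point to the user.js clone}"

tempdir="$(mktemp -d /tmp/browser-XXXXX)"
# Remove the throwaway home and everything in it when the script exits.
trap "rm -rvf '$tempdir'" EXIT

# -- Profile creation --
profile_name=$(printf '%0.8s.sandboxed' "$(date +%s | md5sum)")
# Assumption: the profile lives next to profiles.ini, as Firefox expects.
profile_dir="$tempdir/.mozilla/firefox/$profile_name"
mkdir -p "$profile_dir"

# The heredoc body is missing from the page; this minimal profiles.ini is
# an assumed reconstruction that makes the new profile the default one.
cat >"$tempdir/.mozilla/firefox/profiles.ini" <<EOF
[General]
StartWithLastProfile=1

[Profile0]
Name=sandboxed
IsRelative=1
Path=$profile_name
Default=1
EOF

# Hardened preferences from pyllyukko's user.js.
cp "$PATH_TO_USER_JS/user.js/user.js" "$profile_dir"

# -H/-T use $tempdir as home and /tmp, -X runs in a nested X server.
# Any arguments that followed firefox are not on the page.
sandbox \
    -M -T "$tempdir" -H "$tempdir" \
    -X -w 1600x900 \
    -t sandbox_web_t \
    firefox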
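
The launcher copies user.js from the cron-updated clone without checking it, so a silently failing cron job leaves the browser with stale or missing hardening. The following pre-flight check is an added example, not part of the original post: the function name and return codes are hypothetical, and it assumes the cron job updates the clone with git pull or git fetch, which rewrites .git/FETCH_HEAD.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the cron job refreshes the clone with git pull/fetch, which
# rewrites .git/FETCH_HEAD on every run, so its mtime is the last update.

# userjs_preflight CLONE_DIR [MAX_AGE_DAYS]   (hypothetical helper)
# Returns 0 when CLONE_DIR/user.js is usable and recently fetched.
userjs_preflight() {
    clone=$1
    max_days=${2:-2}
    userjs="$clone/user.js"
    stamp="$clone/.git/FETCH_HEAD"

    if [ ! -s "$userjs" ]; then
        echo "preflight: $userjs is missing or empty" >&2
        return 1
    fi
    # A file without any user_pref() line would start an unhardened browser.
    prefs=$(grep -c '^user_pref(' "$userjs" || true)
    if [ "$prefs" -eq 0 ]; then
        echo "preflight: no user_pref() entries in $userjs" >&2
        return 2
    fi
    if [ ! -f "$stamp" ]; then
        echo "preflight: $stamp not found, no fetch recorded" >&2
        return 3
    fi
    # find prints the path only when it is older than the allowed age.
    if [ -n "$(find "$stamp" -mmin "+$((max_days * 24 * 60))")" ]; then
        echo "preflight: clone not updated for more than $max_days days" >&2
        return 4
    fi
    return 0
}

# Demo on a constructed clone (sample data built here, runs offline).
demo=$(mktemp -d)
mkdir -p "$demo/user.js/.git"
printf 'user_pref("constructed.sample.pref", false);\n' >"$demo/user.js/user.js"
: >"$demo/user.js/.git/FETCH_HEAD"
userjs_preflight "$demo/user.js" && echo "fresh clone accepted"
touch -t 200001010000 "$demo/user.js/.git/FETCH_HEAD"
userjs_preflight "$demo/user.js" || echo "stale clone rejected (rc=$?)"
rm -rf "$demo"
```

In the launcher it would be called as userjs_preflight "$PATH_TO_USER_JS/user.js" just before the cp line, so that set -e stops the script on any non-zero result.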

It is of course possible to blend in some useful Firefox extensions (like NoScript or HTTPS Everywhere) by installing the corresponding xpi files under the $profile_dir/extensions directory.

In my case they are not needed, as they're enabled system-wide.

As for Ad Blocking I'm currently relying on DNS-level filtering by means of the (still experimental) myofb toolkit.