Second take on the problem of defending against the Evil Internets.

Last time I took some notes about how to use the sandbox(1) command to put Firefox in a security jail. With the following script I'm refining the technique further.

A temporary directory is created and populated with a healthy Firefox configuration, based on pyllyukko's user.js. The script relies on the fact that a clone of the user.js repository exists in $PATH_TO_USER_JS. On my system that path is updated daily by means of a cronjob.

Once the sandboxed Firefox process is dead, the script recursively removes the temporary directories (the throwaway profile and whatever the browser wrote into it) by means of the trap shell built-in.
#!/bin/sh
set -xe

# Throwaway home for this session; removed when the script exits, however it exits.
tempdir="$(mktemp -d /tmp/browser-XXXXX)"
trap "rm -rvf '$tempdir'" EXIT

# -- Profile creation --
profile_name=$(printf '%0.8s.sandboxed' "$(date +%s | md5sum)")
profile_dir="$tempdir/.mozilla/firefox/$profile_name"
mkdir -p "$profile_dir"
cat >"$tempdir/.mozilla/firefox/profiles.ini" <<EOF
[Profile0]
Name=sandboxed
IsRelative=1
Path=$profile_name

[General]
StartWithLastProfile=1
Version=2

[Install11457493C5A56847]
Default=$profile_name
Locked=1
EOF

# Hardened preferences from the local clone of pyllyukko's user.js
cp "$PATH_TO_USER_JS/user.js/user.js" "$profile_dir"

# Run Firefox confined as sandbox_web_t, with the throwaway directory as both
# $HOME and /tmp, on a secondary X server 1600x900 wide
sandbox \
    -M -T "$tempdir" -H "$tempdir" \
    -X -w 1600x900 \
    -t sandbox_web_t \
    firefox \
    "$@"
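As an added example that is not part of the original post, the following plain sh script rebuilds the throwaway profile without calling sandbox(1) or firefox, adds a preflight check on the generated home before it would be handed to sandbox -H, and verifies that the EXIT trap also removes the temporary home when the browser launch fails. The function names and the two-line user.js stand-in are assumptions, not pyllyukko's file.

```shell
#!/bin/sh
# Added example (not from the original post): builds the throwaway Firefox
# home the script above creates, checks it before it would go to 'sandbox -H',
# and shows the EXIT trap cleaning up when the browser launch fails. Nothing
# here calls sandbox(1) or firefox. Names and SAMPLE_USER_JS are constructed.

# Two-pref stand-in for pyllyukko's user.js (constructed, not the real file).
SAMPLE_USER_JS='user_pref("privacy.resistFingerprinting", true);
user_pref("browser.shell.checkDefaultBrowser", false);'

# Populate existing private base dir $1 with a throwaway profile using the
# user.js at $2 (the script's profile-creation step, minus the [Install] section).
populate_profile() {
    base="$1"; userjs="$2"
    [ -f "$userjs" ] || { echo "user.js not found: $userjs" >&2; return 1; }
    name=$(printf '%0.8s.sandboxed' "$(date +%s | md5sum)")
    dir="$base/.mozilla/firefox/$name"
    mkdir -p "$dir"
    printf '[Profile0]\nName=sandboxed\nIsRelative=1\nPath=%s\n\n[General]\nStartWithLastProfile=1\nVersion=2\n' \
        "$name" >"$base/.mozilla/firefox/profiles.ini"
    cp "$userjs" "$dir/user.js"
    echo "$dir"
}

# Preflight before 'sandbox -H "$base"': profiles.ini must name a flat profile
# dir inside $base, user.js must be in it, and $base must be private to the
# user (mktemp -d creates it 0700), so nothing leaks outside the jail's $HOME.
check_throwaway_home() {
    base="$1"; ini="$base/.mozilla/firefox/profiles.ini"
    [ -f "$ini" ] || return 1
    name=$(sed -n 's/^Path=//p' "$ini")
    case "$name" in ''|*/*|..) return 1 ;; esac
    [ -f "$base/.mozilla/firefox/$name/user.js" ] || return 1
    perm=$(stat -c %a "$base" 2>/dev/null || stat -f %Lp "$base")
    [ "$perm" = 700 ]
}

# The script's lifecycle in a fresh sh: set -e, EXIT trap, then a failing
# browser launch. Returns 0 if the trap removed the temporary home.
trap_cleans_up_on_failure() {
    base=$(sh -c '
        set -e
        tempdir="$(mktemp -d /tmp/browser-XXXXX)"
        trap "rm -rf \"$tempdir\"" EXIT
        mkdir -p "$tempdir/.mozilla/firefox"
        echo "$tempdir"
        false   # stands in for a sandboxed firefox that fails to start
    ' || :)
    [ -n "$base" ] && [ ! -d "$base" ]
}
```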
It is of course possible to blend in some useful Firefox extensions (like NoScript or HTTPS Everywhere) by installing the corresponding xpi files under the $profile_dir/extensions directory. In my case they are not needed, as they're enabled system-wide.

As for ad blocking, I'm currently relying on DNS-level filtering by means of the (still experimental) myofb toolkit.