Second take on the problem of defending against the Evil Internets.
Last time I took some notes about how to use the
sandbox(1) command to put Firefox in a security jail. With the following
script I'm refining the technique further.
A temporary directory is created and populated with a healthy Firefox configuration, based on pyllyukko's user.js.
The script relies on a clone of pyllyukko's user.js repository being available under $PATH_TO_USER_JS. On my system that path is updated daily by means of a cron job.
Once the sandboxed Firefox process is dead, the script recursively removes the temporary directory tree by means of the trap shell built-in.
#!/bin/sh
set -xe

tempdir="$(mktemp -d /tmp/browser-XXXXX)"
trap "rm -rvf '$tempdir'" EXIT

# -- Profile creation --
profile_name=$(printf '%.8s.sandboxed' "$(date +%s | md5sum)")
profile_dir="$tempdir/.mozilla/firefox/$profile_name"
mkdir -p "$profile_dir"

cat >"$tempdir/.mozilla/firefox/profiles.ini" <<EOF
[Profile0]
Name=sandboxed
IsRelative=1
Path=$profile_name

[General]
StartWithLastProfile=1
Version=2

[Install11457493C5A56847]
Default=$profile_name
Locked=1
EOF

cp "$PATH_TO_USER_JS/user.js/user.js" "$profile_dir"

sandbox \
    -M -T "$tempdir" -H "$tempdir" \
    -X -w 1600x900 \
    -t sandbox_web_t \
    firefox \
    "$@"
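The profile-construction and cleanup steps of the script, pulled apart into helpers that can be exercised without X11, SELinux or Firefox, as an added example that is not the original script. The function names (make_profile, check_user_js, cleanup_demo) and the user.js sanity check are this example's own assumptions; the check refuses to copy a file into the profile unless every non-comment line is a user_pref() call, and the cleanup demo shows the EXIT trap removing the temporary home even when a step fails, as it would under set -e if the user.js clone were missing.

```shell
#!/bin/sh
# Added example, not the original script: the profile-construction steps
# split into helpers that can be exercised without X11, SELinux or Firefox.
# Function names (make_profile, check_user_js, cleanup_demo) and the
# user.js sanity check are this example's own assumptions.

# Build the directory layout the sandbox will see as $HOME and write a
# profiles.ini pointing Firefox at one throwaway profile.
#   $1 - fake home directory (what the script passes to sandbox -H/-T)
#   $2 - profile directory name, relative to .mozilla/firefox
make_profile() {
    home="$1"
    name="$2"
    mkdir -p "$home/.mozilla/firefox/$name"
    cat >"$home/.mozilla/firefox/profiles.ini" <<EOF
[Profile0]
Name=sandboxed
IsRelative=1
Path=$name

[General]
StartWithLastProfile=1
Version=2
EOF
}

# Heuristic check before copying a user.js into the profile: apart from
# blank lines and // or /* ... */ comment lines, every line must be a
# user_pref(...) call. Prints the number of prefs and returns 0 on
# success; returns 1 for a missing file, a file containing foreign
# lines, or a file that sets no prefs at all.
check_user_js() {
    f="$1"
    [ -f "$f" ] || return 1
    if grep -v '^[[:space:]]*$' "$f" \
        | grep -Ev '^[[:space:]]*(//|/\*|\*|user_pref\()' \
        | grep -q .; then
        return 1
    fi
    grep -c '^[[:space:]]*user_pref(' "$f"
}

# Show that an EXIT trap removes the temporary home even when the script
# aborts early (as set -e makes it do on a failed cp). The work runs in a
# subshell so that its exit fires the trap; returns 0 if the directory
# is gone afterwards.
cleanup_demo() {
    tmp="$(mktemp -d "${TMPDIR:-/tmp}/browser-demo-XXXXXX")"
    (
        trap 'rm -rf "$tmp"' EXIT
        make_profile "$tmp" demo.sandboxed
        exit 3   # stands in for a step that fails under set -e
    ) || :
    [ ! -d "$tmp" ]
}

# Walk-through on constructed input; no Firefox is launched.
demo_home="$(mktemp -d "${TMPDIR:-/tmp}/browser-demo-XXXXXX")"
make_profile "$demo_home" "$(printf '%.8s.sandboxed' "$(date +%s | md5sum)")"
cat "$demo_home/.mozilla/firefox/profiles.ini"
# constructed sample user.js with one comment line and one pref
printf '// constructed sample\nuser_pref("browser.safebrowsing.malware.enabled", true);\n' \
    >"$demo_home/user.js"
check_user_js "$demo_home/user.js" && echo "user.js accepted"
cleanup_demo && echo "trap removed the temporary home"
rm -rf "$demo_home"
```

The profiles.ini written here carries only the Profile0 and General sections; the Install section in the script above is specific to the author's Firefox build and is left out. Because the trap runs on every exit path, an aborted launch never leaves a half-built profile behind in /tmp for the next run to pick up.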
It is of course possible to blend in some useful Firefox extensions (like
NoScript or HTTPS Everywhere) by installing the corresponding
files under the
In my case they are not needed, as they're enabled system-wide.
As for ad blocking, I'm currently relying on DNS-level filtering by means of the (still experimental) myofb toolkit.