Pages: About | Home | My Jotter | PFT

Disposable Firefox

dacav - 2019-7-4
Tags: [ GNU/Linux ] [ security ] [ SELinux ]

Second take on the problem of defending against the Evil Internets.

Last time I took some notes about how to use the sandbox(1) command to put Firefox in a security jail. With the following script I'm refining the technique further.

A temporary directory is created and populated with a healthy Firefox configuration, based on pyllyukko's user.js.

The script relies on the fact that a clone of the user.js repository exists in $PATH_TO_USER_JS. On my system such path is updated daily by means of a cronjob.

Once the sandboxed Firefox process is dead, the script removes recursively the temporary directories by means of the trap shell built-in.

#!/bin/sh

set -xe

tempdir="$(mktemp -d /tmp/browser-XXXXX)"
trap "rm -rvf '$tempdir'" EXIT

# -- Profile creation --
profile_name=$(printf '%0.8s.sandboxed' "$(date +%s | md5sum)")
profile_dir="$tempdir/.mozilla/firefox/$profile_name"
mkdir -p "$profile_dir"

cat >"$tempdir/.mozilla/firefox/profiles.ini" <<EOF
[Profile0]
Name=sandboxed
IsRelative=1
Path=$profile_name

[General]
StartWithLastProfile=1
Version=2

[Install11457493C5A56847]
Default=$profile_name
Locked=1
EOF

cp "$PATH_TO_USER_JS/user.js/user.js" "$profile_dir"

sandbox \
    -M -T "$tempdir" -H "$tempdir" \
    -X -w 1600x900 \
    -t sandbox_web_t \
    firefox \
    "$@"

It is of course possible to blend in some useful Firefox extensions (like NoScript or HTTPS Everywhere) by installing the corresponding xpi files under the $profile_dir/extensions directory.

In my case they are not needed, as they're enabled system-wide.

As for Ad Blocking I'm currently relying on DNS-level filtering by means of the (still experimental) myofb toolkit.