Firefox security and integration

[silvestron]

I'm currently running Firefox with bubblejail because it doesn't seem to compromise Firefox' own sandbox like flatpak does. At least, according to Firefox' about:support Sandbox section, everything is true/level 4. Is my assumption correct or am I missing something in bubblejail that compromises Firefox' security as well?

This is the instance config:

[common]
executable_name = "/usr/bin/firefox"
share_local_time = false
filter_disk_sync = false
dbus_name = "org.mozilla.*"

[x11]

[wayland]

[network]

[pulse_audio]

[home_share]
home_paths = [
    "downloads",
]

[direct_rendering]
enable_aco = false

[notify]

[gnome_toolkit]
gnome_portal = true

Everything works fine, the only lacking feature compared to flatpak is that protocol handlers would launch applications that handle that protocol inside the Firefox instance. Also, if I download a file, I'm not able to open it directly from Firefox, but if I open the file location, that launches nautilus outside of the sandbox (I'm assuming because of portals?).

[igo95862]

(I'm assuming because of portals?)

This is correct. There is an 'org.freedesktop.portal.OpenURI portal which can open files and URLs within an application selection screen.

I do plan on looking into the portal integration at some point.

Sandbox section, everything is true/level 4. Is my assumption correct or am I missing something in bubblejail that compromises Firefox' security as well?

I an unfamiliar with the Firefox sandbox levels so I am not sure what they correspond to.

[rusty-snake]

If about:support does not report any problems everything should be fine.

The Firefox sandbox basically needs namespaces, chroot syscall and seccomp filters. That's it.

[silvestron]

This is correct. There is an 'org.freedesktop.portal.OpenURI portal which can open files and URLs within an application selection screen.

I do plan on looking into the portal integration at some point.

That would be great! I'm okay with things being limited to the sandbox and not "escaping," portals are more of a convenience thing. The only reason I have portals enabled at all at the moment is because I wanted the same mouse cursor to be the same as in the rest of the desktop.

Sandbox section, everything is true/level 4. Is my assumption correct or am I missing something in bubblejail that compromises Firefox' security as well?

I an unfamiliar with the Firefox sandbox levels so I am not sure what they correspond to.

If about:support does not report any problems everything should be fine.

The Firefox sandbox basically needs namespaces, chroot syscall and seccomp filters. That's it.

This is what about:support Sandbox section says:

.	.
Seccomp-BPF (System Call Filtering)	true
Seccomp Thread Synchronization	true
User Namespaces	true
Content Process Sandboxing	true
Media Plugin Sandboxing	true
Content Process Sandbox Level	4
Effective Content Process Sandbox Level	4

It reports the same values when running Firefox both with and without bubblejail. When using the flatpak version of Firefox instead, User Namespaces is false. I was just wondering if there was more to it or if I was missing something but thanks for the clarification.

[igo95862]

When using the flatpak version of Firefox instead, User Namespaces is false.

I believe the Flatpak disables the user namespaces by default. Firefox runs each worker subprocess in its own user and network namespace for better isolation. However, there were some nasty kernel exploits related to the network namespaces combined with user namespaces and were is always a possibility that were are multiple not yet discovered ones still in the kernel. User namespaces provide a lot of powerful features that carry the risk of exploits.

Bubblejail has a separated service that can limit the namespaces but it is not turned on by default.

[rusty-snake]

FYI my current firefox.jail for crabjail uses namespaces-limits user:inf,net:inf,ipc:inf,pid:4.
So firefox unshares the pid-namespace once and the user,net,ipc-namespace for each worker.

[igo95862]

The most dangerous combination I would say is allowing network namespaces and user namespaces. This allows manipulating the firewall tables and in the past has been a source of vulnerabilities like CVE-2024-1086.

I am thinking about disabling access to the AF_NETLINK socket type as it will prevent sandboxes from manipulating the firewall of new network namespaces but still be able to use network namespaces as an isolation tool.