Properly document how to "Drastically reduce security for profiles which need to open stuff in [browser name]"

[ssokolow]

Regarding this:

Cannot open hyperlink with web browser using another application

It is recommended to copy-paste links from with application with the hyperlink into an already running web browser. This will always be the safest bet, allbeit not very user-friendly. See #2228 and #2047

I consider copy-pasting links from within the application an unacceptable workflow regression, even without the Qt bug in Kubuntu 16.05 LTS that causes clipboard functionality in Qt apps to die once uptime hits 50 days, and the paste URLs in #2228 time out, so I can't work from those.

Please consider providing proper documentation for what one must take into account when writing a custom "Firefox, locked down as far as can be done without compromising workflow" profile as a defense-in-depth strategy.

(At the moment, having no idea where I'm going wrong and I'm waffling between abandoning Firejail, using Rust to write an "expose Firefox remoting on the D-Bus session bus" daemon which could get launched alongside Firefox in its jail, or checking how onerous it would be to use Bubblewrap or locally-customized Flatpaks to achieve the desired effect.)

(My goal is to have apps, Firejail'd or not, using a Firejaild Firefox as an HTTP/HTTPS handler, and Firejail'd Firefox and Chromium using a Firejaild Deluge as a magnet link handler.)

EDIT: Sorry for the (repeated) typo in the old version of the previous paragraph. I'm not fully alert right now.

[SkewedZeppelin]

Offtopic:

causes clipboard functionality in Qt apps to die once uptime hits 50 days

There are kernel updates every single week with many security patches. Please reboot your machine more often. 😉

[ssokolow]

I will as soon as I finish writing the improved tooling so it doesn't take me 15 minutes of acute time after each reboot and another ~15 of "diffuse waste" over the rest of the day whenever I have to rebuild my desktop session state after logging out.

(And no, "as soon as I finish writing the improved tooling" is not a joke. At the moment, the first thing in line for completion is something half-way between Leafpad and desktop sticky notes, which auto-saves, remembers all geometry and state for each window, and treats manually-specified filenames as optional. After that, maybe a Vim plugin which does something similar for open Vim windows without the workflow warts I see in existing options. ...neither of which are tools that get along with DE-level session-persistence functionality. Then probably something which jerry-rigs some smarter window-geometry persistence onto multi-window Firefox sessions using my prior experience using libwnck and python-xlib to write "non-desktop-specific window manager extensions". Having the budget for an SSD and a CPU faster than an Athlon II X2 270 would probably also help.)

[glitsj16]

(At the moment, having no idea where I'm going wrong and I'm waffling between abandoning Firejail, using Rust to write an "expose Firefox remoting on the D-Bus session bus" daemon which could get launched alongside Firefox in its jail, or checking how onerous it would be to use Bubblewrap or locally-customized Flatpaks to achieve the desired effect.)

Perhaps exposing Firefox remoting on the D-Bus session bus can be integrated into the recent D-Bus work (see #3265, #3326 and #3406)?

[rusty-snake]

Assuming firefox is already running, I think it would look like this.

# IF HAS_WHITELIST
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
read-only ${HOME}/.mozilla/firefox/profiles.ini
# ELSE
noblacklist ${HOME}/.mozilla
read-only ${HOME}/.mozilla
# FI

# IF DBUS_USER_NONE
ignore dbus-user none
dbus-user filter
dbus-user.talk org.mozilla.firefox.* // or own?
# ELIF DBUS_USER_FILTER
dbus-user.talk org.mozilla.firefox.* // or own?
# FI

# IF HAS_PRIVATE_BIN
private-bin firefox,bash,sh,mkdir,…
# FI

# IF HAS_PRIVATE_LIB
private-lib mozilla
# FI

[rusty-snake]

The customizations differ between firefox-x11 and firefox-wayland.

[ssokolow]

Sorry for not responding. I've been sleeping terribly the last couple of days, so I haven't done anything with Firejail.

I'll give you a proper response as soon as I'm in a proper state of mind again.

[ssokolow]

...and now I'm getting signs of impending hardware failure, so I need to deal with that before I can respond.

[glitsj16]

@ssokolow Hoping you're okay, including the hardware. As a FYI I've recently put together a few basic shell scripts to open stuff in a firejailed web browser that might be helpful/inspirational. See this for more context.

[ssokolow]

Better than I was before.

My sleep is still on and off, and I still have to finish with the hardware work, but I've made sure the backups of everything on the potentially failing drive are up to date and viable, ordered and received the replacement hardware (I'm taking the opportunity to expand my storage and finally get an SSD), and I'm now just making preparations to get my upgrade from Kubuntu 16.04 LTS to 20.04 LTS done as part of the hardware upgrade to save time and effort.