User talk:Sakaki/Sakaki's EFI Install Guide/Sandboxing the Firefox Browser with Firejail

From Gentoo Wiki

Issue with linked /tmp and default firefox profile

Talk status
This discussion is still ongoing.

On my installation I have /tmp linked to /var-tmp because I have a read-only mounted root filesystem. As a result, the firefox profile does not work unless I comment out private-tmp. Is there a better way of dealing with this issue? If so, could it be added to this wiki page?

Apologies, I've only just seen this (as the wiki doesn't seem to notify the original creator of page X when a talk page for X is created by someone else). Could you please elaborate a little on what you'd like to achieve on your setup, and how the default profile fails in your case? Many thanks --Sakaki (talk) 19:10, 10 November 2018 (UTC)

Using the default profile:
firejail --profile=/home/Gentoo/jonathan-websurfer/.config/firejail/firefox.profile firefox
I get:
Reading profile /home/Gentoo/jonathan-websurfer/.config/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Warning: noroot option is not available
Parent pid 1214, child pid 1215
Error: invalid whitelist path /tmp/.X11-unix
Error: proc 1214 cannot sync with peer: unexpected EOF
Peer 1215 unexpectedly exited with status 1

If I comment out private-tmp in the firefox.profile, then firefox will start.
It looks as though this is due to /tmp being a symlink:
lrwxrwxrwx 1 root root 11 Oct 27 15:31 tmp -> var/var-tmp

What if you use a bind directive (see man firejail-profile) in your ~/.config/firejail/firefox.profile to bind mount /var/var-tmp over /tmp explicitly (rather than symlinking it); does it fail then? --Sakaki (talk) 22:45, 13 November 2018 (UTC)

Sorry for the delay in responding - bind can only be used as root, and I prefer not to start firejail as the root user.
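A small diagnostic for the symlinked /tmp case discussed in this thread, added here as an example (it is not code from the wiki page or from firejail): it walks each whitelist path in a firejail profile, following include files, and reports the first path component that is a symlink, on the assumption the report above makes, namely that a symlinked /tmp is what firejail rejects as an invalid whitelist path. The profile contents and directory layout used to exercise it are constructed.

```shell
#!/bin/sh
# Added diagnostic, not part of the wiki page or of firejail. It assumes, as
# the report above suggests, that a symlinked /tmp is what makes firejail
# reject "whitelist /tmp/.X11-unix" as an invalid whitelist path.

# Print the first symlinked component of PATH as "component -> target",
# or nothing if every component is a real directory or file.
first_symlink_component() {
    cur=""
    oldifs=$IFS
    IFS=/
    for comp in $1; do
        [ -n "$comp" ] || continue      # skip the empty field before the leading /
        cur="$cur/$comp"
        if [ -L "$cur" ]; then
            printf '%s -> %s\n' "$cur" "$(readlink "$cur")"
            break
        fi
    done
    IFS=$oldifs
    return 0
}

# Scan PROFILE, following readable "include" files (as firejail does), and
# report every "whitelist" path that crosses a symlink. Returns 1 if any did.
check_profile_whitelists() {
    rc=0
    while read -r directive arg; do
        case "$directive" in
            whitelist)
                hit=$(first_symlink_component "$arg")
                if [ -n "$hit" ]; then
                    printf 'whitelist %s crosses symlink %s\n' "$arg" "$hit"
                    rc=1
                fi ;;
            include)
                # Run in a subshell so the recursive call cannot clobber rc.
                if [ -r "$arg" ]; then
                    ( check_profile_whitelists "$arg" ) || rc=1
                fi ;;
        esac
    done < "$1"
    return $rc
}
```

Run it as `check_profile_whitelists ~/.config/firejail/firefox.profile`; a reported hit such as `/tmp -> var/var-tmp` points at the component that would need to be a real directory (or bind-mounted) for the whitelist to be accepted.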

Page has reference errors

Talk status
This discussion is done.

https://wiki.gentoo.org/index.php?title=Category:Pages_with_reference_errors

Cite error: Invalid <ref> tag; name "x11_guide" defined multiple times with different content
Cite error: Invalid <ref> tag; name "Firejail_Documentation:" defined multiple times with different content

--BT (talk) 04:20, 5 January 2019 (UTC)

Thanks, I have fixed the first of these ("x11_guide"), can't find any instances of the second ("Firejail_Documentation:") but I'll have a proper look when back at my workstation early next week. Thanks for bringing this to my attention. --Sakaki (talk) 16:26, 5 January 2019 (UTC)
The second reference is name="Firejail Documentation:" without the underscore. --BT (talk) 03:26, 6 January 2019 (UTC)
Ah, thanks. Fixed that one also now; some underlying issue with my emacs ref snippet possibly, I'll need to check that. --Sakaki (talk) 16:02, 6 January 2019 (UTC)

Issue with Firejail and/or OpenBox seizing exclusive control of all input and terminal screens

Talk status
This discussion is still ongoing.

Really love the security this setup provides, and would like to sandbox my mother's web browser the same way. Only problem is an intermittent bug. I'm not sure if there's some undocumented keypress combination I'm accidentally hitting or something, but at least once per session either Firejail or OpenBox takes complete control of all input devices and will not allow any interaction with the outside Gnome desktop. The cursor will not move outside the Firejail window, keyboard shortcuts only operate within the OpenBox server environment, and even switching to another tty only opens it within the Firejail application window, and only allows me to log into the user account Firejail was opened under, with the same restricted access to files and directories. Ultimately I have to completely shut down OpenBox with the desktop Logout command and then wait for Firejail to close on its own to fix this issue, but for users that are less Linux-savvy (I keep my mother on an almost kiosk-mode account for this reason) it would likely instill panic to suddenly not be able to close the browser window.

Anyone else know what might be causing this problem, or where I might look for a clue why this is happening? When it happens I'm obviously not able to access anything outside of Firejail, and afterward my logs only show typical and expected application startup and shutdown messages.

--Tatterdemalian (talk) 07:07, 23 October 2019 (UTC)

Using nft instead of iptables

Talk status
This discussion is still ongoing.

Iptables is being phased out in a number of systems, and many Gentoo users are also opting for nftables instead of iptables. As such, it would be much appreciated if you could update this excellent tutorial to add nftables-specific instructions for security.

King Mucus (talk) 14:27, 29 March 2020 (UTC)