Project Description

Running a web browser from your PC can cause all sorts of security or anonymity issues; e-g: content downloaded could be run automatically from your PC, resulting in disk encryption or other unpleasant events. It would be great if we could run most of this in a container so that we have as much of the web browser sandboxed, and limit the PC's exposure to security events.

So, we want to be able to run a sandboxed Firefox web browser inside a container. The web browser should [obviously] share the PC's display and provide sound. It should behave as if the browser was installed on the PC.

Goal for this Hackweek

Run a fully sandboxed Firefox web browser, on a PC that doesn't have Firefox installed.

Resources

Looking for hackers with the skills:

containers security

This project is part of:

Hack Week 22

Activity

  • about 1 year ago: nguyens started this project.
  • about 1 year ago: dfaggioli liked this project.
  • about 1 year ago: nguyens added keyword "containers" to this project.
  • about 1 year ago: nguyens added keyword "security" to this project.
  • about 1 year ago: nguyens originated this project.

  • Comments

    • dfaggioli
      about 1 year ago by dfaggioli | Reply

      Sounds interesting. Tools like toolbox (https://github.com/openSUSE/microos-toolbox) and distrobox (https://github.com/89luca89/distrobox) achieve something like that. In fact, they do achieve the goal of running a browser (as well as pretty much any GUI app) from inside a container. They, however, are not meant for providing strong isolation (if any real "strong" isolation can even be provided with containers), so a lot of the host is shared inside of the container.

      This, of course, can be changed/restricted. Those project are not really interested in turning themselves into strong sandboxing solutions, but maybe they can be looked up, to take inspiration.

      For more information, see: https://github.com/89luca89/distrobox/issues/28 and/or: https://github.com/openSUSE/microos-toolbox/blob/master/toolbox#L197

      Note also that there are other similar tools (like Silverblue tlbox, written in Go instead than in bash), that it could be interesting to check.

    • nguyens
      about 1 year ago by nguyens | Reply

      Thanks a lot Dario! It worked out with a few tweaks to provide access to the X server and the DRI device files.

      • dfaggioli
        about 1 year ago by dfaggioli | Reply

        Mmm... Cool and interesting! Can I ask you which tricks?

        • nguyens
          6 months ago by nguyens | Reply

          Sorry, I missed your reply... Didn't see or get any notification.

          Here is the command line to run the firefox container in a podman container:

          sudo podman run -it --rm -u steph \ -e DISPLAY=$DISPLAY -e XAUTHORITY=$XAUTHORITY \ -v /dev/dri:/dev/dri \ -v /tmp/.X11-unix:/tmp/.X11-unix \ -v /run/user/1000/gdm:/run/user/1000/gdm \ -v /run/user/1000/pulse:/var/run/pulse \ -v ${DOWNLOAD_DIR}:/home/steph/Downloads \ ${IMAGE} firefox

          All the DISPLAY, XAUTHORITY stuff allows you to access your X server from the container. Mounting /dev/dri will support the direct rendering interface, avoiding the costly RPC calls.

    Similar Projects

    Predefined app security policy template for NeuVector by feih

    Project Description

    Idea is to predefin...


    Exploring DPDK within containers by paolodepa

    Project Description

    Containerization is h...


    A set of utilities to produce a "from scratch" OCI/Docker container using Opensuse/SLE rpms by ldragon

    [comment]: # (Please use the project descriptio...


    Containerized home mirror by lkocman

    I'm running a simple home mirror, but I managed...


    Building a container bootloader by flonnegren

    [comment]: # (Please use the project descriptio...


    Predefined app security policy template for NeuVector by feih

    Project Description

    Idea is to predefin...


    Port NeuVector zero-trust security functions to host/VM by feih

    Project Description

    Today, NeuVector on...


    Model checking the BPF verifier by shunghsiyu

    Project Description

    BPF verifier plays a ...