Run sandboxed Firefox with image and sound inside a container
an invention by nguyens
Updated over 2 years ago. 1 hackers ♥️. 2 followers.

Project Description

Running a web browser from your PC can cause all sorts of security or anonymity issues; e-g: content downloaded could be run automatically from your PC, resulting in disk encryption or other unpleasant events. It would be great if we could run most of this in a container so that we have as much of the web browser sandboxed, and limit the PC's exposure to security events.

So, we want to be able to run a sandboxed Firefox web browser inside a container. The web browser should [obviously] share the PC's display and provide sound. It should behave as if the browser was installed on the PC.

Goal for this Hackweek

Run a fully sandboxed Firefox web browser, on a PC that doesn't have Firefox installed.

Resources

  • https://en.wikipedia.org/wiki/DirectRenderingInfrastructure

Looking for hackers with the skills:

containers security

This project is part of:

Hack Week 22

Activity

  • over 2 years ago: nguyens started this project.
  • almost 3 years ago: dfaggioli liked this project.
  • almost 3 years ago: nguyens added keyword "containers" to this project.
  • almost 3 years ago: nguyens added keyword "security" to this project.
  • almost 3 years ago: nguyens originated this project.


    • Comments

    • dfaggioli
      almost 3 years ago by dfaggioli | Reply

      Sounds interesting. Tools like toolbox (https://github.com/openSUSE/microos-toolbox) and distrobox (https://github.com/89luca89/distrobox) achieve something like that. In fact, they do achieve the goal of running a browser (as well as pretty much any GUI app) from inside a container. They, however, are not meant for providing strong isolation (if any real "strong" isolation can even be provided with containers), so a lot of the host is shared inside of the container.

      This, of course, can be changed/restricted. Those project are not really interested in turning themselves into strong sandboxing solutions, but maybe they can be looked up, to take inspiration.

      For more information, see: https://github.com/89luca89/distrobox/issues/28 and/or: https://github.com/openSUSE/microos-toolbox/blob/master/toolbox#L197

      Note also that there are other similar tools (like Silverblue tlbox, written in Go instead than in bash), that it could be interesting to check.

    • nguyens
      over 2 years ago by nguyens | Reply

      Thanks a lot Dario! It worked out with a few tweaks to provide access to the X server and the DRI device files.

      • dfaggioli
        over 2 years ago by dfaggioli | Reply

        Mmm... Cool and interesting! Can I ask you which tricks?

        • nguyens
          about 2 years ago by nguyens | Reply

          Sorry, I missed your reply... Didn't see or get any notification.

          Here is the command line to run the firefox container in a podman container:

          sudo podman run -it --rm -u steph \ -e DISPLAY=$DISPLAY -e XAUTHORITY=$XAUTHORITY \ -v /dev/dri:/dev/dri \ -v /tmp/.X11-unix:/tmp/.X11-unix \ -v /run/user/1000/gdm:/run/user/1000/gdm \ -v /run/user/1000/pulse:/var/run/pulse \ -v ${DOWNLOAD_DIR}:/home/steph/Downloads \ ${IMAGE} firefox

          All the DISPLAY, XAUTHORITY stuff allows you to access your X server from the container. Mounting /dev/dri will support the direct rendering interface, avoiding the costly RPC calls.

    Similar Projects

    Technical talks at universities by agamez

    Description

    This project aims to empower the next generation of tech professionals by offering hands-on workshops on containerization and Kubernetes, with a strong focus on open-source technologies. By providing practical experience with these cutting-edge tools and fostering a deep understanding of open-source principles, we aim to bridge the gap between academia and industry.

    For now, the scope is limited to Spanish universities, since we already have the contacts and have started some conversations.

    Goals

    • Technical Skill Development: equip students with the fundamental knowledge and skills to build, deploy, and manage containerized applications using open-source tools like Kubernetes.
    • Open-Source Mindset: foster a passion for open-source software, encouraging students to contribute to open-source projects and collaborate with the global developer community.
    • Career Readiness: prepare students for industry-relevant roles by exposing them to real-world use cases, best practices, and open-source in companies.

    Resources

    • Instructors: experienced open-source professionals with deep knowledge of containerization and Kubernetes.
    • SUSE Expertise: leverage SUSE's expertise in open-source technologies to provide insights into industry trends and best practices.