Project Description
Running a web browser from your PC can cause all sorts of security or anonymity issues; e-g: content downloaded could be run automatically from your PC, resulting in disk encryption or other unpleasant events. It would be great if we could run most of this in a container so that we have as much of the web browser sandboxed, and limit the PC's exposure to security events.
So, we want to be able to run a sandboxed Firefox web browser inside a container. The web browser should [obviously] share the PC's display and provide sound. It should behave as if the browser was installed on the PC.
Goal for this Hackweek
Run a fully sandboxed Firefox web browser, on a PC that doesn't have Firefox installed.
Resources
Looking for hackers with the skills:
This project is part of:
Hack Week 22
Comments
-
about 1 year ago by dfaggioli | Reply
Sounds interesting. Tools like toolbox (https://github.com/openSUSE/microos-toolbox) and distrobox (https://github.com/89luca89/distrobox) achieve something like that. In fact, they do achieve the goal of running a browser (as well as pretty much any GUI app) from inside a container. They, however, are not meant for providing strong isolation (if any real "strong" isolation can even be provided with containers), so a lot of the host is shared inside of the container.
This, of course, can be changed/restricted. Those project are not really interested in turning themselves into strong sandboxing solutions, but maybe they can be looked up, to take inspiration.
For more information, see: https://github.com/89luca89/distrobox/issues/28 and/or: https://github.com/openSUSE/microos-toolbox/blob/master/toolbox#L197
Note also that there are other similar tools (like Silverblue tlbox, written in Go instead than in bash), that it could be interesting to check.
-
about 1 year ago by nguyens | Reply
Thanks a lot Dario! It worked out with a few tweaks to provide access to the X server and the DRI device files.
-
about 1 year ago by dfaggioli | Reply
Mmm... Cool and interesting! Can I ask you which tricks?
-
7 months ago by nguyens | Reply
Sorry, I missed your reply... Didn't see or get any notification.
Here is the command line to run the firefox container in a podman container:
sudo podman run -it --rm -u steph \ -e DISPLAY=$DISPLAY -e XAUTHORITY=$XAUTHORITY \ -v /dev/dri:/dev/dri \ -v /tmp/.X11-unix:/tmp/.X11-unix \ -v /run/user/1000/gdm:/run/user/1000/gdm \ -v /run/user/1000/pulse:/var/run/pulse \ -v ${DOWNLOAD_DIR}:/home/steph/Downloads \ ${IMAGE} firefox
All the DISPLAY, XAUTHORITY stuff allows you to access your X server from the container. Mounting /dev/dri will support the direct rendering interface, avoiding the costly RPC calls.
-
-
Similar Projects
Package MONAI Machine Learning Models for Medical Applications by jordimassaguerpla
Project Description
MONAI Deploy aims to ...
Forklift - Text based GUI utility for dealing with containers by andreabenini
[comment]: # (Please use the project descriptio...
A set of utilities to produce a "from scratch" OCI/Docker container using Opensuse/SLE rpms by ldragon
[comment]: # (Please use the project descriptio...
Hangar: tool for mirror container images & generate rancher image lists. by StarryWang
Project Description
Hangar is a tool for ...
Exploring DPDK within containers by paolodepa
Project Description
Containerization is h...
Predefined app security policy template for NeuVector by feih
Project Description
Idea is to predefin...
Port NeuVector zero-trust security functions to host/VM by feih
Project Description
Today, NeuVector on...
Model checking the BPF verifier by shunghsiyu
Project Description
BPF verifier plays a ...