Run sandboxed Firefox with image and sound inside a container
an invention by nguyens
Updated 8 months ago. 1 hackers ♥️. 2 followers.

Project Description

Running a web browser from your PC can cause all sorts of security or anonymity issues; e-g: content downloaded could be run automatically from your PC, resulting in disk encryption or other unpleasant events. It would be great if we could run most of this in a container so that we have as much of the web browser sandboxed, and limit the PC's exposure to security events.

So, we want to be able to run a sandboxed Firefox web browser inside a container. The web browser should [obviously] share the PC's display and provide sound. It should behave as if the browser was installed on the PC.

Goal for this Hackweek

Run a fully sandboxed Firefox web browser, on a PC that doesn't have Firefox installed.

Resources

Looking for hackers with the skills:

containers security

This project is part of:

Hack Week 22

Activity

  • 8 months ago: nguyens started this project.
  • 8 months ago: dfaggioli liked this project.
  • 8 months ago: nguyens added keyword "containers" to this project.
  • 8 months ago: nguyens added keyword "security" to this project.
  • 8 months ago: nguyens originated this project.


    • Comments

    • dfaggioli
      8 months ago by dfaggioli | Reply

      Sounds interesting. Tools like toolbox (https://github.com/openSUSE/microos-toolbox) and distrobox (https://github.com/89luca89/distrobox) achieve something like that. In fact, they do achieve the goal of running a browser (as well as pretty much any GUI app) from inside a container. They, however, are not meant for providing strong isolation (if any real "strong" isolation can even be provided with containers), so a lot of the host is shared inside of the container.

      This, of course, can be changed/restricted. Those project are not really interested in turning themselves into strong sandboxing solutions, but maybe they can be looked up, to take inspiration.

      For more information, see: https://github.com/89luca89/distrobox/issues/28 and/or: https://github.com/openSUSE/microos-toolbox/blob/master/toolbox#L197

      Note also that there are other similar tools (like Silverblue tlbox, written in Go instead than in bash), that it could be interesting to check.

    • nguyens
      8 months ago by nguyens | Reply

      Thanks a lot Dario! It worked out with a few tweaks to provide access to the X server and the DRI device files.

      • dfaggioli
        7 months ago by dfaggioli | Reply

        Mmm... Cool and interesting! Can I ask you which tricks?

        • nguyens
          8 days ago by nguyens | Reply

          Sorry, I missed your reply... Didn't see or get any notification.

          Here is the command line to run the firefox container in a podman container:

          sudo podman run -it --rm -u steph \ -e DISPLAY=$DISPLAY -e XAUTHORITY=$XAUTHORITY \ -v /dev/dri:/dev/dri \ -v /tmp/.X11-unix:/tmp/.X11-unix \ -v /run/user/1000/gdm:/run/user/1000/gdm \ -v /run/user/1000/pulse:/var/run/pulse \ -v ${DOWNLOAD_DIR}:/home/steph/Downloads \ ${IMAGE} firefox

          All the DISPLAY, XAUTHORITY stuff allows you to access your X server from the container. Mounting /dev/dri will support the direct rendering interface, avoiding the costly RPC calls.