firefox: permissive access to /etc

[Boruch-Baum]

Running firejail for firefox-esr in debian allows me to read any file under /etc using keybinding C-o. That seems needlessly permissive to me. I created a firefox-esr.local file with the following contents that seem to fix the issue for me personally without any noticeable undesirable side-effects so far, but you may want to consider it for universal use

whitelist /etc/firefox-esr
whitelist /etc/mailcap*
blacklist /etc

[rusty-snake]

1. Why do you whitelist stuff in /etc if you blacklist entire /etc?
2. What about resolv.conf
3. There's a comment in firefox.profile about private-etc, if you test on all distros with all possible configurations, we can enabled it.

[Boruch-Baum]

On 2022-12-09 04:16, rusty-snake wrote: 1. Why do you whitelist stuff in /etc if you blacklist entire /etc?

Because those two sub-folders are used by firefox

2. What about resolv.conf

Because firefox isn't directly doing DNS

3. There's a comment in firefox.profile about private-etc, if you test on all distros with all possible configurations, we can enabled it.

Oooh. I wasn't familiar with that feature, and with that option. So the way to test it in debian would be to replace the contents of my firefox local with that line, right? I'll do that now, and complain if any trouble arises.

…

— Reply to this email directly, [1]view it on GitHub, or [2]unsubscribe. You are receiving this because you authored the thread. Message ID: ***@***.***> References 1. #5518 (comment) 2. https://github.com/notifications/unsubscribe-auth/AAOE3KDF5VZNZAFMLQDIMGDWMMPKRANCNFSM6AAAAAASZGEUF4

-- hkp://keys.gnupg.net CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0

[rusty-snake]

Because those two sub-folders are used by firefox

But how can firejail use them if it can not access them?

[Boruch-Baum]

OK. As an initial follow-up about your default private-etc: 1) it's missing an entry for a firefox-esr folder, which in debian has some system-wide default settings 2) it has some entries that I'm surprised are legitimately needed ever by firefox: group hostname machine-id passwd 3) it has some entries that I suspect firefox itself doesn't need because the related functionality is handled by OS components: alternatives hosts nssswitch.conf resolv.conf selinux ssl X11 4) it also has some entries for which firefox maintains its own data internally, so also likely is unnecessary: ca-certificates crypto-policies 5) many of the other items I'm unsure about, so for now, I'm testing in debian with just the following: private-etc firefox-esr,mailcap,mime.types

…

-- hkp://keys.gnupg.net CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0

[Boruch-Baum]

I've been using a custom firefox-esr.local file for about a week now, and I can report that the following works fine for me:

private-etc firefox-esr,fonts,mailcap,mime.types

Note that I needed to add 'fonts' to my original proposal, and also that I did not test using firefox without mailcap or mime.types

[layderv]

I've been using a custom firefox-esr.local file for about a week now, and I can report that the following works fine for me:

private-etc firefox-esr,fonts,mailcap,mime.types

Note that I needed to add 'fonts' to my original proposal, and also that I did not test using firefox without mailcap or mime.types

Did you have to edit settings in Firefox? With a default profile, I need to allow resolv.conf too

[Boruch-Baum]

I don't remember making that change, using Debian's firefox-esr --version "Mozilla Firefox 102.6.0esr". Firefox can be a kind of 'moving target' in that they change defaults, and Debian puts their own layer of patches on everything. With that in mind: From firefox's 'about:config' tab, when I search for 'dns' and 'resolv' I see no changes to the default settings (firefox would display such lines in bold). From the command-line, I could have grepped file prefs.js, I guess. I am glad you mentioned the DNS issue, because it's a subject that I'm finding confusing on one of my machines. See, in addition to using firejail, I'm using a application firewall called 'opensnitch', and I notice that it is logging port 53 and 443 events from firefox to a bunch of websites with names that sound like resolvers, for instance: mozilla.cloudflare-dns.com doh.test use-application-dns.net However, the events aren't anywhere near frequent enough to be individual DNS queries, even considering a firefox local DNS cache. It could be, though, that firefox is keeping a single DOH 443 connection active for as long as firefox remains open, which sounds sensible to me, but I don't know if that's how firefox DOH works, and opensnitch is also logging firefox port 53 event to localhost and a bunch of other destinations.

…

On 2023-01-11 14:23, layderv wrote: I've been using a custom firefox-esr.local file for about a week now, and I can report that the following works fine for me: private-etc firefox-esr,fonts,mailcap,mime.types Note that I needed to add 'fonts' to my original proposal, and also that I did not test using firefox without mailcap or mime.types Did you have to edit settings in Firefox? With a default profile, I need to allow resolv.conf too — Reply to this email directly, [1]view it on GitHub, or [2]unsubscribe. You are receiving this because you authored the thread. Message ID: ***@***.***> References 1. #5518 (comment) 2. https://github.com/notifications/unsubscribe-auth/AAOE3KGZPWAMGJCVL3JRN3DWR4XGJANCNFSM6AAAAAASZGEUF4

-- hkp://keys.gnupg.net CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0

[kmk3]

private-etc is now enabled in firefox-common:

• profiles: firefox-common: fix private-etc in includers #6435

Closing as resolved.

Feel free to open a new issue for bugs or improvements.