Firefox and bubblewrap?

I have asked this question on the bubblewrap issue tracker, but no one has been able to provide an answer, so I'm hoping this is a more appropriate place to ask.



1. I do not have much experience with bubblewrap yet, but I have read all the documentation I could find and tried to create a profile for Mozilla Firefox:



```sh
#!/bin/sh

# Each option line ends in a backslash so the whole bwrap invocation
# is a single command.
(exec bwrap \
--proc /proc \
--dev /dev \
--ro-bind /usr /usr \
--ro-bind /bin /bin \
--ro-bind /etc /etc \
--ro-bind /lib /lib \
--ro-bind "$HOME"/.Xauthority "$HOME"/.Xauthority \
--bind "$HOME"/.cache/mozilla "$HOME"/.cache/mozilla \
--bind "$HOME"/.mozilla "$HOME"/.mozilla \
--dev-bind /dev/snd /dev/snd \
--unshare-all \
--share-net \
firefox "$@")
```


--dev-bind /dev/snd /dev/snd is needed for ALSA sound to work.



The main goal is to protect files in my home folder in case of a browser exploit, and the profile I have created so far actually seems to work like I want, if tested in a virtual machine. I'm unable to browse files in my home folder from within the browser, and there is not much access to the rest of the system.



However, I would really appreciate it if someone more experienced with bubblewrap could review my profile and tell me if I have done something completely wrong, as it would not be good if I have made the security worse than without bubblewrap. Any ideas for enhancing the profile are also welcome.



2. The bwrap binary on my system has the setuid bit set, but I have found out that I can remove it and the profile seems to work just as before, so are there any reasons for me not to do that?







asked Jul 29 at 7:32 by cae3uax

edited Jul 29 at 7:39 by slm♦
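
A small audit helper for a profile like the one in the question, showing which paths the argument list leaves writable, which devices it passes through, and whether the host network stays reachable. This is an added example, not part of the original post; the helper names are hypothetical and the sample run uses a constructed HOME of /home/user.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Print one line per mount the argument list exposes, then the network state.
# Only the options used in the profile above (plus --unshare-net) are
# recognised; any other option is skipped without its arguments.
audit_bwrap_args() {
    net=shared                      # bwrap keeps the host network by default
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --bind|--ro-bind|--dev-bind)
                [ "$#" -ge 3 ] || { echo "error: $1 needs SRC DEST"; return 2; }
                case "$1" in
                    --bind)     mode=rw  ;;
                    --ro-bind)  mode=ro  ;;
                    --dev-bind) mode=dev ;;
                esac
                echo "$mode $2 -> $3"
                shift 3 ;;
            --proc|--dev)
                [ "$#" -ge 2 ] || { echo "error: $1 needs DEST"; return 2; }
                echo "new $2"
                shift 2 ;;
            --unshare-all|--unshare-net) net=isolated; shift ;;
            --share-net)                 net=shared;   shift ;;
            --*) shift ;;
            *)   break ;;               # first non-option word is the command
        esac
    done
    echo "net $net"
}

# Succeeds when the given file has the setuid bit set (question 2 above).
is_setuid() { [ -u "$1" ]; }

# Constructed sample: the profile above with HOME=/home/user.
sample_audit() {
    audit_bwrap_args --proc /proc --dev /dev \
        --ro-bind /usr /usr --ro-bind /bin /bin \
        --ro-bind /etc /etc --ro-bind /lib /lib \
        --ro-bind /home/user/.Xauthority /home/user/.Xauthority \
        --bind /home/user/.cache/mozilla /home/user/.cache/mozilla \
        --bind /home/user/.mozilla /home/user/.mozilla \
        --dev-bind /dev/snd /dev/snd \
        --unshare-all --share-net firefox
}

# Show only the writable, device and network lines of the sample.
sample_audit | grep -E '^(rw|dev|net) '
```

To check the installed binary for question 2, run `is_setuid "$(command -v bwrap)" && echo setuid`.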
























