Home > Net >  Running Firefox As An Isolated Linux User
Running Firefox As An Isolated Linux User

Time:11-14

I just did this guide to run Firefox as an isolated user - https://www.burnison.ca/articles/running-firefox-as-an-isolated-linux-user It's a nice idea for security and also I don't like .mozilla directory in my home. Mozilla Firefox developers won't add support for XDG Base Directory unfortunately.

Everything looks fine but speakers and mic doesn't work. I've got some warnings about it:

ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
mesa: for the --simplifycfg-sink-common option: may only occur zero or one times!
mesa: for the --global-isel-abort option: may only occur zero or one times!
mesa: for the --amdgpu-atomic-optimizations option: may only occur zero or one times!
ATTENTION: default value of option mesa_glthread overridden by environment.
mesa: for the --simplifycfg-sink-common option: may only occur zero or one times!
mesa: for the --global-isel-abort option: may only occur zero or one times!
mesa: for the --amdgpu-atomic-optimizations option: may only occur zero or one times!
[Child 101772, MediaDecoderStateMachine #1] WARNING: 7f463372f020 OpenCubeb() failed to init cubeb: file /build/firefox/src/firefox-94.0.1/dom/media/AudioStream.cpp:324
[Child 101772, MediaDecoderStateMachine #1] WARNING: Decoder=7f4643c11c00 [OnMediaSinkAudioError]: file /build/firefox/src/firefox-94.0.1/dom/media/MediaDecoderStateMachine.cpp:4001

Do anyone have any idea how to fix it? Your suggestions will be greatly appreciated.

CodePudding user response:

I believe the best way to isolate firefox, if what you want is real isolation, you have to isolate filesystem, cpu and mem, anything else is partial isolation like snaps on ubntu/lxc/lxd/firejail/flathub/appimage. Full isolation requires what I told you, full isolation requires a Virtual Machine, like qemu, in a fresh installed lightweight linux OS like Alpine Linux or any other, with a strong firewall, running qemu network as user, to be able to use the host firewall as well. All other options like the one you are using and also thin containers like the ones used on snap, or lxd will not take into account full isolation, from shared objects/dynamic linked libraries, user space binaries, kernel and their use by on host third parties, and isolation of kernel functions - and more - from your data. The best way I have found for partial isolation is to use firejail and snaps as they use something similar to lxc/lxd, but with firejail you can control more like use of kernel functions, that will be allowed/refused for you program to use, but still, that does not mean you have full isolation. Also, you need an operating system/kernel and user land programs, code and compilation flags for gcc with fixes for well known security problems, like: PIE, stack protection, heap protection and others like sysctl ASLR, remove access to /dev/mem and /dev/kmem and way more stuff. A good firewall will take into account a lot of stuff. My firewall, which is a single node, leaf computer, no forwarding of any kind (blocked and reinforced), no loopback (blocked and reinforced), tcp-flags restricted to the max (blocked and reinforced), sysctl tweaked to the max I know and can, ipv4 only, has 1202 lines of code and counting. Browsers have the biggest surface for hacker attacks, with new "features" added in each new version, each new feature adds a ton of flaws that will not be corrected to sometimes 3 versions after the buggy version you are not using anymore gets finally corrected, you cannot afford not having a strong firewall these days. Use a browser with a low count on exploits and pray a lot, cos there is a huge amount of chance that your computer will be hacked tomorrow if not today. I am not trying to be negative it is just the reality of things, at least with the amount of information I know, and nobody tells me otherwise.

CodePudding user response:

Thank you for your comprehensive answer.

I just switched to ALSA from Pulseaudio. It works fine.

  • Related