[ubuntu-hardened] Firefox and Firejail - use together at the same time?

[daniel curtis]

Hello.

As we know, Firejail is a simple SUID sandbox program that
reduces the risk of security incidents by using plenty of techniques
such as Linux namespaces, capabilities and seccomp-bpf etc. It
can be used alone or, for example, with Grsecurity and other
kernel hardening features to increase system security.

So, according to Firejail and its possibilities to restricting the
running environment of untrusted applications and the fact that
Firejail can be used with e.g. browsers etc., I would like to ask if I
can use it with Firefox (which is already confined with an
AppArmor profile) at the same time?

Generally, I mean Seccomp. Firefox's 'about:support' shows that
Seccomp-BPF (System Call Filtering) and Media Plugin Sandboxing
are set to TRUE. But Seccomp status via '/proc/*status/' shows 0.
It looks completely different when Firefox running with Firejail:

>> Firefox launched directly:
$ grep Seccomp /proc/$(pidof firefox/status
Seccomp:       0

>> Firefox launched via Firejail:
$ grep Seccomp /proc/$(pidof firefox/status
Seccomp:       2

Looks much better, right? There are some security filters enabled
by default. But what about problems between AppArmor and Firejail? Can they
be used at the same time? Firejail is pretty interesting: there are no
complicated files to configure/edit, no socket connections open, no daemons
running etc. Of course, AppArmor is also an amazing implementation.

What is your opinion?

* Firejail website: https://firejail.wordpress.com/
* Firefox guide:
https://firejail.wordpress.com/documentation-2/firefox-guide/

Best regards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20160110/f0f45a9d/attachment.html>