Tag Archives: firefox

Secure Containerized Browser

By default Chromium on OpenBSD (not so) recently got OpenBSD’s unveil(2) support. That means that of you run Chromium with --enable-unveil flag then it will be prevented from accessing anything other than the ~/Downloads directory. No such thing on FreeBSD exists. Firefox or Chromium have access to all files user can read – even to your system sshd(8) keys or even worse to your private keys laying in the ~/.ssh dir. On FreeBSD thanks to its FreeBSD Jails technology we can create secure containerized browser with only access to the specified directory. On my system its the ~/download dir.

You may want to check other desktop related articles in the FreeBSD Desktop series on the FreeBSD Desktop page.

Configuration

We will start with /etc/jail.conf file configuration. For the record – we will be using /jail for our FreeBSD Jails main dir. I will also use /jail dir for the ‘base’ FreeBSD versions tarballs as a convenient place. As I use 10.0.0.0/24 address space I will use 10.0.0.200 for our containerized browser. Feel free to pick other IP from which you will be able to reach the Internet. The /etc/jail.conf is shown below. One thing to note here. As I am using WiFi wlan0 interface I have put that into the Jail configuration. If you use LAN interface (for example em0) then put that instead into this Jail config. As you see from the example below we will be using Firefox browser in out example.

root@host # cat /etc/jail.conf

# GLOBAL
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.clean;
  exec.consolelog = "/var/log/jail_${name}_console.log";
  mount.devfs;
  host.hostname = ${name};
  path = /jail/${name};

# JAILS
  firefox {
    devfs_ruleset = 30;
    ip4.addr = 10.0.0.200;
    interface = wlan0;
    allow.raw_sockets;
    allow.sysvipc;
    mount.fstab = "/jail/firefox/etc/fstab";
  }

As you can see we will also be using devfs(8) rules in the /etc/devfs.rules file – shown below. This configuration is needed to have access to sound(4) in our FreeBSD Jail. If you do not need sound then you can delete devfs_ruleset = 30; from the /etc/jail.conf file and also do not add anything in the /etc/devfs.rules file.

root@host # cat /etc/devfs.rules
[sound=30]
add path 'mixer*' unhide
add path 'dsp*'   unhide

If we are about to share the ~/download dir with our containerized browser then we need to somehow add that information to our FreeBSD Jail. We will use the FreeBSD’s mount_nullfs(8) command to mount our currently existing ~/download dir into our FreeBSD Jail. We will use following /jail/firefox/etc/fstab for that purpose.

root@host # cat /jail/firefox/etc/fstab
#SOURCE         #MNT                                      #TYPE   #OPTS       #DUMP/PASS
/data/download  /jail/firefox/usr/home/vermaden/download  nullfs  rw,noatime  0 0

Of course you do not have to share any directory with your containerized browser.

You may as well would want to make this jails start everytime you boot your system. To do that add below lines to the /etc/rc.conf file as shown below.

jail_enable=YES
jail_parallel_start=YES
jail_list="firefox"

Create the Jail

As I use FreeBSD 13.0-RELEASE I would be using also the FreeBSD 13.0-RELEASE Jail for that purpose. If you are running for example FreeBSD 12.3-RELEASE then make sure that you will use FreeBSD 12.3-RELEASE Jail. The Jail version needs to be lower then the host system version. We will now fetch needed FreeBSD ‘base’ file and unpack it within /jail/firefox dir where our container would live. We will also configure several other basic files such as /etc/resolv.conf or /etc/hosts files.

root@host # mkdir -p /jail/BASE /jail/firefox /jail/firefox/usr/home/vermaden/download

root@host # fetch -o /jail/BASE/13.0-RELEASE-base.txz \
    http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/13.0-RELEASE/base.txz

root@host # tar -xvpf /jail/BASE/13.0-RELEASE-base.txz -C /jail/firefox

root@host # echo nameserver 1.1.1.1 > /jail/firefox/etc/resolv.conf

root@host # echo 10.0.0.200 firefox >> /jail/firefox/etc/hosts

root@host # cat << EOF > /jail/firefox/etc/fstab
#SOURCE         #MNT                                      #TYPE   #OPTS       #DUMP/PASS
/data/download  /jail/firefox/usr/home/vermaden/download  nullfs  rw,noatime  0 0
EOF

We will now start our fresh FreeBSD Jail.

root@host # service jail onestart firefox

We can now also see two new mounts in the mount(8) output.

root@host # mount | tail -2
/data/download on /jail/firefox/usr/home/vermaden/download (nullfs, local, noatime)
devfs on /jail/firefox/dev (devfs)

root@host # mount -p | tail -2 | column -t
/data/download /jail/firefox/usr/home/vermaden/download nullfs rw,noatime 0 0
devfs /jail/firefox/dev devfs rw 0 0

You may want to update the FreeBSD version to the most up to date one with freebsd-update(8) commands.

root@host # freebsd-update -b /jail/firefox fetch
root@host # freebsd-update -b /jail/firefox install

Install Needed Packages

Before installing anything we will first switch to the latest branch for the pkg(8) packages to have most up to date software. We will then process to installing the Firefox package. We will also need x11/xauth package for X11 Forwarding process.

root@host # sed -i '' s.quarterly.latest.g /jail/firefox/etc/pkg/FreeBSD.conf

root@host # grep latest /jail/firefox/etc/pkg/FreeBSD.conf
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",

root@host # jls
   JID  IP Address      Hostname                      Path
     1  10.0.0.200      firefox                       /jail/firefox

root@host # jexec 1

(root@jail) # pkg install -y firefox xauth

Create Matching User and Configure sshd(8) Daemon

We will now enter our FreeBSD Jail again for several other needed tasks for our containerized browser to be working. First is creating inside similar user as you currently use inside. Especially with the same UID/GID to have files with proper permissions in your real ~/download directory instead of files with other UID/GID that you will have to chown(8) with root user. As my vermaden user uses UID/GID 1000 I will also use that inside. I will also set simple password that You will only use once – to copy your public SSH key there.

root@host # jexec 1

(root@jail) # echo your-username-password-goes-here | pw user add -u 1000 -n vermaden -m -s /bin/sh -h 0

Now we need to run /usr/local/bin/dbus-uuidgen --ensure once to make sure DBUS is initialized properly. Firefox and many other apps would not start if we omit that step.

(root@jail) # /usr/local/bin/dbus-uuidgen --ensure

Now the sshd(8) daemon. The only thing we need to do is to add it to the system startup and also add X11UseLocalhost no option to its config file.

(root@jail) # sysrc sshd_enable=YES
sshd_enable: NO -> YES

(root@jail) # echo X11UseLocalhost no >> /etc/ssh/sshd_config

(root@jail) # service sshd start
Generating RSA host key.
2048 SHA256:VnrvItf0tl738C5Oc2St6T63/6o8zaDlfUskB+NrElo root@firefox (RSA)
Generating ECDSA host key.
256 SHA256:ZAjcAGqlrVwvY+J9MuVzErx9QUOqIOJE3nJX/Oqwtpk root@firefox (ECDSA)
Generating ED25519 host key.
256 SHA256:JdzUql2D2+X8iBn3c1jWDHQRNQMKqWGOcL4J16fIX0E root@firefox (ED25519)
Performing sanity check on sshd configuration.
Starting sshd.

Copy Public SSH Key and Start

Copying your public SSH key is optional but if you omit this step then you would have to type your FreeBSD Jail user password every time you would want to start your secure Firefox instance.

vermaden@host % ssh-copy-id -i ~/.ssh/id_rsa vermaden@10.0.0.200
Password:

Now you can start your containerized browser. I have added some useful flags for ssh(1) client like compression with -C and fastest supported encryption with -c aes128-ctr option. The -X is for X11 Forwarding option. I also added GDK_SYNCHRONIZE=1 to make Firefox yell less πŸ™‚

vermaden@host % ssh -C -c aes128-ctr -X vermaden@10.0.0.200 env GDK_SYNCHRONIZE=1 firefox --new-instance

Now without password you should see fresh Firefox instance.

firefox-fresh

I will now try to play some random video. I can not show you that from an image but the sound also works πŸ™‚

firefox-youtube

Similar setup can be created for other browser if Firefox is not your browser of choice of course. If you are curious how much space it uses its about this:

root@host # du -smx /jail/BASE/13.0-RELEASE-base.txz /jail/firefox 
181 /jail/BASE/13.0-RELEASE-base.txz
1603 /jail/firefox

root@host # du -smx -A /jail/BASE/13.0-RELEASE-base.txz /jail/firefox
181 /jail/BASE/13.0-RELEASE-base.txz
2601 /jail/firefox

I also added the -A flag in second the du(1) command to show you how much more space would be used without the ZFS LZ4 compression.

UPDATE 1 – Use XPRA Instead of X11 Forwarding

Some people complained that this is quite good setup but they were not happy with using X11 Forwarding for the connection method. I decided to add additional XPRA method to connect to our secure containerized browser. First thing you need to do is to install the x11/xpra package on both the host system and also inside the jail container.

root@host # pkg install -y xpra
(root@jail) # pkg install -y xpra

Now – after logging into your user in the Jail container – vermaden in may case – we will use the xpra commands to create new session with Firefox browser.

Lets see if any xpra sessions currently exists.

(vermaden@jail) % xpra list
Warning: XDG_RUNTIME_DIR is not defined
 and '/run/user/1000' does not exist
 using '/tmp'
No xpra sessions found

Seems not. We can not start our Firefox session.

(vermaden@jail) % xpra start --bind-tcp=:14500 --start='firefox --new-instance'
Warning: XDG_RUNTIME_DIR is not defined
 and '/run/user/1000' does not exist
 using '/tmp'
Entering daemon mode; any further errors will be reported to:
  /tmp/xpra/S19958.log
Actual display used: :0
Actual log file name is now: /tmp/xpra/:0.log

We can see in the xpra list command that new session appeared.

(vermaden@jail) % xpra list
Warning: XDG_RUNTIME_DIR is not defined
 and '/run/user/1000' does not exist
 using '/tmp'
Found the following xpra sessions:
/home/vermaden/.xpra:
        LIVE session at :0

We can also see that xpra is now listening on the 14500 port.

(vermaden@jail) % sockstat -l4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
vermaden python3.8  20781 3  tcp4   10.0.0.200:14500      *:*
root     sshd       58454 3  tcp4   10.0.0.200:22         *:*
root     syslogd    48568 5  udp4   10.0.0.200:514        *:*

We will now move to out host and start graphical xpra client to connect to our FreeBSD Jail with Firefox process.

update1-xpra-main

After clicking the large Connect button we can now enter our Jail address.

update1-xpra-connect

After again clicking the Connect button on the bottom this time we can now se our Firefox browser from our secure environment.

update1-xpra-firefox

After we done our job at more secure Firefox we can now end our xpra session on the jail system.

(vermaden@jail) % xpra stop
Warning: XDG_RUNTIME_DIR is not defined
 and '/run/user/1000' does not exist
 using '/tmp'
xpra initialization error:
 cannot find any live servers to connect to

(vermaden@jail) % xpra list
Warning: XDG_RUNTIME_DIR is not defined
 and '/run/user/1000' does not exist
 using '/tmp'
No xpra sessions found

As XPRA provides OpenGL acceleration you may verify that fact from your host system using below command.

vermaden@host % xpra opengl
Warning: XDG_RUNTIME_DIR is not defined
 and '/run/user/1000' does not exist
 using '/tmp'
Warning: cannot handle window transparency
 screen is not composited
Warning: vendor 'Intel Open Source Technology Center' is greylisted,
 you may want to turn off OpenGL if you encounter bugs
Warning: window 0xffffffff changed its transparency attribute
 from False to True, behaviour is undefined
GLU.version=1.3
GLX=1.4
accelerate=3.1.5
accum-alpha-size=0
accum-blue-size=0
accum-green-size=0
accum-red-size=0
alpha-size=0
aux-buffers=0
blue-size=8
buffer-size=24
depth=24
depth-size=0
direct=True
display_mode=ALPHA, DOUBLE
double-buffered=True
green-size=8
level=0
max-viewport-dims=16384, 16384
opengl=3.0
pyopengl=3.1.5
red-size=8
renderer=Mesa DRI Intel(R) HD Graphics 3000 (SNB GT2)
rgba=True
safe=True
shading-language-version=1.30
stencil-size=0
stereo=False
success=True
texture-size-limit=8192
transparency=True
vendor=Intel Open Source Technology Center
zerocopy=True

You can also use VNC or other methods of course.

Hope that helps πŸ™‚

EOF

FreeBSD Desktop – Part 16 – Configuration – Pause Any Application

Many desktop oriented operating systems try to provide various usability improvements and features, like quite useful Expose or Dashboard in Mac OS X or useless Tiles concept in recent editions of Microsoft Windows systems.

pause.key.jpg

After using UNIX for so many years I knew that I could freeze (or pause) any process in the system with kill -17 (SIGSTOP) signal and then unfreeze it with with kill -19 (SIGCONT) signal as I described in the Process Management section of the Ghost in the Shell – Part 2 article. Doing it that way for the desktop applications is PITA to say the least. Can you imagine opening xterm(1) terminal and searching for all Chromium or Firefox processes and then freezing them one by one every time you need it? Me neither.

Fortunately with introduction of so called X11 helper utilities – like xdotool(1) – it is now possible to implement it in more usable manner.

Today I will show you how to freeze any X11 application with single keyboard shortcut or mouse gesture if you utilize them in any way with small simple script.

When such feature can be useful (or what for)?

Lets say you have Firefox started with many tabs open (50+) and you know that it drains battery life from your laptop. You can close it but when You will need information from any of those tabs, then You will have to start Firefox again (even more battery usage) and load all needed tabs (battery …). The alternative is to pause all Firefox processes when You do not use them. This will freeze all its processes and subprocesses and it will not use any CPU (or battery) power. When you will need it, then you will unpause it without the need to load all tabs again.

Other example may be some heavy processing. For example you started RawTherapee or Darktable processing of large amount of photos and you are not able to smoothly watch a video. Just pause it, watch the video and unpause it again to finish its work.

Its also usable in single player gaming when You can REALLY pause the game, literally πŸ™‚

You may want to check other articles in the FreeBSD Desktop series on the FreeBSD Desktop – Global Page where you will find links to all episodes of the series along with table of contents for each episode’s contents.

First we need to install the so called X11 helpers. Do that with this pkg(8) command.

# pkg install xprop xdotool zenity xbindkeys

Now for the script that would make all this magic happen. The desktop-pause.sh script is available on GitHub as its syntax is nicely colored there. Save it in some place where its searchable through ${PATH} variable like ~/bin or ~/script directory and make it executable.

% fetch -O ~/scripts/desktop-pause.sh https://raw.githubusercontent.com/vermaden/scripts/master/desktop-pause.sh
% chmod +x ~/scripts/desktop-pause.sh
% echo $PATH | grep scripts
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/home/vermaden/scripts

It has three ways of usage.

% desktop-pause.sh
usage: desktop-pause.sh OPTION [ARGUMENT]

OPTIONS:
  -a  -  Do pause/resume active window.
  -s  -  Do pause/resume interactively selected window.
  -p  -  Do pause/resume specified PID.
  -l  -  Do list paused processes/windows.
  -L  -  Do list paused processes/windows with PIDs.

ARGUMENT:
  PID for '-p' option.

If started with -a option, then it would pause/unpause the currently active window. This option is best used with keyboard shortcut or mouse gesture. It you start desktop-pause.sh script with -s argument, then the cursor will change and you will be able to select which window to freeze (or unfreeze). The -p option is usable in terminal directly as you may want to freeze/unfreeze a process without X11 environment or for some debugging purposes for example. The last -l option will list applications that are currently paused.

pause.key.thinkpad

Most present-day generation laptops have island type limited keyboards so you will have to choose for yourself which keyboard shortcut to use. As I still use 2011 ThinkPad T420s laptop with 7-row keyboard I have little more options. The [Pause Break] key seems to be the best candidate for such feature πŸ™‚ I will use it for the ‘active window freeze/unfreeze’ with -a option and [SHIFT]-[Pause Break] key for the more interactive -s option.

To create such new keyboard shortcut we will use handy xbindkeys(1) tool.

Lets see what code we will have to put into the ~/.xbindkeysrc configuration file.

% xbindkeys --help
xbindkeys 1.8.6 by Philippe Brochard
usage: xbindkeys [options]
  where options are:
  -V, --version           Print version and exit
  -d, --defaults          Print a default rc file
  -f, --file              Use an alternative rc file
  -p, --poll-rc           Poll the rc/guile configs for updates
  -h, --help              This help!
  -X, --display           Set X display to use
  -v, --verbose           More information on xbindkeys when it run
  -s, --show              Show the actual keybinding
  -k, --key               Identify one key pressed
 -mk, --multikey          Identify multi key pressed
  -g, --geometry          size and position of window open with -k|-mk option
  -n, --nodaemon          don't start as daemon

As its single key we will need --key option. Lets do it then.

% xbindkeys --key
Press combination of keys or/and click under the window.
You can use one of the two lines after "NoCommand"
in $HOME/.xbindkeysrc to bind a key.
"(Scheme function)"
    m:0x0 + c:110
    Pause

Now lets read the [SHIFT]-[Pause Break] sequence.

% xbindkeys --key
Press combination of keys or/and click under the window.
You can use one of the two lines after "NoCommand"
in $HOME/.xbindkeysrc to bind a key.
"(Scheme function)"
    m:0x1 + c:110
    Shift + Pause

We now have all needed information for the ~/.xbindkeysrc configuration file. Here is how it looks configured.

% cat ~/.xbindkeysrc

# [Pause Break] FOR ACTIVE WINDOW
"~/scripts/desktop-pause.sh -a"
  Pause

# [Shift]-[Pause Break] FOR INTERACTIVE WINDOW
"~/scripts/desktop-pause.sh -s"
  Shift + Pause

Now lets start xbindkeys(1) and verify that it works.

% xbindkeys

Press the [Pause Break] key when you are in the terminal where you started xbindkeys(1) utility. Now hit [ENTER] several times, the terminal should be frozen. Now hit [Pause Break] key again. The entered [ENTER] keys have been passed to it as it was unfrozen.

Lets check the Firefox example.

When processes run like usual they have on of the I*/S*/R* state like shown below.

% ps ax | grep firefox | grep -v grep
67981  -  S       3:28.66 /usr/local/lib/firefox/firefox -contentproc -childID 58 -isForBrowser -prefsLen 31209 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab
41124  0- S      68:44.94 firefox
43940  0- S      25:52.43 /usr/local/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 27620 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab

When you will now freeze Firefox with [Pause Break] key its processes will have T state.

% ps ax | grep firefox | grep -v grep
67981  -  T       3:28.66 /usr/local/lib/firefox/firefox -contentproc -childID 58 -isForBrowser -prefsLen 31209 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab
41124  0- T      68:45.17 firefox
43940  0- T      25:52.85 /usr/local/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 27620 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab

After you unfreeze them again with [Pause Break] key they will get back to normal I*/S*/R* state.

% ps ax | grep firefox | grep -v grep
67981  -  S       3:28.67 /usr/local/lib/firefox/firefox -contentproc -childID 58 -isForBrowser -prefsLen 31209 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab
41124  0- S      68:45.54 firefox
43940  0- S      25:53.01 /usr/local/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 27620 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab

You may of course specify by hand the Firefox PID which is 41124 in current state.

% desktop-pause.sh -p 41124
INFO: kill -17 41124
INFO: kill -17 67981
INFO: kill -17 43940

The Firefox browser will be paused again.

% ps ax | grep firefox | grep -v grep
67981  -  T       3:28.68 /usr/local/lib/firefox/firefox -contentproc -childID 58 -isForBrowser -prefsLen 31209 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab
41124  0- T      68:46.68 firefox
43940  0- T      25:56.22 /usr/local/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 27620 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab

Use it again to unpause it.

% desktop-pause.sh -p 41124
INFO: kill -19 41124
INFO: kill -19 67981
INFO: kill -19 43940

And viola! Firefox runs again.

% ps ax | grep firefox | grep -v grep
67981  -  S       3:28.68 /usr/local/lib/firefox/firefox -contentproc -childID 58 -isForBrowser -prefsLen 31209 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab
41124  0- S      68:46.72 firefox
43940  0- S      25:56.28 /usr/local/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 27620 -schedulerPrefs 0001,2 -appdir /usr/local/lib/firefox/browser 41124 tab

There are no downsides to this feature but one has to remember paused applications will not refresh themselves as their processes are frozen. Below you can see frozen Epiphany browser upon which the xterm(1) window was moved. Pretty Windows like effect.

epiphany.paused

After you unpause the Epiphany it gets back to normal as shown below.

epiphany.unpaused.png

Remember to add xbindkeys(1) command to your ~/.xinitrc (or ~/.xsession file) to make it permanent.

UPDATE 1

One of the Hacker News users named rhn_mk1 explained the lack of window contents refresh while application is frozen. I will just cite his comment below.

That depends on the window manager. The application state is not really affected, it just stops updating (redrawing its area). When another window moves away, the window manager asks the “underlying” application to update that area of the screen. It’s dead, so the WM keeps displaying the last thing that was there, until something else happens in that spot.

On the other hand, compositing window managers will dedicate a separate buffer to each application, where they have exclusive access. That kind of a window manager would not have to ask the application to update anything – it would just take the image from the dedicated application’s buffer and update the screen with it. Since the application’s buffer can’t be modified by anything else, it would have the last state of the application in it. That would in turn find its way to the screen. No glitches.

UPDATE 2

One of the Reddit users 89luca89 pointed me to the browser-suspender solution that ‘simply suspends the browser when not in focus using STOP/CONT’ signals.

UPDATE 3

The Lobsters user seschwar pointed out that there is Stoppable Layout functionality for XMonad which automatically pauses the processes of all windows except for the active one and it also uses SIGCONT and SIGSTOP signals.

UPDATE 4

One of the Hacker News users named imglorp suggested that my “command could also iconify/minify the app’s windows”.

This is really good idea.

I just added -A and -S options that also minimize a window.

% desktop-pause.sh 
usage: desktop-pause.sh OPTION [ARGUMENT]

OPTIONS:
  -a  -  Do pause/resume active window.
  -A  -  Do pause/resume active window and minimize it.
  -s  -  Do pause/resume interactively selected window.
  -S  -  Do pause/resume interactively selected window and minimize it.
  -p  -  Do pause/resume specified PID.
  -l  -  Do list paused processes/windows.
  -L  -  Do list paused processes/windows with PIDs.

ARGUMENT:
  PID for '-p' option.

Here is the changelog for the desktop-pause.sh script:
https://github.com/vermaden/scripts/commit/03591a138b14cededa15a05fe9c77bf1a941795d

UPDATE 5

Several times I found myself in the situation that I just wanted to ‘resume’ the frozen processes and was not able to do that. For that ‘edge’ case I have added the -r option to RESUME all processes that are frozen currently.

This is how the diff looks like.

pause.resume

The updated script can be found in the same place:
Example output:
% desktop-pause.sh -r
IN: process '29222' resumed.
IN: process '42385' resumed.
EOF