Firefox profiles versus Firejail profiles #6916
Boruch-Baum started this conversation in Ideas
Replies: 0 comments
Hi. This topic started as a question or feature request, but it needs to be preceded by a terminology observation.
Firejail refers to collections of rules as 'profiles'.
Firefox refers to isolated environments as 'profiles'.
So, when I did my due-diligence and attempted to search GitHub issues and discussions regarding how to use firejail rules to control access to firefox profiles, the search engines all conflated the two meanings of 'profile' and gave me useless search results.
So, with that in mind, here's my discussion opener / issue / question / feature request:
Firefox users who care about their privacy (even if they are not using firejail at all) are apt to be using firefox (not firejail) profiles to isolate the access certain categories of websites have to the cookies and other browser information of other categories of websites. All the data for each profile is stored in a dedicated directory (for Linux it is ~/.mozilla/firefox/profiles/foo).
In order for firefox to function within a firejail sandbox, it needs access to the firefox profile directory being used, but has no legitimate reason to access the other firefox profile directories. In fact, if it is possible for a malicious web page or extension to read the contents of the .mozilla/firefox tree, it could snarf up any data from any other firefox profile.
While I don't have a proof-of-concept of a remote exploit for this, you can easily see this for yourself locally:
1) Create a second firefox profile, if you don't already have one;
2) From within firefox, type Ctrl-o (open file);
3) Type Ctrl-h to reveal hidden folders;
4) Navigate to $HOME/.mozilla/firefox/profiles;
5) Enter the directory for the not-currently-being-used profile;
6) See, open, examine any file you like in that other firefox profile.
The way users typically select a firefox profile, AFAIK, is to run 'firefox -P' and select from the list. That's how I have been using it in conjunction with firejail. In such a case, there is no way for firejail to know in advance which firefox profile the user is going to select, so is there a way for firejail to get information during run-time of the sandbox to apply a new rule to that sandbox? In other words, somehow detect the user's choice, and blacklist access to other firefox profiles.
It might be possible if firejail has a mechanism to observe the files being accessed by a process. Firejail could note the access to some contents of one of the firefox profile directories. That would definitely indicate the profile chosen by the user. Then the issue would be whether firejail could blacklist access to the sister directories during run time.
I'm not familiar with other browsers to know whether the issue is relevant beyond firefox, but even so, firefox and its forks are popular choices among privacy conscious people, so I thought it would be worth exploring this.
An alternative method
I can think of a work-around that seems to me ought to work but involves manual work for each and every firefox profile that any particular user has.
Create a separate .desktop file for each firefox profile
$ cd ~/.local/share/applications
$ cp firefox.desktop firefox-profile-{foo,bar}.desktop
Modify each desktop file to:
One disadvantage with this approach is that users lose the ability to launch firefox with a single keybinding. This could be avoided by associating the keybinding with a shell script that selects which .desktop file to run.
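One way to script the per-profile launch described in the post above, added here as an example and not code from the post or from the firejail project: it reads profiles.ini and starts one named Firefox profile under firejail with every other profile directory passed to --blacklist. The function names and the FIREFOX_DIR and DRY_RUN variables are hypothetical, and it assumes that a missing IsRelative key means a relative path and that --blacklist takes effect alongside firejail's stock firefox profile.

```shell
#!/bin/sh
# Added example, not firejail's own code: start Firefox profile NAME under
# firejail with every other Firefox profile directory blacklisted.

# list_profiles INI BASE: print "name<TAB>directory" for each [ProfileN] section.
list_profiles() {
    awk -v base="$2" '
        function emit() {
            if (inprof && name != "" && path != "")
                printf "%s\t%s\n", name, (rel == "0" ? path : base "/" path)
            name = ""; path = ""; rel = "1"   # assumption: relative unless IsRelative=0
        }
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^\[/          { emit(); inprof = ($0 ~ /^\[Profile[0-9]+\]$/) }
        /^Name=/       { name = substr($0, 6) }
        /^Path=/       { path = substr($0, 6) }
        /^IsRelative=/ { rel = substr($0, 12) }
        END            { emit() }
    ' "$1"
}

# blacklist_args INI BASE NAME: one "--blacklist=DIR" line per profile other
# than NAME; non-zero exit status if NAME is not listed in INI.
blacklist_args() {
    list_profiles "$1" "$2" | awk -F '\t' -v want="$3" '
        ($1 "") == (want "") { found = 1; next }   # force string comparison
        { print "--blacklist=" $2 }
        END { exit !found }'
}

# launch NAME: run firejail (or, with DRY_RUN=1, print one argument per line).
launch() {
    base="${FIREFOX_DIR:-$HOME/.mozilla/firefox}"
    args=$(blacklist_args "$base/profiles.ini" "$base" "$1") || {
        echo "unknown Firefox profile: $1" >&2; return 1; }
    old_ifs=$IFS; IFS='
'
    set -f; set -- "$1" $args; set +f; IFS=$old_ifs   # split on newlines only
    chosen=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' firejail "$@" firefox -P "$chosen"
    else
        exec firejail "$@" firefox -P "$chosen"
    fi
}

# Act as a launcher only when given a profile name, e.g. from a .desktop Exec= line.
[ $# -eq 0 ] || launch "$1"
```

Each per-profile .desktop file, or the keybinding script, can call this with the profile name as its only argument.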