
Linux sandboxing improvements in Firefox 57 - rvern
http://www.morbo.org/2017/11/linux-sandboxing-improvements-in.html
======
alex_duf
I'm so hyped by Firefox 57, haven't felt like that about a web browser since
Firefox 1.5

~~~
kevincox
Why, with the ability to write powerful extensions removed it is basically a
second Chrome now.

I think WebExtensions were a good idea, but removing the raw access is
removing what made Firefox great in the first place. Hopefully they will add
an escape hatch in a future release but I'm not holding my breath. I wonder
how long staying on nightly will allow "legacy" extensions.

But sure, a bit of performance is nice I guess.

~~~
s_kilk
>> but removing the raw access is removing what made Firefox great in the
first place.

The raw access is also what made Firefox slow and cumbersome compared to
Chrome. The recent performance improvements would have been impossible with
the legacy extension apis.

Honestly I think this is a good move.

~~~
kevincox
> The raw access is also what made Firefox slow and cumbersome compared to
> Chrome. The recent performance improvements would have been impossible with
> the legacy extension apis.

This is simply not true as evidenced by the fact that Nightly still has the
legacy extension API and the improved performance.

That being said FF was slowing down to keep extensions compatible. This is why
I think WebExtensions are a good idea. They should be the recommended path with
promised future compatibility. Then FF can not worry as much about refactoring
the internals as there are fewer extensions that would be broken and they
"signed up" for it.

I would rather have a faster FF and have to patch VimFX every couple of
releases than have FF slow down development for fear of breaking things. That
being said losing the extensions that gave FF its magic is not a good
tradeoff in my opinion.

~~~
pitaj
The legacy API is not on nightly. I think they have a similar API in
WebExtension Experiments, but in nightly, legacy add-ons do not work.

~~~
kevincox
[https://wiki.mozilla.org/Add-ons/Firefox57](https://wiki.mozilla.org/Add-ons/Firefox57)

On nightly, extensions.legacy.enabled can be set to allow installation of
legacy extensions.

~~~
jtgeibel
> To assist with performance analysis leading up Firefox 57, in Nightly only
> we are turning off add-ons that require shims.

This was for pre-57 and doesn't apply to 57+.

~~~
andrewshadura
That isn't true, I'm running 58.0a1 nightly with legacy add-ons enabled.

~~~
fbender
The point is that many APIs no longer work even though you can "enable" legacy
addons. Pretty soon, this setting will be a no-op.

------
vermaden
People tend to assume that if Firefox 57 or some other version is faster than
Chrome, then a lot of people would start to use Firefox instead of Chrome.

As much as I would like to see that, it's not gonna happen, and I am writing
this as a Firefox user.

Remember what 'REAL' Opera 12 did in its time compared to Chrome or Firefox?
It loaded pages faster, used less memory, was the most standards compliant and
also came with a bundled torrent client, and mail client and RSS client and ...
and having 100+ tabs opened DID NOT EVEN SLOW IT DOWN!

... and guess what, both Firefox and Chrome had more users while Opera had
about 4-5%.

It did not matter if it was faster or better.

Currently Opera is just Chrome with a different skin, so I moved to Firefox
with Midori and Iridium as 'backups'.

~~~
adwf
I wouldn't be that pessimistic. The key difference is that Firefox used to
have a lot of market share that it lost to Chrome, whereas Opera never really
had any to begin with.

~~~
greenhouse_gas
It had market share when Google gave it free advertising on _every single
Google search_.

------
dm319
Can anyone tell me how secure web browsers are on Linux generally? I was
looking at the Pwn2Own results and was quite impressed with the Edge
compromise that got out of the host OS it was running in. However, I didn't
see any web browsers on Linux being compromised - is that because it is
harder, or no-one bothered?

~~~
lima
Comparable to Windows. Windows is a high-profile target for web browsing so
you're seeing more exploits.

Web browser escapes usually target the operating system kernel in order to
break out of the sandbox. Chrome can reduce its attack surface on Linux using
seccomp, and while there's a win32 syscall filter on Windows 10, I'm not sure
if Chrome uses it. Windows has stronger kernel self protection features than
Linux, but also more attack surface.

Chrome uses Linux namespaces (like LXC/Docker/...) for isolation in addition
to seccomp-bpf.

Chrome is by far the most secure one right now, but as evidenced by this blog
article, Firefox is catching up.

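The seccomp-bpf mechanism lima mentions is worth seeing concretely. The block below is an added example, not Chrome's or Firefox's sandbox code: it builds a minimal classic-BPF syscall filter of the kind a renderer/content process installs, with an architecture check first (the filter's assumed ABI, AUDIT_ARCH_X86_64 or AUDIT_ARCH_AARCH64, is chosen at compile time), a deny-list that makes the listed syscalls fail with EPERM instead of reaching the kernel, and an allow for everything else. A small interpreter for the three cBPF opcodes the builder emits lets the filter's decisions be checked offline before `install_filter` applies it for real through `prctl(PR_SET_SECCOMP)`. The denied syscalls in `main` (`socket`, `chroot`) are an illustrative choice, not Firefox's actual policy. Linux only.

```c
/* Added example (not Chrome's or Firefox's code): a minimal seccomp-bpf
 * syscall filter of the kind a sandboxed renderer/content process installs
 * to shrink the kernel attack surface a sandbox escape would have to go
 * through. Denied syscalls fail with EPERM; a syscall made through a
 * different ABI than the filter was built for kills the process. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64      /* assumption: filter built for the host ABI */
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS           /* pre-4.14 kernel headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define MAX_INSNS 64

struct filter_builder {
    struct sock_filter insns[MAX_INSNS];
    size_t len;
};

static void emit(struct filter_builder *b, struct sock_filter insn)
{
    if (b->len < MAX_INSNS)
        b->insns[b->len++] = insn;
}

/* Build a deny-list filter: each syscall in `denied` returns -EPERM, all
 * others are allowed. Layout: arch check, load nr, one (JEQ, RET) pair per
 * denied syscall, then RET ALLOW. Returns the instruction count. */
static size_t build_filter(struct filter_builder *b, const int *denied, size_t ndenied)
{
    b->len = 0;
    /* Check the ABI first: syscall numbers differ between ABIs, so a filter
     * that skips this step can be sidestepped by switching ABI. */
    emit(b, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                         offsetof(struct seccomp_data, arch)));
    emit(b, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0));
    emit(b, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
    emit(b, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                         offsetof(struct seccomp_data, nr)));
    for (size_t i = 0; i < ndenied; i++) {
        emit(b, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                             (unsigned int)denied[i], 0, 1));
        emit(b, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                             SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)));
    }
    emit(b, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return b->len;
}

/* Interpreter for just the three cBPF opcodes build_filter emits, so the
 * filter's decision for an (arch, nr) pair can be checked without touching
 * the kernel. Jump offsets are relative to the next instruction, as in the
 * kernel. Anything unexpected fails closed. */
static unsigned int eval_filter(const struct filter_builder *b, const struct seccomp_data *d)
{
    unsigned int acc = 0;
    size_t pc = 0;
    while (pc < b->len) {
        const struct sock_filter *in = &b->insns[pc++];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *d)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Decision the deny-list filter makes for syscall `nr` arriving via `arch`. */
static unsigned int decision_for(const int *denied, size_t ndenied, unsigned int arch, int nr)
{
    struct filter_builder b;
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    build_filter(&b, denied, ndenied);
    return eval_filter(&b, &d);
}

/* Install the filter in the calling process; it cannot be removed afterwards. */
static int install_filter(struct filter_builder *b)
{
    struct sock_fprog prog = { .len = (unsigned short)b->len, .filter = b->insns };
    /* Required for unprivileged callers: keeps setuid programs from being
     * run under a filter chosen to make them misbehave. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    /* Illustrative deny-list, not Firefox's policy. */
    const int denied[] = { __NR_socket, __NR_chroot };
    struct filter_builder b;
    build_filter(&b, denied, sizeof denied / sizeof denied[0]);
    if (install_filter(&b) != 0) {
        perror("seccomp");
        return 1;
    }
    if (socket(AF_INET, SOCK_STREAM, 0) == -1)
        printf("socket() blocked by filter: %s\n", strerror(errno));
    else
        puts("socket() allowed");
    return 0;
}
```

Run as an unprivileged user; after the filter is installed, `socket()` returns EPERM without the kernel's socket code ever executing, which is the attack-surface reduction the comment above describes. Real sandboxes go further (argument checks, a broker process for the few file or network operations the content process legitimately needs), but the arch check and fail-closed default shown here are the parts that must not be omitted.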
~~~
ryuuchin
Chrome disables all win32k syscalls in its renderer/extension/plugin processes
(at the very least flash and pdf). This has been the default for a while now.

I believe the specific win32k syscall filter you're referring to (where you
can white/black list specific syscalls) is still only accessible to Microsoft
applications (Edge uses it).

------
beefhash
I feel like I should point out that Firefox won't be getting backported to
Debian stable[1]. Until the next Debian stable, it seems that Firefox ESR 52
will be the only version of Firefox.

[1] [https://mozilla.debian.net/](https://mozilla.debian.net/)

~~~
MrRadar
Doesn't Debian follow the ESR releases for their stable branches? E.g. when
support for ESR 52 ends they'll upgrade stable releases to ESR 59?

~~~
beefhash
Normally, yes. However, something on that page concerns me:

"Jessie and Stretch backports of Firefox release and beta are gone because of
the requirement of rust to build them, which is not available in Jessie or
Stretch. Please update your apt sources to use Firefox ESR instead."

I'm not sure how that Rust requirement and ESR 59 will play together; I'll
assume they won't play together very well.

------
k__
OT: Do the Quantum changes get into the Android version or is this a completely
different software?

~~~
r3bl
There's a planned Photon redesign that already landed in Nightly on Android,
but, if I remember correctly, it won't make it on time for 57 desktop version
(probably around 58 mark). I am not familiar with the other improvements.

Disclaimer: Affiliated with Mozilla, but not with the Firefox team.

~~~
abrowne
It's rolled out to Firefox _beta_ (so yes, version 58) on Android now. (FWIW
I've used beta for years and very rarely had any issues.)

------
shmerl
_> We could not block the web content rendering entirely from reading the
filesystem because Firefox still uses GTK directly - we draw webpage HTML
widgets using the same theming as the native desktop._

Is there a way to build Firefox without GTK? For example for something like
Plasma Mobile? It would be good if there was some fallback mode where Firefox
would render UI elements using HTML itself, without relying on UI toolkits.

~~~
Sylos
I don't fully understand this, but I think this is a lot more complicated than
it might seem. Because well, you'd first of all need to set up a separate
Gecko instance to render the UI, which isn't fundamentally different from what
they're doing with tabs, but still an architectural change.

Well, and then you'd probably run into security restrictions, as under normal
circumstances, you don't ever want something from inside Gecko to communicate
with extensions and probably other things, but for this you need that
capability.

Having said that, Mozilla is actually exploring in this direction:
[https://github.com/browserhtml/browserhtml/blob/master/README.md](https://github.com/browserhtml/browserhtml/blob/master/README.md)

And presumably, this is the future, as it would also allow them to get rid of
the XUL UI Toolkit, meaning they can entirely focus on core browser
technologies. (Which is something different from the XUL/XPCOM extension API
that they're deprecating on Tuesday.)

~~~
toyg
I have to say though, having chrome that is virtually indistinguishable from a
webpage is a phisher's dream. You also lose 25 years of low-level graphic
development in platform toolkits, which likely means losing _a lot_ of
performance.

~~~
shmerl
The alternative would be maintaining many toolkit backends. We already see how
well that worked out. The Qt backend hasn't been maintained in a while, and fell
into bit rot. That basically prevents Firefox from being used on Plasma Mobile
and the like. Having an HTML backend is better than having none at all.

------
WalterGR
How does this compare to IE's Protected Mode, Enhanced Protected Mode, and
Edge's execution in an app container?

------
ComodoHacker

    security.sandbox.content.read_path_whitelist

Are extensions allowed to change that?

~~~
Manishearth
Not WebExtensions (which are the only kind of extension allowed on Firefox 57+
unless you change another pref).

I mean, Firefox even has a
`security.turn_off_all_security_so_that_viruses_can_take_over_this_computer`
pref (used in testing; you won't see it in about:config but IIRC you can
manually add it. Don't.). Prefs that break security are not new :)

~~~
ComodoHacker
Oh, really? I hope not in production builds, at least.

Defense in depth concept is not new either.

~~~
Manishearth
You also need an environment variable to be set for it to work.

But yes, it seems to be something you can flip in production. The argument
being that if you're in a position to flip prefs you already can break
security in a million ways. It's not something you can accidentally flip
either.

(The pref doesn't actually "let viruses take over the computer", it just turns
off all the security checks)

~~~
madez
I feel like having a global switch for all security checks is already not a
good idea.

~~~
bugmen0t
It's unlikely to be abused by an attacker, if it requires starting Firefox
with a certain environment variable. Chrome has the same thing with a command
line switch.

Useful for some internal unit/integration tests for release and test builds,
but really dangerous when pointed to the web.

------
nimbius
I've not been inclined to use this browser since they started with Pocket,
moved to offering a voice and video chat service, forced PulseAudio as a
mandatory dependency and eventually enacted mandatory opt-in telemetry in the
browser.

Sandboxing is great, but if the site is spooky enough I'm just going to load it
in elinks/lynx and grok the text. Chromium also has sandboxing, and if you're
really paranoid enough, surf from suckless.org is a WebKit-style do-it-
yourself browser that's fairly reliable.

