Jailing Firefox .....Getting error .... Can't proceed

[T-Daemon]

Have you mounted the hosts X unix socket to the jail?

# mount_nullfs /tmp/.X11-unix /zroot/jails/firefox/root/tmp/.X11-unix

 

[john_rambo]

Have you mounted the hosts X unix socket to the jail?

# mount_nullfs /tmp/.X11-unix /zroot/jails/firefox/root/tmp/.X11-unix

Now Firefox is launching but web pages are not loading.

 

[T-Daemon]

In /etc/rc.conf:

cloned_interfaces="lo1"

#delete ifconfig_lo1_aliases="10.0.0.1-6/29", set

ipv4_addrs_lo1="10.0.0.1-6/29"

 

[john_rambo]

In /etc/rc.conf:

cloned_interfaces="lo1"

#delete ifconfig_lo1_aliases="10.0.0.1-6/29", set

ipv4_addrs_lo1="10.0.0.1-6/29"

hostname="home"
ifconfig_re0="DHCP"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
kld_list="i915kms"
pf_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="asia.pool.ntp.org"
cloned_interfaces=lo1
##ifconfig_lo1_aliases="10.0.0.1-6/29"

ipv4_addrs_lo1="10.0.0.1-6/29"

Still webpages are not loading

 

[T-Daemon]

Have you restarted the hosts netif service?

# service netif restart

 

[john_rambo]

Finally its working ! Which commands will have to enter after each boot ?
Also, is there a way to copy my existing .mozilla folder to the Jail ?

 

[T-Daemon]

Which commands will have to enter after each boot ?

Following will suffice:

# mount_nullfs /tmp/.X11-unix  /zroot/jails/firefox/root/tmp/.X11-unix

# xhost +

Also, is there a way to copy my existing .mozilla folder to the Jail ?

Sure, just cp -r .mozilla host to jail/firefox user and chown -R firefox:firefox jail/firefox/.mozilla.

Also have a look at the chapter "A few gotchas for maintainance" in the wiki, especially about updating the system.

Previously the file system was set to read/write, revert to read-only, after system update:

# zfs set readonly=on zroot/jails/firefox/root

 

[john_rambo]

Following will suffice:

# mount_nullfs /tmp/.X11-unix  /zroot/jails/firefox/root/tmp/.X11-unix

Sure, just cp -r .mozilla host to jail/firefox user and chown -R firefox:firefox jail/firefox/.mozilla.

Also have a look at the chapter "A few gotchas for maintainance" in the wiki, especially about updating the system.

Previously the file system was set to read/write, revert to read-only, after system update:

# zfs set readonly=on zroot/jails/firefox/root

Old profile successfully copied to jail.
About maintanance I did jexec -l firefox then freebsd-update fetch and pkg update/pkg upgrade. After the process complete I set the filesystem of the Jail to read only again.

I will start using the jailed Firefox from today & see if I face any issues. In case of any complications I will write back here.

Thanks a lot.

 

[john_rambo]

T-Daemon
I use multiple profiles of Firefox. I had edited the Firefox launcher and made the exec line look like this

Exec=firefox -P

Suppose I am working on the profile named Work and I want to use the profile Social all I do is click on the (edited) Firefox icon and a Profile Selector window appears and I select Social.

How do I do this for the Firefox which is running inside this Jail ?

At the moment I am closing FF which is terminating the jail automatically and then I then starting the jail again which is launching the Profile Selector.

Problem is while using a specific profile I cant launch another profile.

 

[Cath O'Deray]

… for the Firefox which is running inside this Jail ? …

I guess that for this, you need not think about jailing. Simply:

1. about:profiles
2. aim
3. click Launch profile in new browser
   

 

[T-Daemon]

Problem is while using a specific profile I cant launch another profile.

You can launch another Firefox session in the same jail using jexec(8):

NAME
     jexec – execute a command inside an existing jail

SYNOPSIS
     jexec [-l] [-u username | -U username] jail [command ...]

Execute from jailed environment as user 'firefox', inside jail 'firefox', command 'firefox -P <profile>':

# jexec -U firefox firefox firefox -P Social

This can be wrapped on the host in a script, combined with sudo/doas/super to be executable as normal user, saved in a users ~/bin directory, executed from command line or clickable Firefox icon, menu item, etc.

 

[Cath O'Deray]

Also, you might like Open With.

I have it set to work with a number of profiles and configurations:

 

[T-Daemon]

Which commands will have to enter after each boot ?

Following will suffice:

# mount_nullfs /tmp/.X11-unix /zroot/jails/firefox/root/tmp/.X11-unix

I see in the wiki that can be automated as well:

A few gotchas for maintenance
   ...
   3. The X unit socket will have to be re-mounted after reboot, ZFS datasets are mounted automatically.
      An exec.prestart could be added to the jail's config (jail.conf):
      
exec.prestart = "mount | grep ' on /zroot/jails/${name}/root/tmp/.X11-unix` || mount_nullfs /tmp/.X11-unix /zroot/jails/${name}/root/tmp/.X11-unix"

Remains xhost + executed only.

 

[john_rambo]

T-Daemon
Every time I want to launch the Firefox inside Jail I need to use su and then run
jail -c firefox which starts the jail with the default profile and then in order to launch the Firefox Profile Chooser window I do
jexec -U firefox firefox firefox -P.

I want to create an icon on the desktop clicking on which will launch the Profile Chooser window of Firefox running inside this jail without using su. How do I do that ?

Note(1): The command jexec -U firefox firefox firefox -P only works after using the jail -c firefox command. Otherwise it complains that the jail is not running.

Note(2): I have not installed or configured sudo. When I need root privileges I use su.

 

[john_rambo]

T-Daemon
While using this jailed Firefox whenever I want to download a file or even save a jpg image the Firefox window just vanishes instantly with the following error

Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Segmentation fault

Q1) The official guide says to make the jail read only. This is for security, right ? So do you have any tricks about what I can do when I want to download a file ? Any temporary measure I can take ? After the download is finished I will revert it back to read only.

Q2) I do understand that Jails have their own separate base and its isolated from the host so my plan is to copy downloaded files from the jail's filesystem to host's /home/username/. Is this possible ?

 

[Cath O'Deray]

… jail read only … any tricks about what I can do when I want to download a file ? …

tmpfs(5), maybe?

---

Jails aside, I do often download to my

tmpfs on /tmp (tmpfs, local)

 

[john_rambo]

grahamperrin
I read that man page but how to implement that in a Jail frankly I have no idea.

 

[Cath O'Deray]

One of these, maybe? In no particular order:

• <https://serverfault.com/a/678708/91969>
• <https://github.com/sebcat/small-freebsd-jails#nullfs-tmpfs>
• <https://forums.freebsd.org/threads/47691/> post 5 in particular
• <https://forums.freebsd.org/threads/62192/>

All via <https://www.google.com/search?q=tmpfs+jail+FreeBSD&tbs=li:1#unfucked>

 

[john_rambo]

grahamperrin
The thing is I am not really sure if tmpfs is needed for this. My reasoning is if you read this post I was able to copy my Firefox profile (.mozilla) from the host to the jail. So if that's possible the opposite should be possible too. I mean once the download is complete I open a terminal cd into the jail's Downloads folder and copy the file to the host.

 

[Cath O'Deray]

… I was able to copy my Firefox profile (.mozilla) from the host to the jail. …

Understood, thanks, however (please correct me if I'm wrong) that was with a jail not read-only.

In the jail: is your preference to always save to a preset path, or always ask?



If preset: what's the path?

(To help understand the segmentation fault.)

 

[john_rambo]

Understood, thanks, however (please correct me if I'm wrong) that was with a jail not read-only.

In the jail: is your preference to always save to a preset path, or always ask?

View attachment 13062

If preset: what's the path?

(To help understand the segmentation fault.)

No path is set. Its "Always ask you where to save files". I tried changing it to ~/Downloads and just as an experiment as soon as I tried saving the image you attached Firefox vanished like before.

Note : When I press CTRL+O same thing happens. Firefox just disappears.

 

[T-Daemon]

Every time I want to launch the Firefox inside Jail I need to use su and then run
jail -c firefox which starts the jail with the default profile and then in order to launch the Firefox Profile Chooser window I do
jexec -U firefox firefox firefox -P.

I want to create an icon on the desktop clicking on which will launch the Profile Chooser window of Firefox running inside this jail without using su. How do I do that ?

Install security/doas, edit /usr/local/etc/doas.conf

permit nopass <user name> as root cmd jail

In host users home directory, create ~/bin dir, create file, e.g. startjailfirefox:

#!/bin/sh

xhost +
doas jail -c firefox

Make script executable:

# chmod 700 startjailfirefox

Edit /zroot/jails/firefox/root/home/firefox/run-firefox, add '-P' option

/usr/local/bin/firefox -P > /dev/null &

For launcher (icon) on desktop search in your DE's/WM's documentation, point the execution of the program (shell script in this case) to ~/bin/startjailfirefox.

While using this jailed Firefox whenever I want to download a file or even save a jpg image the Firefox window just vanishes instantly with the following error

Apparently pixel buffers from icon themes are not rendered/cached, I don't know exactly. Because of this error Firefox core dumps. In user firefox's home you might find a more or less big core file.

Reinstalling following package should correct. Execute from host:

# pkg -c /zroot/jails/firefox/root install -f gdk-pixbuf2

Q1) The official guide says to make the jail read only. This is for security, right ? So do you have any tricks about what I can do when I want to download a file ? Any temporary measure I can take ? After the download is finished I will revert it back to read only.

Only the jails root dataset is read only. The jails home dataset and following automatically created directory and sub-directory firefox/Downloads are writable:

# zfs get -r readonly zroot/jails/firefox
NAME                      PROPERTY  VALUE   SOURCE
zroot/jails/firefox       readonly  off     default
zroot/jails/firefox/home  readonly  off     default
zroot/jails/firefox/root  readonly  on      local
zroot/jails/firefox/tmp   readonly  off     default
zroot/jails/firefox/var   readonly  off     default

Q2) I do understand that Jails have their own separate base and its isolated from the host so my plan is to copy downloaded files from the jail's filesystem to host's /home/username/. Is this possible ?

Yes. One possible solution:

Example setup (host):

# zfs create zroot/jails/Shared
# zfs set setuid=off exec=off zroot/jails/Shared

# mkdir /zroot/jails/firefox/root/home/Shared
# chmod 777 /zroot/jails/firefox/root/home/Shared

Host /etc/jail.conf

firefox {
         ...
         exec.prestart = "mount | grep home/Shared || mount_nullfs /zroot/jails/Shared /zroot/jails/${name}/root/home/Shared";
         ...

Start jail, set in Firefox setting "Save files to /home/Shared".

Make of the /zroot/jails/Shared directory a symbolic link in the host users directory where the jail has been started, a bookmark/shortcut in a file browser, etc.

 

[john_rambo]

T-Daemon
All issues solved leaving the shared folder but I want solve that after sometime.

This is the list of commands needed for jailing Firefox. Can you please have look and tell me if I have missed anything ?

zfs create -o compress=lz4 -o atime=off zroot/jails
zfs create zroot/jails/basejail
fetch https://download.freebsd.org/releases/amd64/13.0-RELEASE/base.txz ; tar xf base.txz -C /zroot/jails/basejail
env PAGER=cat freebsd-update -b /zroot/jails/basejail fetch install
Configure inside jail /etc/resolv.conf
zfs snapshot zroot/jails/basejail@latest
zfs create zroot/jails/firefox
zfs clone zroot/jails/basejail@latest zroot/jails/firefox/root
zfs create zroot/jails/firefox/var
zfs create zroot/jails/firefox/tmp
zfs create zroot/jails/firefox/home
rsync -a /zroot/jails/firefox/root/var/ /zroot/jails/firefox/var/
zfs set mountpoint=/zroot/jails/firefox/root/var zroot/jails/firefox/var
zfs set mountpoint=/zroot/jails/firefox/root/tmp zroot/jails/firefox/tmp
zfs set mountpoint=/zroot/jails/firefox/root/usr/home zroot/jails/firefox/home
zfs set setuid=off exec=off zroot/jails/firefox/var
zfs set setuid=off exec=off zroot/jails/firefox/tmp
zfs set setuid=off exec=off zroot/jails/firefox/home
pkg -c /zroot/jails/firefox/root install firefox xauth liberation-fonts-ttf
pkg -c /zroot/jails/firefox/root install -f gdk-pixbuf2


### ON HOST

/etc/jail.conf

allow.nomount;
exec.clean;
mount.devfs;
host.hostname = "$name.your-host-name.lan";
path = "/zroot/jails/${name}/root";
#securelevel = 3;

firefox {
    ip4.addr = "10.0.0.2";
    #exec.start = "/bin/sh /home/firefox/run-firefox";
    #exec.jail_user = "firefox";
    persist;
    devfs_ruleset = 5;
}




At this point, we comment out the exec. directives, and uncomment the persist directive because we want to get inside the jail with no processes running, to bootstrap it. But before we do that, there are two more undefined items here, the devfs ruleset and jail's ip address. So, let's handle those first.

Configure inside jail /etc/resolv.conf













ON HOST
# cat /etc/jail.conf                   
/etc/jail.conf
allow.nomount;
exec.clean;
mount.devfs;
host.hostname = "$name.your-host-name.lan";
path = "/zroot/jails/${name}/root";
#securelevel = 3;

firefox {
    ip4.addr = "10.0.0.2";
    #exec.start = "/bin/sh /home/firefox/run-firefox";
    #exec.jail_user = "firefox";
    persist;
    devfs_ruleset = 5;
}

ON HOST

 # /etc/rc.conf

#
# Among other thigns you set up in rc.conf, the following is minimum required for jail networking.
#
# We use the 10.0.0.0/29 range just as an example for up to 6 jails
#
cloned_interfaces=lo1
ifconfig_lo1_aliases="10.0.0.1-6/29"

# And this to enable pf rules for NAT
pf_enable="YES"
pf_rules="/etc/pf.conf"
ON HOST

# /etc/pf.conf

extif = "re0"
intif = "lo1"
set skip on lo
set state-policy if-bound
nat on $extif inet from ($intif) to ! ($intif) -> ($extif)
block all
pass out proto { tcp udp } to port { 53 80 443 995 6697 123 }
pass out inet proto icmp icmp-type { echoreq }








ON HOST

# /etc/devfs.rules

[devfsrules_desktop_jail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'mixer*' unhide
add path 'dsp*' unhide


# Start the jail
jail -c firefox

# jexec into it (the commands listed here after this are done inside the jail)
jexec -l firefox

# First, create a user for firefox (note the exec.jail_user = "firefox" in the jail.conf, so that's the user)
pw useradd firefox -w random -m

# Write out the "init" script (note the exec.start path in jail.conf, so that's the init script)
cat << EOF > /home/firefox/run-firefox
#!/bin/sh

export DISPLAY=:0.0
/usr/local/bin/firefox > /dev/null &
EOF

# We did all this as root, so:
chown firefox:firefox /home/firefox/run-firefox
chmod u+x /home/firefox/run-firefox

# Prepare the mountpoint for host's X unix socket
mkdir /tmp/.X11-unix
chmod 777 /tmp/.X11-unix

# Done!
Exit
We stop the jail with jail -r firefox, uncomment the exec. bits from jail.conf, comment the persist bit, and the jail is almost ready to run.





ON HOST
Allow jails to talk to xorg
xhost +

# Mount the host's X unix socket into the jail
mount_nullfs /tmp/.X11-unix /zroot/jails/firefox/root/tmp/.X11-unix

# And finally make the jail's root readonly:
zfs set readonly=on zroot/jails/firefox/root

We start firefox by starting the jail itself:
Toggle line numbers
jail -c firefox

ON HOST

Install security/doas, edit /usr/local/etc/doas.conf

permit nopass <user name> as root cmd jail

ON HOST

In host users home directory, create ~/bin dir, create file, e.g. startjailfirefox

#!/bin/sh

xhost +
doas jail -c firefox

Make script executable

# chmod 700 startjailfirefox

ON HOST

Edit /zroot/jails/firefox/root/home/firefox/run-firefox, add '-P' option

For launcher (icon) on desktop search in your DE's/WM's documentation, point the execution of the program (shell script in this case) to ~/bin/startjailfirefox
## Update Jail
freebsd-update -b /zroot/jails/basejail fetch install

 

[T-Daemon]

Looks good, only

cloned_interfaces=lo1
ifconfig_lo1_aliases="10.0.0.1-6/29"

should be

ipv4_addrs_lo1="10.0.0.1-6/29"

and

export DISPLAY=:0.0
/usr/local/bin/firefox > /dev/null &

should be

/usr/local/bin/firefox -P > /dev/null &

 

[john_rambo]

T-Daemon
I have applied the arkenfox custom user.js in one of my Firefox profiles. The arkenfox user.js uses a script called updater.sh for updating the script. When I cd into the Firefox's profile folder which is inside the Jail I am getting

$ pwd
/zroot/jails/firefox/root/home/firefox/.mozilla/firefox/hpd0xx49.default-release

$ ./updater.sh
sh: ./updater.sh: Permission denied

How do I run this script ?