jails and browsers

Hello everyone,

I do not want to post in the wrong forum so I picked off-topic. I am sorry if this is also wrong.

I found a webpage that has instructions for running a browser in a jail:

The guide states that it works in FreeBSD 14. I tried it today but I get errors in a couple of places and Firefox will not launch (display environment variable not specified error.) For one thing, the first zfs command fails in my FreeBSD with an error (-o compres=lz4). I just typed what the person has in the guide but I think that we are supposed to have shared folders on the host and in the jail (with the same name). The handbook shows zfs create commands to make directories but he is using mount += commands. I'd like to know how to correct this guide and make it work. I can understand basic French and I have a Downloads folder (Telechargements) but I skipped the Public directory. How can I get xorg to launch with Firefox instead of receiving the display variable error?

Thank you for taking time to read. I hope that you have a pleasant day,
John
 
Nah, you're good with offtopic IMO.. In fact, just my 2 cents (!) but kudos on being mindful in my book!

Now, I'm not gonna read all that but... running a browser inside a jail shouldn't be much of an issue. But running an X server otoh... that's a whole different beast and probably the thing which is going wrong here. I mean... easily proven: install www/lynx in a jail, give it a try, done.

Anywhoo... I am not fluent with X but .. in this situation I'd go for forwarding. So: have the process running on the host while sending all the graph data to the client. This is a good read I think:

 
Hello ShelLuser and rbranco,

Thank you for the replies, I appreciate you taking time to help a newbie :)

The link is a good read, thank you. I look at it this way: at least I have gained more experience working with jails and that is a positive experience. I got my first taste of jails and I did it correctly. That stubborn xorg doesn't want to play nice but that is okay. I understand the concept in this situation and it is indeed tricky on the programming side. I'll keep reading about this subject but for now, I am happy to have learned something new.

rbranco, podman as root is not a good idea but I appreciate the wisdom. I did not know about podman or docker, so I learned something new from your post. The wheel of wisdom keeps on rollin' and that is a good thing for all newbies.

Much appreciated! I am hoping that FreeBSD includes unveil(2) in future versions and that will be just as good as jail in many aspects of privacy.

I hope that you find time to relax and enjoy the day :)
 
Hi NapoleanWilson,

Wow! More than I expected. I will run this code as soon as possible and let you know how it goes. I'm sorry for the late reply. I have been quite busy today. I promise to build this jail and test the code. But I still want to learn how to do it on my own, so your code is very helpful to get an understanding of this process. Much appreciated :)

Jails are somewhat easy and difficult at the same time,
John
 
hi mate, no problem

take it step by step
slow and steady wins the race

read the man pages for the commands as you go along
and refer to the handbook

always a good idea to know what commands do before you press return

any problems give me a shout
 
Works great! I am happy that you are a FreeBSD user and a member of this community. Thank you, NapoleanWilson. I appreciate you very much. You are a smart individual and your wisdom helps newbies like me :)

So aside: I wonder why no one is using VirtualBox or Bhyve over jails in a desktop/laptop setting? I would rather use VirtualBox or Bhyve for gui apps and keep jails for non-gui server purposes. Is this not acceptable? The jails are great but it seems to be a bit of work compared to installing a virtual system. One can always save the virtual drive and drag-and-drop to a clean start.

Anyway, your jail work is amazing. I think that you should carry a nickname as The Warden :)

Thanks x decillion, NapoleanWilson. You are Awesome!
 
jails let you use the wayland or the x11 socket so the application is displayed on the host's screen and uses the gpu.

bhyve doesn't let you use the wayland or x11 socket the same way,
and you have to use a vnc connection instead which isn't as good, also to use the gpu with bhyve you need 2 gpus
so you can pass one through to the bhyve vm and use the other one on the host

so jails are better for running gui applications
 
Hello!

I’m currently experimenting with Firefox and Ungoogled-Chromium in a Jail with X11, and I have questions :)

In FF, what do you read on the «about:support» page about those items?

WebGL 1 Driver Renderer
WebGL 2 Driver Renderer
GPU #1 Description
HARDWARE_VIDEO_DECODING

Inside my jail, FF displays:

WebGL 1 Driver Renderer: Mesa -- llvmpipe (LLVM 19.1.7, 256 bits)
WebGL 2 Driver Renderer: Mesa -- llvmpipe (LLVM 19.1.7, 256 bits)
GPU #1 Description: llvmpipe (LLVM 19.1.7, 256 bits)
HARDWARE_VIDEO_DECODING:
default: available,
user: force_enabled, Force enabled by pref,
env: blocklisted, Blocklisted by gfxInfo, Blocklisted; failure code FEATURE_FAILURE_VIDEO_DECODING_TEST_FAILED
runtime: unavailable, Force disabled by gfxInfo, Blocklisted; failure code FEATURE_FAILURE_VIDEO_DECODING_TEST_FAILED

On the host, I have:

WebGL 1 Driver Renderer: AMD -- AMD Radeon 780M Graphics (radeonsi, gfx1103_r1, LLVM 19.1.7, DRM 3.49, 14.4-RELEASE-p6)
WebGL 2 Driver Renderer: AMD -- AMD Radeon 780M Graphics (radeonsi, gfx1103_r1, LLVM 19.1.7, DRM 3.49, 14.4-RELEASE-p6)
GPU #1 Description: AMD Radeon 780M Graphics (radeonsi, gfx1103_r1, LLVM 19.1.7, DRM 3.49, 14.4-RELEASE-p6)
HARDWARE_VIDEO_DECODING:
default: available,
user: force_enabled, Force enabled by pref,
env: blocklisted, Blocklisted by gfxInfo, Blocklisted; failure code FEATURE_FAILURE_VIDEO_DECODING_TEST_FAILED
runtime: unavailable, Force disabled by gfxInfo, Blocklisted; failure code FEATURE_FAILURE_VIDEO_DECODING_TEST_FAILED

thanks!
 
Why are you jailing a browser?
Once that jail has all the permissions it needs to have a 2026 web experience it has absolutely no security benefits over a limited user account.

This is akin to the security case of the Steam client, install it and you rely on Valve to do their part to not let some of tens of thousands of hosted stuff there make havoc on your machine. The people who 'port' Steam to FreeBSD rightfully advise the user to run this under a different user account.

If Steam was jailed it would need added access to the video hardware and that means direct access to kernel memory, plus the window server socket, tmpfs and so on.

The primary concern of jails is filesystem and network isolation. These are the virtualized/abstract kernel subsystems, exactly for the reason of hierarchical control of resources. Graphics isn't. Sharing that kernel facility to jails breaks the model. The jail becomes just a fat, managed chroot.

Then again, a limited user account for a daily driving browser is no security benefit because 99% of the browser exploits go for the browser storage, they do not expect to break the OS sandbox. 99% of web clients are sandboxed by virtue of the underlying OS such as Windows, Android, Mac. The FreeBSD handbook spends zero words on browser isolation.
 
Hi Mate

this is what i have

Code:
HARDWARE_VIDEO_DECODING   
default    available       
user    force_enabled    Force enabled by pref   
runtime    unavailable    Force disabled by gfxInfo    Blocklisted; failure code FEATURE_FAILURE_VIDEO_DECODING_TEST_FAILED

I use these settings in a user.js file I add to the firefox profile directory

Code:
// Mozilla User Preferences

user_pref("gfx.webrender.all", true);
user_pref("media.hardware-video-decoding.force-enabled", true);

which you can also set using about:config

those give me hardware accelerated video
 
I'm actually running Firefox in a Rocky Linux podman container

Podman containers are actually jails on FreeBSD


This is the project


and the output from Firefox in the Podman container

WebGL 1 Driver Renderer Mesa -- llvmpipe (LLVM 21.1.8, 256 bits)
WebGL 2 Driver Renderer Mesa -- llvmpipe (LLVM 21.1.8, 256 bits)

GPU #1
Active Yes
Description llvmpipe (LLVM 21.1.8, 256 bits)
Vendor ID Mesa
Device ID llvmpipe (LLVM 21.1.8, 256 bits)
Driver Vendor mesa/llvmpipe
Driver Version 25.2.7.0
RAM 0

Which is done with these settings I mentioned earlier for the user.js

Code:
// Mozilla User Preferences

user_pref("gfx.webrender.all", true);
user_pref("media.hardware-video-decoding.force-enabled", true);
 
So aside: I wonder why no one is using VirtualBox or Bhyve over jails in a desktop/laptop setting? I would rather use VirtualBox or Bhyve for gui apps and keep jails for non-gui server purposes. Is this not acceptable?
I don't use jails on desktop, but always thought of VMs being for compatibility, in which case I could just run that OS bare-metal :p

I don't like maintaining complex hosts OS set-ups and wouldn't want guest OSs included in that, and I like max performance :cool: (it's a no-win between slower host with CPU virt enabled, or slower guest without)
 
Why are you jailing a browser?
Once that jail has all the permissions it needs to have a 2026 web experience it has absolutely no security benefits over a limited user account.

.....

Then again, a limited user account for a daily driving browser is no security benefit because 99% of the browser exploits go for the browser storage, they do not expect to break the OS sandbox.
In your last paragraph you explained what's wrong with your assumption in your first paragraph. A browser jail does not need "all the permissions" for web experience, in fact it just needs very few.

Why jailing a browser? Because it limits the browser's access to my files. Because I can implement a firewall using pf so I can be sure the browser of my jail can only reach my banking sites. Because I can limit what DNS names can be resolved for my browser in a jail. Filesharing with jails is simple if you have the same UIDs. Other browsers in other jails may have different restrictions. Furthermore, whenever I update my "generalbrowsing" jail and the update breaks my browser I can rollback and be fine with a not-up-to-date version, however, other parts (on the host, and other jails) can be updated independently.
 
It's all cool if you're not using accelerated graphics in a jail.
If you are, then the security bonus of the jail is thrown out. What remains is the management - you don't have to chroot or mangle accounts / groups and setfib the browser to effectively use virtual networks.

What's with your banking anyways, why are you running it on such a tight network? Need to use some obscure browser?
 
No, just a standard browser with hopefully all updates applied. I just want to protect my hard earned money. I also use this browser for my tax declaration and anything relevant for our .gv pages. Browser 0-day exploits may hijack a session, so I'd like to be protected.

Furthermore, I do have one jail per customer, which is also nice because inside the jail I use vpn. In those jails, I only open pages necessary to fulfill my tasks, where logins are of utmost importance, like dns administration or other stuff. Research and general web browsing is done in a completely different jail(ed browser). Thus, I can keep all the sensitive stuff separate.
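
The posts above disagree about how much of the host a browser jail ends up sharing (X11 socket, device nodes, shared folders). As an added example, not code from any poster in this thread, this sh/awk audit lists those shared surfaces from a jail.conf(5) definition. The jail name, paths, ruleset number and the `jail_exposure` helper are hypothetical.

```shell
#!/bin/sh
# Added example: list what a jail definition shares with the host.

# Constructed sample in jail.conf(5) syntax. The jail name, paths and
# ruleset number are made up for illustration.
sample_conf() {
cat <<'EOF'
browser {
    path = "/jails/browser";
    mount.devfs;
    devfs_ruleset = 100;   # which devices it unhides is set in devfs.rules
    allow.raw_sockets;
    mount += "/tmp/.X11-unix /jails/browser/tmp/.X11-unix nullfs rw 0 0";
    mount += "/home/john/Telechargements /jails/browser/home/john/Telechargements nullfs rw 0 0";
    mount += "/usr/local/share/fonts /jails/browser/usr/local/share/fonts nullfs ro 0 0";
}
EOF
}

# jail_exposure (hypothetical helper): reads jail.conf text on stdin and
# prints one "kind<TAB>detail" line per host resource the jail can reach.
# Simplification: a "#" inside a quoted string is treated as a comment.
jail_exposure() {
    awk '
    { sub(/#.*/, "") }                        # strip comments
    /^[ \t]*mount[ \t]*\+?=/ {                # fstab-style mount line
        if (split($0, q, "\"") < 3) next      # q[2] = text between the quotes
        split(q[2], f, " ")                   # f[1]=src f[2]=dst f[3]=type f[4]=opts
        mode = (("," f[4] ",") ~ /,ro,/) ? "ro" : "rw"
        kind = (f[1] ~ /\.X11-unix/) ? "x11-socket" : ("mount-" mode)
        print kind "\t" f[1]
        next
    }
    /^[ \t]*allow\.[a-z_.]+/ {                # allow.* as written, value not interpreted
        p = $1; sub(/[;=].*/, "", p)
        print "allow\t" p
        next
    }
    /^[ \t]*devfs_ruleset[ \t]*=/ {           # ruleset number only
        v = $0; sub(/.*=[ \t]*/, "", v); sub(/[ \t]*;.*/, "", v)
        print "devfs-ruleset\t" v
    }'
}

sample_conf | jail_exposure
```

Each `devfs-ruleset` line still needs a look at the matching entry in devfs.rules, since that file decides which device nodes the jail actually sees.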
 