Bastille jail: no sound in firefox

john_rambo · Nov 1, 2021

I have successfully created a jail & installed Firefox inside the jail problem Firefox is completely mute. I can't watch Youtube. How do I enable sound in the jailed Firefox ?

SirDice · Nov 1, 2021

john_rambo said:
I have successfully created a jail & installed Firefox inside the jail problem Firefox is completely mute. I can't watch Youtube. How do I enable sound in the jailed Firefox ?

Jails, by default, have limited access to devices. You'll need to set up proper devfs.rules(5) to allow the jail access to the audio devices.

zirias@ · Nov 1, 2021

I think a jail for a browser is slightly off-topic here?

john_rambo · Nov 1, 2021

SirDice said:
Jails, by default, have limited access to devices. You'll need to set up proper devfs.rules(5) to allow the jail access to the audio devices.

I have added devfs_ruleset = 4 to

/usr/local/bastille/jails/ffjailed/jail.conf

Code:

# cat jail.conf
ffjailed {
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/ffjailed_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = ffjailed;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/ffjailed/fstab;
  path = /usr/local/bastille/jails/ffjailed/root;
  securelevel = 2;

  interface = wlan0;
  ip4.addr = 192.168.225.10;
  ip6 = disable;
  devfs_ruleset=4;
}

What else can I do ?

SirDice · Nov 1, 2021

john_rambo said:
I have added devfs_ruleset = 4 to

That's the default (look at the first line of the jail configuration).

Rule 4 limits access to pretty much everything except a few necessary devices.

Code:

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path fuse unhide
add path zfs unhide

john_rambo · Nov 1, 2021

SirDice said:
That's the default (look at the first line of the jail configuration).

Rule 4 limits access to pretty much everything except a few necessary devices.

Code:

[devfsrules_jail=4] add include $devfsrules_hide_all add include $devfsrules_unhide_basic add include $devfsrules_unhide_login add path fuse unhide add path zfs unhide

If somehow I can manage to enable the sound in Firefox then its a success. Any ideas ? So what number should I try ?

SirDice · Nov 1, 2021

Zirias said:
I think a jail for a browser is slightly off-topic here?

Agreed. Posts split off to its own thread.

sidetone · Nov 1, 2021

Copy that section of the ruleset to /etc/devfs.rules, then change the name and make it any number that's not used. Set your jail to this number. Unhide additional devices.

Code:

[bastille=20]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path fuse unhide
add path zfs unhide

Try adding mixer0, mixer1, mixer2, sndstat, music0. Restart the jail, then see that they show up in your jail, and try it.

For some reason, when I tried replacing the first 3 lines with add include $devfsrules_jail, it unhid everything which defeated the purpose of restricting dev access.

john_rambo · Nov 1, 2021

sidetone
That worked now I have sound. I know nothing about FreeBSD Jails. So I have some questions.
Q1) Inside the Jail the only user is root. Is there any risks in running Firefox as root inside a Jail ?
Q2) By just looking at how FreeBSD jails work I see Jails as headless VMs with a minimum FreeBSD base install. It has its own IP address. So if a Jail has its own IP that means the host's firewall is not protecting the Jail. Now when I tried to enable PF inside the Jail I failed. So how does Jails handle network security ?
Q3) I want to copy my Firefox's profile to the Jail's /home. I mean the hidden .mozilla folder. Is this possible ? If yes, whats the procedure ?
Q4) In order to enable sound for Firefox we just made the Jail comparitively less secure/isolated. Correct ? Exactly what how much isolation have we lost ?

SirDice · Nov 1, 2021

A1) Think about it this way, if your Firefox starts running malware, it's going to be able to do anything it can do that the account it runs on. Running Firefox as root is a bad idea, regardless if this is in a jail or not. Bad habits are hard to break, better not get accustomed to it in the first place.

A2) There are two types of jails. The 'regular' jail, which uses the hosts network stack. From the jail you cannot change anything, you can't change the IP and you can't run a firewall. This is all controlled from the host. The second type of jail is a so-called VNET jail. That jail has it's own virtualized network stack, from within the jail you can configure it, set the IP and run a firewall on it.

A3) They're files. Just copy them. Note that Firefox typically creates a profile directory with a random name.

A4) Yes, sort of. How much did you lose? Well, you gave the jail access to the audio devices. That's the security you've lost, a jail normally doesn't have access to those devices. Is this a big risk? Probably not.

john_rambo · Nov 1, 2021

SirDice said:
A1) Think about it this way, if your Firefox starts running malware, it's going to be able to do anything it can do that the account it runs on. Running Firefox as root is a bad idea, regardless if this is in a jail or not. Bad habits are hard to break, better not get accustomed to it in the first place.

A2) There are two types of jails. The 'regular' jail, which uses the hosts network stack. From the jail you cannot change anything, you can't change the IP and you can't run a firewall. This is all controlled from the host. The second type of jail is a so-called VNET jail. That jail has it's own virtualized network stack, from within the jail you can configure it, set the IP and run a firewall on it.

A3) They're files. Just copy them. Note that Firefox typically creates a profile directory with a random name.

A4) Yes, sort of. How much did you lose? Well, you gave the jail access to the audio devices. That's the security you've lost, a jail normally doesn't have access to those devices. Is this a big risk? Probably not.

(1) So should I create a regular user inside the Jail that I have created & use it to run Firefox ?
(2) I read that two descriptions very carefully but still I want to be sure the Jail that I have created by following that tutorial, is it a regular jail or a VNET jail ?
(3) Found the path its /usr/local/bastille/jails/ffjailed/ but since you are saying running Firefox as root is not good even inside a Jail I will learn how to create a regular user using the CLI under FreeBSD & then copy the Firefox profile.
(4) That's good news.

SirDice · Nov 1, 2021

1) Yes
2) the fact that loading PF failed inside the jail tells me this is a 'regular' jail. Your jail.conf doesn't show vnet either. Note that bastille(8) has specific options for this. https://bastille.readthedocs.io/en/latest/chapters/networking.html#virtual-network-vnet

Code:

     vnet    Create the jail with its own virtual network stack, with its own
             network interfaces, addresses, routing table, etc.  The kernel
             must have been compiled with the VIMAGE option for this to be
             available.  Possible values are “inherit” to use the system
             network stack, possibly with restricted IP addresses, and “new”
             to create a new network stack.

john_rambo · Nov 1, 2021

SirDice
I have created a new regular user account inside the jail. When I use the command sudo bastille console ffjailed I get the root account of the jail by default. The prompt looks like this root@ffjailed:~ #. Now when I type the exit command I am out of the jail & back to my host. How do I login to my newly created account ?

Edit : I found the answer just by experimenting. The command to use is login.

john_rambo · Nov 1, 2021

I added setenv DISPLAY :1 to .cshrc of my new user account exactly the same way I did for the root account & rebooted the Jail but I am still getting

Code:

~ $ firefox
Error: no DISPLAY environment variable specified

Note : Xnest is running on the host using the command Xnest :1 -listen tcp

So Firefox is running using the root account of the jail but printing that error using the regular user account.

john_rambo · Nov 2, 2021

sidetone
Any ideas ?

zirias@ · Nov 2, 2021

john_rambo said:
By just looking at how FreeBSD jails work I see Jails as headless VMs with a minimum FreeBSD base install.

Actually, no. A jail is the logical consequence of the idea to use chroot(8) for "secure" isolation. It wasn't designed for that, but was just a nice tool to be able to do something "inside" a userland mounted on a path prefix (instead of /). For isolation, the first problem was protection against trickeries with paths (like, very simple symlinks) allowing file access outside the chroot. This was solved in many implementations, but there were still other things missing like restricted device access, resource limits, networking restrictions etc, and all these things were added to create FreeBSD's "jails".

Still, it's an extended chroot at its core. This means you can just run a single process inside a jail, and you only need to make sure everything this process needs (e.g. shared libraries) is available from inside the jail. Installing a complete FreeBSD userland for a jail is common and often practical, but not really a necessity.

Now with the availability of VNET jails (that add a complete private networking stack to a jail), you could call that a "userspace VM" or a "container". I don't think you'd need that feature for running a browser in a jail.

In either case, giving the jail its own packet filter isn't a good idea. You already have one! And jail traffic must pass there, either because it uses the host's interface anyways (regular jail) or because your host would be the next hop (routed VNET jail) or because traffic would need to pass through a bridge(4) on your host (bridged VNET jail). So, just make your host a "real" firewall for your jail.

john_rambo · Nov 2, 2021

Zirias
Thanks for that. Learned a lot but problem is I am stuck. SirDice told me not to run Firefox as root even inside a Jail so created a regular user account but I can't launch Firefox despite applying the same steps that I had used for the root account. By looking at the number of people participating in Jail related topics like this one for example my guess is not many poeple who uses FreeBSD are familiar with Jails. FreeBSD Jails seems like an advanced topic. This is only a guess.

chrbr · Nov 2, 2021

Dear john_rambo,
I have followed the howtodo https://forums.freebsd.org/threads/...-in-a-jail-using-iocage-and-ssh-jailme.53362/ and I am happy with firefox and audio. Please see below the related lines of my /etc/dev.rules.

Code:

[devfsrules_desktop_jail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path 'mixer*' unhide
add path 'dsp*' unhide

My /etc/jail.conf shows

Code:

allow.raw_sockets = 1;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
devfs_ruleset = 5;
mount.devfs;

fox {
    path = "/usr/jails/fox";
    host.hostname = "fox";
    ip4.addr = "10.0.0.3";
    interface = "lo1";
    mount.fstab = "/etc/fstab.fox";
 }

It works with the ssh method but also with jailme which requires the same user id in the jail and the most. I do not use NAT but squid and unbound as proxies for web content and DNS. The jail itself is not managed by iocage but created by FreeBSD tools as described in the handbook. I hope it helps.

Bastille jail: no sound in firefox

john_rambo

SirDice

Administrator

zirias@

john_rambo

SirDice

Administrator

john_rambo

SirDice

Administrator

sidetone

john_rambo

SirDice

Administrator

john_rambo

SirDice

Administrator

john_rambo

john_rambo

john_rambo

zirias@

john_rambo

chrbr