| 106 | | Assuming your system is running PulseAudio (`pulseaudio --check -v`), |
| 107 | | enable it via the sandbox config. PulseAudio is required due to the |
| 108 | | sandbox container not having direct access to hardware. |
| 109 | | |
| 110 | | For what it's worth, Firefox also requires PulseAudio in recent versions. |
| 111 | | https://bugzilla.mozilla.org/show_bug.cgi?id=1247056 |
| | 106 | '''WARNING: This is likely unsafe against sophisticated adversaries.''' |
| | 107 | |
| | 108 | As it stands right now, if PulseAudio is enabled in the sandbox, Firefox |
| | 109 | will get direct access to the host system's socket. There are likely |
| | 110 | non-trivial ways to use this to read files from the host filesystem. |
| | 111 | |
| | 112 | (Thanks to "Jann Horn of Google Project Zero" for pointing out that this |
| | 113 | is a possibility.) |
| | 114 | |
| | 115 | If you don't care about this possibility, assuming your system is |
| | 116 | running PulseAudio (`pulseaudio --check -v`), enable it via the sandbox |
| | 117 | config. PulseAudio is required due to the sandbox container not having |
| | 118 | direct access to hardware, and there being basically nothing better |
| | 119 | despite the potential escape vectors. |
| | 120 | |
| | 121 | For what it's worth, un-sandboxed Tor Browser also requires PulseAudio as |
| | 122 | of version 7.0, due to it being made a requirement for Firefox (See: |
| | 123 | https://bugzilla.mozilla.org/show_bug.cgi?id=1247056) |
| 146 | | === How do I protect myself from X exploits? === |
| 147 | | |
| 148 | | Good question. "Sit there and pray that Wayland will fix everything" or |
| 149 | | "Use a nested X11 implementation like Xephyr or Xpra" seem to be the |
| 150 | | popular options. An advanced configuration option for setting the |
| 151 | | `DISPLAY` that Firefox will use is provided for convenience. |
| | 158 | === Wait, Firefox uses X11, isn't security basically hopeless? === |
| | 159 | |
| | 160 | Yes. The current implementation of the sandbox does little to nothing |
| | 161 | to defend against Firefox doing evil things to or via the X socket. |
| | 162 | |
| | 163 | If you want to attempt to mitigate this, the best options are: |
| | 164 | |
| | 165 | * Run 0.0.8-dev or newer, where "something, but not likely enough" is |
| | 166 | done to defend against some of the easier evil. |
| | 167 | * Use a nested X11 implementation like Xephyr or Xpra. |
| | 168 | * Sit there and pray that Wayland will fix everything. |
| | 169 | |
| | 170 | The ideal solution at current time is probably to probably do all three. |
| | 171 | |
| | 172 | An advanced configuration option for setting the `DISPLAY` that Firefox |
| | 173 | will use is provided to enable easier nested X11 usage. |
| | 174 | |
| | 175 | (Thanks to "Jann Horn of Google Project Zero" for pointing out that |
| | 176 | the documentation doesn't make it obvious that such things are beyond |
| | 177 | the threat model.) |
