
Run Firefox in a protected sandbox (Web Browsers)
OS X has a built-in sandbox feature for applications, which can restrict their access to certain parts of the system. There isn't a lot of documentation available on the sandboxing system, but I've successfully been able to sandbox Firefox. It has some limitations, but my plug-ins and add-ons work, though yours may not.

If you have issues, you'll have to search for the directories where your plug-ins are housed, and give read or read/write access permissions in the firefox-sandbox file. There is only write permission to the ~/Downloads directory, so if you want to save files in a different location, you will have to change the firefox-sandbox file or move them after the download has finished. First, create the following file and save it somewhere as firefox-sandbox:
;; http://codereview.chromium.org/379019/diff/1/2
;; Start from deny-everything; each (allow ...) below opens exactly one hole.
(version 1)
(deny default)

;; Read/write: only the places Firefox must be able to modify
;; (downloads, its profile and caches, preferences, temp files).
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/user_name/Downloads")
  (regex "^/Users/user_name/Library/Application Support/Mozilla")
  (regex "^/Users/user_name/Library/Application Support/Firefox")
  (regex "^/Users/user_name/Library/Preferences")
  (regex "^/Users/user_name/Library/PreferencePanes")
  (regex "^/Users/user_name/Library/Caches/Firefox")
  (regex "^/Users/user_name/Library/Caches/TemporaryItems")
  (regex "^/Applications/Firefox.app")
  (regex "^(/private)?/tmp/"))

;; Read-only: system libraries, frameworks, plug-ins, and the rest of the
;; home folder (so Firefox can show files in dialogs but not change them).
(allow file-read-data file-read-metadata
  (regex "^/dev/autofs.*")
  (regex "^/Library/Preferences")
  (regex "^/Library/Internet Plug-Ins")
  (regex "^/Library/PreferencePanes")
  (regex "^/usr/share/icu")
  (regex "^/usr/share/locale")
  (regex "^/System/Library")
  (regex "^/Applications/Firefox.app")
  (regex "^/usr/lib")
  (regex "^/var")
  (regex #"Frameworks/SDL.framework")
  ; Our Module Directory Services cache
  (regex "^/private/var/tmp/mds/")
  (regex "^/private/var/tmp/mds/[0-9]+(/|$)")
  (regex "^/Users/user_name"))

;; Mach IPC (lookups of system services) and sysctl reads.
(allow mach* sysctl-read)

;; Pull in Apple's baseline BSD rules, then explicitly keep time zone and
;; locale data read-only regardless of what the import permits.
(import "/usr/share/sandbox/bsd.sb")
(deny file-write-data
  (regex #"^(/private)?/etc/localtime$"
         #"^/usr/share/nls/"
         #"^/usr/share/zoneinfo/"))

;; Firefox may only exec binaries from inside its own bundle.
(allow process-exec
  (regex "^/Applications/Firefox.app"))

;; Network access is unrestricted; this profile confines the filesystem, not the network.
(allow network*)
Replace the /Applications/Firefox.app parts with the path to Firefox on your system, and replace user_name with your username. Next, open Terminal and execute this command:
sandbox-exec -f firefox-sandbox /Applications/Firefox.app/Contents/MacOS/firefox-bin
Make sure the firefox-sandbox file is in the directory where you run the above command, and Firefox should launch in a protected sandbox.
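A launcher script for the procedure above, added here as an example and not part of the original hint: it renders the hint's firefox-sandbox template for the current user, checks that the profile still starts from default-deny and parses, and hands sandbox-exec an absolute profile path. It assumes the template is the hint's file with user_name and /Applications/Firefox.app left as written, and writes the rendered profile into $HOME, which this profile leaves read-only to the sandboxed process.

```shell
#!/bin/sh
# Added launcher for the hint's firefox-sandbox profile (hypothetical, not part
# of the original hint). Renders the template for the current user, runs two
# pre-flight checks, then starts Firefox under sandbox-exec.
set -eu

# Substitute the hint's placeholders. The paths are pasted into SBPL regexes
# verbatim, exactly as the hint does; the '|' sed delimiter keeps '/' literal.
render_profile() {
    template=$1 home_dir=$2 firefox_app=$3
    sed -e "s|/Users/user_name|${home_dir}|g" \
        -e "s|/Applications/Firefox.app|${firefox_app}|g" "$template"
}

# The whole point of the profile is default-deny: if an edit dropped this
# line, every operation not named would be permitted instead of refused.
has_default_deny() {
    grep -q '^(deny default)' "$1"
}

# Unbalanced parentheses are the usual way a hand-edited profile stops
# parsing, and sandbox-exec's own error message does not say where.
parens_balanced() {
    opens=$(tr -cd '(' < "$1" | wc -c | tr -d ' ')
    closes=$(tr -cd ')' < "$1" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Render into $HOME (read-only to the sandboxed process under this profile)
# and pass sandbox-exec an absolute path, which avoids the "profile not
# found" error seen when the file is not in the current directory.
launch_firefox() {
    template=$1
    firefox_app=${2:-/Applications/Firefox.app}
    profile="$HOME/.firefox-sandbox.sb"
    render_profile "$template" "$HOME" "$firefox_app" > "$profile"
    has_default_deny "$profile" || { echo "refusing: no (deny default) in $profile" >&2; exit 1; }
    parens_balanced "$profile" || { echo "refusing: unbalanced parentheses in $profile" >&2; exit 1; }
    exec sandbox-exec -f "$profile" "$firefox_app/Contents/MacOS/firefox-bin"
}

# Usage: sh launch-firefox-sandbox.sh ./firefox-sandbox [/path/to/Firefox.app]
if [ "$#" -ge 1 ]; then
    launch_firefox "$@"
fi
```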

[robg adds: I haven't tested this one.]

Run Firefox in a protected sandbox | 17 comments
Run Firefox in a protected sandbox
Authored by: diamondsw on Mar 19, '10 09:05:52AM

I sense an opportunity for a great freeware/shareware app to collect and enforce sandbox policies like this from a simple point-and-click interface. Ship it with several sandbox policies (fully examinable/tweakable, of course) and the user could just check a box next to the apps they want to secure, and it does all of this dirty work for them.

That's opportunity for someone with more Cocoa skills than I. :)

Run Firefox in a protected sandbox
Authored by: Geobunny on Mar 19, '10 09:45:05AM

Now, as a developer, that's quite an intriguing idea....

Run Firefox in a protected sandbox
Authored by: Geobunny on Mar 19, '10 09:43:59AM

Wow, this is really quite cool. I never knew this feature existed until now. Looks like there's a bunch of predefined sandbox files available for use too. Have a look in /usr/share/sandbox/

Run Firefox in a protected sandbox
Authored by: pwc on Mar 19, '10 07:48:31PM
I found fonts didn't work properly when using this. I added the following lines and it fixed the issue (from this post):
(allow file-read-data (regex #"^/System/Library/Fonts"))  ; 10.5.6
(allow file-read-data (regex #"^/Library/Fonts"))  ; 10.6
(allow mach-lookup (global-name "com.apple.FontObjectsServer"))  ; 10.5.6
(allow mach-lookup (global-name "com.apple.FontServer"))  ; 10.6
I noticed Firefox starts in Offline Mode. There must be another setting you can add to fix that.

Run Firefox in a protected sandbox
Authored by: xxkrnplayaxx on Jun 05, '10 01:09:10PM

"go to about:config, find browser.offline-apps.notify and set it to false"

found at http://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=11503&forumId=1#threadId111026

Run Firefox in a protected sandbox
Authored by: Mac Berry on Mar 19, '10 10:10:26PM

Could I just ask, why?

I can see the point if you're developing, but why would anyone else want to sandbox an app?

Mark

Run Firefox in a protected sandbox
Authored by: changcheh on Mar 20, '10 12:58:02AM

Sandboxing provides additional protection from malicious programs, which are rampant on the internet today. Firefox, by default, gives write access to the whole of your home folder; sandboxing restricts this to the areas where it needs write access and gives read-only access for the others. Flash security is a very hot topic right now: it can store cookies and other information in several places on your system, outside of Firefox's control. Sandboxing can prevent this.

Google's Chrome browser has sandboxing of the application and all the plugins! That's why it's regarded as quite secure.

Run Firefox in a protected sandbox
Authored by: mmnw on Mar 20, '10 01:26:18AM

I agree it's not for everyone, but there are some real world scenarios. For example, if you have set up Firefox in kiosk mode as a surfing station. Or you just know you're visiting dubious websites.
This is no foolproof sandbox, but it can add some layer of security.

Run Firefox in a protected sandbox
Authored by: ezgranny420 on Mar 20, '10 12:35:38AM
I'd really like to get this working, however, the following error is occurring.

Brendon@Brendon-Maragias-MacBook-Pro /u/s/sandbox> cd /usr/share/sandbox/
Brendon@Brendon-Maragias-MacBook-Pro /u/s/sandbox> sandbox-exec -f firefox-sandbox /Applications/Firefox.app/Contents/MacOS/firefox-bin
sandbox-exec: profile not found
Brendon@Brendon-Maragias-MacBook-Pro /u/s/sandbox>

Here is firefox-sandbox

;; http://codereview.chromium.org/379019/diff/1/2
(version 1)
(deny default)

(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/Brendon/Downloads")
  (regex "^/Users/Brendon/Library/Application Support/Mozilla")
  (regex "^/Users/Brendon/Library/Application Support/Firefox")
  (regex "^/Users/Brendon/Library/Preferences")
  (regex "^/Users/Brendon/Library/PreferencePanes")
  (regex "^/Users/Brendon/Library/Caches/Firefox")
  (regex "^/Users/Brendon/Library/Caches/TemporaryItems")
  (regex "^/Applications/Firefox.app")
  (regex "^(/private)?/tmp/"))

(allow file-read-data file-read-metadata
  (regex "^/dev/autofs.*")
  (regex "^/Library/Preferences")
  (regex "^/Library/Internet Plug-Ins")
  (regex "^/Library/PreferencePanes")
  (regex "^/usr/share/icu")
  (regex "^/usr/share/locale")
  (regex "^/System/Library")
  (regex "^/Applications/Firefox.app")
  (regex "^/usr/lib")
  (regex "^/var")
  (regex #"Frameworks/SDL.framework")
  ; Our Module Directory Services cache
  (regex "^/private/var/tmp/mds/")
  (regex "^/private/var/tmp/mds/[0-9]+(/|$)")
  (regex "^/Users/Brendon"))

(allow mach* sysctl-read)

(import "/usr/share/sandbox/bsd.sb")
(deny file-write-data
  (regex #"^(/private)?/etc/localtime$"
         #"^/usr/share/nls/"
         #"^/usr/share/zoneinfo/"))

(allow process-exec
  (regex "^/Applications/Firefox.app"))

(allow network*)

Run Firefox in a protected sandbox
Authored by: miggins on Mar 23, '10 08:35:25PM

Try changing your line: sandbox-exec -f firefox-sandbox /Applications/Firefox.app/Contents/MacOS/firefox-bin

to be:

sandbox-exec -f /path/to/firefox-sandbox /Applications/Firefox.app/Contents/MacOS/firefox-bin

Run Firefox in a protected sandbox
Authored by: chsnyder on Mar 20, '10 11:18:14AM
More info about sandboxes, from the manual page:
The sandbox facility allows applications to voluntarily restrict their access to operating system resources. This safety mechanism is intended to limit potential damage in the event that a vulnerability is exploited. It is not a replacement for other operating system access controls.

New processes inherit the sandbox of their parent.
Sandboxing Firefox or any other application that fetches data from untrusted sources will prevent an exploit in FF or in any of its plugins from reading or writing data outside of the sandbox.

That's a layer of protection we should all have, given well-publicized issues with plugins recently. It would be ideal for developers to "self-sandbox" their internet-enabled apps, as they know exactly which resources the app needs to touch. Perhaps some do?
Run Firefox in a protected sandbox
Authored by: osxpounder on Mar 09, '11 04:21:30PM

Dang, not well-publicized enough for me. I don't know about security issues with Firefox plugins.

What are 1 or 2 good sites I could check regularly that would keep me up to date on that kind of news?

Run Firefox in a protected sandbox
Authored by: macubergeek on Feb 10, '11 02:44:14AM

On 10.6.6
This hint does not work
I put the firefox-sandbox file here: /Applications/Firefox.app/Contents/MacOS/

and ran
sandbox-exec -f /Applications/Firefox.app/Contents/MacOS/firefox-sandbox /Applications/Firefox.app/Contents/MacOS/firefox-bin

nothing happened.
Firefox did not launch.

Run Firefox in a protected sandbox
Authored by: afingal on Feb 10, '11 08:49:37AM

I gather that this kind of sandbox does not address the main reason why I want to run a web browser in an isolated environment. That is to have separate instances of the web browser such that different sites cannot access information from other sites. Web developers are using ever more sophisticated ways to track people and bypass the originally intended privacy standards which were supposed to be part of HTML (e.g. cookies only sent back to the same site). You have to use something like virtual machines to prevent this. The only thing is that they are a lot less convenient to set up and use a lot more resources than the kind of sandbox in this hint.

The situation now is that, for example, if you are logged into Facebook in one tab and go to some other site in a second tab and there is an advertiser common to both sites, the second site can get and correlate information from your Facebook profile with what they have, including non-public information. Facebook allows you to choose items to keep private from other Facebook users but you can't hide anything from advertisers (or, more precisely, anyone using Facebook's developer tools.) I'm only picking on Facebook because they are such a popular site. Many other sites do the same sort of thing or worse.

Run Firefox in a protected sandbox
Authored by: Anonymous on Mar 02, '11 01:01:38PM

So basically, you want to run each tab as a separate sandbox.

This would tend to be possible: there's an extension for Windows that allows IE to run as the renderer inside each Firefox tab.

The same principles could apply for your purposes, substituting IE for a sandboxed Firefox instance.

Or you could run an ad blocker... just sayin'.

IronFox
Authored by: idontcare on Mar 02, '11 06:17:37PM

There's an app for that.

http://www.romab.com/ironfox/

Run Firefox in a protected sandbox
Authored by: _aeon on Mar 03, '11 03:02:35AM
Wish I could use this in my standard account...

When I type:

sandbox-exec -f /Users/aeon/firefox-sandbox/firefox-sandbox /Applications/Firefox.app/Contents/MacOS/firefox-bin

it shows the following message:

Process spawn failed with code 1!

:(