Chapter 5. Locked-down, secure Firefox in a container

This section explains how to deploy a secure container that runs Firefox. The container gives you a containerized instance of Firefox with the following features:

  • Completely unprivileged - needs no extra SELinux tweaking
  • Only the list of cgroups is passed into the container from the host
  • No port redirection because the container is available only to the host
  • No X11 clipboard events or X events shared with your real host
  • No shared sound hardware
  • Everything runs with normal, non-elevated user permissions except for systemd (and systemd runs only to reap the other processes)
  • Unsynced sound, flash, and interactivity

Running Firefox Securely in a Container

  1. Retrieve the base image that we use to build this container:

    $ curl -o Fedora-Docker-Base-22-20150521.x86_64.tar.xz -L https://download.fedoraproject.org/pub/fedora/linux/releases/22/Docker/x86_64/Fedora-Docker-Base-22-20150521.x86_64.tar.xz
  2. Load the base image you just downloaded into the local Docker registry:

    $ sudo docker load < Fedora-Docker-Base-22-20150521.x86_64.tar.xz
  3. Create a directory to hold the Dockerfile that will map out this container:

    $ mkdir -p isolated_firefox
  4. Retrieve the Dockerfile by using this curl command:

    $ curl -o isolated_firefox/Dockerfile -L http://pastebin.com/raw.php?i=cgYXQvJu
  5. Build the container and tag it with a tag called isolated_firefox:

    $ sudo docker build -t isolated_firefox isolated_firefox
  6. Run the container:

    $ sudo docker run -v /sys/fs/cgroup:/sys/fs/cgroup:ro isolated_firefox
  7. Retrieve the CONTAINER_ID by using the docker ps command:

    $ sudo docker ps
  8. Retrieve the IP address of the container:

    $ sudo docker inspect CONTAINER_ID | grep 'IPAddress":'
  9. Open the container in vncviewer:

    $ vncviewer CONTAINER_IP
  10. To hear the audio associated with this container, open a browser and go to the following location:

    http://CONTAINER_IP:8000/firefox.ogg
    Note

    Do not forget to include the port in the URL, that is, type :8000 after the container address. You can also send the same address to VLC to play the content there.

  11. Run the following command to launch the VLC instance:

    $ vlc http://CONTAINER_IP:8000/firefox.ogg
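As an added check after the steps above (example code, not part of this chapter or of the Fedora image), the following Python audits the JSON that `docker inspect CONTAINER_ID` prints against the feature list at the top of the section: not privileged, no published ports, no host devices, the cgroup tree mounted read-only, and no X11 socket or sound device shared. The inspect output embedded here is a constructed, abridged sample; the key names used (HostConfig.Privileged, PortBindings, Devices, Mounts, NetworkSettings.IPAddress) are the ones Docker emits.

```python
import json

# Constructed, abridged sample of `docker inspect CONTAINER_ID` output for a
# container started as in step 6; only the fields the audit reads are present.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "HostConfig": {
        "Privileged": False,
        "PortBindings": {},
        "Devices": [],
    },
    "Mounts": [
        {"Source": "/sys/fs/cgroup", "Destination": "/sys/fs/cgroup",
         "Mode": "ro", "RW": False},
    ],
    "NetworkSettings": {"IPAddress": "172.17.0.2"},
}])


def container_ip(inspect_json):
    """Return the container IP address, the value step 8 greps for."""
    return json.loads(inspect_json)[0]["NetworkSettings"]["IPAddress"]


def audit_isolation(inspect_json):
    """Compare the run-time settings with the isolation features listed above.

    Returns a list of findings; an empty list means every check passed.
    """
    c = json.loads(inspect_json)[0]
    host = c.get("HostConfig", {})
    mounts = c.get("Mounts", [])
    findings = []
    if host.get("Privileged"):
        findings.append("container is privileged")
    if host.get("PortBindings"):
        findings.append("ports are published to the host")
    if host.get("Devices"):
        findings.append("host devices (e.g. /dev/snd) are passed in")
    for m in mounts:
        dest = m.get("Destination", "")
        if dest == "/sys/fs/cgroup" and m.get("RW", True):
            findings.append("cgroup tree is mounted read-write")
        if dest.startswith("/tmp/.X11-unix"):
            findings.append("host X11 socket is shared")
        if dest.startswith("/dev/snd"):
            findings.append("sound devices are shared")
    if not any(m.get("Destination") == "/sys/fs/cgroup" for m in mounts):
        findings.append("cgroup tree is not mounted (systemd needs it)")
    return findings
```

On a real host, feed it `sudo docker inspect CONTAINER_ID` output instead of the sample.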