Security advantage of private-tmp (in firefox.profile)

[BreakfastSerial]

The provided profile for Firefox includes private-tmp. Coming from other discussions (#4103 and #3146), my approach would include multiple active instances of Firefox, with --ignore=private-tmp.

I could not find a reason for the enabled private-tmp option for Firefox. /tmp/ is generally seen as world-writeable, so I don't see much of a security concern with Firefox having access to /tmp/.

However, I do not want to establish a setup with possible security concerns, thus the question:

What was the reason to include private-tmp in the default Firefox profile (/etc/firejail/firefox-common.profile) and what implications would --ignore=private-tmp entail?

Environment

• Ubuntu 20.04.2 LTS
• Firefox 86.0 (from Ubuntu focal repository)
• firejail version 0.9.62

Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

[rusty-snake]

It's safe to ignore private-tmp if you use whitelist /tmp/foo:

ignore private-tmp
whitelist /tmp/.X11-unix
whitelist /tmp/firefox

I could not find a reason for the enabled private-tmp option for Firefox.
What was the reason to include private-tmp in the default Firefox profile

You will hardly never find a reason why restriction foo is in profile bar. private-tmp isolates /tmp inside the sandbox from /tmp of the system. And isolation between your system and the sandbox is that what you want if you use firejail.

/tmp/ is generally seen as world-writeable, so I don't see much of a security concern with Firefox having access to /tmp/.

Replace tmp with D-Bus:
   D-Bus is generally seen as interprocess-communication, so I don't see much of a security concern with Firefox having access to it.

Some programs may have sockets in /tmp, store files in /tmp which are executed later (e.g. cargo install IIRC) and there are

• CWE-377: Insecure Temporary File
• CWE-378: Creation of Temporary File With Insecure Permissions
• CWE-379: Creation of Temporary File in Directory with Insecure Permissions

what implications would --ignore=private-tmp entail?

Access to /tmp might open another sandbox escape vector.

[BreakfastSerial]

Thank you very much for the elaborate answer! I appreciate it!

[BreakfastSerial]

A follow-up question, closely related.

If private-tmp and whitelist=/tmp/foo works, how come private-home does not work with ~/foo?

[rusty-snake]

private-tmp is just syntasic sugar for:

whitelist /tmp/<Xauth>
whitelist /tmp/.X11-unix
read-only /tmp/.X11-unix
whitelist /tmp/pulse-*

Historical it was required because whitelist had no globing support.

It's implementation just adds such whitelist commands:

firejail/src/firejail/fs.c

Lines 1222 to 1269 in 09673cd

	// this function is called from sandbox.c before blacklist/whitelist functions
	void fs_private_tmp(void) {
	if (arg_debug)
	printf("Generate private-tmp whitelist commands\n");
	// check XAUTHORITY file, KDE keeps it under /tmp
	const char *xauth = env_get("XAUTHORITY");
	if (xauth) {
	char *rp = realpath(xauth, NULL);
	if (rp && strncmp(rp, "/tmp/", 5) == 0) {
	char *cmd;
	if (asprintf(&cmd, "whitelist %s", rp) == -1)
	errExit("asprintf");
	profile_check_line(cmd, 0, NULL);
	profile_add(cmd); // profile_add does not duplicate the string
	}
	if (rp)
	free(rp);
	}
	// whitelist x11 directory
	profile_add("whitelist /tmp/.X11-unix");
	// read-only x11 directory
	profile_add("read-only /tmp/.X11-unix");
	// whitelist any pulse* file in /tmp directory
	// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
	DIR *dir;
	if (!(dir = opendir("/tmp"))) {
	// sleep 2 seconds and try again
	sleep(2);
	if (!(dir = opendir("/tmp"))) {
	return;
	}
	}
	struct dirent *entry;
	while ((entry = readdir(dir))) {
	if (strncmp(entry->d_name, "pulse-", 6) == 0) {
	char *cmd;
	if (asprintf(&cmd, "whitelist /tmp/%s", entry->d_name) == -1)
	errExit("asprintf");
	profile_check_line(cmd, 0, NULL);
	profile_add(cmd); // profile_add does not duplicate the string
	}
	}
	closedir(dir);
	}

While private-home is a complete other command. (Except for private-{bin,etc,opt,srv} all private-* share not really more then the prefix).

[BreakfastSerial]

I appreciate the detailed answer and swift response. Thank you very much!