[dmortin]

Does it a help in this case if one runs the browser in a sandbox? E.g. in docker?

They can then break out from the browser, but only get to docker with that exploit, and it's unlikely they have a docker exploit too at hand, is it?

[microtonal]

They can then break out from the browser, but only get to docker with that exploit, and it's unlikely they have a docker exploit too at hand, is it?

If you are running Firefox on X11 (which most Linux users probably still do), you do not need to escape Docker. You can make screenshot, capture keystrokes, and send keystrokes, all through the X11 socket.

(Furthermore, you do not need a Docker exploit, a Linux kernel exploit can be enough to break out of a container. This is one of the reasons for e.g. gVisor to implement syscalls in userland and in a safer language.)

Using VMs as e.g. Qubes OS does is probably a bit safer than a Docker container.

[MrRadar]

> If you are running Firefox on X11 (which most Linux users probably still do), you do not need to escape Docker. You can make screenshot, capture keystrokes, and send keystrokes, all through the X11 socket.

Also, this is why Wayland is much more restrictive about these types of operations. People love to complain that "I could do thing with X without special privileges" but the world has moved on since X was designed and it absolutely has not kept up.

[Avamander]

People are totally right to complain about basic features being left out, not not having a standard secured low-overhead video recording and screenshotting is simply stupid and harmful for Linux.

[gnufx]

I don't know how effective it is, but firejail can use xpra or xephyr to firewall X.

[dragonwriter]

As I understand it, Docker isn't intended to be, and shouldn't be relied on as, a security sandbox.

It creates boundaries, but, like a typical suburban garden fence, they aren't hardened security boundaries.

[viraptor]

You've got two cases here: breaking out of default Docker config, or breaking out of kernel namespaces. The first one is very common now and really well tested. The second one is definitely security sandbox worthy. Docker also integrates with selinux and seccomp.

Basically what I'm saying is, it's very much a security boundary. It's far from a decorative fence.

[kccqzy]

Breaking out of a docker container with default settings is hard. You would be making the headlines if you could do so.

Now breaking out of a docker container with --privileged or even just CAP_SYS_ADMIN is much easier.

[shakna]

There was a CVE in February [0][1] that escaped out of Docker's default settings. runc has a few of these over the last few years, it isn't inconceivable that there are more to be found.

Docker does do a decent job of setting some sensible defaults - but it isn't a security sandbox and they don't market it as such.

[0] https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-fr...

[1] https://seclists.org/oss-sec/2019/q1/119

[kccqzy]

The very fact that there's a CVE for breaking out of docker shows that it's a big deal :)

[oldstrangers]

Having two 0-days for one of the most popular browsers tells me they probably have access to whatever they want.

[dmortin]

For high value targets, probably. For average spear phising I don't think they spend more resources to break out from docker.

Since default docker runs linux, running the browser in a linux docker can be enough, because they usually have windows exploits.

[yjftsjthsd-h]

One of the benefits to ex. firejail is precisely that a Firefox exploit does not compromise ex. ~/.ssh

[mnbvkhgvmj]

Docker is not intended as or very useful for security isolation - especially for GUI applications. I would suggest a VM if you want to isolate your browser.