For debian as an example, i was thinking modify the template it self, then any new qube based on it will have the hardenee browser, do i need librefox? Or just a config file?, if so if anything will i still see the app in the application list?
Also another thing, how can i make it so that some package or app i installed that doesn’t come with the template shows on the ui of applications list?
The easier way would be to use Librewolf. It’s based on Arkenfox with some modifications, but it’s very close to the original. It will be updated like any other program on your template with the package manager, so you don’t have to do anything manually after installing it.
When you install a program, a post task will create an entry in the application list. For example, if you install Librewolf using its deb repo, apt will create the entry and you will be able to select it in the application menu of all qubes linked to that template.
Do i need to do anything with libre wolf configuration? Or bare metal config sort of thing?, how do i remove firefox completely from the debian template?, so that it doesn’t also display application missing
Easiest way to harden firefox is downloading and using Mullvad Browser.
For debian-12-xfce, create a disposable template. Download Mullvad Browser, set it up. And then use it in dispXXXX qubes.
Librewolf is already configured. You have some things you can decide to change in the settings menu. They have a custom tab with some options you can enable or disable.
The Debian template includes FirefoxESR. Use this command to remove it:
sudo apt remove firefox-esr
Thank you
There are a few things you can do to harden Firefox on qubes and have those changes apply throughout AppVMs and DispVMs:
--ProfileManager flag to create a new profile. Name the profile hardened and then close the profile manager.firefox --ProfileManager
wget https://github.com/arkenfox/user.js/archive/refs/tags/115.1.tar.gz
tar -xvf ./115.1.tar.gz
user.js file to the hardened profile:mv ./user.js-115.1/user.js ~/.mozilla/firefox/*.hardened/
~/.mozilla/ directory to a TemplateVM with Firefox installed:qvm-copy ~/.mozilla/
.mozilla directory to /etc/skel/. Now, when you create new DispVMs off of that TemplateVM, the DispVM will copy the hardened config to $HOME and use it when running firefox. New AppVMs will also use the hardened config, but for existing AppVMs you’ll have to copy the config to your firefox profiles manually.mv ~/QubesIncoming/disp*/.mozilla/ /etc/skel/
user.js hardens Firefox at the application level. To sandbox applications at the system level, use a sandboxing tool such a firejail.
sudo apt-get install -y firejail
/etc/skel/.bash_aliases.echo 'alias firefox="firejail firefox"' >> /etc/skel/.bash_aliases
echo 'alias firefox-esr="firejail firefox-esr"' >> /etc/skel/.bash_aliases
After this modification, the firefox and firefox-esr commands will be wrapped in firejail when running them from the command line for DispVMs and new AppVM. For existing AppVMs, you’ll have to manually copy the .bash_aliases file to $HOME.
sudo sed -i 's|Exec=/usr/lib/firefox-esr/firefox-esr|Exec=firejail /usr/lib/firefox-esr/firefox-esr|g' /usr/share/applications/firefox-esr.desktop
After this modification, when launching firefox from the application menu, it will be launched using firejail.
Firejail is quite complicated and can be configured in many different ways using firejail profiles. Debian’s default firejail installation comes with profiles for many applications, including firefox, and includes global configurations.