Easiest way to harden Firefox?

For Debian as an example, I was thinking of modifying the template itself, so that any new qube based on it will have the hardened browser. Do I need librefox, or just a config file? If so, if anything, will I still see the app in the application list?

Also, another thing: how can I make it so that some package or app I installed that doesn’t come with the template shows in the UI of the applications list?

The easier way would be to use Librewolf. It’s based on Arkenfox with some modifications, but it’s very close to the original. It will be updated like any other program on your template with the package manager, so you don’t have to do anything manually after installing it.

When you install a program, a post task will create an entry in the application list. For example, if you install Librewolf using its deb repo, apt will create the entry and you will be able to select it in the application menu of all qubes linked to that template.

Do I need to do anything with the Librewolf configuration, or a bare metal config sort of thing? How do I remove Firefox completely from the Debian template, so that it doesn’t also display application missing?

The easiest way to harden Firefox is downloading and using Mullvad Browser.

For debian-12-xfce, create a disposable template. Download Mullvad Browser, set it up. And then use it in dispXXXX qubes.

Librewolf is already configured. You have some things you can decide to change in the settings menu. They have a custom tab with some options you can enable or disable.

The Debian template includes FirefoxESR. Use this command to remove it:

sudo apt remove firefox-esr

Thank you

There are a few things you can do to harden Firefox on Qubes and have those changes apply throughout AppVMs and DispVMs:

1. Add a hardened user.js config to Firefox.

  1. In a DispVM, start Firefox with the --ProfileManager flag to create a new profile. Name the profile hardened and then close the profile manager.
     firefox --ProfileManager
  2. Download Arkenfox’s hardened config. The most recent one for Firefox ESR 115 (the version of FF in the Debian package repo) is v115-1:
     wget https://github.com/arkenfox/user.js/archive/refs/tags/115.1.tar.gz
     tar -xvf ./115.1.tar.gz
  3. Move the user.js file to the hardened profile:
     mv ./user.js-115.1/user.js ~/.mozilla/firefox/*.hardened/
  4. Copy the ~/.mozilla/ directory to a TemplateVM with Firefox installed:
     qvm-copy ~/.mozilla/
  5. In the TemplateVM, move the .mozilla directory to /etc/skel/ (writing there requires root). Now, when you create new DispVMs off of that TemplateVM, the DispVM will copy the hardened config to $HOME and use it when running Firefox. New AppVMs will also use the hardened config, but for existing AppVMs you’ll have to copy the config to your Firefox profiles manually.
     sudo mv ~/QubesIncoming/disp*/.mozilla/ /etc/skel/

2. Use firejail to sandbox the Firefox process

user.js hardens Firefox at the application level. To sandbox applications at the system level, use a sandboxing tool such as firejail.

  1. In the TemplateVM, download firejail:
     sudo apt-get install -y firejail
  2. Alias the firefox command by adding a bash alias in /etc/skel/.bash_aliases (the file is root-owned, so append through sudo tee):
     echo 'alias firefox="firejail firefox"' | sudo tee -a /etc/skel/.bash_aliases > /dev/null
     echo 'alias firefox-esr="firejail firefox-esr"' | sudo tee -a /etc/skel/.bash_aliases > /dev/null

     After this modification, the firefox and firefox-esr commands will be wrapped in firejail when running them from the command line for DispVMs and new AppVMs. For existing AppVMs, you’ll have to manually copy the .bash_aliases file to $HOME.

  3. Modify the Firefox desktop file to wrap it in firejail.
     sudo sed -i 's|Exec=/usr/lib/firefox-esr/firefox-esr|Exec=firejail /usr/lib/firefox-esr/firefox-esr|g' /usr/share/applications/firefox-esr.desktop

     After this modification, when launching Firefox from the application menu, it will be launched using firejail.

Firejail is quite complicated and can be configured in many different ways using firejail profiles. Debian’s default firejail installation comes with profiles for many applications, including firefox, and includes global configurations.
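
A check that the three template changes from the post above are actually in place, as an added example that is not part of the thread or written by any of its posters. The function names, the root-directory argument and the sample profile name abcd1234 are assumptions made for illustration; the paths and alias lines are the ones given in the post.

```shell
# Added example, not from the thread. The argument is the filesystem root to
# inspect (pass / inside the TemplateVM); with no argument a sample is audited.

# A *.hardened profile in /etc/skel must contain a non-empty user.js.
check_userjs() {
    for p in "$1"/etc/skel/.mozilla/firefox/*.hardened; do
        [ -s "$p/user.js" ] && return 0
    done
    return 1
}

# Both aliases from the post must be present in the skeleton .bash_aliases.
check_aliases() {
    f="$1/etc/skel/.bash_aliases"
    [ -f "$f" ] || return 1
    grep -q '^alias firefox="firejail firefox"$' "$f" &&
        grep -q '^alias firefox-esr="firejail firefox-esr"$' "$f"
}

# Every Exec= line of the desktop file must start with firejail.
check_desktop() {
    f="$1/usr/share/applications/firefox-esr.desktop"
    grep -q '^Exec=' "$f" 2>/dev/null || return 1
    ! grep '^Exec=' "$f" | grep -qv '^Exec=firejail '
}

# Run all checks, print one line per check, return non-zero on any failure.
audit() {
    rc=0
    for c in check_userjs check_aliases check_desktop; do
        if "$c" "$1"; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample tree (not real template contents) for a dry run.
make_sample() {
    s="$1/etc/skel"; a="$1/usr/share/applications"
    mkdir -p "$s/.mozilla/firefox/abcd1234.hardened" "$a"
    echo 'user_pref("constructed.sample", true);' > "$s/.mozilla/firefox/abcd1234.hardened/user.js"
    printf '%s\n' 'alias firefox="firejail firefox"' \
        'alias firefox-esr="firejail firefox-esr"' > "$s/.bash_aliases"
    printf '%s\n' '[Desktop Entry]' \
        'Exec=firejail /usr/lib/firefox-esr/firefox-esr %u' > "$a/firefox-esr.desktop"
}

root="${1:-}"
if [ -z "$root" ]; then root=$(mktemp -d); make_sample "$root"; fi
audit "$root"
```

Re-running it after template updates is worthwhile, because a package upgrade replaces package-owned files such as /usr/share/applications/firefox-esr.desktop and would silently undo the sed edit.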