ThePorgs / Exegol-images

Docker images of the Exegol project
https://exegol.readthedocs.io/
GNU General Public License v3.0
73 stars 56 forks

Firefox policy #325

Open lap1nou opened 2 months ago

lap1nou commented 2 months ago

Description

This aims to simplify the maintenance of the Firefox configuration using Firefox policy (https://mozilla.github.io/policy-templates/). Firefox policy can be very powerful to unify the Exegol Firefox configuration into one single file which contributors can easily contribute to.

For example, adding a single bookmark is a tedious task since a contributor would need to download and open the SQLite database and this also means the bookmarks aren't visible easily.

If everything works fine, all we should need to do is place this policies.json file in the Firefox folder. I tested this on an Exegol container and it worked like a charm. This is also what I'm using in my NixOS config and it seems to work fine.

Related issues

N / A

Point of attention

Of course this is a simple example. If you like the idea, I can expand the policy file in order to add the already present bookmarks and extensions.

ShutdownRepo commented 2 months ago

Awesome! @Dramelac and I think this could also be interesting in my-resources as well. I would gladly merge an expanded version of this 🙏

lap1nou commented 2 months ago

Hey @ShutdownRepo I updated the policy, it should:

If you think the policy is fine like that, I can remove the current Firefox install Python script and modify the current install script to copy the policy in the correct folder.

Regards.

ShutdownRepo commented 2 months ago

Awesome, @Skileau, as you developed the initial Firefox integrations, do you mind checking this out and sharing your POV? Whatever the outcome, I'm putting this PR on hold as we are in the process of an image release; we will merge afterwards, in order to have this change tested in nightly before release.

Skileau commented 2 months ago

Very interesting! This would probably be much more optimized than my basic and functional implementation.

I would be glad to take a look at this next weekend.

QU35T-code commented 2 months ago

@lap1nou,

Can you specify into which folder we need to add this file? I tried and didn't reproduce.

lap1nou commented 2 months ago

Hello @QU35T-code,

In /usr/lib/firefox-esr/distribution/policies.json.

Regards.

Skileau commented 2 months ago

@lap1nou Could you please also explain from where/how you extracted the addons names to enter them in the configuration file?

lap1nou commented 2 months ago

Hey @Skileau,

I added a comment in the JSON file for this specific reason:

"ExtensionSettings_Comment": "To get the 'ID' of a plugins, type 'about:memory' in Firefox url bar, source: https://stackoverflow.com/questions/48056506/get-add-on-id-of-extensions-in-firefox"

Basically, I manually installed an addon and then looked up its "name / id" in the about:memory memory profiler.

This is the only way I found unfortunately.

Regards.

Skileau commented 2 months ago

Thank you for the information @lap1nou 🙂 We have already implemented an automated way to retrieve this ID, I just wanted to make sure that you did not have a more optimised way to do so.

As discussed with @ShutdownRepo on Discord, we will keep our script to retrieve the ID of addons and use it to generate a policy.json file automatically with the structure you suggest (hardcoded values require a manual operation and may cause malfunctions in future updates).

lap1nou commented 2 months ago

Good @Skileau,

Do you want me to do all of this in this PR?

Skileau commented 2 months ago

Hi @lap1nou as you prefer 🙂 I can work with you on the integration of policy.json in the existing code if you want.

Otherwise here are the next steps:

You can make all the changes in this PR so that everything related to this subject is centralised here.

QU35T-code commented 1 month ago

Hello @Skileau, @lap1nou and @gbe.

Is this PR ready for you, or are some additions missing? If you're still working on it, I'll turn it to draft. You can reopen it at any time when it's ready.

lap1nou commented 1 month ago

For me, I think it should be ready @QU35T-code

Skileau commented 1 month ago

Hello 🙂 All good for me except the "trust-ca-burp.sh" integration to the web installer package. The first objective of this script was to generate a BurpCommunity CA specific to each Exegol instance and trust it, it was not expected to be run at the image build.

If we run it at build, wouldn't it trust the same CA for everyone and lead to a potential MitM risk for users of Firefox in Exegol?

Also, we lose the possibility for users to automatically install their favourite addons via "my-resources".

lap1nou commented 1 month ago

Good catch @Skileau, sorry for that mistake. About the my-resources part, do you know what file I should modify so that end users can place their own Firefox policy file in my-resources? (and thus add their own addon as well)

Skileau commented 1 month ago

Hello,

I think that you could just replace current my-resources addon install function with your generate policy function using the default policy created at build as a template. It would be overwritten with an upgraded version containing user's custom addons. Also, don't hesitate to add user input validation on the link format to prevent bad input from breaking the whole policy. You can find current function here. Also make sure to update this one as well, it concerns user CA trust at container creation 🙂
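The my-resources flow suggested in the last comment, sketched as an added example (not code from the Exegol project): the build-time policy serves as a template, each user-supplied link is validated before it can reach `ExtensionSettings`, and a bad line is skipped instead of breaking the whole policy. It assumes one addons.mozilla.org add-on page link per line; `merge_user_addons`, the `addon_ids` mapping (standing in for the project's ID-retrieval script) and all sample values are constructed.

```python
import copy
import re

# Assumption: a user entry is an add-on page link on addons.mozilla.org.
AMO_LINK = re.compile(
    r"https://addons\.mozilla\.org/(?:[a-z]{2}(?:-[A-Z]{2})?/)?firefox/addon/"
    r"([a-z0-9][a-z0-9_-]{0,63})/?")
XPI_URL = "https://addons.mozilla.org/firefox/downloads/latest/{slug}/latest.xpi"

def merge_user_addons(template, user_lines, addon_ids):
    """Return (policy, rejected): the template plus validated user add-ons.

    addon_ids maps add-on slug -> extension ID (hypothetical interface to an
    existing ID-retrieval step).
    """
    policy = copy.deepcopy(template)  # never mutate the build-time default
    settings = policy.setdefault("policies", {}).setdefault("ExtensionSettings", {})
    rejected = []
    for raw in user_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not entries
        match = AMO_LINK.fullmatch(line)
        if match is None or match.group(1) not in addon_ids:
            rejected.append(line)  # drop this entry only, keep the policy intact
            continue
        slug = match.group(1)
        # setdefault: user input may add entries, never override template ones
        settings.setdefault(addon_ids[slug], {
            "installation_mode": "normal_installed",
            "install_url": XPI_URL.format(slug=slug)})
    return policy, rejected

# Constructed sample data (IDs and slugs are placeholders, not real add-ons).
TEMPLATE = {"policies": {"ExtensionSettings": {"example-proxy@example.invalid": {
    "installation_mode": "force_installed",
    "install_url": XPI_URL.format(slug="example-proxy")}}}}
ADDON_IDS = {"example-proxy": "example-proxy@example.invalid",
             "example-notes": "example-notes@example.invalid"}
USER_LINES = [
    "# my add-ons",
    "https://addons.mozilla.org/en-US/firefox/addon/example-notes/",
    "http://addons.mozilla.org/firefox/addon/example-notes/",            # not https
    "https://addons.mozilla.org.example.net/firefox/addon/example-notes/",  # wrong host
    'https://addons.mozilla.org/firefox/addon/example-notes/", "x": {',   # stray JSON
    "https://addons.mozilla.org/firefox/addon/example-proxy/",  # already in template
]

if __name__ == "__main__":
    merged, bad = merge_user_addons(TEMPLATE, USER_LINES, ADDON_IDS)
    print(sorted(merged["policies"]["ExtensionSettings"]), bad)
```

Serialising the returned dictionary with `json.dump` rather than by string templating means a stray quote in a link cannot change the structure of the policy file.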