The Linux desktop has seen great advances in desktop app containerization and process-isolating sandbox technologies. Keeping programs from getting hold of each other’s environments and files can greatly improve security if something were to go wrong with a program. Flatpak and Snap are the two leading implementations on the desktop.
I’ve previously praised the added security I get when playing Steam games inside a Flatpak container. I’m overdue to extend that protection to the web browser. I believe I’ll sleep better at night knowing there was an additional security layer between my web browser and the rest of my system.
To this end, I wanted to compare the current versions of Firefox Flatpak and Firefox Snap on Fedora 31. Due to the nature of containerized apps, you can expect my experiences to translate to other Linux distributions.
I’ll test Firefox 71 from the Fedora Flatpak repository, and Firefox 71 stable from the Canonical Snapcraft Store. I’ll refer to these as “Firefox Flatpak” and “Firefox Snap” throughout this article. Please note that you can use alternative Flatpak repositories such as Flathub. These alternate repositories may come with different variants of Firefox with other default limitations and capabilities.
The below table is a quick comparison of the features and limitations I’ll go through in greater detail in this article. The benchmark figures are relative to Firefox installed unconstrained on the host system.

| | Firefox Flatpak | Firefox Snap |
|---|---|---|
| File system protection | | |
| Home directory | Read-only, can revoke | Read-only, irrevocable |
| USB/U2F security token | Blocked | Allowed |
| Webcam / mic | Blocked | Allowed |
| UI & web font | Good defaults | FreeMono-only |
| HiDPI (4K) support | Good | Tiny mouse cursor |
| UI responsiveness | Consistently fast | Some slow-downs |
| Start-up time | 720 ms | ~11 sec |
| Speedometer 2 | -24,9 % | -4,7 % |
| JetStream 2 | -11,3 % | -4,6 % |
| MotionMark 1.1 | -65,2 % | -10,4 % |
File system access restrictions
Firefox Flatpak sandboxes system-level directories like /etc/ and /var/. Firefox Snap has the same access to system-level directories as the user running it.
By default, Firefox Flatpak has read-access to the entire home directory. It also has read and write access to ~/.mozilla/, ~/.cache/firefox/, and ~/Downloads/. This is where Firefox normally keeps its user data plus the default ephemeral downloads directory.
You can revoke Flatpak’s access to the home directory (while maintaining the specific permissions mentioned above) by running the below command. You can still access files in your home directory using the File: Open dialog and when choosing which files to upload.
Firefox Snap has irrevocable read-only access to non-hidden files and directories in the home directory. Hidden files are files and directories whose name starts with a “.”.
In other words, it restricts access to sensitive areas like ~/.ssh/ and ~/.bitcoin/ but does nothing to restrict access to your ~/Documents/ and ~/Pictures/. At least one of these directories has been the target of an old Firefox exploit.
Anything it wants to write to the home directory or read from a dot-directory is redirected to ~/snap/firefox/common/.
Both variants sandbox /tmp/ (boot-cycled temporary files), but only Firefox Flatpak sandboxes /var/tmp/ (reboot-persistent ephemeral files).
Firefox Snap has the more restrictive default home directory protection of the two. However, only Firefox Flatpak limits access to system directories, and Firefox Flatpak can be configured to be the more restrictive of the two by revoking its access to the home directory.
Your web browser will need access to your webcam and microphone for video conferencing and the like. It will also need access to U2F devices if you’ve set up any online accounts with two-factor authentication using a USB security key token.
Snap comes with dedicated hardware device access policies for specific device categories such as USB security key tokens and webcams. Firefox Snap, by default, has access to your webcam, microphone, and USB security tokens.
Firefox Flatpak is by default blocked from accessing any of your hardware devices. This offers stronger security and privacy protections but comes at a loss of functionality. This can be crippling if you use services that require U2F, like Google Advanced Protection.
Apart from GPU access, Flatpak has only two access policies for devices: allow access to all devices or block access to all devices. You can flip this policy using the following command:
You can change the device-access policies under both Flatpak and Snap. You’ll need to memorize commands and restart the browser if you want to turn these on and off depending on your needs. This is probably too much of a bother for most people.
This comes down to how paranoid you want to be about your device security. Blocking the browser from accessing your camera and microphone may be considered a net benefit unless you use them every day.
Firefox Snap has out-of-the-box support for experience- and security-enhancing hardware devices. This is a double-edged sword: it also means a potential exploit could gain access to your device’s microphone and camera. Firefox Flatpak has no granular controls for device access beyond the GPU. You either give it access to all your devices or none at all (the default).
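The two sections above describe which file system and device grants each sandbox gives Firefox and how to revoke them. The script below is an added example written for this article, not code from the article, Fedora, Canonical, or the Flatpak and Snap projects. It reads the permission listings the two tools print (`flatpak info --show-permissions` and `snap connections`), flags the grants that widen the sandbox (home or host file access, all-devices access, `talk` access to the org.freedesktop.Flatpak bus name, and connected camera, microphone and USB interfaces), and prints the `flatpak override` / `snap disconnect` command that removes each one. It assumes the Flatpak app ID org.mozilla.Firefox (the ID used by the Fedora repository) and a snap named `firefox`; the two sample listings are constructed to exercise the checks and were not captured from a real system.

```shell
#!/bin/sh
# Audit what a sandboxed Firefox is actually granted and print the commands
# that tighten it. Added example for this article; not code from the article,
# Fedora, Canonical, or the Flatpak/Snap projects. Assumptions: Flatpak app ID
# org.mozilla.Firefox, snap name "firefox", and the keyfile layout printed by
# `flatpak info --show-permissions` / the table printed by `snap connections`.

# Print the ';'-separated values of KEY inside [SECTION] of a Flatpak
# permissions listing read on stdin, one value per line.
keyfile_values() {  # usage: keyfile_values SECTION KEY < permissions.txt
  awk -F= -v sec="[$1]" -v key="$2" '
    /^\[/ { in_sec = ($0 == sec); next }
    in_sec && $1 == key {
      n = split($2, v, ";")
      for (i = 1; i <= n; i++) if (v[i] != "") print v[i]
    }'
}

# Read a Flatpak permissions listing on stdin; print one WARN line per grant
# that widens the sandbox, each followed by the user-level override (no root
# needed) that removes it.
flatpak_audit() {  # usage: flatpak info --show-permissions APP | flatpak_audit APP
  app="$1"
  text=$(cat)
  printf '%s\n' "$text" | keyfile_values Context filesystems | while IFS= read -r fs; do
    base="${fs%%:*}"   # drop :ro / :rw / :create suffixes
    case "$base" in
      home|host|host-os|host-etc)
        echo "WARN filesystem=$fs: broad access to host files"
        echo "  fix: flatpak override --user --nofilesystem=$base $app" ;;
      "~/.ssh"|"~/.gnupg"|"~/.bitcoin")
        echo "WARN filesystem=$fs: secret-bearing directory exposed"
        echo "  fix: flatpak override --user --nofilesystem=$base $app" ;;
    esac
  done
  printf '%s\n' "$text" | keyfile_values Context devices | while IFS= read -r dev; do
    [ "$dev" = all ] || continue
    echo "WARN device=all: webcam, microphone and USB tokens reachable"
    echo "  fix: flatpak override --user --nodevice=all $app"
  done
  # Talk access to the Flatpak D-Bus name lets an app run commands on the
  # host (flatpak-spawn --host), which defeats the sandbox entirely.
  printf '%s\n' "$text" | keyfile_values "Session Bus Policy" org.freedesktop.Flatpak |
    while IFS= read -r policy; do
      case "$policy" in
        talk|own)
          echo "WARN org.freedesktop.Flatpak=$policy: can run commands on the host"
          echo "  fix: flatpak override --user --no-talk-name=org.freedesktop.Flatpak $app" ;;
      esac
    done
}

# Read `snap connections firefox` output on stdin; print one WARN line per
# connected interface that reaches a camera, microphone or USB device, each
# followed by the `snap disconnect` that unplugs it.
snap_audit() {  # usage: snap connections firefox | snap_audit
  awk '
    NR == 1   { next }   # column header
    $3 == "-" { next }   # plug exists but is not connected
    $1 == "camera" || $1 == "audio-record" || $1 == "u2f-devices" || $1 == "raw-usb" {
      printf "WARN snap interface %s is connected\n", $1
      printf "  fix: snap disconnect %s\n", $2   # $2 is snap:plug
    }'
}

# Constructed samples, not captured from a real system. The Flatpak listing
# models a Firefox Flatpak with the article's read-only home access that has
# additionally been granted all devices; the Snap listing models the article's
# default Firefox Snap with camera, microphone and U2F connected.
SAMPLE_FLATPAK='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home:ro;xdg-download;~/.mozilla;~/.cache/firefox;

[Session Bus Policy]
org.freedesktop.Notifications=talk
'
SAMPLE_SNAP='Interface        Plug                     Slot              Notes
audio-record     firefox:audio-record     :audio-record     -
camera           firefox:camera           :camera           -
home             firefox:home             :home             -
removable-media  firefox:removable-media  -                 -
u2f-devices      firefox:u2f-devices      :u2f-devices      -
'

echo "== Flatpak =="
printf '%s' "$SAMPLE_FLATPAK" | flatpak_audit org.mozilla.Firefox
echo "== Snap =="
printf '%s' "$SAMPLE_SNAP" | snap_audit
```

On a real system, pipe `flatpak info --show-permissions org.mozilla.Firefox` into `flatpak_audit org.mozilla.Firefox` and `snap connections firefox` into `snap_audit`. Overrides are stored per app ID; `flatpak override --user --show org.mozilla.Firefox` lists what is active and `flatpak override --user --reset org.mozilla.Firefox` clears it, while `snap connect firefox:camera` reconnects a disconnected interface. To confirm the boundary empirically rather than trusting the listing, open a shell inside the sandbox with `flatpak run --command=sh org.mozilla.Firefox` (or `snap run --shell firefox`) and try to list ~/.ssh or write to ~/Documents.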
Firefox Flatpak has the clear advantage when it comes to desktop environment integration. It uses the expected default system font for user interface elements and looks like any other GTK+ app. It looks and behaves like Firefox running unconstrained directly on the host system.
Firefox for Flatpak integrates with the FreeDesktop notification system (used by GNOME and KDE) for web notifications. The Snap variant doesn’t integrate with the system-wide notification system.
Its custom notification pop-overs don’t respect system settings for notifications (quiet hours, etc.). The custom notifications are easy to miss as they aren’t shown on top of other windows.
Firefox Snap looks good as well, but it has a few minor styling differences from other GTK+ apps. The most severe issue is that it uses FreeMono Regular (a fixed-width/monospace font) instead of a sans-serif font.
The font issue extends to the web as well. Every web page that doesn’t supply its own web fonts is rendered in FreeMono Regular instead. This breaks many website designs, and text legibility suffers badly compared to a sans-serif font. The issue is fixed in the beta release channel.
You can compare how fonts look in Firefox Flatpak versus Firefox Snap in the above video. You’ll also notice that the Snap version has an issue with the mouse cursor shrinking when entering the window.
The cursor changes the pointer-icon when moving it over the Firefox window. It also shrinks to half the expected size on a high-definition (HiDPI) display. Unfortunately, this isn’t just a cosmetic problem. You need to move the mouse twice the distance to get across the screen.
MPEG-4 (typically H.264 video and AAC audio in an MP4 container) is a popular, patent-encumbered multimedia format. Most videos you watch online — outside of YouTube — will probably be encoded in it. It is also the most common format for live-streaming video.
Firefox Snap comes with MPEG-4 support built-in. You shouldn’t have any problems watching videos on the web.
The main Fedora package repository doesn’t come with MPEG-4 video codec support for Firefox or other applications. This codec is patent- and license-encumbered which prevents Fedora from distributing it by default. The Fedora Flatpak repository has the same limitation.
However, you can install additional codecs on Fedora. The Flatpak sandbox prevents Firefox Flatpak from using codecs installed on the host; this is the sandbox doing its job. Unfortunately, you can’t install additional codecs into the Flatpak sandbox environment either.
The lack of MPEG-4 support is probably the key issue that will get someone to stop using Firefox Flatpak in favor of the unconstrained system default.
You can of course still use a secondary browser to watch videos and still do most of your visits to untrusted websites using Firefox Flatpak. (This is the solution I’m considering.)
Every Snap package I’ve tested has been slow to launch. It generally takes 5–12 seconds from when you start a program until it appears on the screen. Firefox Snap takes roughly 11 seconds to start.
Earlier this year, Snap fixed a font-caching issue that caused slow start-up times. I’m running a version with that fix. However, Firefox Snap’s font cache is notably still broken, which is also what causes the problem with the monospace font. It could still be the root cause of the start-up performance issue.
For comparison, Firefox Flatpak starts up in less than a second. Firefox Flatpak also feels more responsive when scrolling, switching tabs, and other UI operations. Firefox Snap has noticeable lag when performing the same operations.
Firefox Snap sees a much smaller performance penalty in synthetic benchmarks than Firefox Flatpak.
The Speedometer 2 benchmark tries to measure the responsiveness of web apps. Firefox Flatpak is almost 25 % slower than Firefox installed unconstrained on the system. Firefox Snap is penalized less than a fifth of that (4,7 %).
Firefox Flatpak tanks in the MotionMark 1.1 benchmark. It’s a full 65,2 % slower than Firefox running on the host system, while Firefox Snap is only 10,4 % slower. Both variants see the biggest difference in the canvas painting tests, where Firefox Flatpak scores 98,63 % lower than Firefox running on the host system.
Perceived performance undoubtedly feels better in Firefox Flatpak despite Firefox Snap crushing it in both graphical and computational synthetic benchmarks.
You may want to stick with an unconstrained installation of Firefox if you’re using older hardware that would be severely affected by the decreased performance. The relaxed sandboxing of Firefox Snap would still protect some of your files. Firefox Flatpak set to block home directory access will likely yield the highest level of protection, however.
Firefox Snap is the clear winner when it comes to capabilities, with support for video conferencing, USB security tokens, and video playback. These are arguably attack surfaces you may be better off without; you can use a separate browser for just these tasks. It comes down to whether you need these features regularly or not.
The performance story is quite interesting. The Flatpak sandbox hurts Firefox’s web performance badly. But it’s the Snap version that feels slow to use. The perceived performance may vary greatly depending on your hardware and which type of delays annoys you.
Update: Alexander Larsson from Red Hat pointed out that Firefox Flatpak isn’t built with profile-guided optimization (PGO). This could account for the performance difference. It’s also something concrete that Fedora can improve on to help bring performance on par with Firefox running directly on the host.
I think I’ll migrate to Firefox Flatpak at the start of the new year.
I may find the time to test Qubes OS first, though. It’s a Linux distribution where many tasks of the operating system are independently isolated from everything else. Although, I’m not sure whether I’d sleep better or lose sleep over jumping feet-first into something as complex as Qubes OS.