Here's a pretty cool app, FireJail - https://l3net.wordpress.com/projects/firejail/ I've been looking for a simple effective way (outside of a VM) to sandbox my browser in Linux. Found it... "Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces." EDIT: Killer feature - In private mode Firejail mounts empty temporary filesystems (tmpfs) on top of the user home directory and /tmp. Closing the sandbox will discard any new files created in these directories. You can use this option when you want to protect all the files in your user account.
$ firejail --private firefox
AppArmor, FireJail guarding Chrome, I can't imagine anything could escape those policy/virtualisation/sandbox layers
Forgive my ignorance... so you're saying a kernel exploit could bypass Firejail? I have just stumbled across this app today and haven't had time to poke at it yet. EDIT: After a quick look I would say this goes a good way to reducing the attack surface, as Firejail uses seccomp filters, limiting system calls and limiting arguments to them.
It uses seccomp? Nice. Perhaps I'll try it out... I have to admit I've been less into client-side and desktop security since the Shellshock embarrassment though.
I roll my own version of this, though it's not feature-complete yet. A kernel exploit will still bypass this - for example, the futex_requeue vulnerability would bypass the sandbox as the system call futex is allowed. An application at *minimum* will require at least mmap, brk, and a few other syscalls - and more to be useful. That's plenty of attack surface, which is why you still need to take care and secure your kernel.
Chrome/Chromium already uses the SUID sandbox - https://code.google.com/p/chromium/wiki/LinuxSandboxing
Hi all, Is there a good tutorial of this program? I want to know how to install and how to use it, my pc runs manjaro. Thanks!!!
FYI, best as I can tell on Manjaro, the firejail package is not in the official repositories. You have to build from the AUR.
Hi all. I installed firejail this way: yaourt firejail, then I installed Opera. Now to start firejail I do this in the Terminal: firejail, then I do this: firejail opera, and it says: Child process initialized parent is shutting down, bye... And Opera appears. Is it sandboxed now? Is that the way to use it? Thanks, this is the first time I do it.
I have learned how to run the sandbox: open the terminal and write "firejail --private opera" and the Opera browser opens sandboxed, it is good. I like Manjaro very much, everything runs in this distro.
Does anybody know how to use the Tor Browser with this? firejail tor/tor-browser/start-tor-browser don't work...
Hi all, do you know "minijail"? Opening the Terminal and writing "jail", it shows: aur/minijail R37.5978-1 (0) Tool to run a process in jailed environment. And there's another one: appjail aur/appjail 2-1 (2) Sandboxing tool to protect private data from untrusted applications. Thanks for the answers.
Excellent stuff - looks like firejail is acting as a front-end to seccomp-bpf with a sensible default set of filters for dangerous system calls, is that your interpretation? Sandboxie for Linux anyone? Modern Chrome/Chromium are already using seccomp-bpf filtered to what they require. Hopefully, it's a bit easier to use than Apparmor.
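To make concrete what "a front-end to seccomp-bpf with a default set of filters for dangerous system calls" means, and the earlier point that any allowed syscall (mmap, brk, futex, ...) stays reachable through the filter, here is an added example, not Firejail's own code, of the mechanism Firejail drives. It installs a tiny seccomp-bpf blacklist in a forked child that kills the process with SIGSYS if it calls the blocked syscall; getppid(2) stands in for a "dangerous" syscall only because it is harmless to test. The architecture check at the top of the filter is there because syscall numbers differ per ABI, so a filter that skips it can be fooled by a process switching ABIs. The function names and the choice of blocked syscall are this example's own assumptions.

```c
/*
 * Added example (not Firejail's own code): a minimal seccomp-bpf syscall
 * blacklist of the kind Firejail installs with --seccomp. Everything is
 * allowed except one chosen syscall number, which kills the caller with
 * SIGSYS. Linux only.
 */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Architecture tag the filter verifies before trusting the syscall number. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a filter that kills the process if it invokes `blocked_nr`. */
static int install_blacklist_filter(int blocked_nr)
{
    struct sock_filter code[] = {
        /* Load the arch field; kill unless it matches the compiled-for ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; kill if it is the blacklisted one. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)blocked_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Every other syscall passes through to the kernel unchanged. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(code) / sizeof(code[0])),
        .filter = code,
    };
    /* no_new_privs lets an unprivileged process install a filter safely. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/*
 * Fork a child, optionally install the filter blocking getppid(2), then call
 * getppid(). Returns 0 if the child exited normally, the signal number that
 * terminated it (SIGSYS when the filter fired), or -1 on setup failure.
 */
int run_child(int with_filter)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (with_filter && install_blacklist_filter(__NR_getppid) != 0)
            _exit(2);
        (void)getppid();   /* blocked -> SIGSYS; allowed -> returns normally */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
    printf("no filter: %s\n", run_child(0) == 0 ? "getppid allowed" : "unexpected");
    printf("filter   : %s\n", run_child(1) == SIGSYS ? "getppid killed with SIGSYS" : "unexpected");
    return 0;
}
```

The point the thread makes follows directly from the last filter line: SECCOMP_RET_ALLOW hands every non-blacklisted syscall to the kernel untouched, so a bug in an allowed syscall is still reachable from inside the sandbox, which is why a hardened kernel remains part of the picture.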
I'm liking Firejail – (currently using it for my browser only) firejail --seccomp --debug firefox provides a nice concise readout of what's restricted. Too bad there's no 32 bit installer.
Me too - trying it on Linux Mint 17. It looks quite mature and functional to me, with switches to add/remove system calls or create custom profiles. I like that. As noted, I'd also like a tutorial to help with when/how to use namespaces, private, overlayFS and the bridging functions, although the project site itself is pretty good if you read the documentation. I've tried opening straight, with seccomp and with --caps (Linux capabilities which is, I think, a thread user permissions thing), on Firefox and LibreOffice, worked fine. It seems to be using a combination of system controls, not just seccomp. So, I like this very much indeed and will continue using it. I think it's crying out for a graphical front-end/controller, and it's reminding me of Sandboxie (but more controllable?). I would like it to do things like visually mark applications which are firejailed (the way Qubes and Sandboxie do), but I don't know how easy it would be to do this.
I'm running Google Chrome, Thunderbird and QuiteRSS under Firejail on Arch Linux right now. Looks good, so far no problems. I will try to fine-tune the profiles in the next days. An enhanced blacklist option in future Firejail versions would be welcome.
Yes, and seccomp-bpf and Yama LSM (the latter not on Debian Wheezy and Jessie, though - why?). However, the blacklist option is still useful - sort of "Apparmor light".
Hi tlu, what are the additional advantages to sandboxing Chrome/Chromium with this, over the sandboxing Linux already provides?