FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
  2. taytong888

    taytong888 Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    168
    Hello wat0114,
    Thanks for your reply. I was able to install the latest "firejail" version as you suggested. However, there's another problem since I also want to install "firectl":

    Code:
     
    sudo gdebi firectl_1.0-1_debian_all.deb
    Reading package lists... Done
    Building dependency tree   
    Reading state information... Done
    Building data structures... Done
    Building data structures... Done
    This package is uninstallable
    Dependency is not satisfiable: python3-click
    
    and...

    Code:
    sudo apt-get install python3-click
    Reading package lists... Done
    Building dependency tree   
    Reading state information... Done
    E: Unable to locate package python3-click
    
    Any suggestions?
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Oh, I see! I should have known this as I'm using Lastpass myself but not that specific feature.:oops:

    It's possible that - when using this feature - a file is created outside the normal ~/.lastpass folder. You can try to find out with inotify. For details see man inotify.
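The check suggested above, watching a directory tree for files that land outside the expected ~/.lastpass folder, as an added example that is not part of the original post or of firejail. It drives the raw inotify(7) calls through ctypes (Linux only), so it runs without inotify-tools; the fake $HOME, the `.lastpass` subfolder and the two files written into them are constructed for the demonstration.

```python
"""Spot files an application writes outside its expected data directory using
inotify(7).  Added example: raw inotify via ctypes, Linux only."""
import ctypes
import ctypes.util
import os
import select
import struct
import tempfile

# Event bits from <sys/inotify.h>
IN_CLOSE_WRITE = 0x00000008
IN_MOVED_TO = 0x00000080
IN_CREATE = 0x00000100
_WANTED = IN_CREATE | IN_MOVED_TO | IN_CLOSE_WRITE
_EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len (name[len] follows)

_libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_init1.restype = ctypes.c_int
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
_libc.inotify_add_watch.restype = ctypes.c_int


class DirWatcher:
    """Watch one or more directories (non-recursively, as inotify itself does)."""

    def __init__(self, directories):
        self.fd = _libc.inotify_init1(os.O_NONBLOCK)  # IN_NONBLOCK has the same value as O_NONBLOCK
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        self.paths = {}
        for d in directories:
            wd = _libc.inotify_add_watch(self.fd, os.fsencode(d), _WANTED)
            if wd < 0:
                raise OSError(ctypes.get_errno(), "inotify_add_watch failed: " + d)
            self.paths[wd] = d

    def poll(self, timeout=1.0):
        """Return [(path, kind), ...] for events that arrived within `timeout` seconds."""
        events = []
        ready, _, _ = select.select([self.fd], [], [], timeout)
        if not ready:
            return events
        buf = os.read(self.fd, 64 * 1024)
        off = 0
        while off + _EVENT_HDR.size <= len(buf):
            wd, mask, _cookie, length = _EVENT_HDR.unpack_from(buf, off)
            off += _EVENT_HDR.size
            name = buf[off:off + length].split(b"\0", 1)[0].decode(errors="replace")
            off += length
            if not mask & _WANTED:          # e.g. IN_IGNORED or queue overflow
                continue
            if mask & IN_CREATE:
                kind = "created"
            elif mask & IN_MOVED_TO:
                kind = "moved_in"
            else:
                kind = "written"
            events.append((os.path.join(self.paths.get(wd, "?"), name), kind))
        return events

    def close(self):
        os.close(self.fd)


def outside(events, allowed_dirs):
    """Keep only events whose path is not inside one of `allowed_dirs`."""
    allowed = [os.path.join(os.path.abspath(a), "") for a in allowed_dirs]
    return [(p, k) for p, k in events
            if not any(os.path.abspath(p).startswith(a) for a in allowed)]


def demo():
    """Constructed scenario: a fake $HOME whose app should only write to ~/.lastpass."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    lastpass = os.path.join(home, ".lastpass")
    os.mkdir(lastpass)
    watcher = DirWatcher([home, lastpass])
    try:
        with open(os.path.join(lastpass, "session"), "w") as f:   # expected location
            f.write("ok")
        with open(os.path.join(home, "stray.tmp"), "w") as f:     # outside the expected folder
            f.write("??")
        stray = outside(watcher.poll(timeout=2.0), [lastpass])
    finally:
        watcher.close()
    return sorted({os.path.basename(p) for p, _ in stray})


if __name__ == "__main__":
    print(demo())
```

To watch a real home directory you need one watch per subdirectory, since inotify does not recurse; `inotifywait -r ~` from inotify-tools does that bookkeeping for you, and any path it reports outside `~/.lastpass` is a candidate for a noblacklist or whitelist line in the profile.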
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I suggest that you shouldn't. firectl modifies the respective desktop files. But firejail-0.9.40 which will be available in a couple of days will contain its own firectl utility which uses the much better symlink invocation.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Here's an addition to our discussion some pages earlier regarding the question whether firejailing Chromium really makes sense. I wrote:
    Now I've found this document describing IPC used in Chromium/Chrome. The most interesting sentence is this one:
    The link therein points to a blog post that explains how such a bug was exploited at the Pwnium hacking competition in 2012.

    This confirms my assumption. And it confirms that firejailing Chromium makes sense, indeed.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Instead of using caps.drop I favor caps.keep which keeps the list much shorter.
    I chose
    Code:
    caps.keep sys_chroot,sys_admin
    So far I haven't noticed any drawbacks by not allowing sys_time,sys_tty_config,wake_alarm.
     
  7. taytong888

    taytong888 Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    168
    Hello summerheat,

    I installed firejail version 0.9.40-rc1. When 0.9.40 is available, should I remove the rc1 version first, or can I install 0.9.40 directly? I am not sure if "sudo apt-get update" works with a package that's not currently in Jessie's repositories.
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    IMO you don't need to remove. Just exit all firejailed programs before doing "dpkg -i firejail.xxx".

    It doesn't :)
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    That's much cleaner. Thanks summerheat!
     
  10. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Nice! I just started using these settings. If I notice any problems I'll post them.
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @summerheat Have you made any tests with firejail to see how it prevents exploits and protects against vulnerabilities?
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No, I haven't since I'm not experienced enough with that stuff. Have you?

    Perhaps Gullible Jones has done some more tests in the meantime. :shifty:
     
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    No :p I'm too paranoid to test these things on my main PC. My other PC is broken so I can't do squat with it.

    That would be fantastic :) Right @Gullible Jones ?

    Gosh, I feel naked when not using Grsec.
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @summerheat @amarildojr

    Probably not. If it works as advertised, and is configured correctly, it should be okay against ITW stuff.

    Also, to be honest, I'm starting to lose interest in infosec practice. Linux is still woefully insecure by default; Windows and OSX are wastelands of irredeemable awfulness; and various state actors have backdoored almost everything anyway. I see little progress, much regress, and no reason for either to change any time soon.

    The problems here are IMO much more political and social than technological.

    Thank you kindly for the mention though. :)
     
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    No problem ;)
     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I'm trying to run Steam with a custom command and with Firejail, but I'm unable to do so.
    Because Steam can't properly detect/load the Radeon libraries, you either need to delete a few libraries from Steam's runtime, or start it with the following command:
    Code:
    LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 '${LD_PRELOAD} steam
    However, I can't do that with Firejail.
    I tried editing Steam's profile:
    Code:
    noblacklist /usr/$LIB/libstdc++.so.6
    noblacklist /usr/$LIB/libgcc_s.so.1
    noblacklist /usr/$LIB/libxcb.so.1
    noblacklist /usr/$LIB/libasound.so.2
    Also, I tried:
    Code:
    [amarildo@amarildo ~]$ LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 '${LD_PRELOAD} firejail steam
    With no luck:

    Code:
      [amarildo@amarildo ~]$ LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 '${LD_PRELOAD} firejail steam
    Reading profile /etc/firejail/steam.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Warning: user namespaces not available in the current kernel.
    Parent pid 4609, child pid 4610
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
      Child process initialized
    /home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
    /home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
    Running Steam on arch 64-bit
    /home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
    STEAM_RUNTIME is enabled automatically
    Installing breakpad exception handler for appid(steam)/version(0)
    libGL error: unable to load driver: radeonsi_dri.so
    libGL error: driver pointer missing
    libGL error: failed to load driver: radeonsi
    libGL error: unable to load driver: radeonsi_dri.so
    libGL error: driver pointer missing
    libGL error: failed to load driver: radeonsi
    libGL error: unable to load driver: swrast_dri.so
    libGL error: failed to load driver: swrast
    Does anyone have any idea how to do this?
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    There's an answer in the issue you opened on the firejail github site. Have you tried that?
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't share this perspective. It's true that security is not the absolutely highest priority for Linus Torvalds. On the other hand there is

    • grsecurity
    • MAC-systems (AppArmor, SELinux, Tomoyo)
    • many new security features introduced in the past years (namespaces, seccomp, etc.)
    • package hardening in Fedora 23 - other distros will surely implement this, too
    Combining those readily available technologies provides very high security, IMO. Granted, many of those security technologies are not widely applied (because, realistically, Linux desktop users do not have to fear much right now). That's why, e.g., Firejail is a welcome contribution as it makes seccomp etc. available for many applications. Additionally, sandboxed applications are nearly ready for Gnome - and the KDE developers are also interested in that approach. Moreover, an initiative to make the kernel more secure will certainly show up some results in the future. And Wayland will finally replace X11 before long.

    So, yes, the situation isn't perfect - but it's certainly not as bad as you suggested, and it's going to be much better. ;)

    That's certainly true.

    You're very welcome! :thumb:
     
  19. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Yes, and it worked. I didn't know that could be a security issue (because Steam loads those files anyway), so I won't use that command anymore, I'll just delete parts of the Steam runtime and let it load OS-wide libraries.

    Note that he said "by default", and he's right: by default Linux is a security mess, though still way more secure than Windows.
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That's great! Could you, please, close this issue if it's solved for you?
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I will, as soon as I get back on Arch today.

    EDIT: Netblue already closed it.
     
    Last edited: Apr 25, 2016
  22. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I had missed this, your post earlier. Beautiful solution.
     
  23. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Wat0114 - can you post what you're using for the profile of Chromium right now?
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Sure, I just threw in a few extra capabilities:

    Code:
    firejail --caps.keep=sys_chroot,sys_admin,sys_time,sys_tty_config,wake_alarm chromium
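Both caps.keep lists in this thread (summerheat's `sys_chroot,sys_admin` and the longer one just above) can be verified from inside the jail by reading the `Cap*` lines of `/proc/self/status`, which are hex bitmasks. The decoder below is an added example, not firejail code; the capability numbering follows linux/capability.h (bit 0 = chown, bit 18 = sys_chroot, bit 21 = sys_admin, bit 35 = wake_alarm), and the two status snippets are constructed.

```python
"""Decode CapEff/CapBnd masks from /proc/<pid>/status and compare them with a
firejail caps.keep list.  Added example; numbering per linux/capability.h."""

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_INDEX = {name: i for i, name in enumerate(CAP_NAMES)}


def mask_for(names):
    """Bitmask for a caps.keep style list, e.g. 'sys_chroot,sys_admin'."""
    if isinstance(names, str):
        names = [n.strip() for n in names.split(",") if n.strip()]
    mask = 0
    for n in names:
        n = n.lower()
        if n.startswith("cap_"):          # accept capsh-style CAP_SYS_ADMIN too
            n = n[4:]
        mask |= 1 << CAP_INDEX[n]         # KeyError on an unknown capability name
    return mask


def names_for(mask):
    """Capability names set in a bitmask, lowest bit first."""
    return [name for i, name in enumerate(CAP_NAMES) if (mask >> i) & 1]


def parse_status(text):
    """Pull the Cap* lines (hex masks) out of a /proc/<pid>/status dump."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, val = line.partition(":")
            caps[key.strip()] = int(val.strip(), 16)
    return caps


def unexpected_caps(status_text, keep):
    """Capabilities in CapEff or the bounding set (CapBnd) beyond the keep list.

    An empty result means the process cannot regain anything outside caps.keep,
    even through a setuid helper, because the bounding set limits it."""
    caps = parse_status(status_text)
    allowed = mask_for(keep)
    extra = (caps.get("CapEff", 0) | caps.get("CapBnd", 0)) & ~allowed
    return names_for(extra)


# Constructed /proc/<pid>/status excerpts: an unconfined root process, and a
# jailed one whose bounding set matches caps.keep sys_chroot,sys_admin.
STATUS_ROOT_UNJAILED = (
    "Name:\tchromium\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
)
STATUS_JAILED = (
    "Name:\tchromium\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000240000\n"
)

if __name__ == "__main__":
    print(hex(mask_for("sys_chroot,sys_admin")))
    print(unexpected_caps(STATUS_ROOT_UNJAILED, "sys_chroot,sys_admin"))
    print(unexpected_caps(STATUS_JAILED, "sys_chroot,sys_admin"))
```

For a live check run the decoder against `/proc/self/status` from a shell started under the same profile; `capsh --decode=<hex>` from libcap gives the same answer if you prefer a one-liner.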
     
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Thanks, I'll change mine also. I meant though the profile in etc/firejail/chromium

    Code:
    # Chromium browser profile
    noblacklist ${HOME}/.config/chromium
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc

    # chromium is distributed with a perl script on Arch
    # include /etc/firejail/disable-devel.inc
    #

    netfilter
    whitelist ${DOWNLOADS}
    whitelist ~/.config/chromium
    whitelist ~/.cache/chromium
    include /etc/firejail/whitelist-common.inc
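The profile above only makes sense once the include lines are expanded: the `noblacklist` on line two has to come before `disable-common.inc` is pulled in, otherwise a later `blacklist` of the same path would win and the `whitelist ~/.config/chromium` would point at a hidden directory. The resolver below is an added example, not firejail code. It expands includes and `${HOME}`, `${DOWNLOADS}` and `~`, applies the noblacklist-before-blacklist rule (treated here as an exact-path match, which is an assumption of the example), and flags whitelisted paths that are still blacklisted. The `.inc` file contents are constructed stand-ins; the real files shipped with firejail are longer and change between versions.

```python
"""Resolve a firejail profile into its effective rules.  Added example; the
.inc contents in FILES are constructed stand-ins for the real include files."""
from collections import namedtuple

Directive = namedtuple("Directive", "keyword arg source lineno")

FILES = {
    "/etc/firejail/chromium.profile": """\
# Chromium browser profile
noblacklist ${HOME}/.config/chromium
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc

# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc

netfilter
whitelist ${DOWNLOADS}
whitelist ~/.config/chromium
whitelist ~/.cache/chromium
include /etc/firejail/whitelist-common.inc
""",
    # constructed stand-ins, not the real include files
    "/etc/firejail/disable-mgmt.inc": "blacklist /sbin\nblacklist /usr/sbin\n",
    "/etc/firejail/disable-secret.inc": "blacklist ${HOME}/.ssh\nblacklist ${HOME}/.gnupg\n",
    "/etc/firejail/disable-common.inc": "blacklist ${HOME}/.config/chromium\nblacklist ${HOME}/.bashrc\n",
    "/etc/firejail/whitelist-common.inc": "whitelist ~/.fonts\nwhitelist ~/.config/fontconfig\n",
}


def expand(arg, env):
    """Expand ${VAR} references and a leading ~ the way the profile lines use them."""
    for key, val in env.items():
        arg = arg.replace("${%s}" % key, val)
    if arg == "~" or arg.startswith("~/"):
        arg = env["HOME"] + arg[1:]
    return arg


def resolve(profile, files, env, stack=()):
    """Flat directive list with every include expanded in place (cycle-safe)."""
    if profile in stack:
        raise ValueError("include cycle: " + " -> ".join(stack + (profile,)))
    if profile not in files:
        raise FileNotFoundError(profile)
    out = []
    for lineno, raw in enumerate(files[profile].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment (incl. commented-out include)
            continue
        keyword, _, arg = line.partition(" ")
        arg = expand(arg.strip(), env)
        if keyword == "include":
            out.extend(resolve(arg, files, env, stack + (profile,)))
        else:
            out.append(Directive(keyword, arg, profile, lineno))
    return out


def effective_rules(directives):
    """Drop blacklist entries cancelled by an earlier noblacklist (assumed exact-path
    match) and report whitelisted paths that remain blacklisted."""
    noblacklist, blacklist, whitelist, options = set(), [], [], []
    for d in directives:
        if d.keyword == "noblacklist":
            noblacklist.add(d.arg)
        elif d.keyword == "blacklist":
            if d.arg not in noblacklist:
                blacklist.append(d.arg)
        elif d.keyword == "whitelist":
            whitelist.append(d.arg)
        else:
            options.append(d.keyword)              # netfilter, seccomp, caps.*, ...
    return {
        "blacklist": blacklist,
        "whitelist": whitelist,
        "options": options,
        "conflicts": [p for p in whitelist if p in blacklist],
    }


def audit(profile, files=FILES, env=None):
    env = env or {"HOME": "/home/user", "DOWNLOADS": "/home/user/Downloads"}
    return effective_rules(resolve(profile, files, env))


if __name__ == "__main__":
    for key, val in audit("/etc/firejail/chromium.profile").items():
        print(key, val)
```

Running `audit` on a copy of the profile with the `noblacklist` line removed lists `~/.config/chromium` under `conflicts`, which is the misconfiguration the ordering in the real profile avoids.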
     