Linux ransomware already infected at least tens of users

Discussion in 'malware problems & news' started by Minimalist, Nov 7, 2015.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    No, because chmod is also a library call; and the Metasploit interpreter process can tamper with a million other things.

    Firejail could probably do other things to make Metasploit not work, though.

    e.g. blanket denial of exec privileges, which *would* prevent the interpreter from running.

    Edit: stuff like this is why you want to enumerate "goodness" rather than "badness" IMO.
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Could you elaborate a bit?

    I remember that you're using AppArmor. Do you have rules in AppArmor to prevent such an attack? If so, perhaps we can "translate" that into a Firejail rule somehow.

    Yes, this is what the whitelist command in Firejail does but it's only implemented for user home, /dev, /media, /opt, /var, and /tmp directories.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Code:
    CHMOD(2)                   Linux Programmer's Manual                  CHMOD(2)
    
    NAME
           chmod, fchmod, fchmodat - change permissions of a file
    
    SYNOPSIS
           #include <sys/stat.h>
    
           int chmod(const char *pathname, mode_t mode);
           int fchmod(int fd, mode_t mode);
    
           #include <fcntl.h>           /* Definition of AT_* constants */
           #include <sys/stat.h>
    
           int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags);
    
    Not specific rules, no. For Firefox, I restrict its access to my home dir, and blanket deny its exec privileges across the entire filesystem. It could chmod +x stuff, but still wouldn't be able to run it, because AppArmor filters that call. And anything "spawned" in Firefox's address space would inherit all of those restrictions.

    Note too that my Firefox profile is not even particularly rigorous.

    ... Alas, firejail looks like it can't do the above. Probably not a big deal though, since spawned processes will inherit all of its restrictions, just as with AppArmor.

    Too bad, I guess. OTOH you can filter all kinds of stuff with seccomp.
     
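The "can chmod +x but still can't run it" behaviour GJ describes for AppArmor, and the remark that seccomp can filter the same kind of thing, as an added example that is not from this thread, from Firejail or from AppArmor: the program below installs a seccomp-BPF filter that makes execve and execveat fail with EPERM, then shows that chmod on a file still succeeds while both the sandboxed process and a child it forks afterwards are refused exec. The function names, the temp-file path, and the small shell script used as a payload are my own constructions; the filter is a plain deny-exec list, not Firejail's profile.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define PROBE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define PROBE_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define PROBE_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef __NR_execveat
#define __NR_execveat __NR_execve   /* old headers: check execve twice */
#endif

/* Deny exec at the syscall layer: execve/execveat return EPERM, everything else
 * passes. This is the seccomp analogue of an AppArmor profile that grants no 'x'. */
static int install_noexec_filter(void)
{
    struct sock_filter filter[] = {
        /* kill the process if the syscall ABI is not the one we compiled for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROBE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* execve or execveat -> EPERM, anything else -> allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
    /* an unprivileged process must set no_new_privs before installing a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Run the script via /bin/sh (so a noexec /tmp does not skew the result).
 * Returns 0 when the kernel refused with EPERM; 42 if the script actually ran. */
static int try_exec(const char *script)
{
    char *argv[] = { "/bin/sh", (char *)script, NULL };
    char *envp[] = { NULL };
    execve("/bin/sh", argv, envp);      /* only returns on failure */
    return errno == EPERM ? 0 : 13;
}

static int child_probe(const char *path)
{
    if (install_noexec_filter() != 0) return 10;
    /* chmod is not filtered: the sandboxed process can still mark the file +x ... */
    if (chmod(path, 0755) != 0) return 11;
    /* ... a process it forks inherits the filter and is refused exec ... */
    pid_t pid = fork();
    if (pid < 0) return 12;
    if (pid == 0) _exit(try_exec(path));
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return 14;
    /* ... and so is the sandboxed process itself. */
    return try_exec(path);
}

/* Writes a constructed shell script to a temp file and runs the probe in a child.
 * Returns the child's code: 0 means "chmod succeeded, exec denied everywhere". */
int run_noexec_probe(void)
{
    char path[] = "/tmp/noexec-probe-XXXXXX";   /* hypothetical path, mkstemp fills it */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    const char script[] = "#!/bin/sh\nexit 42\n";   /* constructed payload */
    if (write(fd, script, sizeof(script) - 1) != (ssize_t)(sizeof(script) - 1)) {
        close(fd); unlink(path); return -1;
    }
    close(fd);
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) _exit(child_probe(path));
    int status = 0;
    waitpid(pid, &status, 0);
    unlink(path);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    int rc = run_noexec_probe();
    printf("noexec probe: %s (code %d)\n", rc == 0 ? "chmod allowed, exec denied" : "unexpected", rc);
    return rc == 0 ? 0 : 1;
}
```

The filter is installed in a forked child so the parent keeps its normal ability to exec; a filter, once installed, cannot be removed and is inherited by every descendant, which is the same "spawned processes inherit the restrictions" property the post attributes to AppArmor. Returning EPERM instead of killing the process keeps the sandboxed program running so that it can report what happened.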
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Thanks for your comments!

    Yes, but this would make using Firejail probably much more complicated if you want to avoid breaking too many things. On the other hand I think the sandbox is strong and the list of blacklisted files/folders is rather comprehensive and contains the "usual suspects" (as Captain Renault would have put it ;) ). Thus, it's a good mix of easy usage and good security.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @GJ : Just a second thought about ...

    I think the difference is that you can deny exec permissions with AppArmor but not with Firejail. Firefox, e.g., needs read and write permissions to /tmp (that's why it's not blacklisted in Firejail) but Firejail can't prevent something being executed, IMO. Or am I missing something?
     