FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Thanks.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Has anyone actually tested Firejail to see if it's effective against exploits?
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, I haven't. But it would be really great if someone could use the full Metasploit arsenal to perform some attacks. I'm not an expert on that, though.
     
  5. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    I am getting tons of error messages but some are non-trivial I guess:

    Pango-WARNING **: error opening config file [path/to/pangorc] not authorized

    I am not quite sure firejail is working like it should. Any ideas?
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Hard to tell if we don't know which profile is affected. And does it really say "path/to/..." or is a specific directory mentioned?
     
  7. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Your ~/.config file is blacklisted in firejail's firefox profile which comes with Parabola. Removing "blacklist ${HOME}/.config" from /etc/firejail/firefox.profile will solve your problem. Even the pango error is another trivial error related to pango library which provides something like some multi-language text support. If you can put up with this error, it will be better security-wise to not remove ~/.config from the blacklist. You can also try "read-only ${HOME}/.config" to see if this can solve your problem.
     
  8. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    Sorry, I was talking about the firefox (icecat, iceweasel) profile. A specific directory is mentioned, home/username/.config/pango/pangorc.

    Thanks a lot for your comment. I can (and have) put up with this message, I didn't know what to make of it. Thanks again. I will try "read-only ${HOME}/.config" later.
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I'm a bit confused. The default Firefox profile definitely does not contain the rule "blacklist ${HOME}/.config" as completely blacklisting that folder would break a lot of things, indeed. Rather, the file disable-mgmt.inc is included which contains the rule "blacklist ${HOME}/.config/firejail" which doesn't break anything.
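
The two rules contrasted in the posts above can be checked mechanically. The following is an added example, not part of the thread and not firejail's own code: a small Python parser that reports which `blacklist`, `read-only` or `tmpfs` rule in a profile covers a given path, run against the pangorc path from the Pango warning. The sample profiles are constructed from rules quoted in the thread, and the `${PATH}` directories and the home directory `/home/username` are assumptions.

```python
import fnmatch
import os

PATH_DIRECTIVES = {"blacklist", "read-only", "tmpfs"}  # rules that take a path

# Constructed sample profiles built from rules quoted in the thread.
WITH_CONFIG_BLACKLIST = "seccomp\nblacklist ${HOME}/.config\n"
WITH_FIREJAIL_ONLY = ("blacklist ${HOME}/.config/firejail\n"
                      "blacklist ${HOME}/.*_history\n"
                      "blacklist ${PATH}/su\n")

def expand(arg, home, path_dirs):
    """Expand the ${HOME} and ${PATH} macros used in profile rules."""
    if arg.startswith("${PATH}"):
        return [d + arg[len("${PATH}"):] for d in path_dirs]
    return [arg.replace("${HOME}", home)]

def parse_profile(text, home, path_dirs=("/usr/bin", "/bin")):
    """Return (line_no, directive, pattern) for every path rule."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        if directive in PATH_DIRECTIVES and arg:
            rules += [(no, directive, p) for p in expand(arg.strip(), home, path_dirs)]
    return rules

def covering_rules(rules, target):
    """Rules matching target itself or one of its parent directories."""
    candidates = [os.path.normpath(target)]
    while os.path.dirname(candidates[-1]) != candidates[-1]:
        candidates.append(os.path.dirname(candidates[-1]))
    def hit(pattern):
        # Globs do not cross "/" so compare only paths of equal depth.
        return any(c.count("/") == pattern.count("/") and
                   fnmatch.fnmatchcase(c, pattern) for c in candidates)
    return [r for r in rules if hit(r[2])]

if __name__ == "__main__":
    home = "/home/username"  # assumed home directory
    pangorc = home + "/.config/pango/pangorc"
    for name, text in [("with .config blacklisted", WITH_CONFIG_BLACKLIST),
                       ("with only .config/firejail", WITH_FIREJAIL_ONLY)]:
        print(name, "->", covering_rules(parse_profile(text, home), pangorc))
```

Run against a real profile, the line numbers in the result point at the rule to review before deciding whether to relax it.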
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    If it serves as something useful, here's my iceweasel profile:

    Code:
    caps.drop all
    seccomp
    noroot
    shell none
    
    ############### disable-mgmt.inc########
    
    # system directories
    blacklist /sbin
    blacklist /usr/sbin
    
    # system management
    blacklist ${PATH}/umount
    blacklist ${PATH}/mount
    blacklist ${PATH}/fusermount
    blacklist ${PATH}/su
    blacklist ${PATH}/sudo
    blacklist ${PATH}/xinput
    blacklist ${PATH}/evtest
    blacklist ${PATH}/xev
    blacklist ${PATH}/strace
    
    # Prevent manipulation of firejail configuration
    blacklist /etc/firejail
    blacklist ${HOME}/.config/firejail
    
    ############disable-secret.inc##############
    
    # HOME directory
    blacklist ${HOME}/.ssh
    tmpfs ${HOME}/.gnome2_private
    blacklist ${HOME}/.gnome2/keyrings
    blacklist ${HOME}/kde4/share/apps/kwallet
    blacklist ${HOME}/kde/share/apps/kwallet
    blacklist ${HOME}/.pki/nssdb
    blacklist ${HOME}/.gnupg
    blacklist ${HOME}/.local/share/recently-used.xbel
    
    ################ disable-common.inc###############
    # HTTP / FTP / Mail
    blacklist ${HOME}/.adobe
    blacklist ${HOME}/.macromedia
    blacklist ${HOME}/.icedove
    blacklist ${HOME}/.thunderbird
    blacklist ${HOME}/.config/midori
    blacklist ${HOME}/.config/opera
    blacklist ${HOME}/.config/chromium
    blacklist ${HOME}/.config/google-chrome
    blacklist ${HOME}/.filezilla
    blacklist ${HOME}/.config/filezilla
    
    # Instant Messaging
    blacklist ${HOME}/.purple
    blacklist ${HOME}/.config/psi+
    
    # VNC
    blacklist ${HOME}/.remmina
    
    # Other
    blacklist ${HOME}/.tconn
    
    ############## disable-history.inc #################
    # History files in $HOME
    blacklist ${HOME}/.history
    blacklist ${HOME}/.*_history
    
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Hm, that's actually equivalent with the default profile. Why don't you use that one?
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I'm building profiles to applications so that I can have easy control over them.

    My Iceweasel profile has one modification over the default mozilla profile, which is no "netfilter", because I like my custom firewall rules. I just created this profile, like 5 minutes before linking it here, so I'll add a few more things into it. Also, it seems that firejail developers constantly change their profiles, so these custom ones I'm creating allow me to review those changes before committing to them. It's a win for me :)

    Then I'll also create profiles for other programs like Libreoffice, VLC, games, etc.
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Understood! Take care :thumb:
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Thanks! You too.
     
  15. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    That's added by Parabola's maintainer.
    Not a lot, only this pango thing really which I don't think anybody other than those dealing with exotic languages need.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Ah, okay.

    Yes, if it's really only in the Firefox profile. Adding an unblacklist rule above "blacklist ${HOME}/.config" would help for pango (I don't know where it's exactly located).
     
  17. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Please help me to determine if this is a vulnerability or not. It looks like a serious vulnerability to me. Create a directory in your home, let's say "browser-home" and copy ".mozilla" to that directory. And start it with "firejail --private=~/browser-home firefox". Now enter about:support in firefox and hit the "Open Directory". It opens the real .mozilla directory not the sandboxed one. Or you can download something and open the file location using firefox's download manager. It opens the real home "Download" folder and there is no file in it. The downloaded file is in sandboxed profile, you can enter manually. But the firejail's private mode was supposed to disable accessing to the real home directory, right?

    I posted this to the developer, but it looks like he doesn't want to understand, or I have no idea what I am talking about. Please, someone who has knowledge, enlighten me.

    Here is the conversation; my nick is "Name": https://l3net.wordpress.com/2015/09...-sandbox-for-mozilla-firefox-part-3/#comments
     
  18. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    No. The private=directory option is not supposed to disable accessing of the real home directory. Your browser will think browser-home is the real home, but you can access the real home through the browser. You can prevent access to real home with private-home=.mozilla option. Bear in mind that any modification done will be lost after you close that instance of the browser, i.e. changes are not permanent.

    This is from firejail man page:
     
  19. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    It says there: https://l3net.wordpress.com/projects/firejail/firejail-usage/

    "Private mode is a quick way of hiding all the files in your home directory from programs running inside the sandbox."

    When I enter file:///home/user in iceweasel I can see it is the sandboxed home directory as it is supposed to be. Which means iceweasel really thinks it is the home directory and has no access to the real home. Everything looks fine.

    But are you suggesting that "Open Directory" in about:support is not part of the iceweasel? Because as I said, it opens the real home.
     
  20. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    All right, I was wrong. I just tested it and I could bypass the sandbox by opening files via open directory in about:support. I could see the blacklisted files, however I couldn't open/copy/delete any blacklisted file. Blacklisted directories could be copied/deleted. Definitely a bug/vulnerability. Happens in normal mode as well as in private mode.
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @UnknownK, mind explaining the exact steps to reproduce this?

    Thanks.
     
  22. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Nothing special. Go to about:support via firefox/iceweasel address bar. Click on the clickable open directory box which is meant to open the directory of the profile you are currently on. Your default file manager will open (or nothing will happen at all depending on your distro/configuration; nothing opens in my debian box) and you can test things there. For example my ~/Documents directory is blacklisted in the firefox profile of firejail, but I can view the list of files there, but couldn't open/copy/delete anything, but could delete (deleting from the system) the Documents directory itself.
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    You are right, I could reproduce. That's a nasty bug.
     
  24. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Ok. Developer of the firejail says it is a bug.

     
  25. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Congrats, pandorax, for finding a highly exploitable bug. NetBlue, I'm sure, will find a solution.

    Wonder if the same thing happens in Chrome or Chromium?

    Later...
     