FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Yes to both questions, but I still prefer Chromium based on extensive user experience of both browsers. I don't know for sure, but isn't there sandboxing within sandboxing when firejailing Chromium, because of the already strong sandbox Linux affords it?
     
  2. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    You can get the latest pepperflash for Firefox on Linux by using the freshplayer wrapper.
    http://www.webupd8.org/2014/05/install-fresh-player-plugin-in-ubuntu.html
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This is what netblue30 writes:
    ... because only the renderer is sandboxed, not the broker system (I think that's what he's referring to).

    Now look what the default chromium.profile is doing:
    Code:
    # Chromium browser profile
    noblacklist ${HOME}/.config/chromium
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc
    
    # chromium is distributed with a perl script on Arch
    # include /etc/firejail/disable-devel.inc
    #
    
    netfilter
    whitelist ${DOWNLOADS}
    whitelist ~/.config/chromium
    whitelist ~/.cache/chromium
    include /etc/firejail/whitelist-common.inc
    
    In your home basically only Downloads, ~/.config/chromium and ~/.cache/chromium are the directories accessible by Chromium (plus some others in whitelist-common.inc). And the other .inc files blacklist more or less all security-relevant system files/folders,
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    There's a lot to consider when choosing a preferred browser, and although I like Firefox better than Chromium in some ways, I believe Chromium to be a more secure browser than Firefox. Unless Firefox developers have addressed it already, extensions run with full user privileges, while Chromium extensions run with a restricted set of privileges. This alone speaks volumes about the better security focus applied to Chromium than to Firefox. I realize firejail significantly isolates Firefox's weaknesses (and even Chromium weaknesses), but I'd still rather sandbox a browser that's less dependent on a "crutch", so to speak, than one that's more dependent on one.

    BTW, just my humble opinion, but I believe too much concern from this forum's members is placed on the browser's security, when they should probably be more concerned about plugin and extension weaknesses. It is more likely these latter components will prove to be the Achilles heel from an attack.
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Does anyone know how to configure Libreoffice apps to run on top of Firejail with XFCE? I can't get that to work. I edited the entries in /usr/share/applications, every other program works except for the Libreoffice stuff.

    I attached an image that shows what I've done. I open Libreoffice, then do "firejail --tree", and Libreoffice isn't there.
     


  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    It works for me on Arch xfce, but I put the command in the Launcher. Portion of firejail --tree shown.

    Code:
    4221:myname:firejail libreoffice --calc
      4222:myname:firejail libreoffice --calc
        4223:myname:/usr/lib/libreoffice/program/oosplash --calc
          4240:myname:/usr/lib/libreoffice/program/soffice.bin --calc --splash-pipe
     


  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Wait. How did you open that "Edit Launcher" thing?
    @wat0114
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I think I got it. I'll have to move the entries from /usr/share/applications (obviously making a backup), and then just copy them to /home/amarildo/.local/share/applications/blah-blah-blah.
    For some odd reason, firejail works with these files, but not with the ones from /usr/share/applications, even though they are exactly the same.
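
Added example, not part of any post in this thread: the per-user override described in the post above, done by copying the system entry instead of moving it. A `.desktop` file in `~/.local/share/applications` takes precedence over one with the same name in `/usr/share/applications`, so the system copy can stay in place; the function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example. The sample entry and all paths are constructed.

# Write a constructed system-style entry into directory $1.
make_sample_entry() {
    mkdir -p "$1" || return 1
    cat > "$1/libreoffice-calc.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=LibreOffice Calc
TryExec=libreoffice
Exec=libreoffice --calc %U
Actions=NewDocument;

[Desktop Action NewDocument]
Name=New Spreadsheet
Exec=libreoffice --calc
EOF
}

# firejail_wrap_desktop SRC_FILE DEST_DIR
# Copy SRC_FILE into DEST_DIR and prefix every Exec= command with "firejail ".
# Lines already wrapped are left alone, so re-running is harmless. TryExec=
# is not touched: it must keep naming the real binary.
firejail_wrap_desktop() {
    src=$1
    dest_dir=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    out="$dest_dir/$(basename "$src")"
    sed '/^Exec=firejail /!s/^Exec=/Exec=firejail /' "$src" > "$out" || return 1
    printf '%s\n' "$out"
}

# count_unwrapped FILE: print how many Exec= lines do not start firejail.
count_unwrapped() {
    awk '/^Exec=/ && !/^Exec=firejail / { n++ } END { print n + 0 }' "$1"
}

# Demo in a scratch directory standing in for the real system and user paths.
work=$(mktemp -d)
make_sample_entry "$work/usr/share/applications"
new=$(firejail_wrap_desktop "$work/usr/share/applications/libreoffice-calc.desktop" \
    "$work/home/.local/share/applications")
grep '^Exec=' "$new"
rm -rf "$work"
```

For real use, pass an entry from `/usr/share/applications` as the first argument and `~/.local/share/applications` as the second, then confirm with `firejail --tree` after launching from the menu.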
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    With the Launcher it's just: right-click->Properties...then on the right column there's an "Edit the currently selected item" button.
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Oh, now that's MUCH simpler!! Pardon my ignorance, I never used XFCE for more than 15 minutes :p Thanks!
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    No worries, you're more than welcome :)
     
  12. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Where exactly should I make a second downloads folder?

    Is Shumway difficult to setup? And how well does it work with flash games? For example Newgrounds.
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    FWIW, I don't modify those launchers anymore but create start scripts as mentioned here. Works well for me.
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No, not really. You can download it here. Its configuration is explained here.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, on the other hand Mozilla has a very thorough vetting process for extensions. It's not only automated (as it is for Chrome extensions) but they are also always reviewed by an experienced developer (e.g., if you look at the commits for uBlock0 and uMatrix you'll see that gorhill got various hints/feedback from Mozilla before both extensions got cleared for AMO). This is not a 100% guarantee that an extension doesn't do anything unexpected but I believe that it's a considerably better process compared to how Chrome does it. And there was a specific reason affecting extensions why I moved from Chromium to Firefox.

    But this discussion should actually be its own thread ;)
     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Very interesting and informative. Thanks.
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Just an update: Running programs with Firejail on XFCE doesn't make them run as root as it did on MATE.

    Code:
    [amarildo@amarildo ~]$ firejail --tree
    661:amarildo:firejail iceweasel 
      662:amarildo:firejail iceweasel 
        664:amarildo:iceweasel 
     
  18. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Yeah, sandboxes are nice for monitoring and restricting usermode operations, which will stop most of the malware out there. But sandboxes usually don't offer any protection against applications attacking the kernel directly; Linux or Windows.
     
  19. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Could you provide evidence of this kind of attack while using Firejail?
     
  20. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Honestly no. I hadn't heard of Firejail before this thread. But looking into its capabilities, it seems like it just gives jailed applications a private view of certain kernel resources. But by the nature of sandboxes, the applications run on the real kernel. So if there were an exploitable kernel vulnerability, the jailed application likely would have the ability to attack it.

    I wish I could give more details, but the Firejail docs that I have read don't really lay out what gets restricted. Since it is designed to be a generic sandbox for any app, I don't see how it could restrict sandboxed applications in a way that would not allow them to exploit kernel vulns. But just because it isn't impenetrable doesn't mean it won't protect you from most of the attacks you will ever encounter. Most malware doesn't resort to attacking the kernel because it usually isn't needed.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, Firejail's features are explained here. When it comes to the kernel, seccomp-bpf is the important thing as it filters system calls thus reducing the attack surface of the kernel. man firejail says:

    Furthermore, all capabilities are dropped and the noroot option (namespace with only the current user) is added in most application profiles.

    netblue30 once condensed how Firejail works:
    Thus, I would say that the ability of an intruder to exploit kernel vulnerabilities is, at least, greatly reduced.
     
    Last edited: Jan 14, 2016
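
Added example, not part of the thread: one way to check from the kernel's side what the post above describes, by reading the `Seccomp` and `CapEff` fields of `/proc/<pid>/status` for an application PID taken from `firejail --tree`. The function names and the sample status files are constructed; a non-root process normally shows zero effective capabilities even outside a sandbox, so the seccomp mode is the more telling field.

```shell
#!/bin/sh
# Added example. Sample status files below are constructed, not captured.

# Write three constructed /proc/<pid>/status excerpts into directory $1.
make_samples() {
    mkdir -p "$1" || return 1
    printf 'Name:\tsoffice.bin\nCapEff:\t0000000000000000\nSeccomp:\t2\n' > "$1/jailed"
    printf 'Name:\tsoffice.bin\nCapEff:\t0000000000000000\nSeccomp:\t0\n' > "$1/plain"
    printf 'Name:\tdaemon\nCapEff:\t000001ffffffffff\nSeccomp:\t0\n' > "$1/root"
}

# sandbox_report STATUS_FILE
# Print "seccomp=<mode> caps=<none|hex mask>" for one status file.
# Seccomp: 0 = disabled, 1 = strict, 2 = filter (seccomp-bpf).
# A missing field (older kernel, truncated file) is reported as "unknown".
sandbox_report() {
    awk '
        $1 == "Seccomp:" { s = $2 }
        $1 == "CapEff:"  { c = $2 }
        END {
            if (s == "")          mode = "unknown"
            else if (s + 0 == 2)  mode = "filter"
            else if (s + 0 == 1)  mode = "strict"
            else                  mode = "off"
            if (c == "")          caps = "unknown"
            else if (c ~ /^0+$/)  caps = "none"
            else                  caps = c
            printf "seccomp=%s caps=%s\n", mode, caps
        }' "$1"
}

# is_confined STATUS_FILE: succeed only when a seccomp filter is active
# and the effective capability set is empty.
is_confined() {
    case "$(sandbox_report "$1")" in
        "seccomp=filter caps=none") return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: report on the process reading the file (here, awk itself).
if [ -r /proc/self/status ]; then
    sandbox_report /proc/self/status
fi
```

Run `sandbox_report /proc/<pid>/status` against the application process at the leaf of the `firejail --tree` output, not the `firejail` parent entries.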
  22. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Exactly, firejail does have some protections at the kernel level. But I don't rely on it for such tasks, for that I use grsecurity. So a combo of both is a pretty good level of security, even for webservers.
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I just noticed this commit by netblue30 which suggests an alternative to those start scripts. Haven't tried it yet, though.
     
  24. Linux38911

    Linux38911 Registered Member

    Joined:
    Feb 17, 2015
    Posts:
    9
    Location:
    Netherlands
    There is a new version out: firejail_0.9.38-rc1_1 (deb package).
    I don't see it mentioned on the webpage itself, but it is in the download section.
    (and also the source file is the new version).
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    thanks for this heads up, Linux38911.

    it is now final:

    https://firejail.wordpress.com/

    Release Notes

    Version 0.9.38, Thursday, February 4, 2016

    • IPv6 support (--ip6 and --netfilter6)
    • --join command enhancement (--join-network, --join-filesystem)
    • added --user command
    • added --disable-network and --disable-userns compile time flags
    • Centos 6 support
    • symlink invocation
    • added KMail, Seamonkey, Telegram, Mathematica, uGet and mupen64plus profiles
    • --chroot in user mode allowed only if seccomp support is available in current Linux kernel
    • deprecated --private-home feature
    • the first protocol list installed takes precedence
    • --tmpfs option allowed only running as root
    • added --private-tmp option
    • bugfixes
    I'm disappointed the private-home feature is deprecated :(
     