Yes to both questions, but I still prefer Chromium based on extensive user experience of both browsers. I don't know for sure, but isn't there sandboxing within sandboxing when firejailing Chromium, because of the already strong sandbox Linux affords it?
You can get the latest pepperflash for firefox on linux by using the freshplayer wrapper. http://www.webupd8.org/2014/05/install-fresh-player-plugin-in-ubuntu.html
This is what netblue30 writes: ... because only the renderer is sandboxed, not the broker system (I think that's what he's referring to). Now look what the default chromium.profile is doing:

Code:

    # Chromium browser profile
    noblacklist ${HOME}/.config/chromium
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc

    # chromium is distributed with a perl script on Arch
    # include /etc/firejail/disable-devel.inc
    #

    netfilter

    whitelist ${DOWNLOADS}
    whitelist ~/.config/chromium
    whitelist ~/.cache/chromium
    include /etc/firejail/whitelist-common.inc

In your home basically only Downloads, ~/.config/chromium and ~/.cache/chromium are the directories accessible by Chromium (plus some others in whitelist-common.inc). And the other .inc files blacklist more or less all security-relevant system files/folders,
There's a lot to consider when choosing a preferred browser, and although I like Firefox better than Chromium in some ways, I believe Chromium to be a more secure browser than Firefox. Unless Firefox developers have addressed it already, extensions run with full user privileges, while Chromium extensions run with a restricted set of privileges. This alone speaks volumes about the better security focus applied to Chromium than to Firefox. I realize firejail significantly isolates Firefox's weaknesses (and even Chromium's weaknesses), but I'd still rather sandbox a browser that's less dependent on a "crutch", so to speak, than one that's more dependent on one. BTW, just my humble opinion, but I believe too much concern from this forum's members is placed on the browser's security, when they should probably be more concerned about plugin and extension weaknesses. It is more likely these latter components will prove to be the Achilles heel in an attack.
Does anyone know how to configure Libreoffice apps to run on top of Firejail with XFCE? I can't get that to work. I edited the entries in /usr/share/applications, every other program works except for the Libreoffice stuff. I attached an image that shows what I've done. I open Libreoffice, then do "firejail --tree", and Libreoffice isn't there.
It works for me on Arch xfce, but I put the command in the Launcher. Portion of firejail --tree shown.

Code:

    4221:myname:firejail libreoffice --calc
    4222:myname:firejail libreoffice --calc
    4223:myname:/usr/lib/libreoffice/program/oosplash --calc
    4240:myname:/usr/lib/libreoffice/program/soffice.bin --calc --splash-pipe
I think I got it. I'll have to move the entries from /usr/share/applications (obviously making a backup), and then just copy them to /home/amarildo/.local/share/applications/blah-blah-blah. For some odd reason, firejail works with these files, but not with the ones from /usr/share/applications, even though they are exactly the same.
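The workaround described in the post above, as an added shell example that is not part of the thread: it writes firejail-prefixed copies of launchers into the per-user applications directory, which desktop environments following the XDG specification read in preference to same-named files in /usr/share/applications. The function names, the sample launcher and the `libreoffice-*.desktop` file naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Writes firejail-wrapped copies of system
# launchers into a per-user directory and leaves the originals untouched.
# usage: wrap_desktop SRC_DIR DST_DIR GLOB   (prints the number of files written)
wrap_desktop() {
    src_dir=$1 dst_dir=$2 glob=$3 count=0
    mkdir -p "$dst_dir" || return 1
    for f in "$src_dir"/$glob; do
        [ -f "$f" ] || continue
        # Prefix each Exec= line once; TryExec= and already-wrapped lines are skipped.
        sed -e '/^Exec=firejail /b' -e 's/^Exec=/Exec=firejail /' \
            "$f" > "$dst_dir/$(basename "$f")" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample launcher (not a copy of the real LibreOffice file).
sample_launcher() {
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=LibreOffice Calc' \
        'TryExec=libreoffice' 'Exec=libreoffice --calc %U' \
        '[Desktop Action New]' 'Exec=libreoffice --calc'
}

# Typical call on a live system (file naming is an assumption):
#   wrap_desktop /usr/share/applications "$HOME/.local/share/applications" 'libreoffice-*.desktop'
```

After logging out and back in, or restarting the panel, `firejail --tree` should list the program when it is started from the menu.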
With the Launcher it's just: right-click->Properties...then on the right column there's an "Edit the currently selected item" button.
Oh, now that's MUCH simpler!! Pardon my ignorance, I never used XFCE for more than 15 minutes. Thanks!
Where exactly should I make a second downloads folder? Is Shumway difficult to set up? And how well does it work with flash games? For example Newgrounds.
FWIW, I don't modify those launchers anymore but create start scripts as mentioned here. Works well for me.
Yes, on the other hand Mozilla has a very thorough vetting process for extensions. It's not only automated (as it is for Chrome extensions) but they are also always reviewed by an experienced developer (e.g., if you look at the commits for uBlock0 and uMatrix you'll see that gorhill got various hints/feedback from Mozilla before both extensions got cleared for AMO). This is not a 100% guarantee that an extension doesn't do anything unexpected but I believe that it's a considerably better process compared to how Chrome does it. And there was a specific reason affecting extensions why I moved from Chromium to Firefox. But this discussion should actually be its own thread.
Just an update: Running programs with Firejail on XFCE doesn't make them run as root as it did on MATE.

Code:

    [amarildo@amarildo ~]$ firejail --tree
    661:amarildo:firejail iceweasel
    662:amarildo:firejail iceweasel
    664:amarildo:iceweasel
Yeah, sandboxes are nice for monitoring and restricting usermode operations, which will stop most of the malware out there. But sandboxes usually don't offer any protection against applications attacking the kernel directly; Linux or Windows.
Honestly no. I hadn't heard of Firejail before this thread. But looking into its capabilities, it seems like it just gives jailed applications a private view of certain kernel resources. But by the nature of sandboxes, the applications run on the real kernel. So if there were an exploitable kernel vulnerability, the jailed application likely would have the ability to attack it. I wish I could give more details, but the Firejail docs that I have read don't really lay out what gets restricted. Since it is designed to be a generic sandbox for any app, I don't see how it could restrict sandboxed applications in a way that would not allow them to exploit kernel vulns. But just because it isn't impenetrable doesn't mean it won't protect you from most of the attacks you will ever encounter. Most malware doesn't resort to attacking the kernel because it usually isn't needed.
Well, Firejail's features are explained here. When it comes to the kernel, seccomp-bpf is the important thing as it filters system calls thus reducing the attack surface of the kernel. man firejail says: Furthermore, all capabilities are dropped and the noroot option (namespace with only the current user) is added in most application profiles. netblue30 once condensed how Firejail works: Thus, I would say that the ability of an intruder to exploit kernel vulnerabilities is, at least, greatly reduced.
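One way to check on a running system what the post above describes, as an added example that is not from the thread or the Firejail project: the kernel exposes a process's seccomp mode and capability bounding set in /proc/<pid>/status. The function names and both sample status files are constructed; the jailed sample assumes a profile that enables seccomp and drops all capabilities.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a /proc/<pid>/status file and
# reports the two kernel-facing restrictions discussed above.
#   Seccomp: 0 = off, 1 = strict, 2 = BPF filter
#   CapBnd:  all zeros = every capability removed from the bounding set
# CapEff is not checked: it is already zero for an ordinary unsandboxed user.
# Returns 0 only when a seccomp filter is active and the bounding set is empty.
check_confinement() {
    awk '
        $1 == "Seccomp:" { sec = $2 }
        $1 == "CapBnd:"  { bnd = $2 }
        END {
            s = "unknown"; c = "unknown"
            if (sec == "0") s = "off"
            else if (sec == "1") s = "strict"
            else if (sec == "2") s = "filter"
            if (bnd ~ /^0+$/) c = "dropped"
            else if (bnd != "") c = "present"
            printf "seccomp=%s capbnd=%s\n", s, c
            exit !(s == "filter" && c == "dropped")
        }' "$1"
}

# Constructed sample: a jailed process under a profile with seccomp and
# all capabilities dropped (assumption about the profile in use).
sample_jailed() {
    printf 'Name:\ticeweasel\nCapEff:\t0000000000000000\nCapBnd:\t0000000000000000\nSeccomp:\t2\n'
}

# Constructed sample: the same user running the program without a sandbox.
sample_plain() {
    printf 'Name:\ticeweasel\nCapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\nSeccomp:\t0\n'
}

# Usage on a live system, with a PID taken from `firejail --tree`:
#   check_confinement /proc/664/status
```

Point it at the innermost PID in the tree (the application itself), not at the firejail supervisor processes above it.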
Exactly, firejail does have some protections at the kernel level. But I don't rely on it for such tasks, for that I use grsecurity. So a combo of both is a pretty good level of security, even for webservers.
I just noticed this commit by netblue30 which suggests an alternative to those start scripts. Haven't tried it yet, though.
There is a new version out: firejail_0.9.38-rc1_1 (deb package). I don't see it mentioned on the webpage itself, but it is in the download section. (and also the source file is the new version).
Thanks for this heads up, Linux38911. It is now final: https://firejail.wordpress.com/

Release Notes

Version 0.9.38, Thursday, February 4, 2016

* IPv6 support (--ip6 and --netfilter6)
* --join command enhancement (--join-network, --join-filesystem)
* added --user command
* added --disable-network and --disable-userns compile time flags
* Centos 6 support
* symlink invocation
* added KMail, Seamonkey, Telegram, Mathematica, uGet and mupen64plus profiles
* --chroot in user mode allowed only if seccomp support is available in current Linux kernel
* deprecated --private-home feature
* the first protocol list installed takes precedence
* --tmpfs option allowed only running as root
* added --private-tmp option
* bugfixes

I'm disappointed the private-home feature is deprecated