No, but in reading the question I'm reminded of one of the features of "puppylinux Puli": the executable for the PDF reader is renamed and replaced by a same-named wrapper script which performs ifdown before launching the PDF reader. The same approach could be used for the web-capable libreoffice apps.
Has anyone tried the feature --caps.drop=capability,capability,capability ? https://firejail.wordpress.com/features-3/man-firejail/

So far, I have been able to run Chromium with several of the Linux capabilities dropped with the command:

Code:
    firejail --caps.drop=sys_ptrace,kill,fsetid,dac_override,syslog,mac_admin,setuid,setgid,dac_read_search,linux_immutable,sys_module,net_admin,sys_rawio,net_bind_service,chown,fowner,sys_resource chromium

The following command:

Code:
    firejail --caps.print=PID

reveals all the selected capabilities are disabled...

Code:
    $ firejail --caps.print=23737
    chown - disabled
    dac_override - disabled
    dac_read_search - disabled
    fowner - disabled
    fsetid - disabled
    kill - disabled
    setgid - disabled
    setuid - disabled
    setpcap - enabled
    linux_immutable - disabled
    net_bind_service - disabled
    net_broadcast - enabled
    net_admin - disabled
    net_raw - enabled
    ipc_lock - enabled
    ipc_owner - enabled
    sys_module - disabled
    sys_rawio - disabled
    sys_chroot - enabled
    sys_ptrace - disabled
    sys_pacct - enabled
    sys_admin - enabled
    sys_boot - enabled
    sys_nice - enabled
    sys_resource - disabled
    sys_time - enabled
    sys_tty_config - enabled
    mknod - enabled
    lease - enabled
    audit_write - enabled
    audit_control - enabled
    setfcap - enabled
    mac_override - enabled
    mac_admin - disabled
    syslog - disabled
    wake_alarm - enabled
    block_suspend - enabled
    audit_read - enabled

...otherwise they will all show "Enabled" without using the caps.drop=capability,capability,capability... feature. However, attempting to drop sys_admin or sys_chroot, for example, will prevent chromium from opening. I will try dropping other capabilities one by one to see how many more I can disable without breaking the browser.

My only question is: how much, if at all, does this bolster the sandboxed browser? I haven't yet noticed anything unusual in my normal browsing with all these capabilities dropped.
Almost all the capabilities are disabled now without breakage to firejailed Chromium. A couple I didn't bother with, such as sys_time and sys_tty_config.

Code:
    $ firejail --caps.print=3151
    chown - disabled
    dac_override - disabled
    dac_read_search - disabled
    fowner - disabled
    fsetid - disabled
    kill - disabled
    setgid - disabled
    setuid - disabled
    setpcap - disabled
    linux_immutable - disabled
    net_bind_service - disabled
    net_broadcast - disabled
    net_admin - disabled
    net_raw - disabled
    ipc_lock - disabled
    ipc_owner - disabled
    sys_module - disabled
    sys_rawio - disabled
    sys_chroot - enabled
    sys_ptrace - disabled
    sys_pacct - disabled
    sys_admin - enabled
    sys_boot - disabled
    sys_nice - disabled
    sys_resource - disabled
    sys_time - enabled
    sys_tty_config - enabled
    mknod - disabled
    lease - disabled
    audit_write - disabled
    audit_control - disabled
    setfcap - disabled
    mac_override - disabled
    mac_admin - disabled
    syslog - disabled
    wake_alarm - enabled
    block_suspend - disabled
    audit_read - disabled
Thanks for your post - it's very useful, indeed! I'm not an expert, but this is how I see it: I haven't searched in the Chromium source files for the syscalls and capabilities dropped in the Chromium sandbox, but I think it's a safe guess that only the syscalls and capabilities are allowed which are absolutely necessary, in order to tighten the sandbox as much as possible. Hence, I don't think that Firejail can bolster the Chromium sandbox itself. However, the important thing is that only the renderer processes in Chromium/Chrome are sandboxed - the broker (or browser) process is not! The latter is completely unconfined, and this is probably what netblue30 was referring to when he wrote: "Chromium sandbox is similar to Firejail, it implements its own seccomp filter, but it leaves the filesystem wide open." This has two implications, IMHO:

1. The renderer processes and the broker process communicate via IPC (inter-process communication). I haven't searched for related vulnerabilities in the past. But it seems obvious to me that IPC is, at least, a potential weak spot. That's why confining the broker process - as you've thankfully done - makes perfect sense.

2. Notwithstanding the above, the fact that the broker process has unlimited file system access is also a potential privacy issue. This problem can be controlled by Firejail's whitelist, blacklist and read-only options.

Taken all together, firejailing Chromium definitely makes sense. But again, that's only my layman's view. Anyways, I've tried your suggestions with Inox and haven't had any problems. Thanks again! Now the next step would be trying to also drop as many syscalls as possible ...
Thank you, summerheat! I was waiting in eager anticipation for your response and you did. Well, I'm certainly glad to now know that the caps.drop feature is a useful security feature, at least to fortify the broker process. Thanks again for providing your expertise on this! BTW, this is the full command I use for chromium:

Code:
    firejail --caps.drop=sys_ptrace,kill,fsetid,dac_override,syslog,mac_admin,setuid,setgid,dac_read_search,linux_immutable,sys_module,net_admin,sys_rawio,net_bind_service,chown,fowner,sys_resource,ipc_owner,ipc_lock,mac_override,net_raw,sys_boot,net_broadcast,audit_read,audit_write,audit_control,setpcap,setfcap,block_suspend,mknod,lease,sys_nice,sys_pacct chromium
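The capability listings and the --caps.drop command above lend themselves to a small check script. This is an added example, not code from the thread or from Firejail: the function names are made up, and the listing in CAPS_SAMPLE is a constructed, shortened copy of the "firejail --caps.print=PID" output format posted above.

```shell
#!/bin/sh
# Helpers around the "firejail --caps.print=PID" listing format:
#   enabled_caps   - list what is still enabled
#   drop_arg       - derive a --caps.drop= argument, keeping caps the app needs
#   check_dropped  - verify a running sandbox really lost what was requested

# Constructed sample (same "name - state" format as the listing in the post above).
CAPS_SAMPLE='chown - disabled
setpcap - enabled
net_raw - enabled
sys_chroot - enabled
sys_admin - enabled
sys_ptrace - disabled'

# Print, one per line, every capability the listing ($1) reports as enabled.
enabled_caps() {
    printf '%s\n' "$1" | awk '$3 == "enabled" { print $1 }'
}

# Build "--caps.drop=a,b,c" from the enabled capabilities in listing $1, leaving
# out the comma-separated list in $2 (on this thread: sys_admin and sys_chroot,
# which Chromium needs to start). Prints nothing if there is nothing to drop.
drop_arg() {
    printf '%s\n' "$1" | awk -v keep="$2" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        $3 == "enabled" && !($1 in skip) { sep = (out == "") ? "" : ","; out = out sep $1 }
        END { if (out != "") print "--caps.drop=" out }'
}

# Return 0 if none of the comma-separated capabilities in $2 is still reported
# as enabled in listing $1; otherwise name each offender and return 1.
check_dropped() {
    rc=0
    for c in $(printf '%s' "$2" | tr ',' ' '); do
        if printf '%s\n' "$1" | awk -v c="$c" \
            '$1 == c && $3 == "enabled" { f = 1 } END { exit (f ? 0 : 1) }'; then
            echo "still enabled: $c"
            rc=1
        fi
    done
    return $rc
}

# Typical use after launching the sandbox (PID from firejail --list):
#   check_dropped "$(firejail --caps.print=PID)" "net_raw,sys_ptrace"
```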
I have dnscrypt installed and running. I see there is a defined profile for dnscrypt in /etc/firejail, but when I run firejail --top it is not shown as running; as I understand it, that is because you have to tell it to launch with firejail parameters. I know with Chrome you can change the launcher command, such as firejail --[options] [profile to load], but if dnscrypt is a startup service, how do you edit the launch parameters so it runs by default with that firejail profile loaded? Regards.
That depends. If you're using a distro that uses systemd you can find the solution in some posts of mine. In the third post of that thread you'll find how to start dnsmasq firejailed. You can apply this solution to dnscrypt-proxy, too.
I don't know if some of you guys are using symlink invocation introduced in Firejail 0.9.38. It's really very convenient: You don't have to modify your launchers anymore, and it ensures that your applications always start properly firejailed. It's very easy: Just execute

Code:
    echo $PATH

On my system /usr/local/sbin is the first $PATH position. Just create respective symlinks like:

Code:
    sudo ln -s /usr/bin/firejail /usr/local/sbin/firefox
    sudo ln -s /usr/bin/firejail /usr/local/sbin/libreoffice
    sudo ln -s /usr/bin/firejail /usr/local/sbin/vlc
    sudo ln -s /usr/bin/firejail /usr/local/sbin/okular
    ... etc.

Ready!
@summerheat That is perfect. It's exactly what I want to accomplish. Your info and profile on dnsmasq is greatly appreciated as well. I know apparmor had this covered but I wasn't sure if firejail was able to. I did find a workaround earlier that involved editing /etc/init/dnscrypt-proxy.config but I know that is not the proper solution. Thanks again, regards.
How do I use --private=directory? I'm guessing it's something like firejail --private=firefox. And does --private=directory copy your browser's profile over, so you can use all your bookmarks, settings & add-ons?
Not exactly. The "private" switch doesn't control the executable, only the directory. If the directory you provided contains your profile, yes.
How do I make it so every time I open chromium, it's opened using firejail? That is, what do I need to edit in order to be able to open chromium using firejail by clicking on the icon? (I know how to run it from the terminal.)
The best way is doing it like mentioned here. This makes sure that, e.g., your browser always starts firejailed regardless of how it is started (e.g. by clicking a link in another application).
Thank you, that worked perfectly for both chromium and transmission. However, for firefox the story is different. I did:

Code:
    sudo ln -s /usr/bin/firejail /usr/local/bin/firefox

and now I have

Code:
    $ which -a firefox
    /usr/local/bin/firefox
    /usr/bin/firefox

However, upon opening firefox, I get the following error:

Code:
    $ firefox
    Redirecting symlink to /usr/bin/firefox
    Reading profile /etc/firejail/generic.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    ** Note: you can use --noprofile to disable generic.profile **
    Parent pid 18286, child pid 18287
    Child process initialized
    (firefox:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised
    (firefox:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised
    (firefox:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised
    (firefox:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
    Error: Access was denied while trying to open files in your profile directory.
    parent is shutting down, bye...

A pop-up appears saying "Your Firefox profile cannot be loaded. It may be missing or inaccessible." Any idea what is causing this? Thanks in advance.
Looking at the terminal output I'm 99.9% positive that you're having problems because you're simply firejailing things with those symlinks, and by doing so you're telling firejail to open its generic profile, which IIRC blacklists the ".mozilla" folder. My personal suggestion is to edit the program launcher rather than linking the executables to firejail, because it's much easier to control what each profile does and it does not involve much thinking if something goes wrong. Editing program launchers is really easy, no matter the Desktop Environment. For XFCE, LXDE, and MATE, just use "mozo" or "alacarte". KDE has its own program editor; it's just a matter of right-clicking the "Start button". GNOME I don't know because I never used it, but I'm guessing it too has some sort of menu editor. Heck, if Unity has it, it's no less of an obligation for the others to have it too. So edit the menu and put "firejail firefox" to allow firejail to open the Firefox/Iceweasel profile.
Yes, it tries to load generic.profile, which is very strict as it contains all *.inc files and blacklists, e.g., ~/.mozilla. Hence, it's not surprising that Firefox doesn't start. The question is why generic.profile is loaded - it shouldn't be. As the pop-up is saying, obviously the Firefox profile (which doesn't contain generic.profile) that comes with Firejail could not be loaded for whatever reason. Either it doesn't exist, or it is corrupt or modified somehow. Isn't it available in /etc/firejail?
I disagree. This works beautifully if you start an application directly, but it often doesn't work reliably if an application is launched via another application. For example, if the launchers are modified and I click *.pdf, *.jpg or *.mp3 files in the file manager (krusader in my case), the respective applications (okular, gwenview, VLC) are not started sandboxed. There are 2 ways to overcome this problem in a reliable way:

1. Create launch scripts as described here.

2. Use symlink invocation as described here.

I prefer the second alternative. So far it works absolutely reliably regardless of how the target application is launched.
Personally I've never seen this happening on KDE/MATE/XFCE. When I start a program with firejail via a launcher, and this firejailed program starts another program, everything is always sandboxed. At least that is what SHOULD be happening for everybody. But since your experiences with firejail don't seem to be 100% correct, then without a doubt go with the symlinks.
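The symlink invocation described earlier in the thread, together with the two things the Firefox post shows going wrong (the link directory must come before the real binary in $PATH, and a missing per-application profile makes firejail fall back to generic.profile), as an added example script that is not from the thread or from Firejail. Function names and the argument layout are made up; paths are passed in so it can be tried against a scratch directory before touching /usr/local.

```shell
#!/bin/sh
# Set up Firejail symlink invocation with the checks this thread shows are needed.

# Return 0 if directory $1 comes before the directory holding binary $2 in $PATH,
# i.e. a symlink placed in $1 would actually shadow $2 (the posts above use
# /usr/local/sbin or /usr/local/bin, which precede /usr/bin on their systems).
shadows_in_path() {
    linkdir=$1; realdir=$(dirname "$2")
    [ "$linkdir" != "$realdir" ] || return 1
    oldifs=$IFS; IFS=:
    for d in $PATH; do
        [ "$d" = "$linkdir" ] && { IFS=$oldifs; return 0; }
        [ "$d" = "$realdir" ] && { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 1
}

# Create $1/$3 -> $2 (the firejail binary) for application $3 whose real binary
# is $4. Refuses when the real binary is missing or the link would not take
# precedence. $5 is the profile directory (/etc/firejail on the page); if
# $3.profile is absent there, firejail would load generic.profile, which is what
# blacklisted ~/.mozilla and broke Firefox above, so warn before linking.
make_link() {
    linkdir=$1; firejail=$2; app=$3; real=$4; profdir=$5
    [ -x "$real" ] || { echo "$app: no executable at $real" >&2; return 1; }
    shadows_in_path "$linkdir" "$real" ||
        { echo "$linkdir is not ahead of $real in PATH; link would be ignored" >&2; return 1; }
    [ -f "$profdir/$app.profile" ] ||
        echo "warning: $profdir/$app.profile not found; generic.profile would apply" >&2
    ln -s "$firejail" "$linkdir/$app"
}

# Real use, matching the commands posted above (needs root for /usr/local/sbin):
#   make_link /usr/local/sbin /usr/bin/firejail firefox /usr/bin/firefox /etc/firejail
```

Check the result the way the Firefox post did, with "which -a firefox": the link must be listed first.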