FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. Krysis

    Option to discard modifications when sandbox is closed:

    'firejail --private-home=.mozilla firefox' replaces > 'private.keep' option from 0.9.30-1 onwards - 'private-home' option is deprecated from 0.9.38-1.

    As far as I'm aware (correct me if I'm wrong), the only other options which discard modifications from 0.9.38-1 are the 'private' option, which launches an unconfigured Firefox, or the 'private-etc' option (which I haven't touched on yet).
     
  2. wat0114

    I think you're right. AFAIK, there is nothing that truly replaces the now deprecated private-home option. Too bad :(
     
  3. Firebytes

    Yes, that truly sucks. Thanks for the info though. I guess I'll keep using the older version. I wonder why the ability was killed off.
     
  4. summerheat

    I don't know why that switch was killed. Anyways, you should not keep the older version as
     
  5. Firebytes

    I was actually aware of the security audit. Honestly, my main purpose for using FireJail wasn't for the added security anyway. I just liked the ability to use Firefox and drop any changes made when I close it. Unless someone can advise me that by running the older version of FireJail I have less security than running Linux without FireJail at all then I'll probably stick with the version that does what I want it to do.
     
  6. summerheat

    But isn't that what the --private switch does?

    Regarding the security audit, we don't know what problems exactly were found. So I would be cautious - it's possible that an attacker could gain root rights. That's certainly not what you want ;)
     
  7. wat0114

    Yes, but remember this opens up a completely new, virgin session of the browser without extensions or plugins, as opposed to the pre-configured browser session that opens using the --private-home switch.
     
  8. summerheat

    Yes, that's true. I don't know why netblue30 removed it. Perhaps because only a handful of Firejail users were willing to abstain from extension updates etc. :D:D:D
     
  9. Firebytes

    No need to miss extension updates, etc.

    I have one icon that opens Firefox normally and one that opens Firefox with FireJail. I can update things and keep them with the normal Firefox. Then I can open Firefox using my Firejailed Firefox icon and surf with my updated Firefox and then lose any other changes made when I close it.
     
  10. wat0114

    :thumb: Exactly what I was doing with Chromium.
     
  11. rm22

    Exactly what I do with Sandboxie in Windows.
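
The workflow discussed in the posts above (start from an already configured browser profile, lose every change on exit), sketched as an added example; it is not code from the thread or from the Firejail project. It assumes firejail's `--private=DIRECTORY` form, which uses DIRECTORY as the sandbox home; the function names and the `FIREJAIL` override variable are hypothetical.

```shell
#!/bin/sh
# Added example: discard-on-close session that starts from a configured profile.
# Assumption: firejail accepts --private=DIRECTORY (DIRECTORY becomes the sandbox home).
# FIREJAIL may name another binary or wrapper; it defaults to "firejail".

# make_throwaway_home SRC_HOME ITEM...
# Copy the listed items (e.g. .mozilla) from SRC_HOME into a fresh 0700
# temporary home and print that directory's path.
make_throwaway_home() {
    src_home=$1; shift
    new_home=$(mktemp -d "${TMPDIR:-/tmp}/fj-home.XXXXXX") || return 1
    chmod 700 "$new_home"
    for item in "$@"; do
        # A missing item just means the program starts unconfigured.
        [ -e "$src_home/$item" ] || continue
        cp -a "$src_home/$item" "$new_home/" || { rm -rf "$new_home"; return 1; }
    done
    printf '%s\n' "$new_home"
}

# run_discardable SRC_HOME KEEP_ITEM PROGRAM [ARGS...]
# Run PROGRAM under firejail with the copy as its home, then delete the copy,
# so nothing written during the session reaches the real profile.
run_discardable() {
    src_home=$1; keep_item=$2; shift 2
    jail_home=$(make_throwaway_home "$src_home" "$keep_item") || return 1
    "${FIREJAIL:-firejail}" "--private=$jail_home" "$@"
    status=$?
    rm -rf "$jail_home"
    return "$status"
}

# Usage (not executed here): run_discardable "$HOME" .mozilla firefox
```

Extension updates made in the normal, unsandboxed browser are picked up on the next sandboxed start because the copy is taken fresh each time.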
     
  12. Overdone

    Does anyone here use lastpass and firejail? The browser keeps asking me for the 2FA code, even though I've "Trust this computer for 30 days" ticked. I'm already in talks with lastpass support and I wonder if firejail might be the problem?
     
  13. Amanda

    It could be, depending on where lastpass' binaries and configuration files are located. Did you whitelist lastpass on your firefox's firejail config or in any other firejail config?
     
  14. Overdone

    Yes, it definitely is firejail's fault. I've tested without firejail and lastpass works ok. Now all I need to do is find out where the hell lastpass saves the config files for firefox..
     
    Last edited: Apr 6, 2016
  15. Overdone

    Ok, so playing with firejail and firefox, I found out the following:

    - If I "Trust this computer for 30 days" in a non-firejailed firefox, it'll work once I open firefox firejailed;
    - If I "Trust this computer for 30 days" in a firejailed firefox, it will not work once I restart firefox;

    Any suggestions?
     
  16. Amanda

    What distro are you using?
     
  17. summerheat

    Sorry, I don't get it. :confused: The Lastpass directories/files are already whitelisted in the default Firefox profile in /etc/firejail. If you're using your own profile just add those entries to it.
     
  18. Amanda

    How would I start firejail with the following command?

    LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 '${LD_PRELOAD} /usr/bin/steam %U


    I need to make Steam run on firejail with this command, but this is what I get:


    Code:
    libGL error: unable to load driver: radeonsi_dri.so
    libGL error: driver pointer missing
    libGL error: failed to load driver: radeonsi
    libGL error: unable to load driver: swrast_dri.so
    libGL error: failed to load driver: swrast
    

    How I'm trying:


    Code:
    LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 '${LD_PRELOAD} firejail steam

    I tried adding the following to the steam profile, but it didn't work.

    Code:
    noblacklist /usr/$LIB/libstdc++.so.6
    noblacklist /usr/$LIB/libgcc_s.so.1
    noblacklist /usr/$LIB/libxcb.so.1
    noblacklist /usr/$LIB/libasound.so.2
    
     
  19. Overdone

    I am using Ubuntu 14.04
     
  20. Overdone

    Yes, I thought so. Though in my case there's no .lastpass folder. (Ubuntu 14.04). The fact that it doesn't work as it is supposed to, proves that something is wrong. Namely:

    - If I "Trust this computer for 30 days" in a non-firejailed firefox, it'll work once I open firefox firejailed;
    - If I "Trust this computer for 30 days" in a firejailed firefox, it will not work once I restart firefox;
     
  21. Amanda

    Is lastpass installed as a web plugin for Firefox?
     
  22. summerheat

    I must admit that I'm confused. What does "Trust this computer for 30 days" mean? Where does it come from? I've never seen this before.
     
  23. Amanda

    It's probably like what Facebook does, if you click "Trust this computer" Facebook will then drop a file to your folder that will, after you re-open the browser, tell Facebook it doesn't need some security permission (like 2-factor authentication).
     
  24. Overdone

    Ah, sorry.
    Lastpass supports two-factor-authentication and "Trust this computer for 30 days" means that I don't need to input my 2FA key every time I restart the browser.
     
  25. taytong888

    Hello,

    Can anyone show me how to install firejail in Jessie (Debian Stable v. 8.4) ?

    Thanks for your help!
     