FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    159
    I just updated my MX-17 32-bit laptop to MX-19. I enabled the backports in Synaptic and it is showing firejail 9.58.2. Shouldn't the version number be 9.6? Is the install process the same as the instructions you gave me about a year ago? Should I install 9.6(+) and if so, how? Thank you for your help.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    The sourceforge.net download link summerheat gives is correct. That's where I got mine from a while back:

    Code:
    @debian:~$ firejail --help
    firejail - version 0.9.62
    
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,190
    Location:
    Among the gum trees
    I see Firejail is available for download in Solus Gnome, also a GUI for Firejail. Is it worth it for a basically beginner to Linux? Do you need to tweak things to get them to work?
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,999
    Location:
    Member state of European Union
    Usually not. It has per-application profiles. If Firejail does not work for a particular application, you may just ignore it for that application but use Firejail for other applications.
     
  5. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    newbie to Firejail here.

    I am using several Firefox profiles; when I launch Firefox in Firejail it opens the default one. The question is, when I open another profile alongside the default one (I launch the other one from about:profiles in the default one), is it opened inside Firejail? I guess it should be, but I am not 100% sure.
    Thanks.
     
  6. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Yes, it is opened inside firejail.
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    You can easily check if a program runs firejailed by executing

    firejail --list

    or, for a more detailed view,

    firejail --tree

    in the console.
     
  8. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Does anyone know if Firejail runs on ARM CPUs? Like a Raspberry Pi for example?
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    There are no ready-to-use binaries on the Firejail download site, AFAIK. However, there are versions for several architectures on the respective site for Debian SID. The armhf version should be the right one.
     
  10. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Thanks. :thumb: I'm guessing this would also work on Ubuntu for Raspberry Pi?
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, it should!
     
  12. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Hello,

    I have a problem when running LibreOffice while firejailed.

    Some background; my OS (Debian) is partitioned as root, home and files. The 'files' partition is mounted on boot at /files.

    If I try to open a LibreOffice document from the "files" directory, as you may guess, it is read-only due to Firejail restrictions. When I disable Firejail, read-write access is restored.

    I have tried to overcome this by:

    1. Creating a custom profile, as https://firejail.wordpress.com/documentation-2/building-custom-profiles/

    2. Adding the following below "noblacklist": "whitelist /files"

    When I then attempt to start LibreOffice, it fails to start with: error invalid whitelist path /files.

    I've tried various other solutions, but I'm not sure if I have the syntax correct?

    Thanks,
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @sthmptn : Please show us your /etc/fstab and the output of the mount command.
     
  14. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    The relevant line from fstab is:

    /dev/mapper/vg001-files /files ext4 defaults 0 2

    This was created on install. The hierarchy for this device is basically: LUKS > LVM > LVs > filesystems

    As you can see, the partition is mounted at boot.

    Thanks for your help
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I suggest starting with the --tracelog option - perhaps it reveals some additional details. Btw.: does your profile contain disable-mnt? (although it shouldn't matter here ...)

    Just to make sure that I understood this correctly. You wrote
    The first rule is "noblacklist /files", isn't it?
     
  16. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    I will run a tracelog shortly.

    No, the profile does not contain 'disable-mnt'. The only customisation on my part is to add the line (below the existing noblacklist entries):

    whitelist /files

    I followed instructions from this guide (right at the bottom, where he adds a documents whitelist):
    https://www.techrepublic.com/article/how-to-install-and-use-firejail-on-linux/

    As a temporary fix, would I be breaking anything by mv-ing the libreoffice.profile out of /etc/firejail and re-issuing firecfg - is there an easier way of removing a single application from Firejail? I don't want to disable it for all apps.

    I guess that Firejail is trying to protect any files that are outside of the home/default directories and especially those directories at the top level of root /.
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Please add

    noblacklist /files

    above that line. Does that make a difference?
     
  18. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    I added the following to the custom profile:
    $ firejail --tracelog libreoffice
    Reading profile /home/USER/.config/firejail/libreoffice.profile
    Reading profile /etc/firejail/allow-java.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-exec.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/whitelist-var-common.inc
    Warning: networking feature is disabled in Firejail configuration file
    Parent pid 8520, child pid 8521
    Error: invalid whitelist path /files
    Error: proc 8520 cannot sync with peer: unexpected EOF
    Peer 8521 unexpectedly exited with status 1

    LibreOffice does not start.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That's incorrect. noblacklist must be above whitelist.
     
  20. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    I switched them around, and with the 'whitelist' entry enabled, LibreOffice does not start - same errors as in the previous post.

    With 'whitelist' commented out of the profile, LibreOffice starts, but any files outside of home are read-only.

    When issuing $ sudo firejail --clean, all files are read-write.

    As additional info, I have keepass (Firejailed) files as well as things like txt files that I can happily edit via Geany (Firejailed) - everything on this partition works except for LibreOffice files - it must be linked to the default LibreOffice profile rather than my system setup (IMO).
     
    Last edited: May 14, 2020
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @sthmptn : Please show your complete profile. By looking only at fragments of it, it's difficult to say what's wrong.

    Btw., I forgot to answer this question:

    Not quite. This article explains the default access to the filesystem. Additionally a lot of specific folders/files are blacklisted by the various *.inc files included in every profile. And if the profile contains disable-mnt, /mnt, /media, /run/mount and /run/media are blacklisted as well.

    So actually /files is not covered at all by default which means that noblacklist /files and whitelist /files are moot. I hadn't thought about that earlier. These rules would only be necessary if you had created a file like, say, myrules.inc in ~/.config/firejail which contains the rule blacklist /files and which you added to your profiles or (even easier) if you added that rule to the globals.local file (which is automatically included in every profile) to make sure that no application can access this folder.
     
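    To make the resolution rules summerheat describes above concrete, here is an added Python model (not Firejail's own code, and a deliberate simplification of it) that applies profile lines in order, follows include into constructed stand-ins for the *.inc files, and reports whether a path ends up read-write, read-only or hidden. The assumptions are labelled in the code: the home directory is /home/user, the *.inc contents are made up, and the set of top directories a whitelist may name is a parameter, because it differs between Firejail releases. The model shows three things from this thread: a noblacklist only cancels a blacklist that is processed after it, so it belongs above the includes and the whitelist; a path no rule mentions, such as /files, stays read-write as far as the profile is concerned; and, in this model, a whitelist whose top directory is not one the sandbox replaces with a tmpfs is rejected while the profile is parsed, which matches where the --tracelog output above reports the error, before the sandbox starts.

```python
"""Simplified model of how Firejail applies a profile's filesystem rules
(added illustration, not Firejail's code). Lines are applied in order,
`include` is followed into constructed stand-ins for /etc/firejail/*.inc,
and access() reports what the sandboxed program sees: "rw", "ro" or "hidden".
Only include, noblacklist, blacklist, read-only, whitelist and disable-mnt
are modelled; every other directive is ignored.
"""
HOME = "/home/user"  # assumption: home of the user running the sandbox
# Assumption: which top directories `whitelist` accepts depends on the
# Firejail release (see `man firejail-profile`), so it is a parameter here.
DEFAULT_WHITELIST_TOPS = {HOME, "/tmp", "/var"}
MNT_DIRS = ("/mnt", "/media", "/run/mount", "/run/media")  # hidden by disable-mnt

class ProfileError(Exception):
    """Where Firejail would print an Error and refuse to start the sandbox."""

class Rules:
    def __init__(self):
        self.noblacklist, self.blacklist, self.read_only, self.whitelist = [], [], [], []

def _expand(path):
    if path.startswith("${HOME}"):
        return HOME + path[len("${HOME}"):]
    return HOME + path[1:] if path == "~" or path.startswith("~/") else path

def _under(path, prefix):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def _top(path):
    """Directory a whitelist tmpfs would replace: $HOME itself, else /<first>."""
    return HOME if _under(path, HOME) else "/" + path.strip("/").split("/", 1)[0]

def _blacklist(r, path):
    # Only an *earlier* noblacklist cancels a blacklist, hence the advice to
    # put noblacklist lines above the includes that carry the blacklists.
    if not any(_under(path, n) for n in r.noblacklist):
        r.blacklist.append(path)

def load(lines, includes, tops=DEFAULT_WHITELIST_TOPS, r=None):
    r = r or Rules()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        arg = _expand(arg.strip())
        if cmd == "include":
            name = arg.rsplit("/", 1)[-1]
            if name not in includes:
                raise ProfileError(f"cannot read include file {arg}")
            load(includes[name], includes, tops, r)
        elif cmd == "noblacklist":
            r.noblacklist.append(arg)
        elif cmd == "blacklist":
            _blacklist(r, arg)
        elif cmd == "read-only":
            r.read_only.append(arg)
        elif cmd == "whitelist":
            if _top(arg) not in tops:  # rejected while parsing, before the sandbox starts
                raise ProfileError(f"invalid whitelist path {arg}")
            r.whitelist.append(arg)
        elif cmd == "disable-mnt":
            for d in MNT_DIRS:
                _blacklist(r, d)
    return r

def access(r, path):
    path = _expand(path)
    # A whitelist mounts a tmpfs over its top directory; only whitelisted
    # entries and the directories leading to them survive there.
    if _top(path) in {_top(w) for w in r.whitelist} and not any(
            _under(path, w) or _under(w, path) for w in r.whitelist):
        return "hidden"
    if any(_under(path, b) for b in r.blacklist):
        return "hidden"
    if any(_under(path, ro) for ro in r.read_only):
        return "ro"
    return "rw"  # no rule touches it: ordinary Unix permissions decide

# Constructed stand-ins for the include files a stock profile pulls in.
INCLUDES = {
    "disable-common.inc": ["blacklist /boot", "blacklist ${HOME}/.ssh", "read-only /etc"],
    "disable-programs.inc": ["blacklist ${HOME}/.mozilla", "blacklist ${HOME}/.config/keepassxc"],
}
GOOD = [  # noblacklist above the includes and the whitelist
    "noblacklist ${HOME}/.mozilla",
    "include /etc/firejail/disable-common.inc",
    "include /etc/firejail/disable-programs.inc",
    "whitelist ${HOME}/Documents",
    "whitelist ${HOME}/.mozilla",
    "disable-mnt",
]
LATE = GOOD[1:3] + [GOOD[0]] + GOOD[3:]  # noblacklist below the include that blacklists

def demo():
    good, late = load(GOOD, INCLUDES), load(LATE, INCLUDES)
    return {
        "mozilla, good order": access(good, "${HOME}/.mozilla/profiles.ini"),
        "mozilla, late noblacklist": access(late, "${HOME}/.mozilla/profiles.ini"),
        "Pictures, not whitelisted": access(good, "${HOME}/Pictures/a.png"),
        "/etc/hosts": access(good, "/etc/hosts"),
        "/mnt/usb, disable-mnt": access(good, "/mnt/usb"),
        "/files/report.odt, no rule": access(good, "/files/report.odt"),
    }

def whitelist_error(path):
    """Parse-time error for a whitelist outside the accepted top directories ('' if none)."""
    try:
        load(GOOD + [f"whitelist {path}"], INCLUDES)
    except ProfileError as e:
        return str(e)
    return ""
```

    Running demo() gives rw for the noblacklisted .mozilla directory in the good order and hidden when the noblacklist comes after the include, hidden for a home directory that is not whitelisted once any home whitelist exists, ro under /etc, hidden under /mnt because of disable-mnt, and rw for /files, which no rule mentions; whitelist_error("/files") returns "invalid whitelist path /files". The model does not explain a read-only /files, which is consistent with the advice above that the profile does not cover that directory at all.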
  22. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44


    Thank you for your time - I appreciate the effort you make to provide advice and information for others!

    My solution currently is to move any files/directories over to ~/home first, edit, and then move back when complete - bit of a faff but it's my choice to use this OS/LibreOffice.

    I tried moving and also renaming the libreoffice.profile in /etc/ to see if I could disable Firejail for LibreOffice but this freezes my desktop environment with only a hard reset (hold power) available.

    As per previous post, this is tracelog output:

    And this is the profile contents:

    $ cd ~
    $ mkdir -p .config/firejail
    $ cd .config/firejail
    $ cp /etc/firejail/libreoffice.profile libreoffice.profile
    $ nano ~/.config/firejail/libreoffice.profile

    Note: I have currently commented out my two entries. Everything else is default.

    As you hint to, I think the culprit/solution may be in those additionally included config files (disable-devel, disable-common??) but I'm not sure I have the knowledge to troubleshoot. For me, the PROS Firejail adds to my security outweighs the CONS regarding LibreOffice.
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    As mentioned, this shouldn't be necessary as /files is not blocked by Firejail by default - unless you added blacklist /files to, e.g., globals.local. I have a partition named Backup on an extra hard disk:

    Code:
    # /dev/sdc1 LABEL=Backup
    UUID=7d87ed2f-1f93-456c-a50e-8330cda01a23   /Backup       ext4         defaults,noatime   0 2
    ... and I can access it with LibreOffice without any problems

    Ouch :eek: This shouldn't happen at all (and it doesn't on my system, I just tried to reproduce). It seems something is broken on your system. :oops: Btw.: in order to disable Firejail for a specific application you can simply delete the respective symlink in /usr/local/bin.

    Code:
    Error: invalid whitelist path /files
    This makes sense: if it's not blacklisted it cannot get whitelisted. However, I wonder why this message still appears considering that you wrote:

    No, as those *.inc files are in my LibreOffice profile as well and I can access my /Backup drive as mentioned above.

    Could you, please, execute

    Code:
    firejail --debug libreoffice
     
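    An added Python example (not firecfg's own code) of the symlink mechanism summerheat refers to, and of removing the wrapper for a single program, which is what sthmptn asked about earlier as an alternative to moving libreoffice.profile out of /etc/firejail. It runs against a constructed temporary directory standing in for /usr/local/bin, and the location of the firejail binary is an assumption.

```python
"""How firecfg's per-application wrapping works and how to undo it for one
program (added example, not firecfg's own code). `sudo firecfg` creates, in
/usr/local/bin, a symlink named after every program that has a profile and
pointing at the firejail binary; /usr/local/bin precedes /usr/bin in PATH, so
the shell finds the symlink first, and firejail, seeing the program name in
its own argv[0], starts it under that profile. Deleting one symlink therefore
un-sandboxes only that program.
"""
import os
import tempfile
from pathlib import Path

FIREJAIL = "/usr/bin/firejail"  # assumption: where the Debian package installs the binary

def wrapped_apps(bindir="/usr/local/bin"):
    """{name: link target} for every symlink in bindir pointing at a file called firejail."""
    found = {}
    for entry in Path(bindir).iterdir():
        if entry.is_symlink() and os.path.basename(os.readlink(entry)) == "firejail":
            found[entry.name] = os.readlink(entry)
    return dict(sorted(found.items()))

def unwrap(app, bindir="/usr/local/bin"):
    """Remove firecfg's symlink for one program; anything else is left alone."""
    link = Path(bindir) / app
    if not link.is_symlink() or os.path.basename(os.readlink(link)) != "firejail":
        return False  # a real binary, an unrelated symlink, or nothing at all
    link.unlink()
    return True

def make_demo_bindir(root):
    """Constructed stand-in for /usr/local/bin after `sudo firecfg`; not a real system."""
    bindir = Path(root) / "usr-local-bin"
    bindir.mkdir()
    for app in ("firefox", "libreoffice", "geany"):
        (bindir / app).symlink_to(FIREJAIL)  # what firecfg creates per profiled program
    (bindir / "myscript").write_text("#!/bin/sh\necho hi\n")  # a plain file, not a wrapper
    (bindir / "othertool").symlink_to("/opt/othertool/bin/othertool")  # unrelated symlink
    return bindir

def demo():
    """Wrapper state before and after un-sandboxing libreoffice only."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = make_demo_bindir(tmp)
        before = list(wrapped_apps(bindir))
        removed = unwrap("libreoffice", bindir)
        refused = [unwrap(x, bindir) for x in ("myscript", "othertool", "nosuchapp")]
        after = list(wrapped_apps(bindir))
    return before, removed, refused, after
```

    Two practical notes: an already open bash shell may have cached the old lookup, so run hash -r (or open a new terminal) after deleting the link, and a later sudo firecfg re-creates the symlink for every profiled program, so the removal has to be repeated after that.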
  24. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44

    Thanks for your comments - I have been testing over the weekend. As I can see that you have a working setup not /too/ dissimilar to mine, I have not given up hope. Regarding the system, it only freezes when trying to start LibreOffice with Firejail enabled AND those custom rules in place. Obviously not good, but apart from this the system is rock solid, and it is a fresh install from the last month or so.

    Putting aside my original device, I decided to spin up a test VM and try and keep it as vanilla as possible while still recreating my setup.

    I installed using a Debian 10 minimal ISO.

    At partitioning, I chose manual, created a /boot and a /root as well as a new partition at /files.

    For software, I simply chose DE of XFCE along with standard sys utils.

    Once inside, and with LibreOffice already installed as default, I issued the following commands:

    $ sudo chown deb -R /files && sudo chmod 770 -R /files
    $ sudo nano /etc/apt/sources.list
    :: deb http://deb.debian.org/debian buster-backports main
    $ sudo apt-get update && sudo apt-get upgrade
    $ sudo apt-get install -t buster-backports firejail firejail-profiles
    $ firecfg --fix-sound
    $ sudo firecfg
    $ sudo apt-get install vdagent - for copy / paste ;)

    After a reboot, I can create odt documents and save to home - I can also copy these to files but when opening from files the error (read-only) persists.

    After issuing sudo firecfg --clean, odt documents are subsequently read-write.

    Is it simply a permissions issue? See my first command above for the files directory.

    Here is the debug output:

    EDIT: BTW, this is without any custom profiles, as the permissions error is present even at this stage - I didn't want to complicate it further.
     
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @sthmptn : Could you, please, show the output of

    Code:
    ls -l /files
    and

    Code:
    id
    and

    Code:
    cat /etc/firejail/firejail-users
     