FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Here you are:

     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @sthmptn : Just to clarify: without Firejail you are able to read and create/write files in /files?

    What's the output of groups?
     
  3. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Yes, that's correct; as soon as I issue 'firecfg --clean', I can read/write etc from this directory via LibreOffice. One thing to note is that even with Firejail active, I can still use programs such as Geany and KeepassXC sandboxed - I can read/write txt files etc via Geany and update a Keepass database on files. So this issue only /appears/ to be limited to LibreOffice (possibly the LibreOffice Firejail config.. but then you don't have the problem :doubt:)

    Thanks
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    You can read/write files with those applications in your home directory - but in /files as well?
     
  5. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Hello, and thanks for continuing with this. I'm aware that this may not be solvable but I appreciate your efforts!

    To check other apps, I did the following:

    Installed geany and keepassxc.

    Issued sudo firecfg and confirmed apps are firejailed:

    Created a keepass database in home, restarted app, added an entry, restarted and confirmed entry was written to db.

    Did the same as above for /files directory.

    Created txt files in Geany at both home and /files, saved, and confirmed editing is possible in both locations.

     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @sthmptn : I have a suspicion: Can you write to /files with the firejailed LibreOffice if you add ignore apparmor to its profile?

    Background: The geany profile doesn't contain the apparmor rule - but the LibreOffice profile does. Which means that it uses /etc/apparmor.d/firejail-default. And that one contains the following rule:
    Code:
    # Allow write access to paths writable in firejail which aren't used for
    # executing programs. /run, /proc and /sys are handled separately.
    # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
    ##########
    /{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
    which doesn't include /files.
     
  7. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    hmm. Maybe I've misinterpreted your instructions?

    Code:
    $ cd ~
    $ mkdir -p .config/firejail
    $ cd .config/firejail
    $ cp /etc/firejail/libreoffice.profile libreoffice.profile
    $ nano ~/.config/firejail/libreoffice.profile
    :: added to the end of the file: ignore apparmor
    $ sudo firecfg
    
    Below is the dialog box that appears when attempting to open the existing file.

    As soon as I run sudo firecfg --clean, the file opens without errors/dialog.


    upload_2020-5-26_15-11-30.png


    And this is when trying to save a new document to /files (with Firejail enabled) - in case you were wondering about the "document in use" notification - this file has not been saved yet..

    upload_2020-5-26_15-19-23.png
     
    Last edited: May 26, 2020
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The easiest way is that you delete ~/.config/firejail/libreoffice.profile and create a file libreoffice.local in that directory with just one entry: ignore apparmor

    EDIT: Of course, you could also simply comment apparmor in ~/.config/firejail/libreoffice.profile. But creating a .local file is simply easier in order to add or change rules in the upstream profile in /etc/firejail.

    EDIT2: See also these instructions.
     
    Last edited: May 26, 2020
  9. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Hey, I was going to post last night when retesting but ran out of time.

    Good news! The instructions to remove existing and recreate a 'local' profile were successful. I tested in the VM and have no read/write problems within the directories.

    Code:
    $ rm .config/firejail/libreoffice.profile
    $ cd .config/firejail && echo ignore apparmor >> libreoffice.local
    
    BTW, I find the .local system much cleaner than recreating and editing the whole profile so thanks for that tip.

    Also, the link was informative; running firejail --noprofile libreoffice, allowed me to use LibreOffice without having to remove any Firejail configs (good for testing).

    Unfortunately my main system is still locking up whenever I try to add that local profile or even run with --noprofile. I can drop to the console via ctrl-alt+f2 but can't kill the processes and have to hard reset; the DE is just frozen with LibreOffice splashscreen. I'm going to start adding to the test VM to see what part of my set up causes this.

    Thank you ever so much for your help in solving this issue: Debian Buster > Apparmor > LibreOffice > Firejail = :sick:
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Good! So it's confirmed that /etc/apparmor.d/firejail-default was the culprit. I should have thought about that earlier - my apologies.

    Yes, indeed. Btw., the reason why your first attempt didn't work was because an ignore ... rule must be located above the rule to be ignored in the respective profile. As the ...local files are included at the top of each profile this makes sure that the rules therein take precedence.

    Regarding ignore apparmor: You can keep this modification, of course. However, that means that this additional protection will not be used in the LibreOffice profile. So a better alternative would be:
    1. In the file /etc/apparmor.d/local/firejail-local (which will not get overwritten by Firejail updates) you should add the rule
    Code:
    /{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var,files}/** w,
    2. Consequence: Every firejailed application is now allowed to write to /files. If you don't want that I suggest to create the file ~/.config/firejail/globals.local and add the rule blacklist /files which effectively nullifies the change in 1. In order to make an exception for LibreOffice you just have to add noblacklist /files to libreoffice.local (and remove ignore apparmor).

    Or alternatively by executing it with the full path /usr/bin/libreoffice as this bypasses the respective symlink in /usr/local/bin.

    This is very weird, indeed. Have you searched in the logs by executing, e.g., journalctl -e | grep libreoffice or something like journalctl -e | grep -e failed -e Failed -e error -e Error -e ERROR -e DENIED -e denied -e failure -e Failure -e exception -e Exception when this happens?

    You're welcome :)
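    To show why appending ignore apparmor to a copied profile failed while a libreoffice.local worked, here is an added example (not Firejail's code and not from this thread): a simplified Python model of profile resolution in which ignore and noblacklist only affect lines that come later. The profile contents and paths are constructed.

```python
# Constructed in-memory profile tree (assumption: a trimmed-down libreoffice.profile).
# Simplified model of Firejail profile resolution, not Firejail's own parser:
# `include` pulls in a file (user dir first, then /etc/firejail), `ignore X`
# drops every LATER line whose command is X, and `noblacklist P` cancels
# every LATER `blacklist P`. Position in the resolved profile is what decides.
ETC, USER = "/etc/firejail", "/home/user/.config/firejail"
BASE = {f"{ETC}/libreoffice.profile":
        "include libreoffice.local\ninclude globals.local\napparmor\nseccomp\n"}

def resolve(profile, files):
    """Return the effective rule lines of `profile` after includes/ignore/noblacklist."""
    ignored, noblacklisted, effective = set(), set(), []

    def walk(path):
        for raw in files.get(path, "").splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            cmd, _, arg = line.partition(" ")
            arg = arg.strip()
            if cmd == "include":
                for cand in (f"{USER}/{arg}", f"{ETC}/{arg}"):
                    if cand in files:
                        walk(cand)
                        break
            elif cmd == "ignore":
                ignored.add(arg)
            elif cmd == "noblacklist":
                noblacklisted.add(arg)
            elif cmd not in ignored and not (cmd == "blacklist" and arg in noblacklisted):
                effective.append(line)
    walk(profile)
    return effective

def copied_profile_ignore_at_end():
    # Post 7's attempt: copy the whole profile and append `ignore apparmor` at the end.
    files = dict(BASE)
    files[f"{USER}/libreoffice.profile"] = BASE[f"{ETC}/libreoffice.profile"] + "ignore apparmor\n"
    return resolve(f"{USER}/libreoffice.profile", files)

def local_file_ignore():
    # Post 8's fix: libreoffice.local is included at the top, so `ignore` comes first.
    files = {**BASE, f"{USER}/libreoffice.local": "ignore apparmor\n"}
    return resolve(f"{ETC}/libreoffice.profile", files)

def files_exception_for_libreoffice():
    # Post 10's alternative: blacklist /files globally, re-allow it for LibreOffice only.
    files = {**BASE, f"{USER}/globals.local": "blacklist /files\n",
             f"{USER}/libreoffice.local": "noblacklist /files\n"}
    return resolve(f"{ETC}/libreoffice.profile", files)
```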
     
  11. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    44
    Thanks for the additional information above. Once fixed, I'm going to add the apparmor rules as you suggest - happy for that location to be writable as it's archived to another location/device in any case.

    I found a thread (firejail forum) where users are having similar issues starting LibreOffice and someone also mentions the error I was getting when it did start, i.e. read-only access.

    https://github.com/netblue30/firejail/issues/1703

    I realise that my issue is specifically related to a directory outside of home and we've found the culprit but thought it may be useful info if anyone else having issues reads this. I came across this while searching for "Blacklist violations are logged to syslog", which is in my logs when starting LO from the console.

    As I get time, I'm going to go through the profile and gradually uncomment out all the options to see if I can start LO when firejailed.

    I'll update if I can find anything useful.
     
  12. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Here are my 2 or 3 cents:
    1. The notion that Firejail has a larger attack surface is probably related to the fact that Bubblewrap uses PR_SET_NO_NEW_PRIVS. Firejail doesn't use that by default - simply because specific applications (in particular Chromium-based browsers and VirtualBox) don't start with it, depending on whether unprivileged user namespaces are enabled in your distro-specific kernel or not. But you can manually enable it - which is what I do on my Arch Linux system (with the effect that VirtualBox doesn't start with Firejail, so it can "only" be confined by AppArmor). I'm using the Firejail git version, and this is the script I'm using to update it:
    Code:
    cd ~/firejail
    git pull
    ./configure --prefix=/usr --enable-apparmor
    make
    sudo make install
    
    sudo sed -i 's/# force-nonewprivs no/force-nonewprivs yes/' /etc/firejail/firejail.config
    sudo sed -i 's/# bind yes/bind no/' /etc/firejail/firejail.config
    sudo sed -i 's/# cgroup yes/cgroup no/' /etc/firejail/firejail.config
    sudo sed -i 's/# overlayfs yes/overlayfs no/' /etc/firejail/firejail.config
    
    sudo groupadd firejail
    sudo chown -c root:firejail /usr/bin/firejail
    sudo chmod -c 4750 /usr/bin/firejail
    sudo usermod -a -G firejail $USER
    
    sudo firecfg
    
    sudo rm /usr/local/bin/VirtualBox
    2. Bubblewrap is harder to use, IMO, and there are no ready-to-use profiles (although there are repositories which offer profiles for a few applications). Firejail, on the other hand, offers 966 profiles right now, which is certainly a big advantage. Most of those profiles contain the apparmor entry which means additional confinement by /etc/apparmor.d/firejail-default.

    3. The Bubblewrap github site says:
    I'm not sure what that means. Does that mean that whitelisting is not perfect - or does that mean that whitelisting introduces vulnerabilities?

    4. Regarding vulnerabilities: Firejail had its vulnerabilities, most of them in 2016/2017. It was still a rather new project then and has matured since then.
     
  14. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Does anyone know if the development versions of Firejail support the private home profile? firejail --private-home=.mozilla firefox
    The reason I ask is because I'm going to be installing Kubuntu 20.04 later this year and it has the development version of Firejail in the software center (Discover Software Center), and when I installed the .deb file for the current version in VirtualBox the updater installed the development version. Also, are there any security risks in using the development versions?
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199

    Yes, it is. --private-home is not deprecated.

    No.
     
  16. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Thanks, I really appreciate it. :):thumb:
     
  17. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Is anyone having issues with add-ons being disabled in private-home with Firefox 80?
    firejail --private-home=.mozilla firefox
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Anyone able to start a private instance of Firefox lately?
    Firefox updated for me in the last few days, and now I can't start a private instance of it with:
    Code:
    firejail --private firefox -no-remote
    It just doesn't start at all.

    Kubuntu 20.04.2
     
  19. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    I don't use Firefox on my distro atm, but you could try to add these to your Firefox profile: open prefs.js and put
    Code:
    user_pref("extensions.autoDisableScopes", 0);
    user_pref("extensions.enabledScopes", 15);
    If these already exist, replace them.

    Also you can try this command if the above fail : firejail --private-home=.mozilla firefox

    Rules.
     
  20. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
  21. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
  22. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No. Firejail supports AppImage applications but not Snap or Flatpak. However, snaps are sandboxed with AppArmor, seccomp and cgroup rules. And Flatpak uses a sandbox as well which is based upon bubblewrap, AFAIK. I should add that I haven't used either - I still fail to see the reason why.
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I've noticed that you asked this question also on the Firejail github site. So it seems that private-home is what you're interested in. Unless snap support is possible after all (not to my knowledge as mentioned earlier), please note that a possible alternative might be available. However, I don't know if the snap sandbox allows for that.
     
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Firejail supports AppArmor in many profiles with the apparmor option - and this always means that /etc/apparmor.d/firejail-default is used. So if your distro (e.g. Ubuntu) comes with a ready-to-use AppArmor profile for, say, Firefox or you've created your own Firefox profile with aa-logprof, it is not used by Firejail - unless you've ironically added ignore apparmor to firefox.local. But this is not recommended as it usually causes trouble to use both for the same application.

    However, now a new AppArmor abstraction has been added to firejail-git: /etc/apparmor.d/abstractions/base.d/firejail-base which adds required permissions for specific firejail paths/libraries. It will be included in the next official firejail version but you can already use it by creating that file manually and inserting its code.

    If you want to use it in your AppArmor profile for Firefox just add:

    Code:
    include <abstractions/base.d/firejail-base>
    and execute sudo aa-enforce for that profile. Don't forget to create the file firefox.local in /etc/firejail or in ~/.config/firejail and add

    Code:
    ignore apparmor
    After executing firejail firefox you'll see via firejail --list (or firejail --tree) and sudo aa-status that Firefox is confined both by Firejail and AppArmor (and in the latter case no longer by firejail-default but by your specific Firefox profile). I've tested it successfully on Arch Linux for Firefox and Brave.

    So you'll get a browser with an extremely tight sandbox. :thumb:
     