This is not necessary or, better said, suboptimal as, e.g., Chrome started by another application would not be firejailed. Rather, execute sudo firecfg. This will create symbolic links for your applications to firejail in /usr/local/bin -> symlink invocation.
No, see, e.g., this release note. You'll see the version numbers at the bottom of that site. The thing is that the Linux version doesn't get new features but still security fixes.
That is what I like about Linux, a lot of people helping you out with directions. Only it is explained in insiders' lingo. Could you help me, an outsider (my nickname is Windows_Security, not Linux_Security), with an example to start Chromium firejailed? Would this be the sequence of Terminal commands?

$ which -a chromium-browser-gtk
/usr/bin/chromium-browser-gtk
$ sudo ln -s /usr/bin/firejail /usr/local/bin/chromium-browser-gtk
$ which -a chromium-browser-gtk
/usr/local/bin/chromium-browser-gtk
/usr/bin/chromium-browser-gtk

How do you start Chromium firejailed? By just creating a shortcut/starter "chromium-browser %U"? Thanks
The symlinks method posted by summerheat works. You can also go to Properties->Desktop Entry->Command of the chromium shortcut and place it in there. I use, for example:

Code: firejail --caps.keep=sys_chroot,sys_admin,sys_time,sys_tty_config,wake_alarm --dns=8.8.8.8 --dns=8.8.4.4 chromium-browser %U

Of course you can go very simple with, for example:

Code: firejail chromium-browser

...if you wanted to. Also you can use these commands from the terminal.
I use

Code: firejail chromium-browser

but Summerheat said that Chrome won't start firejailed. But Wat0114 posted that this is ok. Now I am confused.
Not with all functions enabled. I don't use Chrome or Chromium, but I'm sure you can use them with Firejail if you don't block a few syscalls and/or disable seccomp or something like that. There's more info on the Firejail thread here on WS.
Don't worry - it's actually rather easy. What wat0114 suggested is correct. However, if you add firejail to the chromium shortcut and chromium would be started by clicking a url in another application, this would mean that chromium would not be firejailed as that shortcut or starter would not be used. Rather, the system looks in the $PATH in order to find chromium. Just execute

Code: echo $PATH

to find the path entries on your system. You'll notice that /usr/local/bin (and possibly /usr/local/sbin - but that differs from distro to distro) are positioned before all other locations, in particular /usr/bin. Now, if you simply execute

Code: sudo firecfg

it will create symbolic links in /usr/local/bin for those installed applications for which profiles exist in /etc/firejail. Just execute

Code: sudo firecfg --list

to see which symbolic links were created - or simply navigate to /usr/local/bin in your file manager. You'll see that those symbolic links all point to /usr/bin/firejail. But as /usr/local/bin is the first position in your $PATH, this means that chromium would be started firejailed. The firejail entry in the shortcut is therefore unnecessary. This works reliably as long as the other application doesn't use the absolute path to your browser, i.e. /usr/bin/chromium, in its settings. In most cases it doesn't.

2 suggestions:

1. If you want to add more switches as wat0114 suggested, I would create the folder ~/.config/firejail and create the file chromium-browser.profile therein. It would look like this:

Code:
include /etc/firejail/chromium.profile
caps.keep sys_chroot,sys_admin,sys_time,sys_tty_config,wake_alarm
dns 8.8.8.8
dns 8.8.4.4

Profiles in ~/.config/firejail take precedence over profiles in /etc/firejail.

2. If you create your own profiles in ~/.config/firejail for other applications not yet included in /etc/firejail, executing sudo firecfg wouldn't add a symlink to /usr/local/bin. You would have to execute

Code: sudo ln -s /usr/bin/firejail /usr/local/bin/your_application

I hope this clarifies things.
@summerheat that does not work. When I enter "sudo firecfg" it returns "command not found". Note: I understand the logic of writing manuals for insiders. It saves a lot of time and prevents people without enough IT knowledge from messing up their system. Only Linux geeks top this principle. I wrestled through some documentation, I will update my post.
Xubuntu as XP replacement (Zorin was first, Lubuntu with XP skin second, Xubuntu third try)

Personalisation
Changing the desktop background with a picture is easier when using right click on the picture; for wallpapers use the desktop appearance applet. Before you can move the taskbar to the bottom, you have to unlock it and grab it on the sides (left or right), otherwise it flies back. Changed the taskbar background to a blue-ish solid color to resemble Win7 a little. Appearance: selected Greybird style, with elementary Xfce icons. Chose Doloa as style in Window (looks) manager. In (theme) configuration I enabled alternative taskbar colour (set to blue also).

Installing essentials for mailreader and webbrowser
Update language packs. Enable updates from Canonical partners in Software & Updates. Install Chromium from the built-in Software (manager). Install flash through terminal command (sudo apt-get install adobe-flashplugin). Install firejail through terminal command (sudo apt-get install firejail).

Configure Chrome privacy & security
- disable all Chrome services except Safe browsing
- allow session cookies only, block third party cookies, request do not track
- flags #disable-hyperlink-auditing #reduced-referrer-granularity
- extensions: WebRTC leak prevent, CanvasFingerPrintBlock, Avast Online security
- flags: #enable-permission-blacklist, #extension-content-verification (strict)

Installing other software
Wine to install a typical Dutch card game (Klaverjassen, which my senior relatives like). Games: Hearts, Kpatience (sudo apt-get install kpat) and (tuxkarts for their great-grandchildren). Grub editor to make Windows the default OS and start after 5 seconds (but that is only for my setup).

Using firejail
Thunderbird: Change the shortcut / starter of Thunderbird from "thunderbird %U" to "firejail thunderbird %U". Caveat: running Thunderbird firejailed disables links to websites. I did not find an easy solution for it.
Chromium-browser
There is a trick to start firejail instead of chromium-browser. It is called symbolic links. Run all these commands in Terminal:

Code:
sudo ln -s /usr/bin/firejail /usr/local/bin/chromium-browser
sudo which -a chromium-browser
/usr/local/bin/chromium-browser
/usr/bin/chromium-browser

You can check whether this works by sending yourself an email with a link to a website. Open it in Thunderbird, not firejailed. Open a terminal and enter firejail --list (nothing should be seen). Click on the link (Chromium should start) and repeat the terminal command firejail --list (now you should see active sandboxes).
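The symlink trick above, and summerheat's explanation of why /usr/local/bin coming first in $PATH makes it work, can be verified with a small script. This is an added example, not code from the thread or from the Firejail project: it resolves an application name the way the shell's PATH lookup does and reports whether the first hit is a symlink to firejail, using a constructed stand-in for /usr/bin and /usr/local/bin so it runs offline. It also covers the caveat summerheat mentions: an application configured with the absolute path /usr/bin/chromium skips the symlink entirely.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an application would be
# started through a firejail symlink, given a PATH, the way `sudo firecfg`
# (or a manual `ln -s /usr/bin/firejail /usr/local/bin/NAME`) sets it up.

# first_on_path NAME PATH: print the first executable NAME found on PATH
first_on_path() {
    name=$1 searchpath=$2 oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
        if [ -n "$dir" ] && [ -x "$dir/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# is_firejailed NAME PATH: succeed only if NAME would start through a symlink
# to firejail. A NAME containing a slash (absolute path, as another application
# may have in its settings) skips the PATH lookup, so the symlink is bypassed.
is_firejailed() {
    case $1 in
        */*) match=$1 ;;
        *)   match=$(first_on_path "$1" "$2") || return 1 ;;
    esac
    [ -L "$match" ] || return 1
    [ "$(basename "$(readlink "$match")")" = firejail ]
}

# make_fixture: constructed stand-in for /usr/bin and /usr/local/bin (not a
# real system); prints the fixture root directory
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/firejail"
    printf '#!/bin/sh\n' > "$root/usr/bin/chromium-browser"
    chmod +x "$root/usr/bin/firejail" "$root/usr/bin/chromium-browser"
    ln -s "$root/usr/bin/firejail" "$root/usr/local/bin/chromium-browser"
    printf '%s\n' "$root"
}

root=$(make_fixture)
if is_firejailed chromium-browser "$root/usr/local/bin:$root/usr/bin"; then
    echo "chromium-browser resolves to the firejail symlink"
fi
```

On a real system, call is_firejailed with the application name and your own $PATH; if /usr/bin sorts before /usr/local/bin there, the symlink is never reached.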
You really don't need to create shortcuts if you want to edit the applications so that they start with Firejail. I don't remember exactly how to do it, but you just open the "Start Menu", then click "Run Program", then you'll see a down arrow; click on it. Now all your programs will appear. Right-click on one and click "Edit". There you go. This is the most window-sy way of doing it.
Oops - so it seems that you're still running an old version of Firejail. firecfg was introduced with v. 0.9.40.
Or create a symlink like you did for chromium-browser. It works for me with Firefox. Note that the thunderbird.profile contains

Code: include /etc/firejail/firefox.profile

Perhaps adding

Code: include /etc/firejail/chromium-browser.profile

helps.
It works now (firejail --list proves it). The problem with "don't remember exactly" is that the computer will say no.
Will wait for the firejail update, so firecfg becomes available on Xubuntu 16. Thanks for your suggestion, will try that later.
Okay, including /etc/firejail/chromium-browser.profile removes access rights also, so Thunderbird has no access to its own profile, so that does not work. TLU has given some directions, but these are too much "Linux geek" for a Windows user.
More sandboxing using AppArmor: again I could not get Thunderbird to work, but AppArmor contains a default Chromium-browser profile. Open up Terminal and enter

Code:
sudo apt-get install apparmor-utils
sudo apt install apparmor-profiles
sudo systemctl reload apparmor.service
sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser

When you enter (in terminal)

Code: sudo apparmor_status

it should show that the chromium profile is enforced. Overall not bad for a total noob on Linux to add two sandboxes to Chromium's internal sandbox. I did it just for fun, no idea whether this actually increases Chrome protection; my guess is that those different sandboxes all use kernel stuff, so kernel exploits would still be the Achilles heel of this triple sandbox.
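The check at the end of the post ("it should show that the chromium profile is enforced") can be scripted rather than eyeballed. This is an added example, not from the thread or from the AppArmor project: it reads apparmor_status output and reports which mode a given profile is in. The sample output is constructed to match the usual apparmor_status layout (an assumption; newer versions print extra sections that this parser ignores), so the script runs offline; on a real machine pipe in `sudo apparmor_status` instead.

```shell
#!/bin/sh
# Added example (not from the thread): report the AppArmor mode of a profile
# from apparmor_status output. Constructed sample shaped like real output.
SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/chromium-browser
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/lib/thunderbird/thunderbird
0 processes have profiles defined.'

# profile_mode NAME STATUS_TEXT: prints enforce, complain or none.
# The section headers decide which mode the indented entries below belong to;
# the "processes have profiles defined" line ends the profile sections.
profile_mode() {
    name=$1
    printf '%s\n' "$2" | awk -v want="$name" '
        /profiles are in enforce mode/  { mode = "enforce";  next }
        /profiles are in complain mode/ { mode = "complain"; next }
        /processes have profiles/       { mode = "" }
        /^ +/ && mode != "" && $1 == want { print mode; found = 1; exit }
        END { if (!found) print "none" }'
}

# check_enforced NAME STATUS_TEXT: succeed only if NAME is in enforce mode,
# which is what `sudo aa-enforce` on its profile should produce
check_enforced() {
    [ "$(profile_mode "$1" "$2")" = enforce ]
}

if check_enforced /usr/bin/chromium-browser "$SAMPLE_STATUS"; then
    echo "chromium-browser profile is enforced"
fi
```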
Yes, true. However, the Chrome sandbox and Firejail use seccomp-bpf. It filters system calls which in turn reduces the attack surface of the kernel. More info here. AFAIK, there is nothing similar available for Windows. Please correct me if I'm wrong.
Well, on Windows you can use about://flags to obtain additional attack surface reduction:

Enable PPAPI Win32k Lockdown #enable-ppapi-win32k-lockdown (disables access for PPAPI plugins to win32k)
Enable AppContainer Lockdown #enable-appcontainer (enables the Windows built-in sandbox)

But it is not the same.
Forgot to mention two handy programs to export mail from Outlook (Express) to Thunderbird: https://sourceforge.net/projects/ooconverter/ and you can import EML with the Thunderbird add-on https://addons.mozilla.org/nl/thunderbird/addon/importexporttools/
When you launch a firejailed thunderbird it runs in a single sandbox with two processes. Click on a link in thunderbird and in my case firefox launches and runs as another process inside the sandbox.

ocky@ocky-desktop:~$ firejail --tree
3049cky:/usr/bin/firejail thunderbird
3050cky:/usr/bin/firejail thunderbird
3061cky:/usr/lib/thunderbird/thunderbird
3238cky:/usr/lib/firefox/firefox http://www.moneyweb.co.za/moneyweb-opinion/soapbox/

You can also check this with sudo firemon, which is to be started before running thunderbird. Once thunderbird is launched the terminal will start filling. Regards