FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    No, but in reading the question I'm reminded of one of the features of "puppylinux Puli" ~~ the executable for the PDF reader is renamed and replaced by a same-named wrapper script which performs ifdown before launching the PDF reader. The same approach could be used for the web-capable libreoffice apps.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Has anyone tried the feature --caps.drop=capability,capability,capability ?

    https://firejail.wordpress.com/features-3/man-firejail/

    So far, I have been able to run Chromium with several of the Linux capabilities dropped with the command:

    Code:
    firejail  --caps.drop=sys_ptrace,kill,fsetid,dac_override,syslog,mac_admin,setuid,setgid,dac_read_search,linux_immutable,sys_module,net_admin,sys_rawio,net_bind_service,chown,fowner,sys_resource chromium
    
    The following command: firejail --caps.print=PID reveals all the selected capabilities are disabled...
    
    Code:
    $ firejail --caps.print=23737
    chown               - disabled
    dac_override        - disabled
    dac_read_search     - disabled
    fowner              - disabled
    fsetid              - disabled
    kill                - disabled
    setgid              - disabled
    setuid              - disabled
    setpcap             - enabled
    linux_immutable     - disabled
    net_bind_service    - disabled
    net_broadcast       - enabled
    net_admin           - disabled
    net_raw             - enabled
    ipc_lock            - enabled
    ipc_owner           - enabled
    sys_module          - disabled
    sys_rawio           - disabled
    sys_chroot          - enabled
    sys_ptrace          - disabled
    sys_pacct           - enabled
    sys_admin           - enabled
    sys_boot            - enabled
    sys_nice            - enabled
    sys_resource        - disabled
    sys_time            - enabled
    sys_tty_config      - enabled
    mknod               - enabled
    lease               - enabled
    audit_write         - enabled
    audit_control       - enabled
    setfcap             - enabled
    mac_override        - enabled
    mac_admin           - disabled
    syslog              - disabled
    wake_alarm          - enabled
    block_suspend       - enabled
    audit_read          - enabled
    ...otherwise they all will show "Enabled" without using the caps.drop=capability,capability,capability... feature.

    However, attempting to drop sys_admin or sys_chroot, for example, will prevent chromium from opening. I will try dropping other capabilities one-by-one to see how many more I can disable without breaking the browser.

    My only question is: how much, if at all, does this bolster the sandboxed browser? I haven't yet noticed anything unusual in my normal browsing with all these capabilities dropped.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Almost all the capabilities are disabled now without breakage to Chromium firejailed. A couple I didn't bother with such as sys_time and sys_tty_config.

    Code:
    $ firejail --caps.print=3151
    chown               - disabled
    dac_override        - disabled
    dac_read_search     - disabled
    fowner              - disabled
    fsetid              - disabled
    kill                - disabled
    setgid              - disabled
    setuid              - disabled
    setpcap             - disabled
    linux_immutable     - disabled
    net_bind_service    - disabled
    net_broadcast       - disabled
    net_admin           - disabled
    net_raw             - disabled
    ipc_lock            - disabled
    ipc_owner           - disabled
    sys_module          - disabled
    sys_rawio           - disabled
    sys_chroot          - enabled
    sys_ptrace          - disabled
    sys_pacct           - disabled
    sys_admin           - enabled
    sys_boot            - disabled
    sys_nice            - disabled
    sys_resource        - disabled
    sys_time            - enabled
    sys_tty_config      - enabled
    mknod               - disabled
    lease               - disabled
    audit_write         - disabled
    audit_control       - disabled
    setfcap             - disabled
    mac_override        - disabled
    mac_admin           - disabled
    syslog              - disabled
    wake_alarm          - enabled
    block_suspend       - disabled
    audit_read          - disabled
    
     
  4. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I drop all caps to all my programs. No problems so far.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Even on Chromium? It breaks if I disable either sys_admin or sys_chroot.
     
  6. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I don't use Chromium. Never will :) Sorry hehehehe.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Oh, okay.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Thanks for your post - it's very useful, indeed! :thumb:

    I'm not an expert, but this is how I see it: I haven't searched in the Chromium source files for the syscalls and capabilities dropped in the Chromium sandbox but I think it's a safe guess that only the syscalls and capabilities are allowed which are absolutely necessary in order to tighten the sandbox as much as possible. Hence, I don't think that Firejail can bolster the Chromium sandbox itself.

    However, the important thing is that only the renderer processes in Chromium/Chrome are sandboxed - the broker (or browser) process is not! The latter is completely unconfined, and this is probably what netblue30 was referring to when he wrote: "Chromium sandbox is similar to Firejail, it implements its own seccomp filter, but it leaves the filesystem wide open."

    This has two implications, IMHO:
    1. The renderer processes and the broker process communicate via IPC (inter-process communication). I haven't searched for related vulnerabilities in the past. But it seems obvious to me that IPC is, at least, a potential weak spot. That's why confining the broker process - as you've thankfully done - makes perfect sense.
    2. Notwithstanding the above, the fact that the broker process has unlimited file system access is also a potential privacy issue. This problem can be controlled by Firejail's whitelist, blacklist and read-only options.

    Taken all together, firejailing Chromium definitely makes sense. But again, that's only my layman's view.

    Anyways, I've tried your suggestions with Inox and haven't had any problems :) Thanks again!

    Now the next step would be trying to also drop as many syscalls as possible ...
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Thank you, summerheat! I was waiting in eager anticipation for your response and you did :thumb:

    Well I'm certainly glad to now know that the caps.drop feature is a useful security feature, at least to fortify the broker process. Thanks again for providing your expertise on this!

    BTW, this is the full command I use for chromium:

    Code:
    firejail --caps.drop=sys_ptrace,kill,fsetid,dac_override,syslog,mac_admin,setuid,setgid,dac_read_search,linux_immutable,sys_module,net_admin,sys_rawio,net_bind_service,chown,fowner,sys_resource,ipc_owner,ipc_lock,mac_override,net_raw,sys_boot,net_broadcast,audit_read,audit_write,audit_control,setpcap,setfcap,block_suspend,mknod,lease,sys_nice,sys_pacct chromium
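
An added example (not from this thread or the Firejail project) for checking a sandbox's bounding set without relying on --caps.print: it reads the CapBnd mask from /proc/PID/status and decodes it into the same per-capability listing shown in posts 2 and 3. Bit positions come from the kernel's capability.h (bit 0 = chown up to bit 37 = audit_read, the order used above); the status file below is a constructed sample, not a capture.

```shell
#!/bin/bash
# Capability names in kernel bit order (include/uapi/linux/capability.h).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read"

# decode_caps MASK_HEX: print "name - enabled|disabled", one line per capability,
# mirroring the layout of "firejail --caps.print=PID".
decode_caps() {
    local mask=$1 i=0 name state
    for name in $CAP_NAMES; do
        if [ $(( 0x$mask >> i & 1 )) -eq 1 ]; then state=enabled; else state=disabled; fi
        printf '%-19s - %s\n' "$name" "$state"
        i=$(( i + 1 ))
    done
}

# cap_state MASK_HEX NAME: state of one capability, for scripted checks.
cap_state() {
    decode_caps "$1" | awk -v n="$2" '$1 == n { print $3 }'
}

# capbnd_of_status FILE: extract the CapBnd mask from a /proc/PID/status file.
# Live use: capbnd_of_status /proc/<pid of the sandboxed chromium>/status
capbnd_of_status() {
    awk '/^CapBnd:/ { print $2 }' "$1"
}

# Constructed sample status file (not a real capture): only sys_chroot, sys_admin,
# sys_time, sys_tty_config and wake_alarm kept, i.e. bits 18, 21, 25, 26, 35,
# which is the set post 3 ends up with -> mask 0x806240000.
SAMPLE_STATUS=$(mktemp)
cat > "$SAMPLE_STATUS" <<'EOF'
Name:   chromium
Pid:    3151
CapInh: 0000000000000000
CapPrm: 0000000806240000
CapEff: 0000000806240000
CapBnd: 0000000806240000
EOF

# Decode the sample and count how many of the 38 capabilities are dropped.
decode_caps "$(capbnd_of_status "$SAMPLE_STATUS")"
echo "disabled: $(decode_caps "$(capbnd_of_status "$SAMPLE_STATUS")" | grep -c disabled) of 38"
```

On a live system, compare CapBnd of the firejailed browser's PID against the one reported by --caps.print; a mismatch means you are looking at a process outside the sandbox.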
     
  10. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    I have dnscrypt installed and running. I see there is a defined profile for dnscrypt in /etc/firejail, but when I run firejail --top it is not shown as running, that is because, as I understand it, you have to tell it to launch with firejail parameters.

    I know with Chrome you can change the launcher command such as firejail --[options] [profile to load] but if dnscrypt is a startup service, how do you edit the launch parameters so it runs default with that firejail profile loaded?

    regards.
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That depends. If you're using a distro that uses systemd you can find the solution in some posts of mine. In the third post of that thread you'll find how to start dnsmasq firejailed. You can apply this solution to dnscrypt-proxy, too.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't know if some of you guys are using symlink invocation introduced in Firejail 0.9.38. It's really very convenient: You don't have to modify your launchers anymore, and it ensures that your applications always start properly firejailed.

    It's very easy: Just execute

    Code:
    echo $PATH
    On my system /usr/local/sbin is the first $PATH position. Just create respective symlinks like:

    Code:
    sudo ln -s /usr/bin/firejail /usr/local/sbin/firefox
    sudo ln -s /usr/bin/firejail /usr/local/sbin/libreoffice
    sudo ln -s /usr/bin/firejail /usr/local/sbin/vlc
    sudo ln -s /usr/bin/firejail /usr/local/sbin/okular
    ... etc. Ready!
     
  13. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    @summerheat

    That is perfect. It's exactly what I want to accomplish. Your info and profile on dnsmasq is greatly appreciated as well. I know apparmor had this covered but I wasn't sure if firejail was able to.

    I did find a workaround earlier that involved editing the /etc/init/dnscrypt-proxy.config but I know that is not the proper solution.

    thanks again regards.
     
  14. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    So what replaces private home? Maybe firejail --private-tmp firefox?
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    There is an option: --private=directory - use directory as user home.
     
  16. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    How do you use --private=directory? I'm guessing it's something like firejail --private=firefox. And does --private=directory copy your browser's profile over? So you can use all your bookmarks, settings & add-ons.
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Not exactly. The "private" switch doesn't control the executable, only the directory.

    If the directory you provided contains your profile, yes.
     
  18. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Can you give me an example?
     
  19. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    How do I make it so every time I open chromium, it's opened using firejail? That is, what do I need to edit in order to be able to open chromium using firejail by clicking on the icon? (I know how to run from terminal).
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The best way is doing it like mentioned here. This makes sure that, e.g., your browser always starts firejailed regardless how it is started (e.g by clicking a link in another application).
     
  21. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    Thank you, that worked perfectly for both chromium and transmission. However, for firefox the story is different.

    I did:

    Code:
    sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
    and now I have

    Code:
    $ which -a firefox
    /usr/local/bin/firefox
    /usr/bin/firefox
    However, upon opening firefox, I get the following error:

    Code:
    $ firefox
    Redirecting symlink to /usr/bin/firefox
    Reading profile /etc/firejail/generic.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    
    ** Note: you can use --noprofile to disable generic.profile **
    
    Parent pid 18286, child pid 18287
    
    Child process initialized
    
    (firefox:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised
    
    (firefox:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised
    
    (firefox:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised
    
    (firefox:2): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
    Error: Access was denied while trying to open files in your profile directory.
    
    parent is shutting down, bye...
    A pop-up appears saying "Your Firefox profile cannot be loaded. It may be missing or inaccessible."

    Any idea what is causing this?

    Thanks in advance.
     
  22. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Looking at the terminal output I'm 99.9% positive that you're having problems because you're simply firejailing things with those symlinks, and by doing so you're telling firejail to open its generic profile, which IIRC blacklists the ".mozilla" folder.

    My personal suggestion is to edit the program launcher rather than linking the executables to firejail, because it's much easier to control what each profile does and it does not involve much thinking if something goes wrong.

    Editing program launchers is really easy, no matter the Desktop Environment. For XFCE, LXDE, and MATE, just use "mozo" or "alacarte". KDE has its own program editor, it's just a matter of right-clicking the "Start button". GNOME I don't know because I never used it, but I'm guessing it too has some sort of menu editor. Heck, if Unity has it, it's no less of an obligation for the others to have it too :p

    So edit the menu and put "firejail firefox" to allow firejail to open the Firefox/Iceweasel profile.
     
    Last edited: Mar 11, 2016
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, it tries to load the generic.profile which is very strict as it contains all *.inc files and blacklists, e.g., ~/.mozilla. Hence, it's not surprising that Firefox doesn't start. The question is why generic.profile is loaded - it shouldn't. As the pop-up is saying, obviously the Firefox profile (which doesn't contain generic.profile) that comes with Firejail could not be loaded for whatever reason. Either it doesn't exist, is corrupt or modified somehow. Isn't it available in /etc/firejail ?
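
An added example (not from this thread or the Firejail project): a check for the symlink invocation setup from post 12 that also catches the failure from posts 21 to 23, where the symlink works but no firefox.profile is found and firejail falls back to the strict generic.profile. The link directory, firejail binary and profile directories are passed in as arguments so it can be run against a test tree; the exclusion of the link's own directory when resolving the real program is how the lookup is modelled here, not a quote of Firejail's code.

```shell
#!/bin/sh
# check_symlink_invocation NAME LINKDIR FIREJAIL_BIN PROFILE_DIRS
# Verifies the three things that must hold for "NAME" to start sandboxed with
# the intended profile:
#   1. LINKDIR/NAME is a symlink to the firejail binary,
#   2. a real NAME executable is reachable in $PATH in some directory other
#      than LINKDIR (the target of "Redirecting symlink to ..."),
#   3. NAME.profile exists in one of PROFILE_DIRS (space separated); if not,
#      the generic/default profile is used, which is what broke Firefox above.
# Prints what it found; returns 0 only when all three checks pass.
check_symlink_invocation() {
    name=$1; linkdir=$2; firejail=$3; profdirs=$4
    link="$linkdir/$name"
    [ -L "$link" ] || { echo "FAIL: no symlink at $link"; return 1; }
    [ "$(readlink -f "$link")" = "$(readlink -f "$firejail")" ] \
        || { echo "FAIL: $link does not point at $firejail"; return 1; }
    real=""; oldifs=$IFS; IFS=:
    for d in $PATH; do
        [ "$d" = "$linkdir" ] && continue
        if [ -x "$d/$name" ] && [ ! -L "$d/$name" ]; then real="$d/$name"; break; fi
    done
    IFS=$oldifs
    [ -n "$real" ] || { echo "FAIL: no real $name in PATH outside $linkdir"; return 1; }
    for p in $profdirs; do
        if [ -f "$p/$name.profile" ]; then
            echo "OK: $link -> $real, profile $p/$name.profile"; return 0
        fi
    done
    echo "FAIL: no $name.profile in: $profdirs (generic profile would be used)"
    return 1
}

# Typical invocation on a real system (directories as used in posts 12 and 21):
# check_symlink_invocation firefox /usr/local/bin /usr/bin/firejail \
#     "$HOME/.config/firejail /etc/firejail"
```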
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I disagree. This works beautifully if you start an application directly but it often doesn't work reliably if an application is launched via another application. For example, if the launchers are modified and I click *.pdf, *.jpg or *.mp3 files in the file manager (krusader in my case) the respective applications (okular, gwenview, VLC) are not started sandboxed. There are 2 ways to overcome this problem in a reliable way:

    1. Create launch scripts as described here.
    2. Use symlink invocation as described here.

    I prefer the second alternative. So far it works absolutely reliably regardless how the target application is launched.
     
  25. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Personally I've never seen this happening on KDE/MATE/XFCE. When I start a program with firejail via a launcher, and this firejailed program starts another program, everything is always sandboxed. At least that is what SHOULD be happening for everybody.

    But since your experiences with firejail don't seem to be 100% correct, then without a doubt go with the symlinks :)
     