FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, not for me.;) For example when I clicked a pdf attachment in a mail in my firejailed Thunderbird, okular wouldn't launch firejailed. (Okay, this might have changed in newer versions of Firejail.) But what about my other example above? I'm sure that you don't firejail your file manager. What happens if you click a pdf file in that application? Does okular start firejailed?
     
  2. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    I did this for firefox and it works nice now. Thank you.
     
    Last edited: Mar 11, 2016
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I saw similar behavior on KDE, I think. I remember on openSUSE, the file manager (started via firejail) communicates via non-jailed socket with another file manager, this causes a private firefox to see my real home. Netblue said there's no problem in that, but that is exactly the reason I left Linux. Soon I'll go back to Arch with MATE, though, so I'll be OK. I don't remember if the same bug happens with KDE on Arch.

    Here's my report: https://github.com/netblue30/firejail/issues/330

    You're welcome :)
     
  4. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
I'm confused by the private switch; I can't figure out how to direct it to my Firefox profile. :confused: I'm still very much a noob with command lines.
     
  5. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
I'm trying to figure this out as well... "firejail --private=/home/username firefox" works, but that reads in the whole home directory. So you can make a new folder, copy your home directory into it (minus any personal data) and use that for your 'firejail-home' directory - "firejail --private=/home/username/firejail-home firefox"

However, I don't think I've quite figured this out because all my changes are saved... all changes are saved with the '--read-only' option as well. With no options or with only '--private' firejail seems to behave as expected. I thought this might be due to my having AppArmor enforced for firefox as well, but disabling it did not help - any suggestions?

"firejail --private.keep=.mozilla firefox" seems like a better option than "--private=directory", but it doesn't seem to work at all - maybe not supported anymore?
     
  6. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    Do you guys have transmission-gtk opening with firejail? If so, can you open torrent links/magnet links from chrome directly to transmission?

    I have to manually insert the magnet link in transmission, or I'll open a second instance of transmission and won't start downloading..
     
  7. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    @Overdone Works for me as expected. Magnet links and torrents opened from chrome launch transmission firejailed.

Not sure what could be the problem on your end. This is the launcher line I'm using for transmission, edited via the application finder in Linux Mint XFCE:
    I'm not using symlinks in this instance. Similarly, files opened via Chrome such as PDF or text files are firejailed with the Evince document viewer, i.e. accessed via right-click > open containing folder > double-click to open the file. All done through Chrome. If I just click on the downloaded file, Chrome's native PDF viewer is used, and it is firejailed under Chrome. Torrents and magnet links launch an external application, obviously.

When the following command is used in the terminal
    the process is not run under Chrome, but a new instance/process of the document viewer is shown. Similarly again for transmission.

    regards.
     
    Last edited: Mar 12, 2016
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I'm not yet sure what exactly you're trying to achieve. Basic usage of the --private switch is explained here. By using the --private switch only
    or in other words (man firejail):
    As an alternative you can specify an existing directory as your home directory which is used as a persistent sandbox, i.e., any modifications are not discarded. Any access to files outside the sandbox is blocked. See also this example. Personally I rarely see the need for this since you can achieve something similar with the whitelist switch as done in the default Firefox profile.

    Yes, it's no longer supported.
     
  9. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    So what is the exact replacement for "firejail --private.keep=.mozilla firefox" that will achieve the exact same results?
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Forgot to answer this.

I remember that I had problems with Ktorrent and Transmission because I clicked "Open Magnet" in a firejailed Iceweasel and it would open the torrent programs firejailed as well. So yes, a firejailed program opens other programs firejailed as well. I'm positive because I remember spending 4 hours to download something and then thinking "where the F is this download?" and realizing it was in a virtual folder :argh:

    But I'll try that Okular test in a moment. I just got back on Arch.

    And no, I don't firejail my file manager. Doing so would break it.
     
  11. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Thanks for the clarification - my assumption was that the 'existing directory' was used as a template and was not persistent - i.e. the '--private=directory' option is an addition to the '--private' option.

    Ideally I'd like to have... "firejail --private.keep=.mozilla firefox" (see below). But with bookmarks and uBlockO addon persistent.

    Maybe this is the closest to that? "firejail --read-only=/home/username --whitelist=/home/username/...places.sqlite --whitelist=/home/username/...extension-data firefox"

But, as I said above, I can't seem to get the --read-only option to work... Using "firejail --read-only=/home/username firefox" I can make changes to files in this directory. Is the syntax wrong? Also, how do you use the 'whitelist' option?


    --private.keep= Build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home. All modifications are discarded when the sandbox is closed.
     
    Last edited: Mar 13, 2016
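As an added example for the persistent private home discussed in rm22's posts #5 and #11 (this is not code from the thread or from the Firejail project): a POSIX shell script that builds the `--private` directory from only the dot-directories you name, so the sandbox sees the browser profile but nothing else from the real home, and prints the resulting firejail command. The directory name `firejail-home`, the list of copied directories and the fake-home demo data are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the Firejail project.
# Builds a persistent private home for "firejail --private=DIR APP" that holds
# only the dot-directories you name, so the sandbox never sees the rest of $HOME.
# Assumptions: the directory name "firejail-home" and the list of copied
# directories are choices made for this example.

# prepare_private_home REAL_HOME PRIVATE_HOME DOTDIR...
# Creates PRIVATE_HOME (mode 0700) and copies only the listed entries from
# REAL_HOME into it. Anything not listed (.ssh, Documents, ...) stays out.
prepare_private_home() {
    real_home=$1
    private_home=$2
    shift 2
    # Refuse to use the real home itself: that would defeat the purpose.
    case "$private_home" in
        "$real_home") echo "private home must differ from the real home" >&2; return 1 ;;
    esac
    mkdir -p "$private_home" || return 1
    chmod 0700 "$private_home"
    for d in "$@"; do
        if [ -e "$real_home/$d" ]; then
            # -R copies the tree, -p keeps modes and times (POSIX cp flags).
            cp -Rp "$real_home/$d" "$private_home/" || return 1
        fi
    done
    return 0
}

# firejail_private_cmd PRIVATE_HOME APP
# Prints the command from the thread. Unlike a bare --private (a tmpfs that is
# discarded at exit), edits inside PRIVATE_HOME persist, so bookmarks and
# add-ons survive between sessions.
firejail_private_cmd() {
    printf 'firejail --private=%s %s\n' "$1" "$2"
}

# demo: run against a constructed fake home so the script works without Firejail.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/real/.mozilla/firefox" "$tmp/real/.ssh" "$tmp/real/Documents"
    echo "constructed sample key" > "$tmp/real/.ssh/id_ed25519"
    prepare_private_home "$tmp/real" "$tmp/real/firejail-home" .mozilla || return 1
    firejail_private_cmd "$tmp/real/firejail-home" firefox
    # The browser profile is present, the key and documents are not.
    [ -d "$tmp/real/firejail-home/.mozilla/firefox" ] || return 1
    [ ! -e "$tmp/real/firejail-home/.ssh" ] || return 1
    [ ! -e "$tmp/real/firejail-home/Documents" ] || return 1
    rm -rf "$tmp"
    return 0
}
```

Source the file and call `demo` to run it on the constructed fake home; for a real setup, call `prepare_private_home "$HOME" "$HOME/firejail-home" .mozilla` once and then use the printed command. Copying only named directories, rather than copying everything and deleting personal data afterwards, is the safer direction: what is never copied cannot be forgotten.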
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
You really left Linux because of this? Isn't that a bit extreme? :doubt:o_O:D

    I read https://github.com/netblue30/firejail/issues/330 and to me netblue30's explanations make sense. Are you not convinced?
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    According to the release notes --private.keep was transitioned to --private-home in v. 0.9.30, and --private-home was deprecated in v. 0.9.38. netblue30 wrote:
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
Yes, it was extreme, because when I left Linux I thought COMODO's Sandbox on Windows would work properly, but I can save files on my real desktop or upload present files to the web. So in all reality Firejail works better than COMODO's Sandbox :) So here I am again, on Arch.

    I tested Firejail now on MATE and I couldn't see my real /home, so the bug I reported must be related to KDE 5. Notice that I didn't try KDE5 on Arch yet, so it's possible that the bug is only present on openSUSE 42.1.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    :thumb::thumb::thumb:

    It depends on what you're doing. If you enter

    Code:
    file:///home/amarildojr
    in the Firefox address line you won't see your real home. However, if you enter about:support and click "Open directory", your file manager will be started which shows your real file system. But as netblue30 said this is not a security problem because:

     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    It might not be a security problem, but it certainly is a privacy problem. And IMO, we cannot live without one of them.

    But I can only applaud Netblue for creating this great tool. In the end, it's working as it should on MATE :) I'll try KDE 5 in a moment to see if it's a general issue or only present on openSUSE.
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't think so. If netblue30 is right and "Firefox cannot access and manipulate the memory of the process running outside the sandbox" - how can this be a privacy problem?
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
Because the browser can see all the folders in my real /home folder, so the "private" option isn't doing a complete job. It can't see the files, but it shouldn't see the folders in my real /home. Not to mention, one folder can be used to identify a user, so using Firejail+KDE5 is not a full advantage if the user wants real privacy while browsing. For that, a VM is the only solution. Or switch to MATE.

    And I can confirm, this is a KDE thing, it also happens on Arch.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No, it's not the browser but the file manager which is a process outside the sandbox and, hence, inaccessible by Firefox.
     
  20. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Really? So an attacker couldn't open this file manager via Firefox like we do? o_O
     
    Last edited: Mar 13, 2016
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't know if an attacker would be able to start the file manager. But the thing is that
    You can check this yourself by doing what netblue30 suggested here.

    In other words, even if the attacker were able to start the file manager he would not be able to access it as it is a process outside the sandbox.
     
  22. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I sure hope so :thumb:
     
  23. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    Thanks.
'Home' is already whitelisted with no 'options' though, so really aren't the replacements 1) '--private=directory' or 2) '--read-only' with some '--whitelist' if you want any files/folders to persist?
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That's incorrect. In the default Firefox profile your home is not whitelisted but only specific directories/files:

    Code:
    # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
    noblacklist ${HOME}/.mozilla
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc
    include /etc/firejail/disable-devel.inc
    include /etc/firejail/disable-terminals.inc
    caps.drop all
    seccomp
    protocol unix,inet,inet6,netlink
    netfilter
    tracelog
    noroot
    whitelist ${DOWNLOADS}
    mkdir ~/.mozilla
    whitelist ~/.mozilla
    mkdir ~/.cache
    mkdir ~/.cache/mozilla
    mkdir ~/.cache/mozilla/firefox
    whitelist ~/.cache/mozilla/firefox
    whitelist ~/dwhelper
    whitelist ~/.zotero
    whitelist ~/.lastpass
    whitelist ~/.vimperatorrc
    whitelist ~/.vimperator
    whitelist ~/.pentadactylrc
    whitelist ~/.pentadactyl
    whitelist ~/.keysnail.js
    whitelist ~/.config/gnome-mplayer
    whitelist ~/.cache/gnome-mplayer/plugin
    whitelist ~/.pki
    include /etc/firejail/whitelist-common.inc
    
    # experimental features
    #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
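To check the point made in this post, that the default profile whitelists specific paths rather than the whole home, here is an added example (not code from the thread or from the Firejail project): a POSIX shell parser that reads a profile, follows `include` lines, expands `${HOME}`, `${DOWNLOADS}` and `~`, and answers whether a given path falls under any whitelist entry. The expansion rules, the constructed sample profile and the file names in the demo are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or the Firejail project.
# Lists what a Firejail profile whitelists so you can see what the sandbox
# will let the application reach under $HOME.
# Assumptions: ${HOME} and ~ expand to $HOME, ${DOWNLOADS} to $HOME/Downloads,
# and "include" lines are followed only when the named file exists.

# expand_path PATH - expand the profile variables and a leading ~
expand_path() {
    p=$1
    pfx_home='${HOME}'
    pfx_dl='${DOWNLOADS}'
    case "$p" in
        '${HOME}'*)      p="$HOME${p#"$pfx_home"}" ;;
        '${DOWNLOADS}'*) p="$HOME/Downloads${p#"$pfx_dl"}" ;;
        '~/'*)           p="$HOME/${p#'~/'}" ;;
        '~')             p="$HOME" ;;
    esac
    printf '%s\n' "$p"
}

# profile_whitelist FILE - print expanded whitelist entries, one per line,
# following "include" directives recursively; missing includes are skipped.
profile_whitelist() {
    f=$1
    [ -r "$f" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split into directive and argument
        [ $# -ge 2 ] || continue
        case "$1" in
            whitelist) expand_path "$2" ;;
            include)   profile_whitelist "$2" ;;
        esac
    done < "$f"
}

# is_whitelisted FILE PATH - succeed only if PATH lies inside a whitelist entry
is_whitelisted() {
    target=$2
    profile_whitelist "$1" | {
        while IFS= read -r w; do
            case "$target" in
                "$w"|"$w"/*) exit 0 ;;
            esac
        done
        exit 1
    }
}

# demo: constructed profile mirroring the shape of the post's excerpt
demo() {
    tmp=$(mktemp -d) || return 1
    saved_home=$HOME
    HOME=$tmp/home
    mkdir -p "$HOME"
    cat > "$tmp/whitelist-common.inc" <<'EOF'
# constructed include file
whitelist ~/.config/gnome-mplayer
EOF
    cat > "$tmp/firefox.profile" <<EOF
# constructed profile for the demo
noblacklist \${HOME}/.mozilla
whitelist \${DOWNLOADS}
whitelist ~/.mozilla
whitelist ~/.cache/mozilla/firefox
include $tmp/whitelist-common.inc
include $tmp/does-not-exist.inc
EOF
    profile_whitelist "$tmp/firefox.profile"
    # The browser profile is reachable, an SSH key is not.
    is_whitelisted "$tmp/firefox.profile" "$HOME/.mozilla/firefox/profiles.ini" || { HOME=$saved_home; return 1; }
    is_whitelisted "$tmp/firefox.profile" "$HOME/.ssh/id_ed25519" && { HOME=$saved_home; return 1; }
    HOME=$saved_home
    rm -rf "$tmp"
    return 0
}
```

Run `demo` after sourcing the file, or point `profile_whitelist` at `/etc/firejail/firefox.profile` on a real system. A path that `is_whitelisted` rejects is one the sandboxed application will not see at all, which is exactly why the home directory as a whole is not "already whitelisted": only the listed entries are.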
    
    
     
  25. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    Anyone able and willing to answer this question for a Linux and FireJail newbie? I've stayed with an older version of FireJail because I don't know how to get the same results with the new one.
     