Hello, I've been looking into the Firefox and Chromium based browser profiles and noticed that most of the security features firejail provides are missing in the Chromium / Opera / Chrome profiles. Only netfilter is enabled. I know that Chromium based browsers have a built-in sandbox, but according to this thread some features are missing in order to protect, for instance, the broker process. According to netblue30 it is necessary to disable some of the features in firejail in order to allow the built-in sandbox in Chromium based browsers to work properly. However, some of the people in this thread were able to run Chromium with most of the caps dropped and claimed that it would provide additional safety. What about the other features, like: nonewprivs, noroot, protocol unix,inet,inet6,netlink, tracelog? I tried running Chromium with everything except seccomp and tracelog and it seemed to work. I would like to use as many of the firejail security features as possible with Chromium etc. without compromising its built-in sandbox features. Any ideas?
The renderers host all the code that runs inside the sandbox, and they are already protected by the Linux sandbox model, especially the seccomp-bpf layer, and it's these renderers that are far more likely to be compromised since they process untrusted content. There is some info on this here and here. AFAIK, Firejail should be sandboxing the Broker process, so you have a sort of dual sandboxing taking place.
I am not versed in sandboxes or MAC, so I question whether this helps or just increases attack surface. Same question in regards to AppArmor or SELinux, for that matter: to use AA one must have audit enabled in the kernel, which in itself is a potential vector for either exploitation or information gathering (about the system for the exploit). I write this on a firejail'd, apparmor'd firefox, so I'm not condescending upon anyone. But are we as users really sure that, for example, having two sandboxes is a good thing? Or having audit? Or whatever. I'd be curious to hear from the firejail dev on such questions. Obviously a sandboxed FF is better than without, but at what point do we draw the line?
There's been extensive discussions on this issue in relation to Sandboxie and Chrome (for example) on Windows. The thing I take comfort from in the case of Firejail is that it is using existing kernel functionality; there has been a serious bug in one release, but my feeling overall is that its protections are worth any risk, unless the application is taking advantage of all the controls that Firejail does. As applications improve their built-in Sandboxing, the balance becomes more equivocal, though I'd note that Firejail and Sandboxie both give FAR more control of conditions, access and networking than the essentially unconfigurable application sandboxes. In addition, whereas the applications are under sustained attack, attacks on Firejail and Sandboxie or virtualisation are more expensive and specialised - in some cases, standard malware bombs out of activity if it detects these protections.
Well, most distros like Debian, Fedora etc. have the audit framework enabled in their kernels. So I would say that although it might increase the attack surface to some extent, it's certainly not an obscure technology but a widely used part of the kernel. Every user has to answer this question himself/herself. Firejail and AppArmor use different technologies: Firejail uses technologies added to the kernel in recent years like namespaces and seccomp-bpf, while AppArmor is a mandatory access control system (like SELinux or Tomoyo) implemented as an LSM module (the latter available in the kernel since 2002 or so). It's a proven technology but criticized (I'm tempted to say: of course!) by the grsecurity guys. Combining both offers a layered security which is generally a good thing, IMHO, but with a diminishing marginal utility (in economics parlance). So it all depends on your degree of paranoia.
Adding to what wat0114 already said, I contributed my two cents earlier in this thread. I think that what I wrote then is not overly incorrect. Not for me. If I add nonewprivs, noroot, protocol unix,inet,inet6,netlink to the profile, Chromium doesn't launch. Are you sure that you launched it firejailed? Not to my knowledge, with the exception of what wat0114 suggested; an alternative and perhaps easier method is this one.
Yes, I'm pretty sure. My chromium.profile in .config/firejail looks like this:
Code:
#Chromium browser profile
include /etc/firejail/chromium.profile
include /etc/firejail/disable-devel.inc
caps.drop.all
protocol unix,inet,inet6,netlink
netfilter
nonewprivs
noroot
I launch Chromium with Firetools. The tools option tells me Chromium is running firejailed with seccomp enabled, all caps disabled, user namespace disabled, Protocols: unix,inet,inet6,netlink. If I include seccomp or tracelog, the browser window won't open but it still shows up in firetools. I've done some browsing with this setting and there were no problems. By the way: I'm running Leap 42.1 and I cannot find a Chromium profile for AppArmor. There are some experimental ones for Opera and Firefox, but not for Chromium. The one for Ubuntu doesn't work. Any suggestions? alan591
I don't use Firetools. Can you please launch Chromium and show us what firejail --list or firejail --tree tells you? Put the profile into complain mode and adjust it with aa-logprof.
Hello, here comes the tree. Sometimes it lists the flash stuff although it's disabled in Chromium, so I added both versions.
Code:
user@linux:~> firejail --tree
3039:user:firejail chromium
3040:user:firejail chromium
3042:user:/usr/lib64/chromium/chromium --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242 --password-store=gnome --enable
3048:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
3050:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
3123:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
3137:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
3161:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
3189:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
3196:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
3097:user:/usr/lib64/chromium/chromium --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThrottling<RenderingPipelineThrottling,V8_Serialize_A
3099:user:/usr/lib64/chromium/chromium --type=gpu-broker
user@linux:~> firejail --tree
8512:user:firejail chromium
8513:user:firejail chromium
8515:user:/usr/lib64/chromium/chromium --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242 --password-store=gnome --enable
8521:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
8523:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
8591:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
8602:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
8636:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
8648:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
8655:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
8661:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
8570:user:/usr/lib64/chromium/chromium --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThrottling<RenderingPipelineThrottling,V8_Serialize_A
8572:user:/usr/lib64/chromium/chromium --type=gpu-broker
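The question running through this thread is whether Chromium's own seccomp-bpf layer is still in place on the renderers once firejail wraps the browser. An added check (not from any poster): the script below takes firejail --tree output on stdin, picks out the pids and their --type, and reads the Seccomp: and NoNewPrivs: fields from each pid's /proc/<pid>/status. The demo runs it against constructed status files and a constructed two-line tree; on a live system call check_tree with no argument and pipe firejail --tree into it.

```shell
#!/bin/sh
# Added example (not from the thread): check that Chromium's own seccomp-bpf
# layer survives inside firejail. Pids come from firejail --tree output;
# /proc/<pid>/status reports "Seccomp:" (0 off, 1 strict, 2 = bpf filter)
# and "NoNewPrivs:" (1 when no_new_privs is set).
# Emit "<pid> <type>" per chromium process in tree output on stdin; the
# process without --type is the browser (broker) process.
tree_pids() {
    awk -F: '/chromium\/chromium/ {
        type = "browser"
        if (match($0, /--type=[a-z-]+/))
            type = substr($0, RSTART + 7, RLENGTH - 7)
        print $1 + 0, type
    }'
}

# sandbox_state <pid> <type> <proc_root>: emit "<pid> <type> seccomp=N nnp=N"
# (proc_root is /proc on a live system, or a directory of constructed files).
sandbox_state() {
    status="$3/$1/status"
    seccomp='?'; nnp='?'
    if [ -r "$status" ]; then
        seccomp=$(awk '/^Seccomp:/ {print $2}' "$status")
        nnp=$(awk '/^NoNewPrivs:/ {print $2}' "$status")
    fi
    echo "$1 $2 seccomp=${seccomp:-?} nnp=${nnp:-?}"
}

# check_tree [proc_root]: report every process in the tree on stdin and
# succeed only if every renderer runs under a seccomp filter (Seccomp: 2).
check_tree() {
    root=${1:-/proc}
    report=$(tree_pids | while read -r pid type; do
        sandbox_state "$pid" "$type" "$root"
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q 'renderer seccomp=[^2]'
}

# Constructed demo: fake proc root with an unfiltered browser process
# (Chromium does not filter it itself) and a bpf-filtered renderer.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/3042" "$root/3123"
    printf 'Seccomp:\t0\nNoNewPrivs:\t1\n' > "$root/3042/status"
    printf 'Seccomp:\t2\nNoNewPrivs:\t1\n' > "$root/3123/status"
    printf '%s\n' '3042:user:/usr/lib64/chromium/chromium --password-store=gnome' \
        '3123:user:/usr/lib64/chromium/chromium --type=renderer' | check_tree "$root"
    rc=$?; rm -rf "$root"; return $rc
}
```

A renderer reporting seccomp=0 under firejail would mean the inner sandbox was lost, which is exactly the trade-off the profile options in this thread are probing.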
That's interesting. As mentioned, it doesn't work for me with these settings. The only explanation is what netblue30 wrote in his seccomp guide:
Please advise what purpose the firetools folder in ~/.config is intended for. At present there is nothing in it. Maybe to get other programs to show up in the Firetools GUI? If so, how? (Not that I use the GUI, just curious).
Running Fedora, Chrome starts with the profile options below; tracelog is a no-go.
Code:
caps.drop.all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
There is a running error I haven't seen before though:
Code:
[1:1:0621/235904:ERROR:PlatformKeyboardEvent.cpp(117)] Not implemented reached in static PlatformEvent::Modifiers blink::PlatformKeyboardEvent::getCurrentModifierState()
which is otherwise a Chrome bug but doesn't seem to be a security issue. https://bugs.chromium.org/p/chromium/issues/detail?id=538289
pulseaudio 9 is working fine on my Arch setup. I remember a nasty bug with pulseaudio 7 where firejail muted all sound and the only way to get the sound back with firejail was by deactivating some feature in pulseaudio which would cause massive spam of little files in a pulseaudio folder (snbclient = no or something like that). Is this bug fixed and firejail fully working out of the box with pulseaudio 9? Thanks
No, I still had to use the workaround with 9.40
Code:
$ mkdir -p ~/.config/pulse
$ cd ~/.config/pulse
$ cp /etc/pulse/client.conf .
$ echo "enable-shm = no" >> client.conf
Thanks, but from what the pulseaudio developer commented, this is a very bad workaround and will cripple the system over time.
+1. I'd like to see this too. It would really suck if we had to choose between Pulseaudio and Firejail. I will choose Firejail if I have to. The only reason I have pulseaudio installed is for Skype (yeah I know.. I can't choose what the people I know use..). I'll tell them all off
I would think Pulse could be replaced by Alsa, but in searching most people say there would be issues with that. I've been using the Firejail workaround for some time and can't attribute any problems to it.
This may be an issue in Fedora at this point because in the thread on the audio issue netblue30 seems to indicate this is fixed in Debian and Ubuntu which likely means offshoots of those also. That discussion is here https://github.com/netblue30/firejail/issues/69
Sorry, I don't have the link right now. It was on firejail's github where the bug was originally reported. The developer of firejail + a pulseaudio developer commented and discussed how to solve the issue. At one point the pulseaudio developer explained that "enable-shm = no" is a very bad solution and would cripple the system because of...
I cannot watch youtube videos while my browser is firejailed. I'm using Ubuntu 16.04 and I've tried both with Chromium and Firefox. Does anyone have the same problem? How does one fix it? Sorry if this has already been discussed; if you could link me to the page number, I would appreciate it.
I don't think he ever said that. Anyway, just remove the contents of /dev/shm before shutting down or rebooting. Or do as the developer actually said: "enable-memfd = yes in /etc/pulse/daemon.conf fixes this issue too" https://github.com/netblue30/firejail/issues/69#issuecomment-234000822 Or: https://www.wilderssecurity.com/threads/firejail-linux-sandbox.369309/page-18#post-2599259
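The two PulseAudio settings discussed in this thread (the per-user client.conf enable-shm = no workaround and the enable-memfd = yes daemon.conf setting from the issue #69 comment) are usually applied with a blind echo >> that stacks up duplicate lines on repeat runs. Added helper functions (not from any poster) that set either key idempotently, honouring the ';' and '#' comment prefixes PulseAudio config files use; every function takes the config directory as an argument so it can be run against a constructed test directory instead of ~/.config/pulse or /etc/pulse.

```shell
#!/bin/sh
# Added example (not from the thread): manage the two PulseAudio settings
# discussed above idempotently instead of appending blindly. Each function
# takes a config directory, so it can target ~/.config/pulse, /etc/pulse or
# a constructed test directory. Keys are plain words (no regex metachars).

# set_option <file> <key> <value>: make "key = value" the active setting,
# rewriting an existing (possibly ';'/'#'-commented) line or appending one.
set_option() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    pat="^[[:space:]]*[;#]*[[:space:]]*$key[[:space:]]*="
    if grep -q "$pat" "$file"; then
        tmp=$(mktemp)
        sed "s|$pat.*|$key = $value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_option <file> <key>: print the effective (last uncommented) value,
# or "unset" when no active line sets the key.
get_option() {
    [ -f "$1" ] || { echo unset; return; }
    awk -F= -v k="$2" '$1 ~ ("^[ \t]*" k "[ \t]*$") {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
    } END { print (last == "" ? "unset" : last) }' "$1"
}

# shm_workaround <dir>: the per-user client.conf workaround posted above
# (seeded from /etc/pulse/client.conf when that exists, as the post did).
shm_workaround() {
    mkdir -p "$1"
    [ -f "$1/client.conf" ] || cp /etc/pulse/client.conf "$1/client.conf" 2>/dev/null || :
    set_option "$1/client.conf" enable-shm no
}

# memfd_fix <dir>: the daemon.conf setting the PulseAudio developer pointed
# to instead (issue #69 comment linked above).
memfd_fix() {
    set_option "$1/daemon.conf" enable-memfd yes
}
```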