Apparmor, Chromium sandbox, Firejail - which to combine?

Discussion in 'all things UNIX' started by rm22, Mar 4, 2016.

  1. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    I currently have AppArmor enabled for Firefox in Ubuntu. What do I gain by using a sandbox in addition to AppArmor? And is the combination of Firefox+AppArmor+Firejail pretty much on par with Chromium+AppArmor? I believe with Firejail folder access can also be limited, but I do not store any files on this PC.

    I use Sandboxie in Windows, but I guess there is no equivalent for linux?

    I am doing research that takes me to a lot of high risk sites on an old PC with limited resources - so I'd like to lock it down, but not slow it down.

    Thanks
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    AppArmor is a Mandatory Access Control (MAC) system which applies a security policy that goes beyond the control provided by the traditional file permissions (Discretionary Access Control - DAC), but it is not a sandbox. Firejail uses other technologies like namespaces and seccomp-bpf which sandbox applications; it's therefore an additional security layer. Using both together provides very high security.

    Yes, I think so.

    Yes. I suggest that you read its documentation for details.

    I'm not familiar with Sandboxie but I think that Firejail can be used in a similar way. Someone else might give you a better answer.

    I haven't noticed any performance impact by Firejail.
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    I've used Firejail with AppArmor on openSUSE, no problems.
     
  4. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    Thanks for the replies guys - very helpful.

    I've had another look at the Firejail documentation and I'm still not sure what it's doing...

    I think the difference between Sandboxie and the Chromium sandbox is: Sandboxie provides containment + light virtualization, whereas Chromium provides containment. So if malware is able to execute in Chromium's sandbox and make file modifications, you're infected. But in Sandboxie apps only have access to temporary copies of files, so you can get infected within the sandbox, but the host system remains untouched.

    How does Firejail compare? The documentation suggests it's functioning like Sandboxie, but then I don't know why there would be a "read only" filesystem operation.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    There are various documentation pages that explain the details.

    Only if the malware is able to break out of the sandbox.


    The documentation suggests that it's functioning like Sandboxie if you use the --private switch. man firejail says:
    That part of the documentation doesn't say anything about read-only.
     
  6. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    118
    You might want to try Private Home: firejail --private-home=.mozilla firefox. Nothing's saved in PH, but unlike firejail --private firefox it copies your browser's profile over, so all bookmarks, settings & add-ons will be available; just take note that you can't save anything while using this.
    Update: Never mind, private home is deprecated.
     
    Last edited: Mar 7, 2016
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    With Chromium each tab, each plugin and optionally frames and the V8 resolver are all run in different sandboxed processes.

    Firejail uses some of the same methods for sandboxing as Chromium but using it on a browser doesn't isolate individual processes from each other. Firejail can isolate other programs though which is great.

    Firefox has been inching its way towards using the Chromium sandbox in Firefox.
     
  8. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    Thanks for the info everyone. I have been playing around with Firejail + Firefox. I have not been able to get Chromium to open with AppArmor enabled; the profile needs modification, but I can't seem to figure out how to debug it yet...
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    That's true. However, multithreading (and, possibly, sandboxed processes) will soon be available in Firefox, too, with Electrolysis. My remark was meant to say that sealing off your system from browser activities in a firejailed Firefox is probably as good as in Chromium, particularly since the browser process in Chromium is not sandboxed.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    Well, there seem to be problems when using Firejail and AppArmor together. I'm no longer using AppArmor - but I suggest that you put your AppArmor profile in complain mode for a while. Perhaps some rules are generated that solve the problem.
     
  11. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    Even without Firejail and only AppArmor installed, Chromium did not start with the Chromium profile in AppArmor. Could be a matter of outdated profiles, given Chromium's and Chrome's development pace. But as summerheat suggests, run in complain mode and change the profile to allow these requests; review the logs and adapt the profile using the prompts in the terminal. Can't comment on Firefox, sorry.

    I ended up writing my own profile for Chrome v47 instead, and have used it with Firejail with success. They should work irrespective of one another, and using both together should not be a problem; many users do. For me, IMO, it was a profile issue and not a compatibility issue between the two ways of mitigation/lockdown.

    A few good sources to get you started with adding changes, albeit I have not found many.

    http://www.la-samhna.de/library/apparmor.html

    https://help.ubuntu.com/community/AppArmor

    https://help.ubuntu.com/12.04/serverguide/apparmor.html

    regards.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    Right, I forgot to mention to use aa-logprof in order to adapt the profile.

    Another good source, of course, is http://wiki.apparmor.net/index.php/Main_Page , particularly http://wiki.apparmor.net/index.php/Documentation and http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
     
  13. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Distros using Apparmor and SELinux have profiles which confine the Chromium broker process already. Weakening that protection to introduce another doesn't make sense to me.
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    It's obvious that I solely compared a firejailed Firefox with Chromium. AppArmor and SELinux are another story, and I didn't mention them in that remark. Besides, they are not readily available in every distro as you know. And if they are, the browsers are not confined by default: In Ubuntu the AppArmor profile for Firefox is disabled, and - if I remember correctly - the one for Chromium must be installed via apparmor-profiles-extra and is in complain mode by default. And in SELinux on Fedora Firefox is not confined at all, neither are other browsers, AFAIK.

    I'm not sure what you're referring to.
     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    I was talking about Chrome/Chromium only. I never mentioned FF. My post said "distros using Apparmor and SELinux have profiles".

    The profiles exist, but rather than use them it's advocated to tweak AppArmor (which the OP has already set up for Firefox, as stated in the original post) to install another program and use that instead? That in fact is the OP's question: what's the advantage to that?

    Chrome has a preexisting SELinux policy built into Fedora from scratch. Up until a few months ago there was an issue with the Chrome profile not opening correctly, and RedHat/Fedora/CentOS had to tweak the default SELinux policy for that.
     
  16. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    I'm using AppArmor+Firejail+Firefox now with no apparent issues (although I haven't looked at aa-logprof to see if there is anything blocked).

    I'm stuck with AppArmor+Chromium though... I read up on 'aa-logprof' and went about 'allowing' all the blocked stuff for Chromium. However, after making the changes I could not 'aa-enforce' the profile. Doing an 'apparmor_status' shows Chromium still in 'complain', and nothing I tried worked. So I wanted to start again and be more careful with what I 'allow', thinking maybe I messed up the profile. I deleted the profile using 'rm' and then tried to reinstall 'apparmor-profiles', but that doesn't work; I just get a message that 'apparmor-profiles' is already at the latest version... Tried to uninstall all of 'apparmor-profiles' and reinstall, but get the same message.

    Anyone know how I can reinstall the default AppArmor profile for Chromium, and possible reasons why 'aa-enforce' was not working? (I've posted this in 'AskUbuntu' as well, but no suggestions yet.)

    @AutoCascade I'll keep using AppArmor, but based on the feedback here I'll add a sandbox: either Firejail+Firefox or Chromium or both. I'd like to at least get both working so I have the options available. I don't mind using Firefox or Chromium; they both have all the settings/add-ons I want.
     
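An added example, not written by any poster in this thread: a POSIX shell helper that parses aa-status / apparmor_status output and reports which mode one profile is loaded in, which is the check the post above relies on to see whether aa-enforce took effect. SAMPLE_STATUS is constructed text that mimics the aa-status layout; on a real system feed the function the output of `sudo aa-status` instead.

```shell
#!/bin/sh
# Added example (not from the thread). Reports the loaded mode of one AppArmor
# profile by parsing aa-status output. SAMPLE_STATUS is constructed test input
# in the aa-status layout; replace it with "$(sudo aa-status)" on a real host.

SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/lib/firefox/firefox{,*[^s][^h]}
   /usr/sbin/cupsd
2 profiles are in complain mode.
   /usr/lib/chromium-browser/chromium-browser
   /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (812)
1 processes are in complain mode.
   /usr/lib/chromium-browser/chromium-browser (2431)
0 processes are unconfined but have a profile defined.'

# profile_mode STATUS_TEXT PROFILE_NAME -> prints "enforce", "complain" or "unloaded"
profile_mode() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # Section headers read "N profiles are in <mode> mode."; remember <mode>.
        /^[0-9]+ profiles are in [a-z]+ mode\.$/ { mode = $5; next }
        # The "processes" sections repeat the layout with PIDs appended;
        # stop attributing names to a profile mode once we reach them.
        /^[0-9]+ processes/ { mode = ""; next }
        mode != "" {
            name = $0
            sub(/^[ \t]+/, "", name)          # strip the indentation
            if (name == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "unloaded" }'
}

# Stand-alone demo: the Chromium profile in the sample is still in complain.
profile_mode "$SAMPLE_STATUS" /usr/lib/chromium-browser/chromium-browser
```

Two caveats from my own use, not claims made in the thread: if a profile still shows "complain" right after aa-enforce, the edited file most likely failed to parse and the previously loaded policy stayed in place; `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.chromium-browser` prints the syntax error. And to restore a profile that was deleted with rm, find the package that owns the path with `dpkg -S /etc/apparmor.d/usr.bin.chromium-browser` and reinstall that package with `sudo apt-get -o Dpkg::Options::="--force-confmiss" install --reinstall <package>`; without --reinstall apt only reports that the package is already at the newest version, and without --force-confmiss dpkg treats an administrator-deleted conffile as intentionally removed and does not recreate it.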
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    Really never? ;)

    I think everything is answered in post #2.

    Good to know!
     
  18. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
  19. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    512
    Location:
    Australia
    Definitely not the latest one. http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/

    Here is my chromium profile from the latest version of AppArmor for Linux Mint 15.10. Other versions can be selected from the above link. Choose a version and find the chromium profile; on the right side, select the icon to download the profile.

    Code:
    # Author: Jamie Strandboge <jamie@canonical.com>
    #include <tunables/global>
    
    # We need 'flags=(attach_disconnected)' in newer chromium versions
    /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
      #include <abstractions/audio>
      #include <abstractions/cups-client>
      #include <abstractions/dbus-session>
      #include <abstractions/gnome>
      #include <abstractions/ibus>
      #include <abstractions/nameservice>
      #include <abstractions/user-tmp>
    
      # This include specifies which ubuntu-browsers.d abstractions to use. Eg, if
      # you want access to productivity applications, adjust the following file
      # accordingly.
      #include <abstractions/ubuntu-browsers.d/chromium-browser>
    
      # Networking
      network inet stream,
      network inet6 stream,
      @{PROC}/[0-9]*/net/if_inet6 r,
      @{PROC}/[0-9]*/net/ipv6_route r,
    
      # Should maybe be in abstractions
      /etc/mime.types r,
      /etc/mailcap r,
      /etc/mtab r,
      /etc/xdg/xubuntu/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/defaults.list r,
      owner @{HOME}/.local/share/applications/mimeinfo.cache r,
    
      @{PROC}/[0-9]*/fd/ r,
      @{PROC}/filesystems r,
      @{PROC}/ r,
      @{PROC}/[0-9]*/task/[0-9]*/stat r,
      owner @{PROC}/[0-9]*/cmdline r,
      owner @{PROC}/[0-9]*/io r,
      @{PROC}/[0-9]*/smaps r,
      owner @{PROC}/[0-9]*/stat r,
      @{PROC}/[0-9]*/statm r,
      owner @{PROC}/[0-9]*/status r,
      owner @{PROC}/[0-9]*/oom_{,score_}adj w,
    
      # Newer chromium needs these now
      /etc/udev/udev.conf r,
      /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
      /sys/devices/pci[0-9]*/**/class r,
      /sys/devices/pci[0-9]*/**/device r,
      /sys/devices/pci[0-9]*/**/irq r,
      /sys/devices/pci[0-9]*/**/resource r,
      /sys/devices/pci[0-9]*/**/vendor r,
      /sys/devices/pci[0-9]*/**/removable r,
      /sys/devices/pci[0-9]*/**/uevent r,
      /sys/devices/pci[0-9]*/**/block/**/size r,
      /sys/devices/virtual/block/**/removable r,
      /sys/devices/virtual/block/**/uevent r,
      /sys/devices/virtual/block/**/size r,
      # This is requested, but doesn't seem to actually be needed so deny for now
      deny /run/udev/data/** r,
    
      # Needed for the crash reporter
      owner @{PROC}/[0-9]*/auxv r,
    
      # chromium mmaps all kinds of things for speed.
      /etc/passwd m,
      /usr/share/fonts/truetype/**/*.tt[cf] m,
      /usr/share/fonts/**/*.pfb m,
      /usr/share/mime/mime.cache m,
      /usr/share/icons/**/*.cache m,
      owner /{dev,run}/shm/pulse-shm* m,
      owner @{HOME}/.local/share/mime/mime.cache m,
      owner /tmp/** m,
    
      @{PROC}/sys/kernel/shmmax r,
      owner /{dev,run}/shm/{,.}org.chromium.* mrw,
    
      /usr/lib/chromium-browser/*.pak mr,
      /usr/lib/chromium-browser/locales/* mr,
    
      # Noisy
      deny /usr/lib/chromium-browser/** w,
    
      # Allow ptracing ourselves
      ptrace (trace) peer=@{profile_name},
    
      # Make browsing directories work
      / r,
      /**/ r,
    
      # Allow access to documentation and other files the user may want to look
      # at in /usr
      /usr/{include,share,src}** r,
    
      # Default profile allows downloads to ~/Downloads and uploads from ~/Public
      owner @{HOME}/ r,
      owner @{HOME}/Public/ r,
      owner @{HOME}/Public/* r,
      owner @{HOME}/Downloads/ r,
      owner @{HOME}/Downloads/* rw,
    
      # For migration
      owner @{HOME}/.mozilla/firefox/profiles.ini r,
      owner @{HOME}/.mozilla/firefox/*/prefs.js r,
    
      # Helpers
      /usr/bin/xdg-open ixr,
      /usr/bin/gnome-open ixr,
      /usr/bin/gvfs-open ixr,
      # TODO: kde, xfce
    
      # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
      # which is provided by abstractions/ubuntu-browsers.d/user-files).
      @{PROC}/[0-9]*/oom_{,score_}adj w,
      /etc/firefox/profile/bookmarks.html r,
      owner @{HOME}/.mozilla/** k,
    
      # Chromium configuration
      owner @{HOME}/.pki/nssdb/* rwk,
      owner @{HOME}/.cache/chromium/ rw,
      owner @{HOME}/.cache/chromium/** rw,
      owner @{HOME}/.cache/chromium/Cache/* mr,
      owner @{HOME}/.config/chromium/ rw,
      owner @{HOME}/.config/chromium/** rwk,
      owner @{HOME}/.config/chromium/**/Cache/* mr,
      owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
      owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
    
      # Allow transitions to ourself and our sandbox
      /usr/lib/chromium-browser/chromium-browser ix,
      /usr/lib/chromium-browser/chromium-browser-sandbox cx -> chromium_browser_sandbox,
      /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
    
      /bin/ps Uxr,
      /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
      /usr/bin/xdg-settings Cxr -> xdgsettings,
      /usr/bin/lsb_release Cxr -> lsb_release,
    
      # GSettings
      owner /{,var/}run/user/*/dconf/     rw,
      owner /{,var/}run/user/*/dconf/user rw,
      owner @{HOME}/.config/dconf/user r,
    
      profile xdgsettings flags=(attach_disconnected) {
        #include <abstractions/bash>
        #include <abstractions/gnome>
    
        /bin/dash ixr,
    
        /etc/ld.so.cache r,
        /usr/bin/xdg-settings r,
        /usr/lib/chromium-browser/xdg-settings r,
        /usr/share/applications/*.desktop r,
    
        # Checking default browser
        /bin/grep ixr,
        /bin/readlink ixr,
        /bin/sed ixr,
        /bin/which ixr,
        /usr/bin/basename ixr,
        /usr/bin/cut ixr,
    
        # Setting the default browser
        /bin/mkdir ixr,
        /bin/mv ixr,
        /bin/touch ixr,
        /usr/bin/dirname ixr,
        /usr/bin/gconftool-2 ix,
        /usr/bin/[gm]awk ixr,
        /usr/bin/xdg-mime ixr,
        owner @{HOME}/.local/share/applications/ w,
        owner @{HOME}/.local/share/applications/mimeapps.list* rw,
      }
    
      profile lsb_release flags=(attach_disconnected) {
        #include <abstractions/base>
        #include <abstractions/python>
        /usr/bin/lsb_release r,
        /bin/dash ixr,
        /usr/bin/dpkg-query ixr,
        /usr/include/python2.[4567]/pyconfig.h r,
        /etc/lsb-release r,
        /etc/debian_version r,
        /var/lib/dpkg/** r,
    
        /usr/local/lib/python3.[0-4]/dist-packages/ r,
        /usr/bin/ r,
        /usr/bin/python3.[0-4] r,
      }
    
    
      # Site-specific additions and overrides. See local/README for details.
      #include <local/usr.bin.chromium-browser>
    
      profile chromium_browser_sandbox flags=(attach_disconnected) {
        # Be fanatical since it is setuid root and don't use an abstraction
        /lib/libgcc_s.so* mr,
        /lib/@{multiarch}/libgcc_s.so* mr,
        /lib{,32,64}/libm-*.so* mr,
        /lib/@{multiarch}/libm-*.so* mr,
        /lib{,32,64}/libpthread-*.so* mr,
        /lib/@{multiarch}/libpthread-*.so* mr,
        /lib{,32,64}/libc-*.so* mr,
        /lib/@{multiarch}/libc-*.so* mr,
        /lib{,32,64}/libld-*.so* mr,
        /lib/@{multiarch}/libld-*.so* mr,
        /lib{,32,64}/ld-*.so* mr,
        /lib/@{multiarch}/ld-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
        /lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
        /usr/lib/libstdc++.so* mr,
        /usr/lib/@{multiarch}/libstdc++.so* mr,
        /etc/ld.so.cache r,
    
        # Required for dropping into PID namespace. Keep in mind that until the
        # process drops this capability it can escape confinement, but once it
        # drops CAP_SYS_ADMIN we are ok.
        capability sys_admin,
    
        # All of these are for sanely dropping from root and chrooting
        capability chown,
        capability fsetid,
        capability setgid,
        capability setuid,
        capability dac_override,
        capability sys_chroot,
    
        capability sys_ptrace,
        ptrace (read, readby),
    
        @{PROC}/ r,
        @{PROC}/[0-9]*/ r,
        @{PROC}/[0-9]*/fd/ r,
        owner @{PROC}/[0-9]*/oom_adj w,
        owner @{PROC}/[0-9]*/oom_score_adj w,
        @{PROC}/[0-9]*/status r,
        @{PROC}/[0-9]*/task/[0-9]*/stat r,
    
        /usr/bin/chromium-browser r,
        /usr/lib/chromium-browser/chromium-browser Px,
        /usr/lib/chromium-browser/chromium-browser-sandbox r,
        /usr/lib/chromium-browser/chrome-sandbox r,
    
        /dev/null rw,
    
        owner /tmp/** rw,
      }
    }
    Copy the contents to a text file, name it "usr.bin.chromium-browser" and place it into /etc/apparmor.d/. Make sure you have all the abstractions listed at the very top of the profile at this location as well; otherwise it will not load.

    regards.
     
    Last edited: Mar 13, 2016
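An added check for the last sentence of the post above, written for this page and not part of the thread or of the AppArmor project: a POSIX shell script that lists every `#include <...>` a profile pulls in and reports which ones have no file under a given AppArmor directory, so a profile copied from another release can be vetted before apparmor_parser refuses to load it. SAMPLE_PROFILE is a constructed excerpt using the same include syntax as the profile above; the directory is a parameter, so point it at /etc/apparmor.d on a real system.

```shell
#!/bin/sh
# Added example (not from the thread or the AppArmor project). Extracts the
# "#include <...>" directives from an AppArmor profile and reports which of
# them are missing under an AppArmor directory. SAMPLE_PROFILE is a constructed
# excerpt; on a real host use "$(cat /etc/apparmor.d/usr.bin.chromium-browser)"
# and /etc/apparmor.d as the directory.

SAMPLE_PROFILE='#include <tunables/global>
/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
  #include <abstractions/audio>
  #include <abstractions/gnome>
  network inet stream,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.chromium-browser>
}'

# list_includes PROFILE_TEXT -> one include path per line, sorted, deduplicated.
# Only real directives match; a commented-out "# #include <x>" is ignored.
list_includes() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*#include[[:space:]]*<\([^>]*\)>.*/\1/p' \
        | sort -u
}

# missing_includes PROFILE_TEXT APPARMOR_DIR -> includes with no file under APPARMOR_DIR.
# local/<name> counts too: unless the directive is "#include if exists", a
# missing local override file makes the parser reject the whole profile.
missing_includes() {
    list_includes "$1" | while IFS= read -r inc; do
        [ -e "$2/$inc" ] || printf '%s\n' "$inc"
    done
}

# make_demo_dir -> path of a temporary directory that provides only two of the
# four includes the sample needs (constructed for the stand-alone demo).
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/abstractions" "$d/tunables" "$d/local"
    : > "$d/abstractions/gnome"
    : > "$d/tunables/global"
    printf '%s\n' "$d"
}

# Stand-alone demo: prints abstractions/audio and local/usr.bin.chromium-browser.
DEMO_DIR=$(make_demo_dir)
missing_includes "$SAMPLE_PROFILE" "$DEMO_DIR"
rm -rf "$DEMO_DIR"
```

Run it against the real profile before reaching for aa-enforce; an empty result means every include resolves, and anything printed under local/ can be satisfied by creating the empty override file rather than by editing the profile.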
  20. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    328
    Location:
    Canada
    @TS4H Great - thanks a lot for the info
     
  21. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    ;)

    Not in the post you were answering, but I can't argue: I did mention Firefox out of context with this.

    Yes, I suppose.

    Is the need for Root in Firejail similar to Chrome's broker not being sandboxed?
     
    Last edited: Mar 21, 2016
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    730
    I'm sorry but I don't understand that question ... :confused:
     
  23. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    Firejail needs root to run so my question is whether you believe that is a worse risk than Chrome's broker not being sandboxed?
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I'm running Firejail in an account that is non-root and non-sudo. I just took a look at the manual and there are some options that require root, but there is also a "caps" option that can limit a process started as root. There is also a "noroot" option.
     
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    626
    Location:
    United States
    I'm just going by what their website is saying. Maybe they have a way to create an SUID sandbox without root which is required by SUID.

    "The project went through an external security audit, and several SUID-related problems have been found. Please update your software. "

    Are you using a password to login to Firejail?
     