FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    Here's a pretty cool app, FireJail - https://l3net.wordpress.com/projects/firejail/
    I've been looking for a simple effective way ( outside of a VM ) to sandbox my browser in Linux.
    Found it... "Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces."

    EDIT: Killer feature -
    In private mode Firejail mounts empty temporary filesystems (tmpfs) on top of user home directory and /tmp. Closing the sandbox will discard any new files created in these directories. You can use this option when you want to protect all the files in your user account.

    $ firejail --private firefox
     
  2. AppArmor, FireJail guarding Chrome, I can't imagine anything could escape those policy/virtualisation/sandbox layers
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Kernel exploit? There are plenty of those on Linux.
     
  4. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
Forgive my ignorance... so you're saying a kernel exploit could bypass Firejail?
    I have just stumbled across this app today and haven’t had time to poke at it yet.

    EDIT: After a quick look I would say this goes a good way to reducing the attack surface as Firejail uses seccomp filters, limiting system calls and limiting arguments to them.
     
    Last edited: Oct 16, 2014
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    It uses seccomp? Nice. Perhaps I'll try it out... I have to admit I've been less into client-side and desktop security since the Shellshock embarrassment though.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I roll my own version of this, though it's not feature-complete yet.

    A kernel exploit will still bypass this - for example, the futex_requeue vulnerability would bypass the sandbox as the system call futex is allowed.

    An application at *minimum* will require at least mmap, brk, and a few other syscalls - and more to be useful. That's plenty of attack surface, which is why you still need to take care and secure your kernel.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Is it possible to use this on a browser that's already Apparmored? That would be cool if it is :)
     
  8. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  9. zorro zorrito

    zorro zorrito Registered Member

    Joined:
    Feb 19, 2006
    Posts:
    175
Hi all, is there a good tutorial for this program? I want to know how to install it and how to use it; my PC runs Manjaro. Thanks!!!
     
  10. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    It's as simple as

    pacman -S firejail

    firejail firefox (or whatever)
     
  11. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    FYI, best as I can tell on Manjaro, the firejail package is not in the official repositories. You have to build from the AUR.
     
  12. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    It's in the graphical package manager as "firejail," from the AUR
     
  13. zorro zorrito

    zorro zorrito Registered Member

    Joined:
    Feb 19, 2006
    Posts:
    175
Hi all. I installed firejail this way: yaourt firejail, then I installed Opera. Now to start firejail I do this in the Terminal: firejail, then I do this: firejail opera, and it says:
    Child process initialized
    parent is shutting down, bye...
    And Opera appears, is it sandboxed now? Is that the way to use it?
    Thanks, this is the first time I do it.
     
  14. zorro zorrito

    zorro zorrito Registered Member

    Joined:
    Feb 19, 2006
    Posts:
    175
I have learned how to run the sandbox: open the terminal and write "firejail --private opera" and the Opera browser opens sandboxed, it is good. I like Manjaro very much, everything runs in this distro.
     
  15. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Does anybody know how to use the Tor Browser with this? firejail tor/tor-browser/start-tor-browser don't work...
     
  16. zorro zorrito

    zorro zorrito Registered Member

    Joined:
    Feb 19, 2006
    Posts:
    175
    Hi all, do you know "minijail"?
Opening Terminal and writing "jail" it appears:
    aur/minijail R37.5978-1 (0)
    Tool to run a process in jailed environment

    And there's another one:
    appjail
    aur/appjail 2-1 (2)
    Sandboxing tool to protect private data from untrusted applications

Thanks for the answers.
     
    Last edited: Jan 27, 2015
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Excellent stuff - looks like firejail is acting as a front-end to seccomp-bpf with a sensible default set of filters for dangerous system calls, is that your interpretation? Sandboxie for Linux anyone? Modern Chrome/Chromium are already using seccomp-bpf filtered to what they require.

    Hopefully, it's a bit easier to use than Apparmor.
     
  18. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    371
    Location:
    DownUnder
    I'm liking Firejail – (currently using it for my browser only)
    firejail --seccomp --debug firefox provides a nice concise readout of what's restricted.

    Too bad there's no 32 bit installer.
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Me too - trying it on Linux Mint 17

It looks quite mature and functional to me, with switches to add/remove system calls or create custom profiles. I like that. As noted, I'd also like a tutorial to help with when/how to use namespaces, private, overlayFS and the bridging functions, although the project site itself is pretty good if you read the documentation.

    I've tried opening straight, with seccomp and with --caps (Linux capabilities which is, I think, a thread user permissions thing), on Firefox and LibreOffice, worked fine. It seems to be using a combination of system controls, not just seccomp.

    So, I like this very much indeed and will continue using it. I think it's crying out for a graphical front-end/controller, and it's reminding me of Sandboxie (but more controllable?). I would like it to do things like visually mark applications which are firejailed (the way Qubes and Sandboxie do), but I don't know how easy it would be to do this.
     
  20. tlu

    tlu Guest

    I'm running Google Chrome, Thunderbird and QuiteRSS under Firejail on Arch Linux right now. Looks good, so far no problems. I will try to finetune the profiles in the next days. An enhanced blacklist option in future Firejail versions would be welcome.
     
  21. tlu

    tlu Guest

    Yes, and seccomp-bpf and Yama LSM (the latter not on Debian Wheezy and Jessie, though - why?). However, the blacklist option is still useful - sort of "Apparmor light".
     
  22. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I enabled the Firejail blacklist. Thanks that is a great idea.
     
  23. tlu

    tlu Guest

    You're welcome. More details and options can be found in man firejail-profile
     
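Added example for the profile/blacklist discussion above (tlu's pointer to man firejail-profile and the earlier blacklist posts); this is not code from the thread or from the Firejail project. It is a small Python audit script that reads a profile the way the man page describes (following include lines, applying blacklist, noblacklist and read-only, collecting bare directives such as seccomp and caps.drop all) and then answers the question a user actually cares about: which paths does the sandboxed app still see, and which hardening directives are missing. The two profile files and the home directory /home/alice are constructed for the demo; the noblacklist-before-include ordering and the prefix matching are a simplified model of Firejail's behaviour, not its exact implementation.

```python
"""Audit a Firejail profile: resolve includes, then report which paths the
sandbox hides and which hardening directives are set.  Added example for
the forum thread; not Firejail's own code.  Models a simplified subset of
the syntax documented in `man firejail-profile`."""
import os
import tempfile
from dataclasses import dataclass, field

# Constructed sample profiles, laid out like /etc/firejail: a shared include
# that blacklists sensitive directories, and an app profile that exempts one
# of them with noblacklist *before* pulling the include in.
SAMPLE_FILES = {
    "disable-common.inc": """\
# constructed subset of a common include file
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
blacklist /etc/shadow
read-only ${HOME}/.bashrc
""",
    "opera.profile": """\
# constructed app profile (deliberately lacks noroot)
noblacklist ${HOME}/.gnupg
include disable-common.inc
caps.drop all
seccomp
private-tmp
""",
}


@dataclass
class Profile:
    blacklist: list = field(default_factory=list)
    noblacklist: list = field(default_factory=list)
    read_only: list = field(default_factory=list)
    flags: set = field(default_factory=set)  # bare directives, e.g. "seccomp"


def expand(path, home):
    """Expand the ${HOME} and leading ~ forms used in profile files."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return path.replace("${HOME}", home)


def is_under(path, prefix):
    """True if `path` equals `prefix` or lies inside that directory."""
    path, prefix = os.path.normpath(path), os.path.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def load_profile(path, home, prof=None, depth=0):
    """Parse one profile file into `prof`, following `include` lines.
    Relative includes resolve against the including file's directory."""
    if depth > 16:
        raise RuntimeError("include chain too deep: " + path)
    prof = prof or Profile()
    base = os.path.dirname(path)
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            key, _, arg = line.partition(" ")
            arg = arg.strip()
            if key == "include":
                inc = arg if os.path.isabs(arg) else os.path.join(base, arg)
                load_profile(inc, home, prof, depth + 1)
            elif key == "blacklist":
                target = expand(arg, home)
                # Simplified model: a noblacklist only exempts blacklist lines
                # that come after it, which is why profiles put it before the
                # include.  Matching is by path prefix.
                if not any(is_under(target, n) for n in prof.noblacklist):
                    prof.blacklist.append(target)
            elif key == "noblacklist":
                prof.noblacklist.append(expand(arg, home))
            elif key == "read-only":
                prof.read_only.append(expand(arg, home))
            else:
                prof.flags.add(line)  # seccomp, caps.drop all, private-tmp, ...
    return prof


def access_of(prof, path, home):
    """What the sandboxed app sees for `path`: hidden, read-only or normal."""
    path = expand(path, home)
    if any(is_under(path, b) for b in prof.blacklist):
        return "hidden"
    if any(is_under(path, r) for r in prof.read_only):
        return "read-only"
    return "normal"


def missing_hardening(prof):
    """Directives from a short checklist that the profile does not set."""
    missing = []
    if not any(f == "seccomp" or f.startswith("seccomp.") for f in prof.flags):
        missing.append("seccomp")
    missing += [d for d in ("caps.drop all", "private-tmp", "noroot")
                if d not in prof.flags]
    return missing


def audit_sample(home="/home/alice"):
    """Write the constructed profiles to a temp dir, load them, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(text)
        prof = load_profile(os.path.join(tmp, "opera.profile"), home)
    return {
        "ssh": access_of(prof, "~/.ssh/id_ed25519", home),
        "gnupg": access_of(prof, "~/.gnupg/secring.gpg", home),
        "shadow": access_of(prof, "/etc/shadow", home),
        "bashrc": access_of(prof, "~/.bashrc", home),
        "downloads": access_of(prof, "~/Downloads", home),
        "missing": missing_hardening(prof),
    }


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key:>9}: {value}")
```

Running it shows ~/.ssh and /etc/shadow hidden, ~/.gnupg still visible because the noblacklist came first, ~/.bashrc read-only, and "noroot" reported as the one checklist item the profile lacks. To audit a real profile, point load_profile at ~/.config/firejail/opera.profile (or the one under /etc/firejail) with your own home directory, keeping in mind the simplifications noted above.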
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Hi tlu,

    what are the additional advantages to sandboxing Chrome/Chromium with this, over that of the sandboxing Linux already provides?
     