FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    And then again, the pulseaudio developers clearly stated that the fix is far from perfect or even good as it will cause pulseaudio to create tons of little files which won't get deleted by pulseaudio.
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Exactly, I just delete whatever is on "/dev/shm" before shutting down or rebooting.
     
  3. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Hmm, that might be a reasonable fix... thanks for that.
     
  4. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    I'm having some difficulties with version 0.9.36_1. I'm unable to drag and drop files into Dropbox, and on Linux Mint KDE 17.2 Private Keep isn't working; I keep getting an error message, something like invalid command.

    Note: Private Keep works just fine on Linux Mint Cinnamon 17.1; heck, it even works properly now on the non-admin account.

    BTW, how do I use Private Home with Firefox?
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    man firejail

    just scroll down to the --private option and you'll see how it can be used in place of private-keep.
     
  6. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Thanks. :) firejail --private-home=.mozilla firefox :thumb: BTW, does Private Home allow you to save downloads or bookmarks?
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Wow, this thing is awesome! It's like AppArmor in a 120 KB binary. Rockin'.

    I am a little concerned about the user-administered part though. IOW: it is a setuid binary. We know the sandbox is okay; but do we know that the binary itself won't provide a possible means of privilege escalation, from non-sandboxed programs?

    This calls for some experimentation, I think.

    Edit: it looks like Firejail drops privileges very fast indeed. I think we're okay here.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Indeed! With the .inc files included, e.g., in firefox.profile basically all critical folders/files are blacklisted, and in your home only those folders/files are visible/accessible which are explicitly whitelisted. I recommend it for all distros. For example, in Ubuntu there is an apparmor profile for Firefox available but it's disabled by default. And if you enforce it you have to add various own rules in order to not make it break things. And in Fedora? I've recently installed v. 23 in a Virtualbox VM and noticed to my surprise that Firefox is not confined by SELinux. Ouch! Now consider how easy that is with Firejail. Finally Firefox has a sandbox as strong as the one of Chromium/Google Chrome. And even the latter is considerably more confined by Firejail.

    FWIW, I've firejailed quite a number of applications, including Thunderbird, Okular, Gwenview, unbound, dnscrypt-proxy, LibreOffice, Guayadeque

    Good to know. How did you test that?
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Nothing even remotely interesting - just trying to run various already-setuid binaries with it. Don't assume there are no holes just because I haven't found any. :p
     
  10. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Wait you mean Mozilla finally enabled the seccomp sandbox in Firefox by default?
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Downloads yes, but I haven't figured out how to create exceptions for bookmarks when using the --private option. Essentially any and all changes to and within the browser are discarded when the sandbox is closed using the private-home option, because it overrides whitelisting. I'm hoping someone does know how to create these exceptions and can provide an example. Summerheat maybe? :cautious: ...who seems to have a good handle on it.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No, I meant running Firefox firejailed. :)

    EDIT: If you're running Firefox firejailed and open about:support in the browser you'll see at the bottom of that page that seccomp-bpf is enabled.
     
    Last edited: Jan 8, 2016
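Added example, not part of any post in this thread: the privilege drop mentioned in post 7 and the seccomp-bpf state mentioned in post 12 can both be read from outside the process, in /proc/<pid>/status. The function names and the sample status text below are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a process from the Uid: and Seccomp: lines of
# /proc/<pid>/status. Function names are hypothetical; samples are constructed.

# uid_state STATUS_TEXT -> dropped | root | mixed | unknown
# The Uid: line lists the real, effective, saved and filesystem UID.
uid_state() {
    set -- $(printf '%s\n' "$1" | awk '$1 == "Uid:" { print $2, $3, $4, $5; exit }')
    [ $# -eq 4 ] || { echo unknown; return; }
    if [ "$1" = "$2" ] && [ "$2" = "$3" ] && [ "$3" = "$4" ]; then
        if [ "$1" = 0 ]; then echo root; else echo dropped; fi
    else
        echo mixed    # e.g. saved UID still 0: root can be regained
    fi
}

# seccomp_mode STATUS_TEXT -> disabled | strict | filter | unknown
seccomp_mode() {
    case $(printf '%s\n' "$1" | awk '$1 == "Seccomp:" { print $2; exit }') in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;   # seccomp-bpf
        *) echo unknown ;;
    esac
}

# report PID -> one summary line for a live process
report() {
    status=$(cat "/proc/$1/status") || return 1
    echo "pid $1: uid=$(uid_state "$status") seccomp=$(seccomp_mode "$status")"
}

# Constructed samples (not captured from a real system).
SAMPLE_SANDBOXED='Name: firefox
Uid: 1000 1000 1000 1000
Seccomp: 2'
SAMPLE_SETUID='Name: helper
Uid: 1000 0 0 0
Seccomp: 0'

# Usage: sh status-check.sh $(pgrep firefox)
for pid in "$@"; do report "$pid" || echo "pid $pid: not readable"; done
```

A result of "mixed" for a process started through a setuid binary means at least one of the four UIDs still differs from the others, which is the case worth looking at more closely.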
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Sorry - I don't use that option so I would have to experiment a bit first.
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Me neither, but usually I don't have to download anything when I'm using the --private option (which I only do to use Youtube and Facebook). But if I have to download something, I usually upload it to MEGA/Sendspace, and then download via the regular browser that is opened with "firejail iceweasel".
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Thanks. Yeah, Downloads are easy enough. It's only bookmarks and basically everything else that's a problem. Of course having all changes flushed away when closing the sandboxed browser is a nice security and privacy benefit, but it would be nice if one could include exceptions such as bookmarks and on-the-fly changes to extensions, such as when updating the ruleset to uBlockO, for example.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Quite frankly - I don't see why this should be necessary. I block 3rd-party cookies by default, allow those 1st-party cookies which I don't block with uMatrix anyhow only until the browser closes (with a few exceptions), additionally the extension "Self-destructing cookies" takes care of cookies and local storage, and the browser cache, website offline-data etc. are deleted when the browser closes. And my privacy is already well protected by uBlock0 and strict settings in uMatrix beforehand. I simply don't see the benefits of the --private option for me considering all the trouble discussed above.
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    You only lose changes if you use the --private option. Normal "firejail firefox" won't make the changes go away.
    But then, if you need the --private option you might as well not have anything stored as it may be used to identify you and your browser.

    I never used this option, but I think "firejail --private-home=/home/your-user/.mozilla/profile-x" is a good idea to have a separate browser profile. Just remember to create the new profile first, and then point its directory with the command above.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Points well taken, but it's just I like the fact all history is wiped when I close the firejailed browser, along with any other possible, even if unlikely, unauthorized changes that may have happened in the browser and extensions during the sandboxed session. I don't need an extension to wipe history or cookies this way, either. Of course there is for me a small inconvenience factor whenever I want to make persistent changes such as updating the extensions (uBlockO, Lastpass & New Tab Redirect), especially uBlock, or the rare times I want to add or manage bookmarks. Updating the browser to a newer version also requires I launch it unsandboxed too. At least I can back up my extension configurations and download files to my Downloads folder on my backup drive in the sandboxed session. It's worth it for me.

    EDIT
    oops, forgot to mention also using HTTPS Everywhere extension

    I have two launchers on my panel for this: One to launch the browser unsandboxed for updating and other maintenance reasons, and one to launch it sandboxed for typical browsing.

    Ohh, just saw your post after I posted ;)

    I use Chromium, and for identity concerns, well, uBlockO hopefully to some extent, at least, handles this concern, plus I block 3rd party cookies.

    What it all comes down to is I like the fact I know for sure when I open a new sandboxed session, it's opening a clean session because of the private-home option.
     
    Last edited: Jan 9, 2016
  19. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @wat0114 So you'll only use "firejail chromium"?
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Yes. I find Firefox too sluggish for my liking.
     
  21. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    371
    Location:
    DownUnder
    I confess that I'm something of a lackwit on the inner workings of Linux – so my usage of firejail is in the 'monkey see > monkey do' category. For the benefit of others who may be likewise, this forum link provides some easier to understand (IMO) tips and examples on using firejail than the formal Wordpress articles.

    http://forums.linuxmint.com/viewtopic.php?f=42&t=202735
     
  22. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    OK, so with Firejail, Firefox is as secure as Chromium/Chrome minus Firejail. So what about Private Home, is that comparable or on par with Sandboxie? wat0114, I haven't been able to save downloads with Private Home, am I doing something wrong?
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, I found that the settings presented here make a noticeable difference.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Sorry, I should have mentioned you'll have to create a Downloads folder in a location other than under your /home/user_name

    Thanks, but there is also the outdated Flash issue in Firefox under Linux which I don't like. The PPAPI (pepper-Flash) plugin under Chromium looks far more secure than that of Firefox.
     
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That Flash version is not outdated security-wise as it still gets security updates. That said, isn't Flash sandboxed, too, if you run Firefox firejailed? It should but I can't tell for sure as I haven't Flash installed at all but Shumway instead. And most sites work flawlessly.
     