FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Oh okay. I don't remember changing anything in the default profile:

    Code:
    
    # Chromium browser profile
    noblacklist ${HOME}/.config/chromium
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc
    
    # chromium is distributed with a perl script on Arch
    # include /etc/firejail/disable-devel.inc
    #
    
    netfilter
    whitelist ~/Downloads
    whitelist ~/.config/chromium
    
    # common
    whitelist ~/.fonts
    whitelist ~/.fonts.d
    whitelist ~/.fontconfig
    whitelist ~/.fonts.conf
    whitelist ~/.fonts.conf.d
     
  2. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Early on you showed this but I was never able to get this to work.

    https://www.wilderssecurity.com/threads/firejail-linux-sandbox.369309/page-2#post-2457345

    Code:
    
    # Chromium browser profile
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    tmpfs ${HOME}/.config/chromium/Default/Peppe*
    tmpfs ${HOME}/.cache/chromium/Default/Cache/
    blacklist ${HOME}/.adobe
    blacklist ${HOME}/.macromedia
    blacklist ${HOME}/.mozilla
    blacklist /home/user_name/Downloads
    blacklist /home/user_name/Documents
    blacklist /home/user_name/Pictures
    blacklist /home/user_name/Music
    blacklist /home/user_name/Videos
    blacklist /home/user_name/Public
    blacklist /home/user_name/Templates
    blacklist /mnt
    blacklist /home/user_name/Desktop
    blacklist /run/media
    read-only /usr/share/icons/
    read-only /sys/devices/pci0000:00/
    read-only ${HOME}/.config/chromium/Default/Preferences
    read-only ${HOME}/.config/chromium/Default/Bookmarks
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    You don't have to change that. Just create chromium.profile in ~/.config/firejail, include the default profile and add your modifications. It would look like this:

    Code:
    include /etc/firejail/chromium.profile
    caps.keep sys_chroot,sys_admin,sys_time,sys_tty_config,wake_alarm

    It takes precedence over the default profile (which would be overwritten by a Firejail update, anyhow).
     
    Last edited: Apr 28, 2016
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I forgot to reply to this part of your post :oops:

    I think we could argue all day long whether Linux is really a "security mess". When you and GJ say that those security technologies which I mentioned are not implemented by default (e.g. Arch has no AppArmor or SELinux support), it's simply because Linux desktop users are, realistically, not really under attack. If the threat scenario really becomes worse in the future it will be relatively easy to implement them as they are readily available, so reinventing the wheel is unnecessary. Besides, improvements are already on their way as all Gnome (and probably KDE) users will benefit from sandboxed applications before long, and package hardening certainly won't be restricted to Fedora.
     
  5. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Thanks!
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Some time ago I did away with that customized profile for several reasons, maybe after a firejail update, and because I'm so confident in the overall security of chromium under both the Linux sandbox and firejail, not to also mention the ublockO and https everywhere extensions, plus O/S hardening here and there.
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I'm with you on that though I've also been able to add a grsec kernel. Do you run as a standard user?
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    grsec fails on this old hardware of mine. Yes, I run as a standard user, elevating with the sudo command when required.
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    What's the terminal output? Remember that you must disable mprotect for a good amount of software:

    Code:
    setfattr -n user.pax.flags -v "m" /usr/bin/problematic_binary

    If that's not enough, you can disable emutramp as well:

    Code:
    setfattr -n user.pax.flags -v "em" /usr/bin/problematic_binary

    This is required because even legit software (like KDE, GNOME) doesn't operate within secure limits.

    I don't need to edit any TPE settings on Arch Linux, but on Debian I do. I assume the same is necessary for Ubuntu:

    Code:
    adduser amarildo grsec-tpe

    NOTE: If the group "grsec-tpe" doesn't exist, create it, then change its GID:

    Code:
    addgroup grsec-tpe

    Code:
    groupmod -g 64040 grsec-tpe

    Then log off and log in to apply the changes.
     
  10. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Using the default Firefox profile. What do I need to do in order to be able to print from my Deskjet and to PDF?
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    It works here with the default profile. Remember that the "filesystem container is created when the sandbox is started and destroyed when the sandbox is closed." The sandbox consists of a filesystem container built “on the fly” from user’s real filesystem. If you try to print to pdf Firefox does it to ~. But it's not persistent as ~ is not whitelisted. Solution: Print to ~/Downloads.
     
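    Added example (not Firejail's code and not any poster's): a small Python model of the two behaviours discussed in posts 3 and 11 above, namely that ~/.config/firejail/chromium.profile is used in place of /etc/firejail/chromium.profile and its include lines pull the default in, and that once whitelist directives are in force a file written to ~ is lost while one under ~/Downloads survives. The profile texts, file names and the /home/user path are constructed stand-ins.

```python
# Constructed stand-in for the profile files Firejail would read (not a real filesystem).
FILES = {
    "/etc/firejail/chromium.profile": (
        "# Chromium browser profile\n"
        "include /etc/firejail/disable-common.inc\n"
        "netfilter\n"
        "whitelist ~/Downloads\n"
        "whitelist ~/.config/chromium\n"
    ),
    "/etc/firejail/disable-common.inc": "blacklist ${HOME}/.ssh\nread-only ${HOME}/.bashrc\n",
    # The user's override as in the post above: include the default, then add to it.
    "~/.config/firejail/chromium.profile": (
        "include /etc/firejail/chromium.profile\n"
        "caps.keep sys_chroot,sys_admin,sys_time,sys_tty_config,wake_alarm\n"
    ),
}

def expand(path, home):
    """Expand ${HOME} and a leading ~ as the profile syntax allows."""
    path = path.replace("${HOME}", home)
    return home + path[1:] if path == "~" or path.startswith("~/") else path

def resolve(app, files=FILES):
    """Effective directive list: ~/.config/firejail/<app>.profile is used instead of
    /etc/firejail/<app>.profile when present, and include lines expand in order."""
    user = f"~/.config/firejail/{app}.profile"
    start = user if user in files else f"/etc/firejail/{app}.profile"
    rules = []
    def walk(path, stack):
        if path in stack:
            raise ValueError(f"include loop at {path}")
        for raw in files[path].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("include "):
                walk(line.split(None, 1)[1], stack + (path,))
            else:
                rules.append(line)
    walk(start, ())
    return rules

def persists(app, path, home="/home/user", files=FILES):
    """With any whitelist directive present, the rest of $HOME is a throwaway tmpfs:
    a file written in the sandbox survives only under a whitelisted path."""
    allowed = [expand(r.split(None, 1)[1], home)
               for r in resolve(app, files) if r.startswith("whitelist ")]
    target = expand(path, home)
    return not allowed or any(target == w or target.startswith(w + "/") for w in allowed)
```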
  12. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    There must be something (cups ?) to which access is denied in the sandbox.
    Log shows ...
    Apr 29 12:59:45 ocky-desktop kernel: [17174.164486] type=1400 audit(1461927585.793:2609): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="run/cups/cups.sock" pid=5807 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

    I should be getting the same print dialogue windows as in firejailed Opera and Chrome. See sshot (printer not turned on).

    (I was only able to print to PDF: Select > Select > Print. No option to print from the Deskjet printer.)
     

    Last edited: Apr 29, 2016
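    Added example (not part of the thread): a parser for the type=1400 AppArmor audit line quoted above, with a classifier that separates an ordinary rule denial from the "disconnected path" case, where the relative name (run/cups/cups.sock, no leading slash) shows the kernel could not resolve the socket against the process's mount namespace, which is what a sandbox with its own mount namespace produces. The first log line is the one from the post; the second is constructed for contrast.

```python
import re

# Constructed sample: the denial quoted in the post above, plus one ordinary denial
# (absolute path, no "disconnected path" hint) made up here for contrast.
SAMPLE_LOG = """\
Apr 29 12:59:45 ocky-desktop kernel: [17174.164486] type=1400 audit(1461927585.793:2609): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="run/cups/cups.sock" pid=5807 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Apr 29 13:01:02 ocky-desktop kernel: [17251.000001] type=1400 audit(1461927662.100:2610): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/cups/printers.conf" pid=5807 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value; the audit(...) and [timestamp] tokens carry no "=".
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor(line):
    """Turn the key=value tail of an AppArmor audit line into a dict; None if not AppArmor."""
    if 'apparmor="' not in line:
        return None
    return {key: bare if bare else quoted for key, quoted, bare in FIELD.findall(line)}

def classify(rec):
    """'disconnected-path': the object could not be resolved to the process's namespace
    root (relative name, info hint), so adding a rule for the absolute path will not help.
    'denied': a plain profile denial with a fully resolved path."""
    if rec.get("apparmor") != "DENIED":
        return "allowed"
    if "disconnected path" in rec.get("info", "") or not rec.get("name", "/").startswith("/"):
        return "disconnected-path"
    return "denied"

def summarize(log):
    """One (comm, operation, name, denied_mask, verdict) row per AppArmor line."""
    rows = []
    for line in log.splitlines():
        rec = parse_apparmor(line)
        if rec:
            rows.append((rec["comm"], rec["operation"], rec.get("name"),
                         rec["denied_mask"], classify(rec)))
    return rows
```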
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Isn't this rather an AppArmor problem? Sorry, I don't use AppArmor so can't tell. FWIW, there seem to be problems with AppArmor.
     
  14. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    It seems to only be a problem when running AppArmor plus Firejail. Thanks for the link summerheat.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thanks amarildojr.

    It was the video that broke at the time. I might just have a go at it again this weekend.

    EDIT

    I forgot to mention I did harden the kernel against access to kernel logs:

    Code:
    $ sudo sysctl --system
    [sudo] password for wat0114: 
    * Applying /etc/sysctl.d/50-coredump.conf ...
    kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %e
    * Applying /etc/sysctl.d/50-default.conf ...
    kernel.sysrq = 16
    kernel.core_uses_pid = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.promote_secondaries = 1
    net.ipv4.conf.all.promote_secondaries = 1
    net.core.default_qdisc = fq_codel
    fs.protected_hardlinks = 1
    fs.protected_symlinks = 1
    * Applying /etc/sysctl.d/50-dmesg-restrict.conf ...
    kernel.dmesg_restrict = 1

    Note the line: kernel.dmesg_restrict = 1

    Link: https://wiki.archlinux.org/index.php/security#Kernel_hardening
     
    Last edited: Apr 29, 2016
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Ocky, I just tried it in Debian sid (running in Virtualbox) with a firejailed Firefox and using the default Firefox AppArmor profile. I was able to print to a pdf file (in ~/Downloads) and to my printer. Do you use a self-made AppArmor profile where some necessary rules might be missing?
     
  17. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Disabling the AA profile for Firefox works. I thought it might be the cupsd profile, but disabling only usr.sbin.cupsd does not solve the problem. A few years ago I created one or two profiles for AA but reverted to the defaults as it was much too time consuming and I have more pressing things to do. It is not serious as I can at least print to file and from there of course I can print the pdf with my printer.
    In any case I prefer Chrome and Opera, which work great with Firejail. BTW, the Firefox 46 update breaks Flash. Thanks.

    Edit: Just remembered that the Firefox profile is not enabled by default in AA. So maybe you should enable it and then try.

    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

    Check status before enabling and after:

    Code:
    sudo apparmor_status
     
    Last edited: May 1, 2016
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I know ;) The profile is in enforce mode. I should have mentioned, though, that there is no usr.bin.firefox profile in Debian sid (probably because usr/bin/firefox is a symlink to /usr/lib/firefox/firefox - I don't know if it's different in Ubuntu). I used the usr.lib.firefox.firefox profile from /usr/share/doc/apparmor-profiles/extras. I believe it's also available in Ubuntu if you install the apparmor-profiles-extra package. Perhaps comparing the rules in both profiles will give a hint how to solve your problem.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thanks for the news, summerheat :)
     
  21. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I've been using this religiously since you showed that Chrome has a weakness in their sandbox.
     
  22. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Thanks for the heads up. The firecfg feature is most welcome and simplifies the creation of symbolic links.:thumb:
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, although executing

    Code:
    sudo ln -s /usr/bin/firejail /usr/local/bin/your_application

    isn't too difficult, either. ;)
     
  24. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Yes, not too difficult, but a handy addition nonetheless.
     
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    A small hint: For Arch Linux Firejail has moved from the AUR to the official community repo. Good!
     