FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. alan591

    alan591 Registered Member

    Joined:
    Jun 3, 2016
    Posts:
    3
    Location:
    Germany
    Hello,

    I've been looking into the Firefox and Chromium based browser profiles and noticed that most of the security features firejail provides are missing in the Chromium / Opera / Chrome profiles.

    Only netfilter is enabled.

    I know that Chromium based browsers have a built-in sandbox, but according to this thread some features are missing in order to protect, for instance, the broker process.

    According to netblue30 it is necessary to disable some of the features in firejail in order to allow the built-in sandbox in Chromium based browsers to work properly.

    However some of the people on this thread were able to run Chromium with most of the caps dropped and claimed that it would provide additional safety.

    What about the other features like:

    nonewprivs
    noroot
    protocol unix,inet,inet6,netlink
    tracelog

    I tried running Chromium with everything except seccomp and tracelog and it seemed to work.

    I would like to use as many of the firejail security features as possible with Chromium etc. without compromising its built-in sandbox features.

    Any ideas?
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,088
    Location:
    Brasil
    Finally! I was wondering how long it would take.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,769
    Location:
    Canada
    The renderers host all the code that runs inside the sandbox, and they are already protected by the Linux sandbox model, especially the seccomp-bpf layer, and it's these renderers that are far more likely to be compromised since they process untrusted content.

    There is some info on this here and here.

    AFAIK, Firejail should be sandboxing the Broker process, so you have a sort of dual sandboxing taking place.
     
  4. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    I am not versed in sandboxes or MAC, so I question whether this helps or just increases attack surface. Same question in regards to AppArmor or SELinux for that matter- to use AA one must have audit enabled in the kernel, which in itself is a potential vector for either exploitation or information gathering (about the system for the exploit).

    I write this on a firejail'd apparmor'd firefox, so im not condescending upon anyone. But are we as users really sure that- for example- having two sandboxes is a good thing? Or having audit? Or whatever. Id be curious to hear from the firejail dev on such questions. Obviously a sandboxed FF is better than without, but at what point do we draw the line?
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,827
    Location:
    UK
    There's been extensive discussions on this issue in relation to Sandboxie and Chrome (for example) on Windows.

    The thing I take comfort from in the case of Firejail is that it is using existing kernel functionality; there has been a serious bug in one release, but my feeling overall is that its protections are worth any risk, unless the application is taking advantage of all the controls that Firejail does. As applications improve their built-in Sandboxing, the balance becomes more equivocal, though I'd note that Firejail and Sandboxie both give FAR more control of conditions, access and networking than the essentially unconfigurable application sandboxes.


    In addition, whereas the applications are under sustained attack, attacks on Firejail and Sandboxie or virtualisation are more expensive and specialised - in some cases, standard malware bombs out of activity if it detects these protections.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,808
    Well, most distros like Debian, Fedora etc. have the audit framework enabled in their kernels. So I would say that although it might increase the attack surface to some extent it's certainly not an obscure technology but a widely used part of the kernel.

    Every user has to answer this question himself/herself. Firejail and AppArmor use different technolgies: Firejail uses technologies added to the kernel in recent years like namespaces and seccomp-bpf while AppArmor is a mandatory access system (like SELinux or Tomoyo) implemented as an LSM module (the latter available in the kernel since 2002 or so). It's a proven technology but critisized (I'm tempted to say: of course!) by the grsecurity guys.

    Combining both offers a layered security which is generally a good thing, IMHO, but with a diminishing marginal utilty (in economics parlance). So it all depends on your degree of paranoia :D
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,808
    Adding to what wat0114 already said , I contributed my two cents earlier in this thread. I think that what I wrote then is not overly incorrect.

    Not for me. If I add

    nonewprivs
    noroot
    protocol unix,inet,inet6,netlink

    to the profile, Chromium doesn't launch. :confused: Are you sure that you launched it firejailed?

    Not to my knowledge, with the exception of what wat0114 suggested - an alternative and perhaps easier method is this one.
     
  8. alan591

    alan591 Registered Member

    Joined:
    Jun 3, 2016
    Posts:
    3
    Location:
    Germany
    Yes, I'm pretty sure.

    My chromium.profile in .config/firejail looks like that:

    #Chromium browser profile
    include /etc/firejail/chromium.profile

    include /etc/firejail/disable-devel.inc

    caps.drop.all
    protocol unix,inet,inet6,netlink
    netfilter
    nonewprivs
    noroot

    I launch Chromium with Firetools. The tools option tells me Chromium is running firejailed with seccomp enabled, all caps disabled, user Namespace disabled, Protocols: unix,inet,inet6,netlink.

    If I include seccomp or tracelog, the browser window won't open but it still shows up in firetools.

    I've done some browsing with this setting and there were no problems.

    By the way: I'm running Leap 42.1 and I cannot find a Chromium profile for AppArmor. There are some experimental ones for Opera and Firefox, but not for Chromium. The one for Ubuntu doesn't work. Any suggestions?

    alan591
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,808
    I don't use Firetools. Can you, please, launch Chromium and show us what

    firejail --list

    or

    firejail --tree

    tell you?

    Put the profile into complain mode and adjust it with aa-logprof.
     
  10. alan591

    alan591 Registered Member

    Joined:
    Jun 3, 2016
    Posts:
    3
    Location:
    Germany
    Hello,

    her comes the tree. Sometimes it lists the flash stuff although it's disabled in Chromium so I added both versions.

    Code:
    user@linux:~> firejail --tree
    3039:user:firejail chromium
      3040:user:firejail chromium
        3042:user:/usr/lib64/chromium/chromium --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242 --password-store=gnome --enable
          3048:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
            3050:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              3123:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
              3137:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
              3161:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
              3189:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
              3196:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
          3097:user:/usr/lib64/chromium/chromium --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThrottling<RenderingPipelineThrottling,V8_Serialize_A
            3099:user:/usr/lib64/chromium/chromium --type=gpu-broker
    
    
    user@linux:~> firejail --tree
    8512:user:firejail chromium
      8513:user:firejail chromium
        8515:user:/usr/lib64/chromium/chromium --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242 --password-store=gnome --enable
          8521:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
            8523:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8591:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8602:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8636:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8648:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8655:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8661:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
          8570:user:/usr/lib64/chromium/chromium --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThrottling<RenderingPipelineThrottling,V8_Serialize_A
            8572:user:/usr/lib64/chromium/chromium --type=gpu-broker 
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,808
    That's interesting. As mentioned it doesn't work for me with these settings. The only explanation is what netblue30 wrote in his seccomp guide:
     
  12. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Please advise what purpose the firetools folder in ~/.config is intended for. At present there is nothing in it. Maybe to get other programs to show up in Firetools gui ? If so how ?
    (Not that I use the gui, just curious).
     
    Last edited: Jun 19, 2016
  13. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    Running Fedora Chrome starts with these profile options below - tracelog is a no go.

    caps.drop.all
    nonewprivs
    noroot
    protocol unix,inet,inet6,netlink

    There is a running error I haven't seen before though

    [1:1:0621/235904:ERROR:platformKeyboardEvent.cpp(117)] Not implemented reached in static PlatformEvent::Modifiers blink::platformKeyboardEvent::getCurrentModifierState()

    Which is otherwise a Chrome bug but doesn't seem to be a security issue.
    https://bugs.chromium.org/p/chromium/issues/detail?id=538289
     
    Last edited: Jun 22, 2016
  14. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    pulseaudio 9 is working fine on my Arch setup.. I remember anasty bug with pulseaudio 7 where firejail muted all sound and the only way to get the sound back with firejail was by deactivating some feature in pulseaudio which would cause massive spam of little files in a pulseaudio folder (snbclient = no or smth like that).

    Is this bug fixed and firejail fully working out of the the box with pulseaudio 9?

    Thanks :)
     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    No, I still had to use the workaround with 9.40

    $ mkdir -p ~/.config/pulse
    $ cd ~/.config/pulse
    $ cp /etc/pulse/client.conf .
    $ echo "enable-shm = no" >> client.conf
     
  16. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Thanks, but from what the pulseaudio developer commented, this is a very bad workaround and will cripple the system over time :(
     
  17. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    Do you have a link to that comment?
     
  18. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    +1. Id like to see this too.

    It would really suck if we had to choose between Pulseaudio and Firejail. I will choose Firejail if I have to. Only reason I have pulseaudio installed is for Skype (yeah I know.. I cant choose what people I know use..). Ill tell them all off :p
     
  19. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    I would think Pulse could be replaced by Alsa but in searching most people say there would be issues with that.

    I've been using the Firejail work around for some time and can't attribute any problems from it.
     
  20. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    This may be an issue in Fedora at this point because in the thread on the audio issue netblue30 seems to indicate this is fixed in Debian and Ubuntu which likely means offshoots of those also.

    That discussion is here

    https://github.com/netblue30/firejail/issues/69
     
    Last edited: Jul 2, 2016
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,808
    The fix works also for Fedora. I'm using Fedora 24 (KDE spin) right now.
     
  22. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    When I wrote 'fixed' I meant no workaround necessary
     
  23. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Sorry I dont have the link right now.

    It was on firejails github where the bug was originally reported. The developer of firejail + a pulseaudio developer commented and discussed on how to aolve the issue. At one point the pulseaudio developer explained that "enable-shm = no" is a very bad solution and would cripple the system becaus of...
     
  24. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    I cannot watch youtube videos while my browser is firejailed. I'm using Ubuntu 16.04 and I've tried both with Chromium and Firefox.

    Anyone has the same problem? How does one fix it?

    Sorry if this has already been discussed, if you could link me to the page number, I would appreciate.
     
  25. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,088
    Location:
    Brasil
    I don't think he ever said that.

    Anyway, just remove the contents of /dev/shm before shutting down or rebooting.

    Or do as the developer actually said: "enable-memfd = yes in /etc/pulse/daemon.conf fixes this issue too"

    https://github.com/netblue30/firejail/issues/69#issuecomment-234000822

    Or: https://www.wilderssecurity.com/threads/firejail-linux-sandbox.369309/page-18#post-2599259
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.