FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. alan591

    alan591 Registered Member

    Joined:
    Jun 3, 2016
    Posts:
    3
    Location:
    Germany
    Hello,

    I've been looking into the Firefox and Chromium based browser profiles and noticed that most of the security features firejail provides are missing in the Chromium / Opera / Chrome profiles.

    Only netfilter is enabled.

    I know that Chromium based browsers have a built-in sandbox, but according to this thread some features are missing in order to protect, for instance, the broker process.

    According to netblue30 it is necessary to disable some of the features in firejail in order to allow the built-in sandbox in Chromium based browsers to work properly.

    However some of the people on this thread were able to run Chromium with most of the caps dropped and claimed that it would provide additional safety.

    What about the other features like:

    nonewprivs
    noroot
    protocol unix,inet,inet6,netlink
    tracelog

    I tried running Chromium with everything except seccomp and tracelog and it seemed to work.

    I would like to use as many of the firejail security features as possible with Chromium etc. without compromising its built-in sandbox features.

    Any ideas?
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Finally! I was wondering how long it would take.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    The renderers host all the code that runs inside the sandbox, and they are already protected by the Linux sandbox model, especially the seccomp-bpf layer, and it's these renderers that are far more likely to be compromised since they process untrusted content.

    There is some info on this here and here.

    AFAIK, Firejail should be sandboxing the Broker process, so you have a sort of dual sandboxing taking place.
     
  4. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    I am not versed in sandboxes or MAC, so I question whether this helps or just increases attack surface. Same question in regards to AppArmor or SELinux for that matter- to use AA one must have audit enabled in the kernel, which in itself is a potential vector for either exploitation or information gathering (about the system for the exploit).

    I write this on a firejail'd apparmor'd firefox, so I'm not condescending upon anyone. But are we as users really sure that- for example- having two sandboxes is a good thing? Or having audit? Or whatever. I'd be curious to hear from the firejail dev on such questions. Obviously a sandboxed FF is better than without, but at what point do we draw the line?
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    There's been extensive discussions on this issue in relation to Sandboxie and Chrome (for example) on Windows.

    The thing I take comfort from in the case of Firejail is that it is using existing kernel functionality; there has been a serious bug in one release, but my feeling overall is that its protections are worth any risk, unless the application is taking advantage of all the controls that Firejail does. As applications improve their built-in Sandboxing, the balance becomes more equivocal, though I'd note that Firejail and Sandboxie both give FAR more control of conditions, access and networking than the essentially unconfigurable application sandboxes.


    In addition, whereas the applications are under sustained attack, attacks on Firejail and Sandboxie or virtualisation are more expensive and specialised - in some cases, standard malware bombs out of activity if it detects these protections.
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, most distros like Debian, Fedora etc. have the audit framework enabled in their kernels. So I would say that although it might increase the attack surface to some extent it's certainly not an obscure technology but a widely used part of the kernel.

    Every user has to answer this question himself/herself. Firejail and AppArmor use different technologies: Firejail uses technologies added to the kernel in recent years like namespaces and seccomp-bpf while AppArmor is a mandatory access system (like SELinux or Tomoyo) implemented as an LSM module (the latter available in the kernel since 2002 or so). It's a proven technology but criticized (I'm tempted to say: of course!) by the grsecurity guys.

    Combining both offers a layered security which is generally a good thing, IMHO, but with a diminishing marginal utility (in economics parlance). So it all depends on your degree of paranoia :D
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Adding to what wat0114 already said, I contributed my two cents earlier in this thread. I think that what I wrote then is not overly incorrect.

    Not for me. If I add

    nonewprivs
    noroot
    protocol unix,inet,inet6,netlink

    to the profile, Chromium doesn't launch. :confused: Are you sure that you launched it firejailed?

    Not to my knowledge, with the exception of what wat0114 suggested - an alternative and perhaps easier method is this one.
     
  8. alan591

    alan591 Registered Member

    Joined:
    Jun 3, 2016
    Posts:
    3
    Location:
    Germany
    Yes, I'm pretty sure.

    My chromium.profile in .config/firejail looks like that:

    #Chromium browser profile
    include /etc/firejail/chromium.profile

    include /etc/firejail/disable-devel.inc

    caps.drop.all
    protocol unix,inet,inet6,netlink
    netfilter
    nonewprivs
    noroot

    I launch Chromium with Firetools. The tools option tells me Chromium is running firejailed with seccomp enabled, all caps disabled, user Namespace disabled, Protocols: unix,inet,inet6,netlink.

    If I include seccomp or tracelog, the browser window won't open but it still shows up in firetools.

    I've done some browsing with this setting and there were no problems.

    By the way: I'm running Leap 42.1 and I cannot find a Chromium profile for AppArmor. There are some experimental ones for Opera and Firefox, but not for Chromium. The one for Ubuntu doesn't work. Any suggestions?

    alan591
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I don't use Firetools. Can you, please, launch Chromium and show us what

    firejail --list

    or

    firejail --tree

    tell you?

    Put the profile into complain mode and adjust it with aa-logprof.
     
  10. alan591

    alan591 Registered Member

    Joined:
    Jun 3, 2016
    Posts:
    3
    Location:
    Germany
    Hello,

    Here comes the tree. Sometimes it lists the flash stuff although it's disabled in Chromium, so I added both versions.

    Code:
    user@linux:~> firejail --tree
    3039:user:firejail chromium
      3040:user:firejail chromium
        3042:user:/usr/lib64/chromium/chromium --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242 --password-store=gnome --enable
          3048:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
            3050:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              3123:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
              3137:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
              3161:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
              3189:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
              3196:user:/usr/lib64/chromium/chromium --type=renderer --enable-threaded-compositing --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThr
          3097:user:/usr/lib64/chromium/chromium --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThrottling<RenderingPipelineThrottling,V8_Serialize_A
            3099:user:/usr/lib64/chromium/chromium --type=gpu-broker
    
    
    user@linux:~> firejail --tree
    8512:user:firejail chromium
      8513:user:firejail chromium
        8515:user:/usr/lib64/chromium/chromium --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242 --password-store=gnome --enable
          8521:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
            8523:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8591:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8602:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8636:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8648:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8655:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
              8661:user:/usr/lib64/chromium/chromium --type=zygote --ppapi-flash-path=/usr/lib64/chromium/PepperFlash/libpepflashplayer.so --ppapi-flash-version=21.0.0.242
          8570:user:/usr/lib64/chromium/chromium --enable-features=DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThrottling<RenderingPipelineThrottling,V8_Serialize_A
            8572:user:/usr/lib64/chromium/chromium --type=gpu-broker 
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That's interesting. As mentioned it doesn't work for me with these settings. The only explanation is what netblue30 wrote in his seccomp guide:
     
  12. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Please advise what purpose the firetools folder in ~/.config is intended for. At present there is nothing in it. Maybe to get other programs to show up in Firetools gui? If so, how?
    (Not that I use the gui, just curious).
     
    Last edited: Jun 19, 2016
  13. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Running Fedora Chrome starts with these profile options below - tracelog is a no go.

    caps.drop.all
    nonewprivs
    noroot
    protocol unix,inet,inet6,netlink

    There is a running error I haven't seen before though

    [1:1:0621/235904:ERROR:platformKeyboardEvent.cpp(117)] Not implemented reached in static PlatformEvent::Modifiers blink::platformKeyboardEvent::getCurrentModifierState()

    Which is otherwise a Chrome bug but doesn't seem to be a security issue.
    https://bugs.chromium.org/p/chromium/issues/detail?id=538289
     
    Last edited: Jun 22, 2016
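
Added example (not part of any post in this thread, and not firejail's or Firetools' own code): the posts above disagree about which profile options actually take effect for Chromium, and the kernel's /proc/<pid>/status file settles that per process. The function names, the PROC_ROOT variable and the status excerpts are assumptions made up for this sketch; the tree lines follow the `firejail --tree` layout posted above.

```shell
#!/bin/sh
# Added example: report which restrictions are really in force for each
# process of a sandbox, read from the kernel's own /proc/<pid>/status.
PROC_ROOT=${PROC_ROOT:-/proc}   # hypothetical override so the demo can use fixtures

# Summarise one status file. Kernels that predate the NoNewPrivs or Seccomp
# lines simply omit them; such fields are reported as "unknown".
jail_status() {
    awk '
        $1 == "NoNewPrivs:" { nnp = $2 }
        $1 == "Seccomp:"    { sec = $2 }
        $1 == "CapEff:"     { eff = $2 }
        $1 == "CapBnd:"     { bnd = $2 }
        function caps(v) { return v == "" ? "unknown" : (v ~ /^0+$/ ? "none" : "present") }
        END {
            split("disabled strict filter", mode, " ")   # Seccomp: 0, 1, 2
            printf "nonewprivs=%s seccomp=%s cap_eff=%s cap_bnd=%s\n",
                (nnp == "" ? "unknown" : (nnp == "1" ? "on" : "off")),
                (sec == "" ? "unknown" : mode[sec + 1]),
                caps(eff), caps(bnd)
        }' "$1"
}

# Read `firejail --tree` output on stdin; print "PID summary" for every
# listed PID whose status file is readable.
tree_status() {
    sed -n 's/^ *\([0-9][0-9]*\):[^:]*:.*/\1/p' | while read -r pid; do
        [ -r "$PROC_ROOT/$pid/status" ] || continue
        printf '%s %s\n' "$pid" "$(jail_status "$PROC_ROOT/$pid/status")"
    done
}

# Offline demo on constructed fixtures (values invented for illustration,
# not captured from a real system). Runs in a subshell so PROC_ROOT is
# not changed for the caller.
demo() (
    PROC_ROOT=$(mktemp -d)
    mkdir -p "$PROC_ROOT/3042" "$PROC_ROOT/3123"
    common='CapEff:\t0000000000000000\nCapBnd:\t0000000000000000\nNoNewPrivs:\t1\n'
    printf "Name:\tchromium\n${common}Seccomp:\t0\n" > "$PROC_ROOT/3042/status"
    printf "Name:\tchromium\n${common}Seccomp:\t2\n" > "$PROC_ROOT/3123/status"
    printf '3039:user:firejail chromium\n    3042:user:/usr/lib64/chromium/chromium\n          3123:user:/usr/lib64/chromium/chromium --type=renderer\n' | tree_status
    rm -rf "$PROC_ROOT"
)
demo
```

On a live system the same check is `firejail --tree | tree_status`. A renderer can show `seccomp=filter` because of Chromium's own seccomp-bpf layer, so the top-level browser process line is the one that shows what the firejail profile contributed.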
  14. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    pulseaudio 9 is working fine on my Arch setup. I remember a nasty bug with pulseaudio 7 where firejail muted all sound and the only way to get the sound back with firejail was by deactivating some feature in pulseaudio which would cause massive spam of little files in a pulseaudio folder (snbclient = no or smth like that).

    Is this bug fixed and firejail fully working out of the box with pulseaudio 9?

    Thanks :)
     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    No, I still had to use the workaround with 9.40

    $ mkdir -p ~/.config/pulse
    $ cd ~/.config/pulse
    $ cp /etc/pulse/client.conf .
    $ echo "enable-shm = no" >> client.conf
     
  16. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Thanks, but from what the pulseaudio developer commented, this is a very bad workaround and will cripple the system over time :(
     
  17. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Do you have a link to that comment?
     
  18. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    +1. I'd like to see this too.

    It would really suck if we had to choose between Pulseaudio and Firejail. I will choose Firejail if I have to. Only reason I have pulseaudio installed is for Skype (yeah I know.. I can't choose what people I know use..). I'll tell them all off :p
     
  19. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I would think Pulse could be replaced by Alsa but in searching most people say there would be issues with that.

    I've been using the Firejail work around for some time and can't attribute any problems from it.
     
  20. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    This may be an issue in Fedora at this point because in the thread on the audio issue netblue30 seems to indicate this is fixed in Debian and Ubuntu which likely means offshoots of those also.

    That discussion is here

    https://github.com/netblue30/firejail/issues/69
     
    Last edited: Jul 2, 2016
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The fix works also for Fedora. I'm using Fedora 24 (KDE spin) right now.
     
  22. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    When I wrote 'fixed' I meant no workaround necessary
     
  23. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Sorry, I don't have the link right now.

    It was on firejail's GitHub where the bug was originally reported. The developer of firejail + a pulseaudio developer commented and discussed how to solve the issue. At one point the pulseaudio developer explained that "enable-shm = no" is a very bad solution and would cripple the system because of...
     
  24. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    I cannot watch youtube videos while my browser is firejailed. I'm using Ubuntu 16.04 and I've tried both with Chromium and Firefox.

    Anyone has the same problem? How does one fix it?

    Sorry if this has already been discussed, if you could link me to the page number, I would appreciate.
     
  25. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I don't think he ever said that.

    Anyway, just remove the contents of /dev/shm before shutting down or rebooting.

    Or do as the developer actually said: "enable-memfd = yes in /etc/pulse/daemon.conf fixes this issue too"

    https://github.com/netblue30/firejail/issues/69#issuecomment-234000822

    Or: https://www.wilderssecurity.com/threads/firejail-linux-sandbox.369309/page-18#post-2599259
     