FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. As posted here and here, as a Windows user (and Linux noob) I managed to sandbox Chromium with Firejail and AppArmor using the default profiles.

    The Thunderbird profile of Firejail blocks clicking links in emails. The workaround which FLU posted is described for people with Linux knowledge (which I don't have), and including the chromium-browser profile in Thunderbird's firejail profile did not work either (suggestion of Summerheat). It would be helpful if someone would give me tips on how to enable links in emails when firejailing Thunderbird.

    Also, if someone has a working AppArmor profile for Thunderbird, I would be very thankful if you would share it with me.

    Thanks Kees
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    This is one I used within the last few years on a linux Lite setup:

    NOTE where you see "###", those are used to replace my initials :)

    Code:
    # Last Modified: Sun Nov 10 13:28:25 2013
    #include <tunables/global>
    
    /usr/lib/thunderbird/thunderbird {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/nameservice>
    
    
      deny /usr/lib/firefox/firefox x,
    
      /bin/readlink rix,
      /bin/which rix,
      /dev/dri/card0 rw,
      /dev/nvidia0 rw,
      /dev/nvidiactl rw,
      /dev/tty rw,
      /etc/*.conf r,
      /etc/*.types r,
      /etc/apparmor.d/opt.google.chrome.chrome r,
      /etc/apparmor.d/opt.google.chrome.chrome-sandbox r,
      /etc/apparmor.d/opt.google.chrome.nacl_helper_bootstrap r,
      /etc/drirc r,
      /etc/fonts/** r,
      /etc/gnome-vfs-2.0/modules/ r,
      /etc/gnome-vfs-2.0/modules/*.conf r,
      /etc/gnome/*.list r,
      /etc/mailcap r,
      /etc/sound/events/*.soundlist r,
      /etc/thunderbird/syspref.js r,
      /etc/xdg/xfce4/*.rc r,
      /home/*/ r,
      /home/*/* r,
      /home/*/.cache/dconf/user rw,
      /home/*/.cache/thunderbird/** rw,
      /home/*/.config/*.dirs r,
      /home/*/.config/dconf/user r,
      /home/*/.config/google-chrome/*/ r,
      /home/*/.config/gtk-2.0/* rw,
      /home/*/.config/gtk-3.0/bookmarks r,
      /home/*/.config/xfce4/*.rc r,
      /home/*/.local/share/ r,
      /home/*/.local/share/* rw,
      /home/*/.local/share/applications/*.desktop r,
      /home/*/.local/share/applications/*.list r,
      /home/*/.local/share/mime/ r,
      /home/*/.local/share/mime/* r,
      /home/*/.local/share/mime/application/ r,
      /home/*/.local/share/xfce4/ r,
      /home/*/.local/share/xfce4/*/ r,
      /home/*/.local/share/xfce4/helpers/*.desktop r,
      /home/*/.thunderbird/*.default** rwk,
      /home/*/.thunderbird/*.ini r,
      /home/*/.thunderbird/hj3i0fkl.default/ r,
      /home/*/.thunderbird/hj3i0fkl.default/* rwk,
      /home/*/.thunderbird/hj3i0fkl.default/ImapMail/imap.telus.net/ r,
      /home/*/.thunderbird/hj3i0fkl.default/ImapMail/imap.telus.net/** rw,
      /home/*/.thunderbird/hj3i0fkl.default/Mail/*/ r,
      "/home/*/.thunderbird/hj3i0fkl.default/Mail/Local Folders/*" rw,
      /home/*/Documents/ r,
      /home/*/Documents/* rw,
      /home/*/Downloads/ r,
      /home/*/Downloads/* rw,
      /media/###/Storage01/ r,
      /media/###/Storage01/* r,
      /media/###/Storage01/###/ r,
      /media/###/Storage01/###/** r,
      /opt/google/chrome/ r,
      /opt/google/chrome/* r,
      /opt/google/chrome/google-chrome rix,
      /proc/*/fd/ r,
      /proc/*/mountinfo r,
      /proc/*/mounts r,
      /proc/*/stat r,
      /proc/*/status r,
      /proc/*/task/** r,
      /proc/interrupts r,
      /run/resolvconf/*.conf r,
      /run/user/###/dconf/user rw,
      /sys/devices/system/cpu/present r,
      /tmp/ r,
      /tmp/* mrw,
      /tmp/MozillaMailnews/ w,
      /tmp/MozillaMailnews/* rw,
      /tmp/orbit-###/ w,
      /usr/bin/ r,
      /usr/bin/exo-open rix,
      /usr/bin/gedit rix,
      /usr/lib/firefox/firefox.sh rix,
      /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 rix,
      /usr/lib{,32,64}/** mr,
      /usr/local/share/ r,
      /usr/local/share/fonts/ r,
      /usr/share/ r,
      /usr/share/applications/*.cache r,
      /usr/share/applications/*.desktop r,
      /usr/share/fonts/ r,
      /usr/share/fonts/** r,
      /usr/share/glib-2.0/schemas/* r,
      /usr/share/gvfs/remote-volume-monitors/ r,
      /usr/share/gvfs/remote-volume-monitors/*.monitor r,
      /usr/share/hunspell/ r,
      /usr/share/hunspell/* r,
      /usr/share/icons/ r,
      /usr/share/icons/DMZ-White/** r,
      /usr/share/icons/Faenza/**/ r,
      /usr/share/icons/Faenza/actions/** r,
      /usr/share/icons/Faenza/apps/** r,
      /usr/share/icons/Faenza/devices/** r,
      /usr/share/icons/Faenza/emblems/** r,
      /usr/share/icons/Faenza/index.theme r,
      /usr/share/icons/Faenza/mimetypes/** r,
      /usr/share/icons/Faenza/places/** r,
      /usr/share/icons/Faenza/status/** r,
      /usr/share/icons/Mint-X-Dark/* r,
      /usr/share/icons/Mint-X-Dark/actions/*/ r,
      /usr/share/icons/Mint-X-Dark/apps/*/ r,
      /usr/share/icons/Mint-X-Dark/places/*/ r,
      /usr/share/icons/Mint-X-Dark/status/*/ r,
      /usr/share/icons/Mint-X/*.theme r,
      /usr/share/icons/Mint-X/actions/** r,
      /usr/share/icons/Mint-X/apps/** r,
      /usr/share/icons/Mint-X/categories/** r,
      /usr/share/icons/Mint-X/devices/** r,
      /usr/share/icons/Mint-X/mimetypes/** r,
      /usr/share/icons/Mint-X/places/** r,
      /usr/share/icons/Mint-X/status/** r,
      /usr/share/icons/gnome/* r,
      /usr/share/icons/hicolor/* r,
      /usr/share/mdm/ r,
      /usr/share/mdm/applications/*.cache r,
      /usr/share/mime/ r,
      /usr/share/mime/*.cache r,
      /usr/share/mime/*/ r,
      /usr/share/mime/application/*.xml r,
      /usr/share/mime/image/* r,
      /usr/share/mime/text/* r,
      /usr/share/pixmaps/ r,
      /usr/share/poppler/cMap/Adobe-CNS1/ r,
      /usr/share/poppler/cMap/Adobe-GB1/ r,
      /usr/share/poppler/cMap/Adobe-Japan1/ r,
      /usr/share/poppler/cMap/Adobe-Japan2/ r,
      /usr/share/poppler/cMap/Adobe-Korea1/ r,
      /usr/share/themes/Gentle_2.0/gtk-2.0/* r,
      /usr/share/themes/Mint-X/gtk-2.0/** r,
      /usr/share/themes/Moomex/gtk-2.0/* r,
      /usr/share/xfce4/ r,
      /usr/share/xfce4/helpers/ r,
      /usr/share/xfce4/helpers/* r,
      /var/cache/fontconfig/* r,
      /var/tmp/ r,
      /var/tmp/* rw,
    
    }
    You'll have to keep in mind, the profile that works for one will likely not work for others, because of themes and desktop environments and such, as well as other variables, for example where you see "Storage01", that's one of my data storage drives. I believe this particular profile is not all that granular in its restrictiveness, but it still provided, at least imo, a reasonably secure profile. Of course if you firejail Thunderbird as well, you will strengthen its security considerably more.
     
  3. Thanks @wat0114, I see a deny for Firefox. Are you using Thunderbird with Firefox? I need to use it with Chromium, but will give your profile a try because I also see Google/Chrome (guess I should be changing that to Chromium).
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    No, I just use webmail for my email on Linux, and I no longer use apparmor, because for some reason it won't work on this lxle setup of mine, and of course it's even more difficult on Arch. With the profile I posted I was using mainly Chrome as my browser.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
    Execute
    Code:
    sudo aa-logprof
    which provides suggestions on how to adjust the Thunderbird apparmor profile. If you still have problems, put the profile into complain mode:
    Code:
    sudo aa-complain /etc/apparmor.d/usr.bin.thunderbird
    use it for a while and execute sudo aa-logprof again, possibly several times. Then put it into enforce mode again:
    Code:
    sudo aa-enforce /etc/apparmor.d/usr.bin.thunderbird
     
  6. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    Does anyone have Skype for Linux alpha (their new version) running in firejail?
     
  7. I did that, but sudo aa-logprof also creates thunderbird.sh which, as far as I can make out from the comments in older Thunderbird profiles, just does not work.

    You really need deep knowledge of Thunderbird and AppArmor, it is not a Monkey's trick ( :D I already tried that).
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
    I'm not sure that I understand :confused: sudo aa-logprof doesn't create files but rules for existing AppArmor profiles. A good introduction with some examples is this one from the opensuse.doc. It's important, though, that a profile for Thunderbird already exists in /etc/apparmor.d. If it doesn't, you can create one with sudo aa-genprof. It creates a basic profile for the chosen application, creates rules and finally puts the profile into enforce mode. In my experience this happens too early for complex applications in most cases. So I rather suggest that you create the profile with aa-autodep - it leaves the profile in complain mode until you change that. Use the application for 2 or 3 days, execute aa-logprof frequently until no new rules are created anymore. Then you put the profile into enforce mode with aa-enforce.

    aa-logprof will present many rules to you, and you have to have a basic knowledge what they mean. That's why you should familiarize yourself with the profile components and syntax, particularly with file permission access modes and execute modes.
     
  9. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    Regarding the firejail/pulseaudio problem. I'm having problems with pulseaudio 7.0 and latest version of firejail (.40). I've only had problems since installing Ubuntu 16.04, it worked fine in 14.04. I wonder, what version of pulseaudio works fine with firejail? I think I'll just install that one.

    Once I got used to firejail, I cannot not use it.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
    Did you try this?
     
  11. Sorry it also created the Thunderbird.sh profile, thanks for the information
     
  12. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    149
    So does the --private-home switch work in the latest version like --private-home? And how do I use it? --private-home switch firefox?
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    Unfortunately, and to my dismay, the --private-home switch was deprecated as of Version 0.9.38 :(
     
  14. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    149
    So there's no way to have a browser session that has all your bookmarks, add-ons/plug-ins and deletes everything much like Sandboxie does anymore?:'(
    That's ridiculous.:thumbd::mad:
    I hope the developer reimplements this feature in a future update. Because what could be more secure than a browser session where everything is deleted.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
    I wouldn't call it ridiculous as we don't know the reason why this functionality was removed. Anyways, there is an easy trick to get that functionality back.
     
  16. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    556
    Location:
    Canada
    Brand new to Linux here. I installed linux mint cinnamon https://linuxmint.com/edition.php?id=217 to a USB stick with the universal USB installer http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/ So far I've got firefox working with ublock0 installed and videos playing in HTML5 format. I know about Synaptic, Software manager and the APT installer. I've been trying to install "firejail" but not having much luck. Can any of you experienced Linux users give me some advice on this? Also any advice would be appreciated as to what other apps would be beneficial to install in Linux Mint. Thanks in advance. (p.s. I'm still keeping my Windows 7 64 bit also)
     
  17. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    671
    Location:
    United States
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    Thank you for the link, summerheat, but unfortunately this doesn't work for me, although I could be doing something wrong. I modified the script for chromium-browser as follows:

    Code:
    #!/bin/bash
    rm -fr ~/tmpchromium-browser
    mkdir ~/tmpchromium-browser
    cp -a ~/.config/chromium/Default ~/tmpchromium-browser/.
    firejail --private=~/tmpchromium-browser chromium-browser
    It opens Chromium sandboxed, but with no extensions or other personalized settings; just a new virgin session. This honestly doesn't deter me from using firejail, however. I still consider it an enhancement on Chromium's level of security.
     
  19. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    556
    Location:
    Canada
    Thanks for the info. Looks like I'll have to put this on hold for now. Everything that I thought I had installed on USB is now gone after reboot. Looks like the only other option is to install it beside Win 7 and am not ready to do that yet. So for now, I'll stay put. But down the road, if windows updates give me a hard time at least I know I have an alternative, that is linux and not Win 10.
     
  20. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    149
    True, I'm probably being a little melodramatic. Thanks, but I'm not familiar with bash scripts; also, would this script allow me to use this command firejail --private-home=.mozilla firefox to open Firefox in Private Home, or would it always launch FF in PH even if I use the firejail firefox command?
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
    I haven't installed Chromium right now so I can't check what's wrong. However, I noticed that one line in your code says:

    Code:
    cp -a ~/.config/chromium/Default ~/tmpchromium-browser/.
    
    Why did you copy ~/.config/chromium/Default only? Aren't there any settings (and possibly the missing ones) in the parent directory or in the other sub-directories beneath ~/.config/chromium?
     
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,158
    No, --private-home doesn't exist anymore. Just use the script suggested on the site I mentioned. It creates a directory ~/tmpfirefox, copies ~/.mozilla to that directory, starts firefox using that directory and deletes it when you start firefox again before creating ~/tmpfirefox anew. So all changes/modifications in that directory will be gone every time you start firefox again.

    EDIT: For easy usage, call this script tmpfirefox or whatever you want and create a starter pointing to that script.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    That was just an experimental modification of mine. The original script I was trying to get to work was
    Code:
    cp -a ~/.config/chromium ~/tmpchromium-browser/.
     
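    A disposable-home launcher added here as an example (it is not code from any poster): it generalises the tmpfirefox script summerheat describes in post 23 and, assuming Firejail's --private=DIR semantics (DIR becomes the sandbox's $HOME), copies the profile to the same relative path inside DIR, which is the likely reason the scripts in posts 18 and 24 (copying to ~/tmpchromium-browser/Default or ~/tmpchromium-browser/chromium instead of ~/tmpchromium-browser/.config/chromium) opened a fresh session. The function names and the ~/tmp<app> directory name are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: disposable-home launcher for Firejail.
# Firejail's --private=DIR uses DIR as the sandbox's $HOME, so a copied profile
# must sit at the same path relative to DIR that it has under the real home:
# ~/.config/chromium -> DIR/.config/chromium, ~/.mozilla -> DIR/.mozilla.

# prepare_disposable_home REAL_HOME TMP_HOME REL_PROFILE
# Recreates TMP_HOME from scratch and copies REAL_HOME/REL_PROFILE into it at
# the same relative path. Returns 1 if the source profile does not exist.
prepare_disposable_home() {
    real_home=$1; tmp_home=$2; rel=$3
    [ -n "$tmp_home" ] && [ -d "$real_home/$rel" ] || {
        echo "no profile directory at $real_home/$rel" >&2; return 1; }
    rm -rf "$tmp_home"
    mkdir -p "$tmp_home/$(dirname "$rel")"
    cp -a "$real_home/$rel" "$tmp_home/$rel"
}

# firejail_cmd TMP_HOME APP [ARGS...]: the command line the launcher will run
firejail_cmd() {
    tmp_home=$1; shift
    printf 'firejail --private=%s %s' "$tmp_home" "$*"
}

# disposable_launch REL_PROFILE APP [ARGS...]
#   e.g. disposable_launch .config/chromium chromium-browser
#        disposable_launch .mozilla firefox
# The throwaway home is ~/tmp<app> (my naming choice) and is removed again
# when the browser exits, so nothing written during the session survives.
disposable_launch() {
    rel=$1; app=$2; shift
    tmp_home="$HOME/tmp$app"
    prepare_disposable_home "$HOME" "$tmp_home" "$rel" || return 1
    firejail --private="$tmp_home" "$@"
    rm -rf "$tmp_home"
}

if [ $# -gt 0 ]; then disposable_launch "$@"; fi
```

Run it as `sh tmpbrowser.sh .config/chromium chromium-browser` or `sh tmpbrowser.sh .mozilla firefox`; the copy step fails loudly instead of silently starting an empty session when the profile path is wrong.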
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    671
    Location:
    United States
    Based on their second post, from what I can gather from it, they never really installed Mint - they just ran it Live.
     