FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. tlu

    tlu Guest

    Hi wat0114,

    I think the additional advantages are the various options available in Firejail. E.g., you can blacklist (or only make read-only) directories or files. See the examples in man firejail-profile. The firejail profile for Chromium (which I also use for Chrome) looks like this:

    The included files are disable-mgmt.inc

    ... and disable-secret.inc :

    You see that a couple of important directories and files are protected as any access by Chromium/Chrome is forbidden. You are free to add more. As I said before, this feature is kind of an Apparmor light - for Arch users not bad as Apparmor and SELinux are not easily available. I hope that the Firejail author will implement more fine-grained control in the future.
     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Thanks very much for this explanation, very useful. One thing I really value about Sandboxie on Windows is the ability to block access to user data for Internet facing applications, and this provides a really usable alternative for Linux - I've found Apparmor really hard work by comparison even when available. So, for example, I don't want any browser or email program seeing my user data store - none of its business (as well as sensitive OS or credentials directories). As you've done for Chromium/Chrome, I do the same with Chrome on Windows with Sandboxie, even though Chrome has a pretty good sandbox of its own.

    I also hate Linux distros which dual boot (or usb boot) on a laptop having full access to the other operating systems on the disk just by mounting, and this offers a convenient way of preventing programs doing that.

    I suppose what hacks me off is that application writers are not using the functions that are available - so Firejail is effectively making good their deficiencies, and the poor users having to double-guess what system calls and file areas the application actually needs.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,076
    Location:
    Canada
    Thanks, tlu!
     
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Is this enabled by default when you enable the blacklist?
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,076
    Location:
    Canada
    I don't think it is. After looking over the man page I came up with:

    Code:
    $ firejail --profile=/etc/firejail/chromium.profile --debug chromium
    
    The --debug switch shows what is enabled (actually "disabled"), and everything in the chromium.profile was shown as blacklisted.
     
  6. tlu

    tlu Guest

    Right. For Firefox this looks like this:

     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,076
    Location:
    Canada
    I'm interested in what customized profiles, if any, others are using. My chromium profile is as follows:

    Code:
    # Chromium browser profile
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    tmpfs ${HOME}/.config/chromium/Default/Peppe*
    tmpfs ${HOME}/.cache/chromium/Default/Cache/
    blacklist ${HOME}/.adobe
    blacklist ${HOME}/.macromedia
    blacklist ${HOME}/.mozilla
    blacklist /home/user_name/Downloads
    blacklist /home/user_name/Documents
    blacklist /home/user_name/Pictures
    blacklist /home/user_name/Music
    blacklist /home/user_name/Videos
    blacklist /home/user_name/Public
    blacklist /home/user_name/Templates
    blacklist /mnt
    blacklist /home/user_name/Desktop
    blacklist /run/media
    read-only /usr/share/icons/
    read-only /sys/devices/pci0000:00/
    read-only ${HOME}/.config/chromium/Default/Preferences
    read-only ${HOME}/.config/chromium/Default/Bookmarks
    I just replaced my name with "user_name". I have to say I'm not really a big fan of the blacklisting approach, but it's better than nothing. Also does anyone know how to utilize tmpfs so it launches one's current browser settings, including installed extensions?
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Thanks, I'd also be looking to prevent access to webcams and microphones, but I haven't done enough digging to see if/how that could be done.

    I'll also be setting up 2 different commands, with one using the --private flag to make it a completely transitory session (and hence reducing the need for cookie destroyers).
     
  9. tlu

    tlu Guest

    I haven't had the time yet to finetune my profiles and to try other options. However, as an alternative to what you suggested you can also create a persistent sandbox where your browser settings are saved. I just did it for Google Chrome:

    1. mkdir myprivatechrome
    2. copy ~/.config/google-chrome to ~/myprivatechrome
    3. firejail --profile=/etc/firejail/google-chrome-stable --private=~/myprivatechrome google-chrome-stable

    Works great. @wat0114 :This should mean that blacklisting those subdirectories in your home is superfluous as Chrome is blocked to access them anyhow. Cool! Symbolic links for ~/Downloads, ~/.lastpass ... whatever can be easily added according to your needs.
     
  10. tlu

    tlu Guest

    Why do you need cookie destroyers? I forbid 3rd party cookies and data by default and accept 1st party cookies and data only until the browser closes (with some exeptions). Additionally, I'm using the relevant privacy settings in µMatrix (like clearing the cache regularly -> no Etags). Do cookie destroyers offer more?
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Well I was thinking more about the various cookies or sneaky persistent mechanisms that cannot be controlled by plugins (e.g. https persistence or cache "cookies"). At least this way, you wipe everything!
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,076
    Location:
    Canada
    Thanks, tlu, that's slick. You are the best :thumb:

    EDIT

    Actually, giving this more thought, is it possible to to just retain current settings instead of accumulating persistent data? I'd really like to launch chromium with current settings, but everything modified during a browsing session is flushed after it's closed. Is this possible?
     
    Last edited: Feb 10, 2015
  13. tlu

    tlu Guest

    Ha, I'm flattered :) But actually I only echoed what Firejail's author already wrote.


    I don't think that's possible. But I will give it more thought, too.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Yes, that'd be good - I think it'd have to be part of a script to copy files over from a read-only view onto the Chrome profile to the temporary file store, rather than in Firejail.
     
  15. 142395

    142395 Guest

    If someone made and share such script it will benefit many who don't have ability to write script.
     
  16. tlu

    tlu Guest

    Re. "everything modified during a browsing session": but what about, e.g., extension updates or newly saved bookmarks? You will lose them, too, unless this can be solved somehow with a script deBoetie was talking about.

    But I still wonder why. I agree with gorhill that it's not impossible to block tracking/fingerprinting in the browser. A strict cookies and local storage management is rather easy, and you get rid of those cache "cookies" (aka ETags) if you clear the cache regularly which can be done, e.g., by µMatrix. Is there anything left? I must admit that I don't know what https persistence cookies are, so correct me if I'm wrong.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,076
    Location:
    Canada
    That's a good point. It would probably take a script as deBoetie suggests, but probably a rather complicated one. And as you allude to the possibility of blocking trackers/fingerprinting and strict cookie and storage management, what do I need to worry about, after all. I guess I'm just seeking something that perfects upon this current sandboxing technique. Something that could allow extension and bookmarks persistence, while flushing every other unwanted/unneeded changes.
     
  18. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    I had in mind something simpler like a bulk unselective file copy from a couple of places. It's a bit similar to what you might do with a virtual machine snapshot, or the analogous situation with a Sandboxie sandbox.

    With some VMs, I normally revert to snapshot (after browsing). But sometimes, as well as updating the system and browser, I'd add any plugins/extensions/bookmarks I wanted, then save a snapshot to that point.

    Same kind of thing with a Sandboxie sandbox, if I want to make a lasting change, I run the thing outside the Sandbox, then update.

    In both cases, because you don't use the system for any "real" browsing while updating, not logged in anywhere etc, you are not persisting cookies or personal information.

    So, what I'd experiment with Firejail would be doing just that, although I'd probably take advantage of the profiles to run a pristine update-only profile, which would be used as the source of the copy.

    @tlu, the HSTS supercookies are what I was referring to. How much these are real-world is debatable, but there is vulnerability there.
     
  19. Linux38911

    Linux38911 Registered Member

    Joined:
    Feb 17, 2015
    Posts:
    9
    Location:
    Netherlands
    Hello everybody. First of all I'd like to mention that I'm not a very advanced user of Linux. I recently switched from Windows to Linux.
    The linux version I'm using is Linux Mint 17.1 Cinnamon (kernel 3.13.0-37-generic).
    I do know a little bit about using the terminal and how to do some system administration via the terminal or disabling some unneeded services from starting up.

    I installed firejail and when I start firefox I do get some messages in the terminal like the following:

    Code:
    (process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
    
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised
    
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised
    
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised
    
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
    I'm not sure if this just a general warning which has little implications or that I'm doing something wrong.
    The browser opens without any further problems or errors. (in the titlebar of the browser it states: FireJail Linux sandbox).
    I always open my terminal as user and type "firejail firefox" (without the quotation marks).
    Maybe it's nothing to be worried about, but if anyone happen to know if something is wrong (maybe with my system), feel free to comment.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,076
    Location:
    Canada
    It's probably okay. Next time try including the --debug switch in your command line and it will show you everything' that's happening, including hte parent pid and child pid.
     
  21. Linux38911

    Linux38911 Registered Member

    Joined:
    Feb 17, 2015
    Posts:
    9
    Location:
    Netherlands
    Thanks wat0114 for your comment. Also all the comments posted here are very helpful and interesting.
    You're probably right in that it is okay. Probably messages from the browser itself related to the gui or such.
    When you start all sorts of programs via the terminal without gksu or kdesu then you get bombarded with terminal messages about the program that is being run.
    Thanks for the suggestion to use the --debug switch, I will do that.
     
  22. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Just to say, I've been running on LM17.1 x64 and do not recall these messages at all. Was going to repeat as soon as I had time. I did wonder if you had installed dependencies on the package install? Your messages had the feel of something like that.
     
  23. Linux38911

    Linux38911 Registered Member

    Joined:
    Feb 17, 2015
    Posts:
    9
    Location:
    Netherlands
    Hello deBoetie, thanks for commenting. Ehm, well to be honest, I'm not sure how to address the problem.
    You could consider me a bit of a newb when it comes to these kind of things.
    Let me say that I did every update and distupgrade with the mint update manager and installed various other programs with synaptic package manager, which also selects the dependencies automatically when you install something.
    I'm sorry that I'm not knowledgable enough to address the problem and having difficulties finding the solution. although I am planning to search on google, to see if anything related shows up.
    Also, I've installed a slightly newer kernel (uname -r shows: 3.16.0-30) 64 bit.

    Additional note: When I start firefox in the terminal WITHOUT firejail i get just one message :
    Code:
    (process:2869): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
    When I start firefox in the terminal WITH firejail i get additional messages I posted in post #44.

    Anyway, thanks for helping me and I will try to figure it out, hopefully. Otherwise to be absolutely safe when browsing I could open Virtualbox, install a linux in there and browse from within the virtualbox. But that is alot of resources just to browse the internet ;)

    Thanks, I will keep an eye on this thread of course and in the meantime do some googling on the subject.
     
  24. tlu

    tlu Guest

    I've been using Firejail for a while now and it works flawlessly. However, I have one problem I have been unable to resolve. I start Google Chrome with

    Code:
    firejail --profile=/etc/firejail/google-chrome-stable.profile --private=~/myprivatechrome google-chrome-stable %u
    and Thunderbird with

    Code:
    firejail --profile=/etc/firejail/thunderbird.profile --private=~/myprivatethunderbird thunderbird %u
    The problem is: If I click a link in a mail in Thunderbird nothing happens. It doesn't open in Chrome as it had before. I've tried various things to overcome this problem. I added

    Code:
    user_pref("network.protocol-handler.app.http","/usr/bin/firejail --profile=/etc/firejail/google-chrome-stable.profile --private=~/myprivatechrome /usr/bin/google-chrome-stable");
    user_pref("network.protocol-handler.app.https","/usr/bin/firejail --profile=/etc/firejail/google-chrome-stable.profile --private=~/myprivatechrome /usr/bin/google-chrome-stable");
    user_pref("network.protocol-handler.app.ftp","/usr/bin/firejail --profile=/etc/firejail/google-chrome-stable.profile --private=~/myprivatechrome /usr/bin/google-chrome-stable");
    and, alternatively,

    Code:
    user_pref("network.protocol-handler.app.http",~/myprivatethunderbird/.local/share/applications/google-chrome-2.desktop);
    user_pref("network.protocol-handler.app.https",~/myprivatethunderbird/.local/share/applications/google-chrome-2.desktop);
    user_pref("network.protocol-handler.app.ftp",~/myprivatethunderbird/.local/share/applications/google-chrome-2.desktop);
    to my user.js file where google-chrome-stable-2.desktop is a symlink for ~/.local/share/applications/google-chrome-2.desktop. I also added a symlink for ~/.local/share/applications/mimeapps.list.

    I checked the various places which might qualify and also tried to change the default browser with xdg-mime. But everything to no avail :confused:

    The funny thing is that opening such links works in QuiteRSS which I'm also running with Firejail. Does anybody have an additional idea how to solve this problem? I might be overlooking something obvious.

    EDIT: Found a solution. On http://kevinlocke.name/bits/2012/07/18/thunderbird-default-browser-linux/ this remark was crucial:

    So I created a symlink for xdg-open in ~/myprivatethunderbird/.local/share/applications/ . After restarting Thunderbird I clicked a https link, chose xdg-open and saved that as default. The link wouldn't open immediately but I got a KDE notification regarding contacting the respective site. After confirming this all was well - but only for https links, not for http links, though. So I closed Thunderbird and edited ~/myprivatethunderbird/.thunderbird/xxxxxx.default/mimeTypes.rdf. Here I found the following entry:

    Code:
    <RDF:Description RDF:about="urn:scheme:externalApplication:https"
                       NC:prettyName="xdg-open"
                       NC:path="/home/tlu/.local/share/applications/xdg-open" />
    I just added corresponding entries for http and ftp. After restarting Thunderbird those links worked, too.

    Puh! :eek: Thunderbird can be rather stubborn at times ...
     
    Last edited by a moderator: Apr 14, 2015
  25. You mean "urn:scheme:externalApplication:http" and ditto:ftp?

    thx
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.