FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    556
    Location:
    Canada
    Yes, absolutely correct. I couldn't mount the USB SanDisk Cruzer in Linux Mint (unable to mount location..can't mount file / error), so all for naught. Currently running Linux Slacko on the SanDisk and it's working OK. It has its own built-in firewall so I don't need firejail with it.
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    Firejail is not a firewall. You're misunderstanding something.
     
  3. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    556
    Location:
    Canada
    My mistake. It's a sandbox. I am in Linux Slacko64 on a USB stick as I am typing this. It does have its own firewall and I don't know if I can install firejail in it. Down the road when I leave Win. 7 I think Linux Mint is going to be my pick for its replacement. For now I am ending this conversation about firejail. :)
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    I installed Chromium and tried it, too. But unfortunately I couldn't make it work, either, even after modifying it. The one for Firefox works. Perhaps you should ask netblue30?

    On the other hand I no longer see any compelling reason to use Chromium over Firefox on Linux. I'm running Firefox 48 with multiprocessing enabled with the following extensions:
    [Image: Extensions.png]
    This is what I did:
    1. in about:config set browser.tabs.remote.autostart to true
    2. create the boolean browser.tabs.remote.force-enable and set it to true

    Restart Firefox - and check if everything works well. Some of your extensions might cause problems. The ones I'm using don't.

    Note that so far only one content process is used by default. If you want to change that you can change the number for dom.ipc.processCount from 1 to, say, 4 or higher. I've set it to 8.

    Result: A Firefox with multiprocessing which is so far absolutely stable and snappy and has - via Firejail - a sandbox which is presumably even stronger than the one for Chromium as no capabilities at all are required. And a browser which is far better in terms of privacy and configurability.

    I should add that you should back up your profile or create a new one (by starting firefox -p) before applying the above changes!
     
  5. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Does your setup see Firejail sandboxing each process separately? When you set the dom.ipc.processCount to, say, 8, does it always use 8 processes even with only one tab? Would it be possible to set that value to 50 so that it and firejail effectively create a better version of Chromium?

    To play devil's advocate I could say that the sandbox separating different content processes on Chromium is likely more developed/polished than even a firejail/multiprocess-fox scenario. From what I understand Firefox on Linux hasn't had ANY actual work on its sandbox model or security protections - just the multiprocess aspect.

    I use Firefox full-time on my Linux box as well, so don't take this as me arguing against your suggestions :)

    **EDIT** It's encouraging to see your success story - roughly half the extensions you use, I use as well. I can live without the other ones, so it looks like multiprocess will be fine for me to jump into...
     
  6. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    OK, so I decided to try Firefox multi-process myself, and here's my experience. First, I updated my system and FF 48 wasn't available. Checked my mirror and realized it's lagging behind the main Arch server, so I switched, -Syy, and then updated.

    Did as summerheat suggested above, and it almost went off without a hitch. When I loaded Firefox, none of my pages would load. Checked journalctl and sure enough had some AppArmor block messages. Disabled AppArmor and restarted FF - all of my extensions worked :eek:

    I'm impressed! I upped the dom.ipc.processCount to 25, but it did not spawn processes until I opened a new content process (another tab). Didn't experience any crashes or glitches. I did notice that every time I put in a URL or clicked on a tile in about:newpage there would be a 1-1.5 second delay before the page started loading - I'm sure they'll fix this in short order, or perhaps I just need to create a new profile. I checked firejail --list and still saw only one process listed, but that may just be the formatting used by that command of firejail.

    For now I'm back on single threaded, but it's a lot less painful than I expected it to be. Thinking about it, I don't think - in some ways - that such a setup would rival Chromium just yet (in terms of security). As I understand it, firejail itself prevents a process (like firefox) from doing certain things or accessing certain places on the OS. While it does limit system calls, I think theoretically FF would still be more vulnerable in terms of one exploited web content process stealing data from another one. On the other hand, it's likely to be more secure in relation to exploiting the OS (gaining user data from the filesystem, ransomware, etc.) since firejail is much more limiting than Chromium in terms of filesystem access (especially at this point when running a grsecurity kernel because of chroot jail hardening).

    When they get the URL loading issue resolved and I get around to tweaking my AppArmor profile with audit/aa-logprof, I'll switch. I have 16GB of RAM so what memory it uses beyond single process FF is of no consequence to me.
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    Strange :oops: I don't have this problem here. Perhaps you should try a new profile ...
    You'll see several processes with firejail --tree.

    I must admit that I don't know if and how different processes are isolated against each other. Will have to search for some info ...

    I've noticed three glitches with e10s enabled:
    1. Updating even restartless extensions now requires a restart of the browser.
    2. When I change to another tab sometimes the URL in the address bar still shows the one from the other tab.
    3. Print preview doesn't work (I've seen a bug report for this).

    Otherwise Firefox is very stable and fast.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,094
    Location:
    Canada
    Thanks for this info and thanks for testing chromium earlier. I guess I'm just sold on the Linux sandboxing afforded to chromium, as well as the fact in testing between the two browsers, I consistently find chromium to be snappier than Firefox. That said, I will try some more testing of Firefox under firejail.
     
  10. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    149
    OK I tried this bash script
    #!/bin/bash
    rm -fr ~/tmpfirefox
    mkdir ~/tmpfirefox
    cp -a ~/.mozilla ~/tmpfirefox/.
    firejail --private=~/tmpfirefox firefox
    In Linux Mint 17 inside of VirtualBox, and I noticed that when I use firejail --private=~/tmpfirefox firefox it kind of saves in the private sandbox. For example, if I disable an add-on in the private FJ it won't be disabled in the standard Firejail command, but in the private FJ if I disable an add-on and close Firefox and open it again with the firejail --private=~/tmpfirefox firefox command, the add-on is disabled. This worries me because if a website forcefully installs a malicious add-on or I get a browser infection it will persist in the private FJ environment.
    Firejail version 0.9.42
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    I'm not quite sure if I understand this sentence correctly. In any case it's necessary to start Firefox with the bash script as the first line removes ~/tmpfirefox (if it exists), the second line creates an empty ~/tmpfirefox again and the 3rd line copies ~/.mozilla to ~/tmpfirefox. If you only start Firefox with the --private=... switch it will use the same profile therein again, of course. This will not happen if you start Firefox with the script as it will delete that old profile in the first line.
     
  12. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    149
    OK I see now I need to use the full bash script:
    #!/bin/bash
    rm -fr ~/tmpfirefox
    mkdir ~/tmpfirefox
    cp -a ~/.mozilla ~/tmpfirefox/.
    firejail --private=~/tmpfirefox firefox

    in order for it to work properly. I just wish I could create a desktop shortcut to that bash script, instead of entering the bash script in the terminal every time. :thumbd:
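
Added example, not part of the thread: the throwaway-profile script from posts 10 to 12 as a reusable function, showing why the private directory must be rebuilt on every launch for sandbox changes not to persist. The function name `reset_private_home` and the `--launch` argument are made up for this example; the paths are the ones used in the posts.

```shell
#!/bin/bash
# Added example: start Firefox in a throwaway home that is rebuilt from
# ~/.mozilla on every launch, so nothing changed inside the sandbox
# (add-ons, prefs) survives into the next session.

# reset_private_home SRC_PROFILE PRIVATE_HOME
# Deletes PRIVATE_HOME and recreates it with a fresh copy of SRC_PROFILE.
reset_private_home() {
    src=$1
    priv=$2
    # Refuse obviously dangerous targets before running rm -rf.
    case "$priv" in
        ""|/|"$HOME"|"$HOME/")
            echo "refusing to reset '$priv'" >&2
            return 1 ;;
    esac
    # Without a source profile there is nothing to copy; leave things alone.
    [ -d "$src" ] || { echo "no profile at $src" >&2; return 1; }
    rm -rf -- "$priv"
    mkdir -m 700 -- "$priv"
    cp -a -- "$src" "$priv/"
}

# Launch only when asked, so the function can also be sourced and tested.
if [ "${1:-}" = "--launch" ]; then
    reset_private_home "$HOME/.mozilla" "$HOME/tmpfirefox" &&
        exec firejail --private="$HOME/tmpfirefox" firefox
fi
```

Saved as an executable file, the script can be started from a desktop launcher whose `Exec=` line calls it with `--launch`.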
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,065
    Location:
    Brasil
    Firejail-git now allows you to point to a ".rules" file for handling Firewall permissions. I gotta say I really like Netblue, he's a damn good developer who listens to the community and implements features in the blink of an eye.

    Just open "/etc/firejail/firejail.conf" and edit the "netfilter-default /etc/iptables/off.rules" part. Don't forget to start the sandbox with the "--net" switch.
     
  14. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    +1. Very transparent in terms of his thoughts and ideas as well.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    Firejail 0.9.42-rc2 was released just a couple of hours ago. So the final should be released soon.

    There are many improvements in this new version. Particularly interesting for AppArmor users is its explicit AppArmor support:
    The profile itself can be seen here.

    I'm not using AppArmor, but for those of you who do that's really a cool feature. :thumb:
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    Some days ago Firejail 0.9.38.2 was released which is a Long Term Support branch of Firejail.
     
  17. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,065
    Location:
    Brasil
    Today I gave Debian Jessie a try with the MATE desktop, and I couldn't re-open Firefox with the "--private=/dir" switch, Firefox kept saying my profile wasn't accessible (probably because of folder permissions). This doesn't happen with KDE.

    Does anyone have an insight about this?
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    Two days ago Firejail 0.9.42 was released. Among many other improvements and enhancements --private-home is finally back:

     
  19. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    149
    Yeah, that's great news. :thumb:
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,094
    Location:
    Canada
    Great news, and thanks for the update!
     
  21. SFB

    SFB Registered Member

    Joined:
    Sep 12, 2016
    Posts:
    1
    Location:
    USA
    --private-home is indeed an excellent re-addition and works charmingly!
     
  22. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    149
    I need to whitelist something for the Thunderbird FJ profile, you see I have a custom email notification sound in Thunderbird but the folder containing the audio file is under Documents>Email notification sounds and it doesn't play my notification sound. I temporarily fixed it by copying the Email notification sounds folder to my downloads folder. But I'm not sure how to whitelist it for Thunderbird. Any ideas?
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160
    See man firejail-profile. Just add a whitelist command for that audio file.
     
  24. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    149
    So if I want to whitelist the Email notification sounds folder, I just need to enter firejail-profile /home/vmmint/Documents/Email notification sounds? And will this whitelist the Email notification sounds folder for all FJ profiles including Firefox?
     
    Last edited: Sep 15, 2016
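
Added example, not part of the thread: what the `whitelist` command from `man firejail-profile` (post 23) looks like when written into a per-user Thunderbird profile. Assumed here: the stock profile is at /etc/firejail/thunderbird.profile and per-user profiles live in ~/.config/firejail; `add_whitelist` and `--apply` are names made up for this example.

```shell
#!/bin/bash
# Added example: build a per-user thunderbird.profile that keeps the stock
# rules (via include) and whitelists one extra directory under $HOME.

# add_whitelist PROFILE_FILE STOCK_PROFILE DIR
# Creates PROFILE_FILE if missing, starting with "include STOCK_PROFILE",
# then adds "whitelist DIR" unless that exact line is already present.
add_whitelist() {
    profile=$1
    stock=$2
    dir=$3
    mkdir -p -- "$(dirname -- "$profile")"
    if [ ! -f "$profile" ]; then
        printf 'include %s\n' "$stock" > "$profile"
    fi
    line="whitelist $dir"
    # -x: whole-line match, -F: literal string, so spaces and ${HOME} are safe.
    grep -qxF -- "$line" "$profile" || printf '%s\n' "$line" >> "$profile"
}

# Apply only when asked, so the function can also be sourced and tested.
if [ "${1:-}" = "--apply" ]; then
    # Single quotes on purpose: ${HOME} is written literally and expanded
    # by firejail when it reads the profile, not by the shell.
    add_whitelist "$HOME/.config/firejail/thunderbird.profile" \
        /etc/firejail/thunderbird.profile \
        '${HOME}/Documents/Email notification sounds'
fi
```

A whitelist line applies only to sandboxes started with the profile that contains it, so an entry in the Thunderbird profile does not change what Firefox can see.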
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,160