FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    185
    Thanks.:)
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    Firejail 0.9.54~rc2 is available , 0.9.54 final should be offered here before long. It contains a bunch of improvements like a lot of new profiles and profile unification for Chromium- and Firefox-based browsers repectively.

    An important change is the introduction of the Firejail user access database. This tries to mitigate the concerns about Firejail being an SUID application. After updating to the new version you should execute sudo firecfg which not only applies the newly introduced profiles but also adds the current user to the newly created file /etc/firejail/firejail.users which contains the users who are allowed to execute Firejail. This adresses a concern expressed here that (possibly hijacked) unprivileged running daemons might exploit the setuid nature of Firejail and was discussed here.

    For every Firejail user definitely worth reading is this newly written site which contains a very good overview about its usage and the technologies used by it. Note that the chapter about SUID contains a section "3. Create a special firejail group". This is actually obsolete and is taken care by the change mentioned above.
     
  3. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    185
    There's a problem with Firefox 60 and Firejail 0.9.52_1, you cant surf the web when using Firejail.
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    Yes, this is caused by improvements in the Linux sandbox of Firefox 60. You should make 2 changes in /etc/firejail/firefox-common.profile:

    1. Remove or comment tracelog.
    2. Remove chroot from the seccomp.drop line. It should look like this now:
    Code:
    seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
    This should fix the problem. Those changes will be available in Firejail 0.9.54.

    EDIT: Sorry, this post contains an error. firefox-common.profile doesn't exist yet in Firejail 0.9.52 (and earlier). So above changes should be done in firefox.profile instead.
     
    Last edited: May 13, 2018
  5. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    185
    Thanks but I think I found solution by using the most recent version of Firejail version 0.9.54~rc1_1, it seems to solve the problem so far I haven't noticed any major issues although there are two minor issues I've noticed namely when opening a new tab it doesn't always load or sometimes Firefox crashes but these might be Firefox 60 problems (how ever these problems only seem to be an issue with Private-Home the standard Firejail profile seem to work just fine).
     
    Last edited: May 12, 2018
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    I'm not sure where you've got 0.9.54~rc1_1 from but the newest version is 0.9.54~rc2. It contains further fixes compared to rc1 which may solve your other problems.

    EDIT: See also this post and the one below.
     
    Last edited: May 13, 2018
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    A new firefox.profile to be used in Firejail 0.9.38 is available here and new profiles for Firefox, gedit and LibreOffice to be used in Firejail 0.9.52 are available here. There has been a discussion if updates for Firejail 0.9.38, 0.9.48 and 0.9.52 should be published but the problem is that distros like Debian and Ubuntu don't have the newest version of Firejail in their repositories - hence it would be unsure if such updates would land therein.
     
  8. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    185
    @ summerheat

    I got version 0.9.54~rc1_1 from here: https://sourceforge.net/projects/firejail/files/firejail/
    BTW I see that version 0.9.54~rc2 is available as .deb.
    Quote: Firejail 0.9.38, 0.9.48 and 0.9.52 should be published but the problem is that distros like Debian and Ubuntu don't have the newest version of Firejail in their repositories - hence it would be unsure if such updates would land therein. I wonder if Linux Mint will have the latest update for the LTS version FJ?
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    I doubt that since Mint uses the Ubuntu repositories. You will probably get newer version if you add the Firejail ppa. However, this won't help in this case as a new stable version is not yet out so you have to modify the respective profile itself. Anyways, here's a good post by Fred Barclay, who is a contributor to the Firejail project, in the Mint forum.
     
  10. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    46
    Firejail 0.9.38. Similar modifications seem to be needed for the thunderbird profile.
    Using latest Thunderbird email client, with Firefox 60 as a default browser, will stall when clicking on a web link in an email.

    Commenting out tracelog and modifying the seccomp line in thunderbird.profile, solves the problem.
     
  11. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    185
    Once again thanks summerheat.

    @ Sealord

    Same here TB just crashes on me whenever I try run it in Firejail. I'm hoping that theres a new stable release soon.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    Firejail 0.9.54 final is out. It can be downloaded here.
     
  13. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    981
    Thanks!
     
  14. gk59

    gk59 Registered Member

    Joined:
    May 31, 2018
    Posts:
    3
    Location:
    US of A
    Hi all, I'm very new to Firejail and have to say I love what it can provide however, since installing 0.9.54 on my host Kubuntu 18.04 LTS on my Lenovo laptop and of course still learning my way around, I can't access any of my files on my attached (to my Asus RT-AC86U router) WD Passport drive, .txt or otherwise, all comes up blank and zip files fail to open with Ark errors (fails to open.."
    No suitable plugin found. Ark does not seem to support this file type.). Is this a default profile issue and how can I set Firejail so I and only me can access these files or any user I give authorization to? Thanks in advance.
     
  15. gk59

    gk59 Registered Member

    Joined:
    May 31, 2018
    Posts:
    3
    Location:
    US of A
    anyone?
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    I had read your post but, quite frankly, I couldn't really understand your problem.

    You wrote:
    How did you try to access those files? Since you mentioned Ark, I assume that you're using KDE. If you were using dolphin it should not cause any problems to access external drives and the files thereon. So I rather think that it's a permission problem. Can you open those files as root? What's the file system on that Passport drive - is it ext2/3/4 or is it NTFS? I haven't used an NTFS drive with Linux for years but AFAIR you need root permissions for it.

    I've just tried it and there is, indeed, a problem in the ark.profile (which should be reported to upsttream). Comment the private-bin line and try again. That doesn't explain why you could not access other files, though. So I still think it's a permission problem.
     
  17. gk59

    gk59 Registered Member

    Joined:
    May 31, 2018
    Posts:
    3
    Location:
    US of A
    Hi, thanks for responding and I'll apologize for being a bit vague. The drive is formatted NTFS and I can access all files, but with the exception of .pdf which are read only all others are blank.
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    Firejail 0.9.56 is available. It comes with many improvements and with nearly 30 new profiles (so don't forget to execute sudo firecfg again). Right now the Firejail wordpress site doesn't mention it yet but it's already available for download.
     
  19. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    132
    i have converted acer aspire 6930 32bit vista over to a linux mx-17(done 3 months ago). i really like mx-17 and was wondering if firejail would work on this system? i've used sandboxie free on my windows machines for several years and would like to firejail firefox on mx-17. thanks for your help.
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    Yes, it works well. You should use the version from the stretch-backports repo (0.9.56.2). Don't forget to also install firejail-profiles.
     
  21. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    132
    summerheat, thanks for your reply. i know little of the inner-workings of linux. where would i find this repo and install steps? is there a youtube video? thanks
     
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    Well, the easiest way is to use the Synaptic package manager. I can't remember if it's installed by default. If not - just execute sudo apt install synaptic. It's possible that the backports repo has to be enabled in the Synaptic settings first before you can install Firejail.
     
  23. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    132
    summerheat, yes Synaptic was installed. i downloaded firejail and profiles-are they applied automatically or is there something else i need to do? thanks
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,769
    Just execute
    Code:
    firecfg --fix-sound
    sudo firecfg
    The second command makes sure that all applications for which Firejail profiles are available will be started sandboxed.
     
  25. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    132
    summerheat, thanks again for your help. when i checked Synaptic-settings-repo, i could not find backports. this item was enabled deb http://lso.mxrepo.com/ when i tyed in and checked off firejail and profiles and clicked apply, it downloaded/installed(?) firejail and profile version 0.9.50-0mx17+1. each had a green checkmark. i just can't find where it says they are installed. do i need to enter the 2 codes you posted? i'm a newb to linux and matters like this can be confusing, but i like the OS. thanks again
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.