FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,518
    Well, it seems that it's not enabled in the Synaptic settings.

    But to make things a bit easier, you can execute the following command in the console:

    Code:
    sudo apt install -t stretch-backports firejail firejail-profiles
    No, but you should execute them in the console after installing Firejail.

    I strongly suggest that you look into the Debian documentation where you'll find plenty of information.
     
  2. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    106
I ran the stretch-backports cmd and it came back "stretch-backports is invalid for APT". I ran the 2 codes (sound and config); lots of items were created with their name. Went back into Synaptic and now firejail and profiles have blue checkmarks instead of green. How do you tell if it is installed and working? I promise this is my last question. Thanks for your help.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,518
    You have to enable the stretch-backports first - either in Synaptic (Settings -> Sources) or by editing /etc/apt/sources.list.d/debian.list and removing the # at the start of the stretch-backports line.

    Then execute

    Code:
    sudo apt update
    and then

    Code:
    sudo apt install -t stretch-backports firejail firejail-profiles
    Finally again

    Code:
    sudo firecfg
    as new profiles have been added.

    Code:
    firejail --version
    should show that 0.9.56 is running now.

    If you start applications for which Firejail profiles are available (e.g. Firefox) you'll see that when executing

    Code:
    firejail --list
    or, more detailed,

    Code:
    firejail --tree
     
  4. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    106
summerheat, Synaptic -> Settings (no Sources listed). Ran the cmd: permission denied. Since I had already run the firejail config code, I ran the version code. It showed firejail 0.9.50 installed. I then ran the tree cmd; it listed several items as enabled (apparmor, ....x11 sandbox). I guess it is installed and working. I'm used to Sandboxie's yellow border. Hopefully MX-17 will offer an update for firejail. Thanks for your help, I never would have made it this far without it.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,518
    Well, I'm not sure if it's called "Sources" or "Repositories" in the English version. In any case there is an entry in the settings where all repositories are listed and where you have to enable the backports repository. Close Synaptic and execute the commands above. And sudo firecfg should be executed with every Firejail update as new profiles are usually added.
     
  6. linuxop

    linuxop Registered Member

    Joined:
    Nov 6, 2018
    Posts:
    1
    Location:
    USA
I've read many articles about Firejail, but there is one thing I am still confused about.
    I am unclear as to why Firejail is better than running an app as a restricted user.
    There is a similar question on superuser.com, but it received no answer:
    https://superuser.com/questions/1359975/sudo-pkexec-vs-sandbox-differences-pros-cons
It seems to me that Firejail has a wider attack surface than simply running the app as a restricted system user.
What are the pros and cons of Firejail vs. a restricted user?
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,518
    1. First of all this contradistinction doesn't exist. If you run applications sandboxed with Firejail, they are not running with root privileges, either. The sandbox process starts as root but after it configures the filesystem, network and seccomp it drops privileges and starts the user application.
2. It's true that a restricted user doesn't have access to most "dangerous" stuff. Nevertheless, privilege escalation is possible if there is a vulnerability in an application. Besides, it's possible that, e.g., an infected browser starts a helper application that does something evil. As for most applications, all capabilities are dropped by Firejail and a seccomp filter is applied, the attack surface of the system (and the kernel in particular) is dramatically reduced.
3. Apart from this, an application running as a restricted user still has access to your whole home directory. Firejail restricts that access considerably by blacklisting critical folders and files (not only in your home) via the various *.inc files included in all profiles. And applications with whitelisted profiles actually only have access to folders/files which are explicitly whitelisted. This doesn't only improve your security but also your privacy.
     
  8. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,085
    Location:
    Brasil
    @summerheat Do you know how can I make firejail allow gimp to execute a single file?

Like in gimp.profile it says "noexec ${HOME}", but how can I prevent execution of anything EXCEPT in a folder like "/home/amarildo/.gimp-2.8/plug-ins/"?
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,518
    I've seen that you asked this question also here. I can't really add to what is said there. As a matter of fact, noexec ${HOME} is commented in the gimp profile that comes with Firejail. So if you uncommented it manually the suggestions made by glitsj16 are probably the way to go as noexec takes precedence over whitelist.
     
  10. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    106
summerheat, I feel like a real dumbaxx. After Synaptic -> Settings -> Repositories, I had to expand the repo window to see the stretch-backports entry to enable it. After doing that and following all the commands you listed, firejail updated to 9.56. Will firejail auto-update now? Thanks again for all of your help.
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,518
As soon as new Firejail versions arrive in that repo, you will receive them.
     
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    692
    Location:
    United States
Is anyone familiar with how Firejail is set up on Parrot? I've read they integrated it into the system. Maybe it's just preinstalled and nothing more than that. Just wondering.
     
  13. Jan42

    Jan42 Registered Member

    Joined:
    Feb 9, 2016
    Posts:
    11
Just a quick thank you to summerheat!
    I've read several comments in this huge thread and you are so helpful in many many ways.
    Thank you so much for taking the time to help everybody as much as you can and for announcing new versions quite frequently.
    I think I speak for everyone in saying that this is simply awesome. Thank you very very much for this amazing piece of software and your additional help.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,326
    Location:
    Canada
    Sorry if I've asked this question sometime before, but if I did, I've already forgotten the answer :oops: I ran sudo firecfg to automatically sandbox all relevant applications, but is there a way to run an app like google-chrome-stable un-sandboxed temporarily for the purpose of exporting bookmarks or retrieving files from MS Onedrive, for example?

    EDIT:

    I suppose I may have answered my own question - maybe. I created a separate launcher and edited the command to: firejail --noprofile google-chrome-stable
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,518
Thank you very much for your nice words! I'm a bit embarrassed now ...
    Just a clarification: this is not my software and I am only an interested user who is happy to help. :)
     
    Last edited: Dec 27, 2018
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,518
Well, the easiest way is using the full path for the application, i.e. starting it like
    Code:
    /usr/bin/google-chrome-stable
    This makes sure that the respective symlink in /usr/local/bin (pointing to /usr/bin/firejail) is not used and, consequently, the application is executed unsandboxed.
     
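The symlink mechanism described above, as an added example that is not from the thread or the Firejail project: a POSIX shell helper that checks whether a command name resolves through a firecfg-style symlink to the firejail binary or runs directly, demonstrated on a constructed temporary directory standing in for /usr/local/bin and /usr/bin (the helper names firecfg_target and demo_setup are assumptions).

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether NAME, looked up on PATH,
# is a firecfg-style symlink resolving to the firejail binary ("sandboxed") or
# some other executable ("direct"). Assumes the layout described above:
# symlinks in /usr/local/bin -> /usr/bin/firejail, real programs in /usr/bin.

# Usage: firecfg_target NAME [FIREJAIL_BIN]
# Prints: sandboxed | direct | missing (exit status 1 when missing)
firecfg_target() {
    name=$1
    firejail_bin=${2:-/usr/bin/firejail}
    found=$(command -v "$name" 2>/dev/null) || { echo missing; return 1; }
    # Canonicalise both sides so a symlinked parent dir (e.g. /tmp) is harmless.
    real=$(readlink -f "$found" 2>/dev/null || realpath "$found")
    fj=$(readlink -f "$firejail_bin" 2>/dev/null || realpath "$firejail_bin")
    if [ "$real" = "$fj" ]; then
        echo sandboxed
    else
        echo direct
    fi
}

# Constructed demo layout (hypothetical): <tmp>/local/bin plays /usr/local/bin,
# <tmp>/bin plays /usr/bin. Prints the temp dir so the caller can set PATH.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/local/bin" "$d/bin"
    printf '#!/bin/sh\necho "fake firejail: $*"\n' > "$d/bin/firejail"
    printf '#!/bin/sh\necho "fake chrome"\n' > "$d/bin/google-chrome-stable"
    chmod +x "$d/bin/firejail" "$d/bin/google-chrome-stable"
    # what "sudo firecfg" creates for an application that has a profile
    ln -s "$d/bin/firejail" "$d/local/bin/google-chrome-stable"
    echo "$d"
}

# Stand-alone demo: the bare name goes through the symlink, the full path does not.
demo=$(demo_setup)
PATH="$demo/local/bin:$demo/bin:$PATH"
firecfg_target google-chrome-stable "$demo/bin/firejail"              # sandboxed
firecfg_target "$demo/bin/google-chrome-stable" "$demo/bin/firejail"  # direct
rm -rf "$demo"
```

On a real system, `firecfg_target google-chrome-stable` with no second argument checks against /usr/bin/firejail, which is what the launcher trick in the post above relies on.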
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,326
    Location:
    Canada