FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    Well, it seems that it's not enabled in the Synaptic settings.

    But to make things a bit easier, you can execute the following command in the console:

    Code:
    sudo apt install -t stretch-backports firejail firejail-profiles
    No, but you should execute them in the console after installing Firejail.

    I strongly suggest that you look into the Debian documentation where you'll find plenty of information.
     
  2. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    i ran the stretch-backport cmd and it came back stretch-backports is invalid for APT. i ran the 2 codes(sound and config) lots of items with created by their name. went back into Synaptic and now firejail and profiles have blue checkmarks instead of green.how do you tell if it is installed and working? i promise this is my last question. thanks for your help.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    You have to enable the stretch-backports first - either in Synaptic (Settings -> Sources) or by editing /etc/apt/sources.list.d/debian.list and removing the # at the start of the stretch-backports line.

    Then execute

    Code:
    sudo apt update
    and then

    Code:
    sudo apt install -t stretch-backports firejail firejail-profiles
    Finally again

    Code:
    sudo firecfg
    as new profiles have been added.

    Code:
    firejail --version
    should show that 0.9.56 is running now.

    If you start applications for which Firejail profiles are available (e.g. Firefox) you'll see that when executing

    Code:
    firejail --list
    or, more detailed,

    Code:
    firejail --tree
     
  4. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    summerheat, Synaptic- settings- (no Sources listed) ran the cmd - permission denied. since i had already ran the firejail config code, i ran the version code. it showed firejail 0.9.50. installed. i then ran tree cmd it listed several items as enabled( apparmor, ....x11 sandbox). i guess it is installed and working. i'm use to sandboxie yellow bordor) hopefully mx-17 will offer an update for firejail. thanks for your help, i never would have made this far without it.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    Well, I'm not sure if it's called "Sources" or "Repositories" in the English version. In any case there is an entry in the settings where all repositories are listed and where you have to enable the backports repository. Close Synaptic and execute the commands above. And sudo firecfg should be executed with every Firejail update as new profiles are usually added.
     
  6. linuxop

    linuxop Registered Member

    Joined:
    Nov 6, 2018
    Posts:
    1
    Location:
    USA
    I've read many articles about Firejail, but there is one think I am still confused about.
    I am unclear as to why Firejail is better than running an app as a restricted user.
    There is a similar question on superuser.com, but it received no answer:
    https://superuser.com/questions/1359975/sudo-pkexec-vs-sandbox-differences-pros-cons
    It seems to me that Firejail has a wider surface attack than simply running the app as a restricted system user.
    What are the pros and cons of Firejail vs. Restricted User.
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    1. First of all this contradistinction doesn't exist. If you run applications sandboxed with Firejail, they are not running with root privileges, either. The sandbox process starts as root but after it configures the filesystem, network and seccomp it drops privileges and starts the user application.
    2. It's true that a restricted user doesn't have access to most "dangerous" stuff. Nevertheless, privilege escalation is possible if there is a vulnerability in an application. Besides, it's possible that, e.g., an infected browser starts a helper application that does something evil. As for most applications all capabilities are dropped by Firejail and a seccomp filter is applied, the attack surface of the system (and the kernel in particular) is dramatically reduced.
    3. Apart from this an application running as restricted user still has access to your whole home directory. Firejail restricts that access considerably by blacklisting critical folders and files (not only in your home) by the various *.inc files included in all profiles. And applications with whitelisted profiles have actually only access to folders/files which are explicitly whitelisted. This doesn't only improve your security but also your privacy.
     
  8. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    @summerheat Do you know how can I make firejail allow gimp to execute a single file?

    Like in gimp.profile it says "noexec ${HOME}", but how can prevent execution of anything EXCEPT in a folder like "/home/amarildo/.gimp-2.8/plug-ins/"?
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    I've seen that you asked this question also here. I can't really add to what is said there. As a matter of fact, noexec ${HOME} is commented in the gimp profile that comes with Firejail. So if you uncommented it manually the suggestions made by glitsj16 are probably the way to go as noexec takes precedence over whitelist.
     
  10. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    summerheat, i feel like a real dumbaxx. after synaptic-settings-repo, i had to expand the repo window to see the backports-stretch to enable it. after doing that and following all the commands you listed, firejail updated to 9.56. will firejail auto-update now? thanks again for all of your help.
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    As soon as new Firejail versions will arrive in that repo you will receive them.
     
  12. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Is anyone familiar with how Firejail is set up on Parrot? I've read they integrated it into the system. Maybe its just preinstalled and nothing more than that. Just wondering,
     
  13. Jan42

    Jan42 Registered Member

    Joined:
    Feb 9, 2016
    Posts:
    11
    Just a quick thank you to summerheat !.
    I've read several comments in this huge thread and you are so helpful in many many ways.
    Thank you so much for taking the time to help everybody as much as you can and for announcing new versions quite frequently.
    I think I speak for everyone in saying that this is simply awesome. Thank you very very much for this amazing piece of software and your additional help.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,284
    Location:
    Canada
    Sorry if I've asked this question sometime before, but if I did, I've already forgotten the answer :oops: I ran sudo firecfg to automatically sandbox all relevant applications, but is there a way to run an app like google-chrome-stable un-sandboxed temporarily for the purpose of exporting bookmarks or retrieving files from MS Onedrive, for example?

    EDIT:

    I suppose I may have answered my own question - maybe. I created a separate launcher and edited the command to: firejail --noprofile google-chrome-stable
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    Thank you very much for your nice words! I‘m a bit embarrassed now ...
    Just a clarification: this is not my software and I am only an interested user who is happy to help. :)
     
    Last edited: Dec 27, 2018
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    Well, the easiest way is using the full path for the application , i.e. starting it like
    Code:
    /usr/bin/google-chrome-stable
    This makes sure that the respective symlink in /usr/local/bin (pointing to /usr/bin/firejail) is not used and, consequently, the application is executed unsandboxed.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,284
    Location:
    Canada
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    Firejail 0.9.58 released with some improvements and many new profiles.
     
  19. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    how will i know if/when it is offered to mx-17? i have saved the commands from post 603 to a folder so i will always have them. my backports are enabled. thanks again for your help.
     
  20. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    283
    Location:
    USA
    In your MX Package Installer, click on the MX Test Repo tab, search for firejail. I show 0.9.58 available for firejail and firejail-profiles.
     
  21. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    yes, i see that also. i have 9.56 installed. what is the proper way to update to 9.58? will it be offered in a daily update or will i need to run the commands again? thanks for everyone's help
     
  22. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    283
    Location:
    USA
    That is the proper way to upgrade if you don't want to wait indefinitely for it to be offered in the stable repo where it will arrive with the normal updates. In the package installer test repo, just select firejail 0.9.58-1~mx17+1 and firejail-profiles if desired, they should have the orange symbol with arrows by them showing they're upgradable as you have an earlier version installed, then at the bottom click on upgrade once you have them checked.

    Just to be sure; you are looking at the MX Package Installer, and not Synaptics, if not, click on the MX symbol in the task bar (I think it's called the "whisker menu") and type "MX Package Installer" in the search box, then click on the MX Test Repo tab.

    I believe the test repo is pretty safe and reliable, and if something goes wrong you can downgrade. Though personally I tend to wait for things to be offered through the stable repo.
     
    Last edited: Feb 7, 2019
  23. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    146
    snowwalker, since i'm new to firejail i wasn't sure how the update would be offered. like you, i will wait for it in the daily updates. thanks again for your help.
     
  24. guest

    guest Guest

    I know that firejail isolate specified applications, but there is a way to isolate folders? (i mean if a process/program start from a specified folder, Firejail automatically isolate it).
     
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    Firejail 0.9.58.2 is out. It mainly contains some bugfixes.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.