FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I'm not sure that I understand. You can blacklist any folder if that's what you're trying to achieve.
     
  2. guest

    guest Guest

    Yes, I think this is more or less what I want to do, I was not sure I could. Thanks.

    I want a program/file executed from a folder to be run automatically isolated.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I'm still not sure that I understand it correctly.

    If it is about blacklisting folders, please note that Firejail comes with a specific profile for more than 600 applications (they are located in /etc/firejail). Those profiles contain blacklist commands mostly through the various *.inc files in those profiles. In many profiles there are also whitelist directives (which can be used for home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp) which means that the respective application can only access files/folders therein which are explicitly whitelisted.

    If your question is about automatically sandboxing an application, this can be achieved by executing sudo firecfg which makes sure that all applications for which a Firejail profile is available are automatically sandboxed when they are started. See chapter 2.3 in this documentation.
     
  4. guest

    guest Guest

    Yes, this one I used already. I think it is the closest thing to achieve what I want.

    Which is more like: you download an installer or file into a folder, then when it is executed, it runs sandboxed.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, in Linux you normally install applications from the official repositories with the respective package manager (depending on which distro you are using). They are usually installed in /usr/bin. sudo firecfg does 2 things:
    1. It removes the complete path in the .desktop files for those installed applications for which Firejail profiles are available.
    2. It creates symbolic links (pointing to /usr/bin/firejail) in /usr/local/bin. As that directory is located before /usr/bin in the $PATH of most distributions (you can check this by executing echo $PATH) the symlink in /usr/local/bin is used when such an application is executed making sure that it is sandboxed by Firejail. This is called symlink invocation.

    Again, this works only for applications with a Firejail profile. Other applications can be started by executing firejail application_name - in this case the default profile in /etc/firejail is applied. Or you create your own profile in ~/.config/firejail. If you execute sudo firecfg again, those custom profiles are also taken into account.
     
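    The following is an added example (not Firejail's own code, and not part of any post in this thread) that checks the symlink-invocation mechanism described above: it resolves a name along a PATH string the way the shell does and reports whether the first hit is a symlink pointing at firejail. The directory tree built by demo_layout is constructed for illustration; pass "$PATH" instead of the demo string to inspect a real system.

```shell
#!/bin/sh
# Added example (not Firejail's own code): check whether an application name
# resolves to a firecfg-style symlink, i.e. the first match along PATH is a
# symlink pointing at firejail. The tree built by demo_layout is constructed
# for illustration; pass "$PATH" instead to inspect a real system.

# resolve_in_path NAME PATHSTRING: print the first executable NAME found along
# PATHSTRING, in the same order the shell searches it (subshell keeps IFS local).
resolve_in_path() (
    IFS=:
    for dir in $2; do
        if [ -x "$dir/$1" ]; then printf '%s\n' "$dir/$1"; exit 0; fi
    done
    exit 1
)

# is_firejail_wrapped NAME PATHSTRING: succeed only when the first match is a
# symlink whose target is firejail (what "sudo firecfg" creates in /usr/local/bin).
is_firejail_wrapped() {
    target=$(resolve_in_path "$1" "$2") || return 1
    [ -L "$target" ] || return 1
    case "$(readlink "$target")" in
        */firejail|firejail) return 0 ;;
        *) return 1 ;;
    esac
}

# demo_layout ROOT: constructed fake tree mirroring what firecfg leaves behind:
# real binaries in ROOT/usr/bin, a firefox -> firejail symlink in ROOT/usr/local/bin
# (firefox stands in for an app with a profile, unprofiled-app gets no symlink).
demo_layout() {
    mkdir -p "$1/usr/bin" "$1/usr/local/bin"
    for app in firejail firefox unprofiled-app; do
        printf '#!/bin/sh\necho %s\n' "$app" > "$1/usr/bin/$app"
        chmod +x "$1/usr/bin/$app"
    done
    ln -s "$1/usr/bin/firejail" "$1/usr/local/bin/firefox"
}

# Stand-alone demo: with /usr/local/bin ahead of /usr/bin (the usual order)
# firefox is wrapped; with the order reversed the symlink is shadowed.
demo=$(mktemp -d); demo_layout "$demo"
is_firejail_wrapped firefox "$demo/usr/local/bin:$demo/usr/bin" && echo "firefox: wrapped by firejail symlink"
is_firejail_wrapped firefox "$demo/usr/bin:$demo/usr/local/bin" || echo "firefox: symlink shadowed by PATH order"
is_firejail_wrapped unprofiled-app "$demo/usr/local/bin:$demo/usr/bin" || echo "unprofiled-app: no symlink, not wrapped"
rm -rf "$demo"
```

The shadowing case is the check worth running after firecfg: if a distribution puts /usr/bin before /usr/local/bin, the symlinks exist but are never used.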
  6. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,999
    Location:
    Member state of European Union
    I think that this is beginning to change with Snap, Appimage, Flatpak. Of course official repositories are not gonna go away, but at least some programs will be installed and updated through these channels.
    I use Snap for Signal Desktop and NotepadQQ on my primary Debian Testing GNU/Linux system. Do you know if it is possible to create a custom Firejail profile for programs installed from Snap?
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I must confess that I'm not really familiar with that stuff. I just know that Firejail has built-in AppImage support. Flatpak and Snap have their own sandboxes which make use of seccomp-bpf, namespaces (and AppArmor for Snap). Those sandboxes seem to be rather strict. Whether additional sandboxing with Firejail makes sense is probably questionable. But I assume that it is possible to create custom profiles.
     
  8. guest

    guest Guest

    From what I read, Firejail can be used on top of AppArmor without much issue; some capabilities will be redundant, but it won't wreak havoc on the system.
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, but if you're referring to Flatpak and Snap, they also use technologies used in Firejail so there is a considerable overlap. Regarding using Firejail and AppArmor simultaneously, there can be problems but my impression is that a recent fix solved most of them.
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,999
    Location:
    Member state of European Union
    Technology allows creating strict policies, but that doesn't mean they are. At least NotepadQQ has access to my ${HOME}. I also tested Firefox from Snap and it also has access to my ${HOME} directory (but by default downloads to "${HOME}/snap/firefox/common/Downloads" instead).
    I wonder whether there is a way to customize Snap policies.
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    As mentioned, I'm not familiar with Snap. But according to this site it should be possible to change the confinement to strict. But this could mean that you're running into trouble, of course ... ;)
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @reasonablePrivacy : I just realized that Firejail comes with a snap.profile. It doesn't contain seccomp etc. but basically restricts access in your home to ~/Downloads and ~/snap. You can modify it to your liking in ~/.config/firejail/snap.profile or /etc/firejail/snap.local.

    This post suggests that you might need to start it similarly to the --appimage switch.
     
  13. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,999
    Location:
    Member state of European Union
    This is for building Snap packages from scratch.

    Unfortunately this doesn't work for me.
    I don't understand how Snap/snapd works under the hood. It seems to me that it executes some snap code and then launches the target application. This is the command I type to execute Signal:
    Code:
    snap run signal-desktop
    so I typed
    Code:
    firejail --profile=snap snap run signal-desktop
    I guess snap needs enough privileges, including suid/root, to work correctly. I think AppArmor or other MAC/RBAC should be more easily used to restrict programs executed by Snap/snapd, but it is only my guess.
     
  14. guest

    guest Guest

    @summerheat do you know by chance the command line to cancel "firecfg"?
     
  15. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    I had to uninstall altogether, because Chrome stopped launching.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Code:
    sudo firecfg --clean
    See man firecfg. But why would you want to do that?
     
  17. guest

    guest Guest

    Just to know if it was possible, thanks :)
     
  18. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    159
    firejail 9.58.2 was installed today (mx-17) by daily updates along with a long list of profiles. I ran the firejail --version cmd and it showed 9.58.2 and below that apparmor and several programs ending with the x11 program, all enabled. Do I still need to run sudo firecfg? Thanks for your help.
     
  19. SnowWalker

    SnowWalker Registered Member

    Joined:
    Apr 2, 2012
    Posts:
    287
    Location:
    USA
    I don't really know, but I think if you're unsure it wouldn't hurt to run
    Code:
    firecfg --clean
    to reset everything before running
    Code:
    firecfg
    to reset everything, but I don't know that it's necessary.

    So, did you enable the test repo? I'm still showing 0.9.50 in the stable, which is the version I have, and they show 0.9.58 and 0.9.58.2 having been put in test some time ago. https://forum.mxlinux.org/viewtopic.php?f=134&t=48245&p=485279&hilit=firejail#p485279
     
  20. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    159
    Back in December I enabled backports-stretch in Synaptic. In synaptic-settings-repo you have to expand the repo window to see the entry for backports-stretch. After rereading threads 603 and 605 several times, I think sudo firecfg needs to be run. I did not touch anything in the test repo.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    It is recommended to run sudo firecfg with every Firejail update as usually a couple of new profiles are added for applications which you may be using. This can also be done if you install new applications for which Firejail profiles are available, of course. Executing sudo firecfg --clean first is not necessary in either case.
     
  22. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    159
    I ran the sudo firecfg cmd and there were 2 new profiles. Now that I know/understand how the update process works I'm good to go. Thanks again for all your help. I love mx-17.
     
  23. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Who knows? It's possible that an attacker needs to use specific syscalls and/or capabilities to fully exploit that vulnerability and that Firejail could protect against that. But it's also possible that the attack begins at an earlier stage before Firejail can intervene. This is what Intel says:

     
  25. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Thanks, that's a relief. :thumb: Good to know that it's not guaranteed that Spoiler will affect your system as long as you have an up to date kernel.
     