FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes! I haven't dug deep enough into how Spoiler works (and I'm not sure at all if I would understand it if I had ;) ) - but the famous Spectre vulnerability can be used for a remote exploitation via javascript. Hence, running your browser with javascript blocked by default (with e.g., Noscript or, preferably, uBlock Origin in medium mode or with blocking JS altogether) is a good protection - which might also help against Spoiler.
     
  2. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Pale Moon Browser won't launch since updating Firejail and applying command $ sudo firecfg.
    I can start and run Pale Moon through Firejail Configuration Wizard and select
    build a custom security profile in FCW.
    I want to be able to update Pale Moon when updates become available.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Which distro and which Firejail version are you using? Are there any errors if you start Palemoon in the console?
    I don't understand. How is that related to Firejail?
     
  4. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Running Linux Mint 19 xfce and Firejail version 0.9.58.2_1_amd64.deb.

    I update Pale Moon out of the sandbox. Similar to when I update browser
    when running Windows and using Sandboxie. (both unsandboxed when updating)
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I've never used Palemoon (and never will). But as far as I've read there are 2 options how to do that:
    1. Using its internal updater - this probably assumes that Palemoon is installed in your home directory. palemoon.profile probably needs to be adjusted accordingly but I don't know if the updater works in the sandbox.
    2. Add Steve Pusser's repository as suggested here. This has the advantage that Palemoon will be updated via the package manager, and the palemoon.profile that comes with Firejail will work out of the box.
     
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @summerheat

    Use Pale Moon internal updater already. Had no problem before clicking on Pale Moon
    without using Firejail and it started and notified me when update was available.
    Problem occurred (browser won't start when clicked on in menu) when I added command in
    terminal for Firejail profiles. Next time Pale Moon is updated I can see if PM will
    update in Firejail sandbox. For now if I run PM browser I manually have to enter PM
    (home directory) line in Firejail Configuration Wizard and choose custom security profile.

    I'll most likely have to go into Firejail profiles and edit PM command to launch the
    browser automatically. Hoping it will then notify and update sandboxed.

    Thx for your input.
     
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Just 2 thoughts:
    1. In order to make sudo firecfg work you'll have to add the directory where Palemoon is installed to your PATH. I don't know that directory - let's assume it's ~/palemoon. So you should add something like
    Code:
    export PATH="/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:$HOME/palemoon"
    to your ~/.bashrc, logoff and login again.
    2. The palemoon.profile includes firefox-common.profile which in turn includes disable-exec.inc which blocks execution in your home directory, i.e. it also blocks executing palemoon. In order to fix that create the directory ~/.config/firejail and add the file palemoon.profile with the following content:

    Code:
    ignore noexec ${HOME}
    
    include /etc/firejail/palemoon.profile
    I guess that should be sufficient. If not, ignoring disable-exec.inc completely might be necessary. I don't know if further adjustments will be needed - you have to try it. ;)
     
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @summerheat

    Was able to start Pale Moon by changing the command in Edit Launcher.
    Now PM will run when I click on Mint menu whereas before it wouldn't launch.
    Still working on firejail configuration as you mentioned earlier.
    The home directory for PM browser (/home/<username>/palemoon)
    The palemoon.profile file owner is root (no access to permissions) so still learning
    where apps install and save files in Linux and how to edit them. (Prior Windows user)
    I can still launch PM manually using Firejail Configuration Wizard to sandbox browser.
    Firefox browser Firejail's automatically when clicked on.
     
  9. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    The Pale Moon internal updater works in the sandbox. I verified this when PM was
    firejailed at the time of a browser notification update. Installed the update and
    restarted PM browser which remained sandboxed after the update.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    So everything works as expected now?
     
  11. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Not exactly. For now just manually continue to build custom security profile
    in Firejail.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Hm, quite frankly nobody can help you if you don't show us what your custom profile looks like and tell us what exactly you're doing.
     
  13. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411

    PM custom security profile:
    /home/<user name>/palemoon/palemoon

    Restrict /dev directory
    Restrict /temp directory
    Restrict /mnt and /media

    system network

    DNS servers (use different servers. I don't use Google's)

    Disable video camera devices
    Disable CD-ROM/DVD devices
    Disable TV/DVB devices
    Disable 3D acceleration

    Enable seccomp-bpf
    Disable all Linux capabilities
    Restrict user namespace (noroot)

    Sandbox monitoring and statistics sometimes used (Debugging)

    Profile created manually each time and works.

    example: /usr/bin/firejail --profile=/tmp/firejail-ui-MZ1EdL/
    home/<user name>/palemoon/palemoon


    Pale Moon Forum:
    Talking about PM browser and Firejail issues on forum.
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I'm sorry - but I still cannot replicate what you're doing and, quite frankly, I'm close to giving up. Why don't you show the precise content of your individual palemoon.profile file? Why do you save the profile in /tmp where it will be deleted with every system start and not in ~/.config/firejail? How do you start the firejailed Palemoon? What is a UXP application?

    Anyway, all this trouble could probably be avoided if you had applied the second option suggested earlier. Palemoon would be updated with the package manager, its executable would be located in /usr/bin (or in another directory of the PATH), and the profile provided by Firejail would work out of the box.

    The problem is, IMO, that you're doing several things which are not standard in Linux, and since you're not familiar with Linux and Firejail enough you don't know how to fix the consequences.
     
  15. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @summerheat

    Not doing anything out of the ordinary. That's the way Firejail
    works when building a custom security profile.

    Don't want to use 3rd party PPA repository. PM as I said
    runs fine when updated when sandboxed. (Firejail)

    Creating a firejail folder in /home/<user>/config/ with palemoon.profile
    and adding code to it didn't work. That was also a tip others mentioned in
    other forums. Maybe it did work at one time with older versions.

    Other tips were to add ignore tracelog, or commenting out private-bin palemoon
    in palemoon.profile. That also didn't work.

    The only issue I have is starting PM automatically in the Mint menu.
    (sandboxed/unsandboxed)
    The default command in Edit Launcher (palemoon %u) doesn't
    launch PM browser.

    I can change the command to /home/<user name>/palemoon/palemoon
    or /user/bin/palemoon and it will launch browser unsandboxed.
    NOTE: See spinning Icon (mouse pointer) when I do this.

    I could probably undo the sudo firecfg command or
    go back to prior backup, but rather keep things including all updates
    as they are.

    UXP is a fork of Firefox 52 ESR with significant modifications to
    be a codebase for creating any number of XUL-based applications.
    Pale Moon 28 was the first version built on UXP, thereby
    providing improved support for web standards and video.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    As a Firejail user and contributor to its project for years I politely disagree. But anyways ...

    That's not surprising if you really used that folder. The correct one is:
    Code:
    /home/<user>/.config/firejail
    The dot before config is important.

    That's expected. Please show the output of
    Code:
    which -a palemoon
    and
    Code:
    ls -l /usr/bin | grep palemoon
    That's not necessary if everything is configured correctly.

    EDIT: Btw., you still haven't shown the precise content of your palemoon.profile. What you presented in a previous post was verbal description but not the precise rules. They are needed in order to check if it's correct or not.
     
    Last edited: May 12, 2019
  17. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @summerheat

    Palemoon.profile (Default) with nothing changed.

    https://github.com/netblue30/firejail/blob/master/etc/palemoon.profile

    Please show me what lines you added/changed in palemoon.profile and where.

    Code:
    ignore noexec ${HOME}
    
    include /etc/firejail/palemoon.profile 
    (any more lines and exact location in palemoon.profile)

    Again FCW seems to work with launching Pale Moon sandboxed fine.
    I just select the settings I want in the GUI and away I go.

    Typo error on my part. Do have .config (/home/<user>/.config/firejail)

    Code:
    which -a palemoon 
    /usr/local/bin/palemoon
    /usr/bin/palemoon


    Code:
    ls -l /usr/bin | grep palemoon 
    lrwxrwxrwx 1 root root 31 Oct 14 2018 palemoon -> /home/<user>/palemoon/palemoon
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Okay, we're coming closer to a solution: palemoon.profile is a whitelisted profile which means that access to anything in your home is blocked if not explicitly whitelisted. Since the palemoon executable (and libraries etc.) are obviously located in ~/palemoon, this has to be added to the profile as well. So ~/.config/firejail/palemoon.profile should look like this:

    Code:
    ignore noexec ${HOME}
    whitelist {HOME}/palemoon
    include /etc/firejail/palemoon.profile
    This should work now. I suggest that you execute sudo firecfg once more to make sure that the entry in the start menu does not contain the full path to the executable (you might want to check that).
     
  19. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @summerheat

    There are 27 lines of code in palemoon.profile.
    Where do I place these 3 lines? (location)
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    As I wrote above: in ~/.config/firejail/palemoon.profile which means /home/<user>/.config/firejail/palemoon.profile.

    The referenced original profile is in /etc/firejail . Or isn't it?
     
  21. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Yes.

    I added those 3 lines of code to palemoon.profile.
    (/home/<user>/.config/firejail/)
    Checked terminal and Firetools GUI and both list PM
    as sandboxed. (/usr/bin/firejail /usr/bin/palemoon)

    Same as Firefox when sandboxed.

    I didn't re-run sudo firecfg command yet. Changed command
    in start menu so PM is not pointing to full path executable.

    Now I can launch PM browser automatically Firejailed
    in the Mint menu. Greatly appreciate your help. Thx.

    NOTE: Wondering as mentioned before in previous post why
    when launching PM my mouse cursor pointer also has small icon
    spinning like it's still loading. Spinning does stop, but takes a little while.
    Firefox when launched sandboxed does not do this.
     
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    @Compu KTed : I just noticed that the second line contains a typo. It should read ${HOME}, of course. Sorry!

    BTW, the easiest way to check if an application is running firejailed is by executing

    Code:
    firejail --list
    or:
    Code:
    firejail --tree
     
    Last edited: May 13, 2019
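
The three requirements worked out across posts 7, 18 and 22 (execution allowed in home, the install directory whitelisted, the macro spelled `${HOME}`) can be checked mechanically. The script below is an added example, not part of any post in the thread and not part of Firejail; `lint_override` is a hypothetical helper name, and it assumes GNU `readlink -f` and an override that includes the packaged profile from /etc/firejail.

```shell
#!/bin/sh
# Added example; lint_override is a hypothetical helper, not part of Firejail.
# Usage: lint_override PROFILE EXECUTABLE [HOME_DIR]
# Prints one finding per line; the return status is the number of findings.
lint_override() (
    profile=$1 n=0 covered=no wl='whitelist ${HOME}/'
    home=$(readlink -f -- "${3:-$HOME}")
    # Follow symlinks such as /usr/bin/palemoon -> ~/palemoon/palemoon.
    real=$(readlink -f -- "$2")

    # 1. Firejail's macro is ${HOME}; a bare {HOME} is the typo from the thread.
    if grep -nE '(^|[^$])\{HOME\}' "$profile"; then
        echo 'finding: write the macro as ${HOME}'; n=$((n + 1))
    fi

    case $real in "$home"/*)
        # 2. disable-exec.inc blocks execution in the home directory; the
        #    override must lift that for a binary that lives in home.
        if ! grep -qxF 'ignore noexec ${HOME}' "$profile"; then
            echo 'finding: missing "ignore noexec ${HOME}"'; n=$((n + 1))
        fi
        # 3. A whitelisting profile hides every home path that is not
        #    listed, so one whitelist line must cover the real binary.
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in "$wl"*)
                dir=$home/${line#"$wl"}
                case $real in "${dir%/}"/*) covered=yes ;; esac ;;
            esac
        done < "$profile"
        if [ "$covered" = no ]; then
            echo "finding: no whitelist line covers $real"; n=$((n + 1))
        fi ;;
    esac

    # 4. The override only adds rules; it must pull in the packaged profile.
    if ! grep -qE '^include /etc/firejail/.+\.profile' "$profile"; then
        echo 'finding: packaged profile is not included'; n=$((n + 1))
    fi
    return "$n"
)

if [ "$#" -ge 2 ]; then lint_override "$@"; fi
```

Saved as a script, it can be run as `sh lint.sh ~/.config/firejail/palemoon.profile /usr/bin/palemoon`; an exit status of 0 means all four checks passed.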
  23. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    No problem. I caught it while I was looking at all the code in palemoon.profile.
    Thx for pointing it out though.
     
  24. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Firejail 0.9.60 available for download.

    You should update ASAP as a serious vulnerability was fixed, discussed here. The release notes are not yet quite up to date.
     