FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  2. guest

    guest Guest

    Firetools v0.9.62 Released (December 16, 2019)
    News
    New security tool: Firejail DNS over HTTPS proxy server
     
  3. guest

    guest Guest

    How to install and use Firejail on Linux
    Firejail allows you to easily sandbox Linux applications. Find out how to add this extra layer of security
    December 24, 2019
    https://www.techrepublic.com/article/how-to-install-and-use-firejail-on-linux/
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Interesting, I've installed Debian 10 alongside MX-19 and Windows 10, and when I run Firefox v71 under Firejail, it looks to be properly enforced in Apparmor :)

    Code:
    8 processes are in enforce mode.
       /usr/sbin/cups-browsed (690)
       /usr/sbin/cupsd (653)
       /usr/sbin/dhclient (848)
       /usr/sbin/ntpd (727)
       /opt/firefox71/firefox-bin (1197) firejail-default
       /opt/firefox71/firefox-bin (1252) firejail-default
       /opt/firefox71/firefox-bin (1318) firejail-default
       /opt/firefox71/firefox-bin (1414) firejail-default
    
    I haven't generated an Apparmor profile for Firefox. I couldn't achieve this result in MX-19.

    EDIT:

    same thing with Chromium. Very nice :thumb:

    Code:
    16 processes are in enforce mode.
       /usr/sbin/cups-browsed (690)
       /usr/sbin/cupsd (653)
       /usr/sbin/dhclient (848)
       /usr/sbin/ntpd (727)
       /usr/lib/chromium/chromium (1567) firejail-default
       /usr/lib/chromium/chrome-sandbox (1581) firejail-default
       /usr/lib/chromium/chromium (1582) firejail-default
       /usr/lib/chromium/chromium (1584) firejail-default
       /usr/lib/chromium/chromium (1600) firejail-default
       /usr/lib/chromium/chromium (1605) firejail-default
       /usr/lib/chromium/chromium (1654) firejail-default
       /usr/lib/chromium/chromium (1660) firejail-default
       /usr/lib/chromium/chromium (1664) firejail-default
       /usr/lib/chromium/chromium (1680) firejail-default
       /usr/lib/chromium/chromium (1689) firejail-default
       /usr/lib/chromium/chromium (1697) firejail-default
    
    BTW, I'm very impressed with Debian.
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, Firejail supports AppArmor if it was compiled with the --enable-apparmor option. In that case a profile named firejail-default is saved in /etc/apparmor.d (if that exists). It is applied in any Firejail profile that contains the apparmor option (and not a possibly existing individual AppArmor profile for the respective application - if you prefer that you have to ignore the apparmor option in the Firejail profile). Since I assume that AppArmor support is available in the Firejail package both for Debian and MX (as it is a Debian derivative), I guess that you simply had not enabled firejail-default in MX by executing
    Code:
    sudo aa-enforce firejail-default
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    No I definitely enabled it that way, but for whatever reason it didn't seem to enforce the processes of Firefox or Chromium the way it's enforced in Debian.

    EDIT:

    I've rechecked again and the firejail-default profile shows as enforced, but no matter what I open with firejail sandbox, the process opened with it does not show as enforced. It's sandboxed, for example geany editor, but geany process is not enforced under firejail.
     
    Last edited: Dec 28, 2019
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Hm, perhaps you're using modified Firejail profiles for those applications without the apparmor option? I can't think of another possible reason right now ...
     
  8. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    How do you check this?
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Code:
    sudo aa-status
    Actually, I compared the firejail-default profiles from Debian 10 and MX-19 and it turns out they're completely different!? Then as an experiment I overwrote MX-19's with Debian's but it still made no difference.
     
  10. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    I'm running Kicksecure which is based on Debian and I've also noticed Chromium is using AppArmor. Quite the nice discovery!
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Are there different Firejail versions on Debian 10 and MX-19? There have been several modifications for firejail-default in the past months. However, they don't explain that different behavior on your systems. The crucial point is if the Firejail profiles for Firefox, Geany etc. contain the apparmor option.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    This is the firejail-default profile for Debian:

    Code:
    # Last Modified: Sat Dec 28 09:01:23 2019
    @{PID} = {[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
    
    #########################################
    # Generic Firejail AppArmor profile
    #########################################
    ##########
    # A simple PID declaration based on Ubuntu's @{pid}
    # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
    # We don't know if this definition is available outside Debian and Ubuntu, so
    # we declare our own here.
    ##########
    
    
    profile firejail-default flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/dbus-session-strict>
      #include <abstractions/dbus-strict>
      #include <local/firejail-default>
    
      capability chown,
      capability dac_override,
      capability dac_read_search,
      capability fowner,
      capability fsetid,
      capability ipc_lock,
      capability ipc_owner,
      capability kill,
      capability lease,
      capability linux_immutable,
      capability mknod,
      capability net_admin,
      capability net_bind_service,
      capability net_broadcast,
      capability net_raw,
      capability setfcap,
      capability setgid,
      capability setpcap,
      capability setuid,
      capability sys_admin,
      capability sys_boot,
      capability sys_chroot,
      capability sys_module,
      capability sys_nice,
      capability sys_pacct,
      capability sys_ptrace,
      capability sys_rawio,
      capability sys_resource,
      capability sys_time,
      capability sys_tty_config,
    
      network inet,
      network inet6,
      network netlink,
      network packet,
      network raw,
      network unix,
    
      dbus,
    
      mount,
      remount,
      umount,
    
      signal,
    
      ptrace (read readby) peer=firejail-default,
    
      pivot_root,
    
      deny /**/.snapshots/ rwx,
      deny /proc/@{PID}/oom_adj w,
      deny /proc/@{PID}/oom_score_adj w,
    
      /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
      /{,**} mrlk,
      /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
      /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
      /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
      /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
      /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
      /{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
      /{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
      /{,var/}run/cups/cups.sock w,
      /{,var/}run/firejail/profile/@{PID} w,
      /{,var/}run/systemd/journal/dev-log w,
      /{,var/}run/systemd/journal/socket w,
      owner /opt/firefox71/update.test mrwlk,
      owner /opt/firefox71/update.test/ mrwlk,
      owner /proc/*/clear_refs mrwlk,
      owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
      owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
      owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
      owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
      owner /{,var/}run/media/** w,
    
    }
    ...then the one for MX-19:

    Code:
    #########################################
    # Generic Firejail AppArmor profile
    #########################################
    
    ##########
    # A simple PID declaration based on Ubuntu's @{pid}
    # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
    # We don't know if this definition is available outside Debian and Ubuntu, so
    # we declare our own here.
    ##########
    @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}
    
    profile firejail-default flags=(attach_disconnected,mediate_deleted) {
    
    ##########
    # Allow D-Bus access. It may negatively affect security. Comment those lines or
    # use 'nodbus' option in profile if you don't need D-Bus functionality.
    ##########
    #include <abstractions/dbus-strict>
    #include <abstractions/dbus-session-strict>
    dbus,
    
    ##########
    # With ptrace it is possible to inspect and hijack running programs.
    # Some browsers are also using ptrace for their sandboxing.
    ##########
    # Uncomment this line to allow all ptrace access
    #ptrace,
    # Allow obtaining some process information, but not ptrace(2)
    ptrace (read,readby) peer=firejail-default,
    
    ##########
    # Allow read access to whole filesystem and control it from firejail.
    ##########
    /{,**} rklm,
    
    ##########
    # Allow write access to paths writable in firejail which aren't used for
    # executing programs. /run, /proc and /sys are handled separately.
    # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
    ##########
    /{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
    
    ##########
    # Whitelist writable paths under /run, /proc and /sys.
    ##########
    owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
    owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
    owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
    owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
    
    owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
    
    # Allow writing to removable media
    owner /{,var/}run/media/** w,
    
    # Allow logging Firejail blacklist violations to journal
    /{,var/}run/systemd/journal/socket w,
    /{,var/}run/systemd/journal/dev-log w,
    
    # Needed for wine
    /{,var/}run/firejail/profile/@{PID} w,
    
    # Allow access to cups printing socket.
    /{,var/}run/cups/cups.sock w,
    
    # Needed for firefox sandbox
    /proc/@{PID}/{uid_map,gid_map,setgroups} w,
    
    # Needed for electron apps
    /proc/@{PID}/comm w,
    
    # Silence noise
    deny /proc/@{PID}/oom_adj w,
    deny /proc/@{PID}/oom_score_adj w,
    
    # Uncomment to silence all denied write warnings
    #deny /sys/** w,
    
    ##########
    # Allow running programs only from well-known system directories. If you need
    # to run programs from your home directory, uncomment /home line.
    ##########
    /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
    /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
    /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
    /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
    /{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
    #/{,run/firejail/mnt/oroot/}home/** ix,
    
    # Appimage support
    /{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
    
    ##########
    # Blacklist specific sensitive paths.
    ##########
    # Common backup directory
    deny /**/.snapshots/ rwx,
    
    ##########
    # Allow all networking functionality, and control it from Firejail.
    ##########
    network inet,
    network inet6,
    network unix,
    network netlink,
    network raw,
    # needed for wireshark
    network packet,
    
    ##########
    # There is no equivalent in Firejail for filtering signals.
    ##########
    signal,
    
    ##########
    # We let Firejail deal with capabilities, but ensure that
    # some AppArmor related capabilities will not be available.
    ##########
    capability chown,
    capability dac_override,
    capability dac_read_search,
    capability fowner,
    capability fsetid,
    capability kill,
    capability setgid,
    capability setuid,
    capability setpcap,
    capability linux_immutable,
    capability net_bind_service,
    capability net_broadcast,
    capability net_admin,
    capability net_raw,
    capability ipc_lock,
    capability ipc_owner,
    capability sys_module,
    capability sys_rawio,
    capability sys_chroot,
    capability sys_ptrace,
    capability sys_pacct,
    capability sys_admin,
    capability sys_boot,
    capability sys_nice,
    capability sys_resource,
    capability sys_time,
    capability sys_tty_config,
    capability mknod,
    capability lease,
    #capability audit_write,
    #capability audit_control,
    capability setfcap,
    #capability mac_override,
    #capability mac_admin,
    
    ##########
    # We let Firejail deal with mount/umount functionality.
    ##########
    mount,
    remount,
    umount,
    pivot_root,
    
    # Site-specific additions and overrides. See local/README for details.
    #include <local/firejail-local>
    }
    
    I have no Apparmor profiles for Firefox or Chromium under Debian 10. I'm only running the browsers under Firejail, which of course has its own profile which I posted above. The same problem with Firefox under Debian 10 as happened under latest Ubuntu, is that I can create an apparmor profile for it, but in no way can I play Netflix video. The browser otherwise works fine under the profile. I'm finding some buggy behaviour with apparmor, either in the way it creates path rules using aa-logprof or when I'm done profiling it will sometimes crash. It creates all kinds of rules for Widevine plugin, necessary for Netflix, but when attempting to play, I just get the stupid: "Whoops, something went wrong..." error. Even in complain mode this happens, and no amount of re-booting, launching into Netflix, and re-launching aa-logprof ever comes up with a rule(s) necessary to play Netflix videos. Only with MX-19 does my Apparmor Firefox profile work for playing Netflix.

    That said, I really, really like Debian 10 Mate. It's rock solid in every way imaginable, and I'm quite happy to run it under Firejail, with an apparmor profile working for Firejail. Netflix plays fine under this latter setup.
     
    Last edited: Dec 29, 2019
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Very nice indeed :thumb: I take it the Chromium profile was included with the Distro? Maybe sometime I'll burn that one to a pendrive (if possible) and test it.

    I'm curious, when you enter:
    Code:
    chrome://sandbox
    into Chromium's address field, what is the result you get?
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    I see in the firefox-common.profile that "seccomp" is not listed in it, but the Firejail wordpress site states seccomp-bpf is enabled by default. Does this mean it's unnecessary to include it in either the profile, or in the launcher's command line?
     
    Last edited: Dec 29, 2019
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    :eek: Are you sure? firefox-common should contain a
    Code:
    seccomp !chroot
    entry - in the git version I'm using it's line 49.

    If your version doesn't contain that entry something is seriously broken.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    What's the output of firejail --version on both systems?

    But again, the content of firejail-default isn't important here. Whether it is used in a Firejail profile is only determined by the existence of the apparmor option therein.


    I can't say anything about Netflix as I don't use it. I haven't seen crashes for aa-logprof so far. Problems like the one you mentioned can arise if the profile contains deny rules which take precedence over other rules. Although ... if that happens even with complain mode I guess that it's not caused by AppArmor. Have you also tried to disable the FF profile (aa-disable) and, if so, did Netflix work?
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Positive it wasn't there, but I've fixed the problem, as I was running the package version .58, I downloaded a newer version: firejail-apparmor_0.9.62_1_amd64.deb, then had to do a --force-overwrite to install overtop the old version. The seccomp !chroot line is there :thumb:

    I had no deny rules, and yes, only if the FF profile is disabled I can run Netflix videos no problem, even under Firejail. Remember, the Netflix issue occurs exactly the same under both Ubuntu latest and Debian latest, so I think it has something common to do with both distros.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Well guess what. I could see the Firefox apparmor profiles I created in Ubuntu and Debian were quite different in some areas than the one I created in MX-19. So I decided to take the MX-19 profiles:

    opt.firefox.firefox
    opt.firefox.firefox-bin
    opt.firefox.plugin-container
    opt.firefox.pingsender

    and use them in Debian 10. All I had to do was change the /opt/firefox/... entries to /opt/firefox71/... and of course my firefox userprofile entries to match those of Debian.

    It works! I can play Netflix content now :thumb: I guess I must have taken a wrong turn somewhere when creating them in Ubuntu and Debian, or for some reason the aa-logprof didn't generate some of the necessary rules to run the widevine plugin reliably. Not sure, but it's all fixed now.

    EDIT:

    furthermore, I can even run FF in firejail with the FF profiles enforced in Apparmor, which I can't do in MX-19. It doesn't get better than this :)

    EDIT #2:

    when I install this exact same version, obtained from sourceforge.net, into MX-19, and I run firejail --version, it shows as version 0.9.60 and Apparmor support disabled

    here in Debian it shows the expected version 0.9.62, and Apparmor support enabled
     
    Last edited: Dec 30, 2019
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Congratulations :thumb:

    Hm, why did you fetch it from sourceforge? I had once MX running in a VM, and AFAIR there are newer versions for many packages (including Firejail) offered somewhere in the MX package manager which should have AppArmor support enabled.

    (side note: This is another confirmation for me that my decision to run Arch Linux was right as I never have to bother about using the newest package versions ;) )
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Thanks!

    I found sourceforge.net to offer the latest packages.

    All the firejail-default profiles, including the one offered in MX packages, have Apparmor support enabled, but doing a "firejail --version" shows Apparmor as "disabled" in MX-19. I think all along that's been the problem. It's enabled with the command in Debian, and working as expected.

    I decided yesterday to drop MX-19 from my hdrive and now just dual-boot Debian with Windows 10 (I haven't used Windows in months ;) ). I just find Debian to be a cut above MX, and also I could re-enable Secure boot since Debian supports it :)
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    So it seems that that package was not compiled by using the --enable-apparmor option.

    FWIW, if you're interested in using the latest git version you can do this by executing (make sure that you uninstall the other Firejail version first!):

    Code:
    cd ~
    rm -rf ~/firejail
    git clone https://github.com/netblue30/firejail.git
    cd firejail
    ./configure --prefix=/usr --enable-apparmor
    make
    sudo make install
    
    sudo firecfg
    
    sudo chown -c root:firejail /usr/bin/firejail
    sudo chmod -c 4750 /usr/bin/firejail
    Note that the last 2 lines implement what is suggested here (under 3. Create a special firejail group). You have to create the firejail group and to add your user to that group first, logoff and login again. For the meaning of the 4750 file permission see here.

    In order to update the git version you can use this little script:
    Code:
    cd ~/firejail
    git pull
    ./configure --prefix=/usr --enable-apparmor
    make
    sudo make install
    
    #sudo sed -i 's/# force-nonewprivs no/force-nonewprivs yes/' /etc/firejail/firejail.config
    
    sudo chown -c root:firejail /usr/bin/firejail
    sudo chmod -c 4750 /usr/bin/firejail
    
    sudo firecfg
    
    If you want to implement what is suggested on above link (under 2. Set force-nonewprivs flag) you can uncomment the line containing the sed command. As mentioned there, Chromium-based browsers won't work, and other software might be affected as well so you have to try out if it works for you.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    It looks like the one I'm currently running on Debian was released two days ago on sourceforge.net:

    Released /firejail/firejail-apparmor_0.9.62_1_amd64.deb

    This is what returns when I run:

    Code:
    ~$ firejail --version
    firejail version 0.9.62
    
    Compile time support:
       - AppArmor support is enabled
       - AppImage support is enabled
       - chroot support is enabled
       - file and directory whitelisting support is enabled
       - file transfer support is enabled
       - firetunnel support is enabled
       - networking support is enabled
       - overlayfs support is enabled
       - private-home support is enabled
       - seccomp-bpf support is enabled
       - user namespace support is enabled
       - X11 sandboxing support is enabled
    And it works as expected so I'll stick with this version until I see an update. Thanks again!
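
The checks this thread worked through (compile-time AppArmor support in `firejail --version`, the `apparmor` option in the Firejail profile, and enforced processes in `aa-status`), gathered into one script. This is an added example, not part of any post; the function names are hypothetical and the sample inputs are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumption: included profiles sit in
# one directory and their paths contain no spaces.

# Check 1: stdin = `firejail --version` output; true if built with AppArmor.
apparmor_compiled_in() {
    grep -q 'AppArmor support is enabled'
}

# Check 2: does Firejail profile $1, or a file it includes from directory $2,
# carry the `apparmor` option? Prints yes, no or ignored. Simplification: an
# `ignore apparmor` line anywhere in the include chain counts as ignored.
profile_requests_apparmor() {
    queue=$1 dir=$2 seen=" " found=no
    while [ -n "$queue" ]; do
        f=${queue%% *}                                  # pop first path
        case $queue in *" "*) queue=${queue#* } ;; *) queue= ;; esac
        case $seen in *" $f "*) continue ;; esac        # include-loop guard
        seen="$seen$f "
        [ -f "$f" ] || continue                         # e.g. absent *.local
        if grep -Eq '^[[:space:]]*ignore[[:space:]]+apparmor[[:space:]]*$' "$f"; then
            echo ignored; return 0
        fi
        grep -Eq '^[[:space:]]*apparmor[[:space:]]*$' "$f" && found=yes
        for inc in $(sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$f"); do
            queue="${queue:+$queue }$dir/${inc##*/}"
        done
    done
    echo "$found"
}

# Check 3: stdin = `aa-status` output; prints the PIDs that profile $1
# confines in enforce mode.
confined_pids() {
    awk -v p="$1" '
        /^[0-9]+ processes are/ { enforce = ($0 ~ /in enforce mode/); next }
        enforce && $NF == p && $(NF-1) ~ /^\([0-9]+\)$/ {
            gsub(/[()]/, "", $(NF-1)); print $(NF-1) }'
}

# Runs the checks in the order the thread worked through them.
# $1 = version output file, $2 = profile, $3 = profile dir, $4 = aa-status file
diagnose() {
    apparmor_compiled_in < "$1" || { echo no-compile-time-support; return 0; }
    case $(profile_requests_apparmor "$2" "$3") in
        ignored) echo profile-ignores-apparmor; return 0 ;;
        no)      echo profile-lacks-apparmor-option; return 0 ;;
    esac
    if [ -n "$(confined_pids firejail-default < "$4")" ]; then
        echo confined
    else
        echo not-confined-check-aa-enforce
    fi
}

# Constructed sample inputs, modelled on the outputs quoted in the thread.
make_samples() {
    printf 'firejail version 0.9.62\n   - AppArmor support is enabled\n' > "$1/version-debian.txt"
    printf 'firejail version 0.9.60\n   - AppArmor support is disabled\n' > "$1/version-mx.txt"
    printf '# constructed\ninclude firefox-common.profile\n' > "$1/firefox.profile"
    printf 'seccomp !chroot\napparmor\n' > "$1/firefox-common.profile"
    printf 'include globals.local\nseccomp\n' > "$1/geany.profile"
    printf '%s\n' '4 processes are in enforce mode.' \
        '   /usr/sbin/cupsd (653)' \
        '   /opt/firefox71/firefox-bin (1197) firejail-default' \
        '   /opt/firefox71/firefox-bin (1252) firejail-default' \
        '0 processes are in complain mode.' > "$1/aa-status.txt"
}

tmp=$(mktemp -d) && make_samples "$tmp"
diagnose "$tmp/version-debian.txt" "$tmp/firefox.profile" "$tmp" "$tmp/aa-status.txt"
diagnose "$tmp/version-mx.txt" "$tmp/firefox.profile" "$tmp" "$tmp/aa-status.txt"
rm -rf "$tmp"
```

On a real system, save `firejail --version` and `sudo aa-status` to files while the sandboxed application is running and pass them to `diagnose` together with the application's profile and `/etc/firejail`.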
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    This has nothing to do with firejail, nor with Apparmor. I think it has everything to do with the Linux Kernel. Both Ubuntu and Mint, I believe, have optimized the kernel to maximize the sandboxing capabilities of every and all Chrome-based web browsers. The screenshot I've posted is the sandboxing capabilities of Chromium web browser in Debian 10:

    chromium-sanbox.png

    In Ubuntu and Mint you will probably achieve better sandboxing results. However, the most important is "Seccomp-bpf", so as long as you have that, you are well protected in the sandboxing of Chrome-based browsers within Linux.
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    You are right. That the Layer1 sandbox is a SUID sandbox suggests that in your kernel unprivileged user namespaces are not enabled. If they were, "Namespace" would be displayed. Note that unprivileged user namespaces are controversial as there have been multiple security issues in the past - that's why they are disabled in some distros.

    However, I don't know why the Yama LSM is disabled. AFAIK, it's used by most distros.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    it's also disabled in MX-19.
     