FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Thanks.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Has anyone actually tested Firejail to see if it's effective against exploits?
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Well, I haven't. But it would be really great if someone could use the full Metasploit arsenal to perform some attacks. I'm not an expert on that, though.
     
  5. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    I am getting tons of error messages but some are non-trivial I guess:

    Pango-WARNING **: error opening config file [path/to/pangorc] not authorized

    I am not quite sure firejail is working like it should. Any ideas?
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Hard to tell if we don't know which profile is affected. And does it really say "path/to/..." or is a specific directory mentioned?
     
  7. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Your ~/.config file is blacklisted in firejail's firefox profile which comes with Parabola. Removing "blacklist ${HOME}/.config" from /etc/fiirejail/firefox.profile will solve your problem. Even the pango error is another trivial error related to pango library which provides something like some multi-language text support. If you can put up with this error, it will be better security-wise to not remove ~/.config from the blacklist. You can also try "read-only ${HOME}/.config" to see if this can solve your problem.
     
  8. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
    Sorry, I was talking about the firefox (icecat, iceweasel) profile. A specific directory is mentioned, home/username/.config/pango/pangorc.

    Thanks a lot for your comment. I can (and have) put up with this message, I didn't know what to make of it. Thanks again. I will try "read-only ${HOME}/.config" later.
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    I'm a bit confused. The default Firefox profile definitely does not contain the rule "blacklist ${HOME}/.config" as completely blacklisting that folder would break a lot of things, indeed. Rather, the file disable-mgmt.inc is included which contains the rule "blacklist ${HOME}/.config/firejail" which doesn't break anything.
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    If it servers as something useful, here's my iceweasel profile:

    Code:
    caps.drop all
    seccomp
    noroot
    shell none
    
    ############### disable-mgmt.inc########
    
    # system directories
    blacklist /sbin
    blacklist /usr/sbin
    
    # system management
    blacklist ${PATH}/umount
    blacklist ${PATH}/mount
    blacklist ${PATH}/fusermount
    blacklist ${PATH}/su
    blacklist ${PATH}/sudo
    blacklist ${PATH}/xinput
    blacklist ${PATH}/evtest
    blacklist ${PATH}/xev
    blacklist ${PATH}/strace
    
    # Prevent manipulation of firejail configuration
    blacklist /etc/firejail
    blacklist ${HOME}/.config/firejail
    
    ############disable-secret.inc##############
    
    # HOME directory
    blacklist ${HOME}/.ssh
    tmpfs ${HOME}/.gnome2_private
    blacklist ${HOME}/.gnome2/keyrings
    blacklist ${HOME}/kde4/share/apps/kwallet
    blacklist ${HOME}/kde/share/apps/kwallet
    blacklist ${HOME}/.pki/nssdb
    blacklist ${HOME}/.gnupg
    blacklist ${HOME}/.local/share/recently-used.xbel
    
    ################ disable-common.inc###############
    # HTTP / FTP / Mail
    blacklist ${HOME}/.adobe
    blacklist ${HOME}/.macromedia
    blacklist ${HOME}/.icedove
    blacklist ${HOME}/.thunderbird
    blacklist ${HOME}/.config/midori
    blacklist ${HOME}/.config/opera
    blacklist ${HOME}/.config/chromium
    blacklist ${HOME}/.config/google-chrome
    blacklist ${HOME}/.filezilla
    blacklist ${HOME}/.config/filezilla
    
    # Instant Messaging
    blacklist ${HOME}/.purple
    blacklist ${HOME}/.config/psi+
    
    # VNC
    blacklist ${HOME}/.remmina
    
    # Other
    blacklist ${HOME}/.tconn
    
    ############## disable-history.inc #################
    # History files in $HOME
    blacklist ${HOME}/.history
    blacklist ${HOME}/.*_history
    
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Hm, that's actually equivalent with the default profile. Why don't you use that one?
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    I'm building profiles to applications so that I can have easy control over them.

    My Iceweasel profile has one modification over the default mozilla profile, which is no "netfilter", because I like my custom firewall rules. I just created this profile, like 5 minutes before linking it here, so I'll add a few more things into it. Also, it seems that firejail developers constantly change their profiles, so these custom ones I'm creating allow me to review those changes before commiting to them. It's a win for me :)

    Then I'll also create profiles for other programs like Libreoffice, VLC, games, etc.
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Understood! Take care :thumb:
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Thanks! You too.
     
  15. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    That's added by Parabola's maintainer.
    Not a lot, only this pango thing really which I don't think anybody other than those dealing with exotic languages need.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Ah, okay.

    Yes, if it's really only in the Firefox profile. Adding an unblacklist rule above "blacklist ${HOME}/.config" would help for pango (I don't know where it's exactly located).
     
  17. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Please help me to determine if this is a vulnerability or not. It looks like a serious vulnerability to me. Create a directory in your home, let's say "browser-home" and copy ".mozilla" to that directory. And start it with "firejail --private=~/browser-home firefox". Now enter about:support in firefox and hit the "Open Directory". It opens the real .mozilla directory not the sanboxed one. Or you can download something and open the file location using firefox's download manager. It opens the real home "Download" folder and there is no file in it. The downloaded file is in sanboxed profile, you can enter manually. But the firejail's private mode was supposed to disable accessing to the real home directory, right?

    I post this to the developer but he looks like don't want to understand, or i have no idea what i am talking about. Please someone who has knowledge, enlighten me.

    Here is the conversetaion; my nick is "Name": https://l3net.wordpress.com/2015/09...-sandbox-for-mozilla-firefox-part-3/#comments
     
  18. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    No. The private=directory option is not supposed to disable accessing of the real home directory. Your browser will think browser-home is the real home, but you can access the real home through the browser. You can prevent access to real home with private-home=.mozilla option. Bear in mind that any modification done will be lost after you close that instance of the browser, i.e changes are not permanent

    This is from firejail man page:
     
  19. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    In there says; https://l3net.wordpress.com/projects/firejail/firejail-usage/

    "Private mode is a quick way of hiding all the files in your home directory from programs running inside the sandbox."

    When i enter file:///home/user in iceweasel i can see it is the sanboxed home directory as it is supposed to be. Which means iceweasel really thinks it is the home directory and has no access to the real home. Everything looks fine.

    But are you suggesting that "Open Directory" in about:support is not part of the iceweasel? Because as i said, it opens the real home.
     
  20. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    All right, I was wrong. I just tested it and I could bypass the sandbox by opening files via open directory in about:support. I could see the blacklisted files, however I couldn't open/copy/delete any blacklisted file. Blaclisted directories could be copied/deleted. Definitely a bug/vulnerability. Happens in normal mode as well as in private mode.
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    @UnknownK, mind explaining the exact steps to reproduce this?

    Thanks.
     
  22. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Nothing special. Go to about:support via firefox/iceweasel address bar. Click on the clickable open directory box which is meant to open the directory of the the profile you are currently on. Your default file manager will open (or nothing will happen at all depending on your distro/configuration; nothing opens in my debian box) and you can test things there. For example my ~/Documents directory is blacklisted in the firefox profile of firejail, but I can view the list of files there, but couldn't open/copy/delete anything, but could delete ( deleting from the system ) the Documents directory itself.
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    You are right, I could reproduce. That's a nasty bug.
     
  24. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Ok. Developer of the firejail says it is a bug.

     
  25. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Congrats, pandorax, for finding a highly exploitable bug. NetBlue, I'm sure, will find a solution.

    Wonder if the same thing happens in Chrome or Chromium?

    Later...
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.