FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
Well that is what I meant, would they break anything? :D But I will just test around.. for now I am more concerned about opening apps by default with firejail.
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    You can blacklist almost all of them. There are exceptions, of course, e.g. Firefox needs to read ".mozilla" in order for it to use your profile. You need to test your apps to see what works and what doesn't. My suggestion is to block everything and then whitelist what the app needs, kind of like a good firewall practice.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    I can confirm that the fix doesn't break pulse AFAIK :) I'll keep testing.
     
  4. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
May I ask which kernel you are using? I know that there is one official one with grsecurity enabled by default, but that's about it?
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Yes, I'm using linux-grsec from the repo. It's the latest Kernel that grsecurity supports in their Testing repo.
     
    Last edited: Oct 7, 2015
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
  7. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    Has anyone used this for skype yet? If so, how did you do it?
     
  8. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
Firejail comes with a skype profile, so simply running $ firejail skype should work.
     
  9. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
If anyone is interested in a quick and easy way to open apps with firejail by default on XFCE:

    Settings -> MIME Type Editor -> Choose the MIME/Protocol e.g. http -> double click it -> below the list of apps that could open it there is "custom command" -> custom command "firejail iceweasel".

    Now whenever you open a link or http protocol it will open with "firejail iceweasel" instead of "iceweasel".

    The only downside:
Instead of showing "iceweasel" as the preferred application in the MIME Type Editor, it will display firejail.. so you will have a lot of "firejail" entries in that editor instead of the actual app that will open it.
It is also a pain to configure.. because e.g. okular opens like 50 different MIME/Protocols and you have to change every one of them one-by-one :/
     
  10. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    That doesn't work for me.

    After doing $ firejail skype I get the following output:

    Reading profile /etc/firejail/generic.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-history.inc

    ** Note: you can use --noprofile to disable generic.profile **

    Parent pid 6098, child pid 6099
    Child process initialized

    parent is shutting down, bye...
    Nothing happens after that.
     
    Last edited: Oct 11, 2015
  11. nailed

    nailed Registered Member

    Joined:
    Oct 11, 2015
    Posts:
    1
    Due to this: https://github.com/netblue30/firejail/tree/master/etc -
    Firejail doesn't come with a skype profile.
    I created skype.profile in /etc/firejail directory including this:
    # Start Firejail Skype profile
    noblacklist ${HOME}/.Skype
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc
    include /etc/firejail/disable-history.inc
    caps.drop all
    #seccomp
    netfilter
    noroot
    # End Firejail Skype profile

Seccomp is off, because Skype doesn't start with this option.

    PS: Archlinux+ Grsecurity/PAXD(softmode=0)
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
@UnknownK : Firejail doesn't come with a skype profile.

As there is no Skype profile the generic profile is used. And I guess that you're running into the same problem as our friend @amarildojr : You probably have a 64bit system but Skype is, AFAIR, a 32bit application. seccomp-bpf doesn't work with it. So you should create your own skype profile and disable seccomp. Let us know if that works.
     
  13. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,047
    Hi,
I use Linux Mint 17.2 and installed firejail and firetools. However, I'm relatively new to Linux and I see the red launcher for firetools, but I don't know how to add my browser or any other program to the launcher.
Any ideas please.
    I use the palemoon browser if it helps.
    Thanks.
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    @summerheat Yup, we have to disable seccomp for 32-bit apps.
     
  15. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    How does one go about doing that? It would be cool if you wrote a tutorial somewhere :p
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    There isn't a facility for adding other programs to the launcher other than from source compilation.
Firetools isn't particularly important IMO unless you want the convenience of the monitoring window; I prefer to add scripts to the desktop in the normal way to launch stuff.
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    o_O You just don't enable the seccomp filter? ._. There isn't much to it.
     
  18. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    Okay, somehow I thought I had seen a skype profile.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Firejail 0.9.32 is out with many improvements. You should update immediately as the old version contained a very nasty bug:

     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,010
    Location:
    Canada
    Installed. Thanks for the heads up, summerheat.
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    You're welcome!

    I'm thinking about how to best use the new --private-bin option which sounds intriguing. As far as I understand this means that the firejailed applications cannot start any other application in /bin, /usr/bin, /usr/sbin and /sbin (the first and the last two being only symbolic links to /usr/bin in Arch Linux, anyhow) except the ones specifically added to that option.
     
  22. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,047
    Thank You.
    I have discovered a way to achieve this.
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    There is another "trick" mentioned by netblue30 somewhere on his github site: Just create custom launch scripts in /usr/local/bin. Examples of scripts I've created:

    firefox
    Code:
    #!/bin/bash
    firejail --profile=/home/heat/.config/firejail/firefox.profile /usr/lib/firefox/firefox $1
    libreoffice
    Code:
    #!/bin/bash
    firejail --profile=/home/heat/.config/firejail/libreoffice.profile /usr/bin/libreoffice "$@"
    Just make them executable and all is well. The advantage is that those custom scripts won't be overwritten by updates unlike the system-wide desktop files in /usr/share/applications.

    EDIT: Regarding $1 and "$@" : You might need to experiment which positional parameter is needed for the respective application.

    EDIT2: @amarildojr : We discussed the problem that a firejailed Gwenview couldn't open a file with blanks. Unfortunately, adding shell none to its profile didn't work anymore for v. 15.08.2-1, and I also ran into the same problem with the new Okular version. Solution: Remove the firejail argument in the KDE start menu and create those 2 custom start scripts:

    gwenview
    Code:
    #!/bin/bash
    firejail --profile=/home/heat/.config/firejail/gwenview.profile /usr/bin/gwenview "$*"
    okular
    Code:
    #!/bin/bash
    firejail --profile=/home/heat/.config/firejail/okular.profile /usr/bin/okular "$@"
    BTW, adding the --profile option is not necessary. I'm doing it to make sure that those applications use the correct profile if I accidentally start them as root.
     
    Last edited: Oct 23, 2015
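As an added example (not code from the thread), the following stand-in for the /usr/local/bin launcher scripts above shows what the sandboxed application actually receives when the wrapper forwards its arguments with $1, "$@" or "$*". app_argv is a constructed stand-in for the "firejail --profile=... /usr/bin/okular" command line, and the file names are made up.

```shell
#!/bin/bash
# Added example, not from the thread. app_argv stands in for the real
# "firejail --profile=... /usr/bin/<app>" command; file names are constructed.

# Print every argument the application receives, one per line in brackets.
app_argv() {
  for a in "$@"; do
    printf '[%s]\n' "$a"
  done
}

# Forward arguments the way each wrapper style in the thread does.
#   style: dollar1 | at | star ; remaining args: what the desktop passes in.
forward() {
  style=$1
  shift
  case $style in
    dollar1) app_argv $1 ;;      # unquoted $1: first file only, re-split on blanks
    at)      app_argv "$@" ;;    # "$@": every argument passed through intact
    star)    app_argv "$*" ;;    # "$*": all arguments glued into one string
    *)       echo "unknown style: $style" >&2; return 1 ;;
  esac
}

# Number of arguments the application would see for a given style.
forward_argc() {
  forward "$@" | wc -l | tr -d ' '
}

# Demonstration with a file name containing blanks, as in the Gwenview case:
# only "$@" hands both files over unchanged.
if [ "${1:-}" = "demo" ]; then
  for s in dollar1 at star; do
    echo "--- $s"
    forward "$s" "My Photos/beach day.jpg" "notes.pdf"
  done
fi
```

Run it with the argument "demo" to see the three argv lists side by side; for a real wrapper, "$@" is the form that keeps file names with blanks intact.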
  24. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    This keeps getting better...
Lock down your Firejailed browser's DNS

    # firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox

    Obviously swap out Google's DNS for your DNS of choice.
     
  25. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
Oh that is nice.. together with dnscrypt I would simply force the browser to only use 127.0.0.1 as DNS server :)
     