FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,030
    Location:
    Canada
    Version 0.9.34 released, Saturday, November 7, 2015

    • added --ignore option
    • added --protocol option
    • support dual i386/amd64 seccomp filters
    • added Google Chrome profile
    • added Steam, Skype, Wine and Conkeror profiles
    • Bugfixes
     
  2. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Thanks, do you know if the pulseaudio bug on arch is also finally fixed?
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,030
    Location:
    Canada
    You're welcome. It looks like the problem is just "masked" since v0.9.32 until PulseAudio developers fix the issue.

    Details here.
     
  4. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    So, supposedly firejail should support skype out of the box now. It doesn't work for me though. I'm using the GUI (firetools) and there's no skype icon.

    If I do "firejail skype" in terminal, I get the following:

    Reading profile /etc/firejail/skype.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Parent pid 9215, child pid 9216
    Child process initialized

    parent is shutting down, bye...

    How do I go about fixing this? I'm a complete noob, so step-by-step would be much appreciated :p

    EDIT: Never mind. I managed to do it. Doing "firejail skype" works just fine. I had Skype opened already, might be why that didn't work before.

    Is there an easy way that I can see that this is actually doing what it's supposed to do?
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Sorry for asking this, but I've been away from Linux for the last couple of months. Do you guys know how to fix a Firefox annoyance? Every time I open it, it asks me if I want to make it default, even though it is my default browser (Iceweasel). I think I must whitelist some file/directory, but I don't know which.
     
  6. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    @amarildojr
    type about:config in browser urlbar
    then search for preference name "browser.shell.checkDefaultBrowser"
    set the value for this preference to false, and the prompt at each startup should cease
     
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Actually, my problem is related to firejail. Firejail loads my profile fine, but it blocks some system file that tells Iceweasel that it is my default browser.
     
  8. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    There is no such problem when using with "--private=~/whatever"
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Thanks. I just moved to Debian and will test it today.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,030
    Location:
    Canada
    That doesn't work for me using Chromium, nor any other variations I've tried. The syntax I'm using works fine, except that I get the same nuisance issue ("chromium isn't your default...") as amarildojr is:

    Code:
    firejail --private-home=.config/chromium/ chromium
    This is my preferred option for running chromium as it discards any and all changes made within the browsing session under firejail. BTW, I'm running the .36 RC1 with no noticeable issues yet.
     
  11. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Did you apply the pref I cited? You applied that pref and it failed to suppress the undesired behavior?
    If so, the only thing I can suggest is that your changed pref is being discarded with the sandbox.
    Need to apply the pref during an unsandboxed session or the saved pref will not persist, right?
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Yes, I couldn't get that to work either. But I can live with it.

    Not in my case. If I start Iceweasel un-sandboxed no warning will appear, because I already configured it unsandboxed. But if I start it with Firejail, all the configurations will still be in place, however it won't recognize that it is the default browser. I have no idea what file I need to white-list in order to have that working, but I'm not going to move a finger to find it :p
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Try using the --debug switch.
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Thanks! But how do you manage extension updates, changes in your bookmarks, etc.? They are all lost once the sandbox is closed, aren't they?
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    What's interesting is the --whitelist switch in recent versions of Firejail. netblue30 has modified several included profiles accordingly, e.g. the Firefox profile. If you input

    Code:
    file:///home/your_user
    in the address line you'll see that only a very limited number of directories in your home are visible/accessible. Very cool!

    netblue30 once explained how it works:
    Explanation: A bind mount takes an existing directory tree and replicates it under a different point. The directories and files in the bind mount are the same as the original. Any modification on one side is immediately reflected on the other side, since the two views show the same data.

    I've seen that the coming version will bring further improvements.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,030
    Location:
    Canada
    Well, in those cases I have to open the browser non-firejailed for all updates and changes I want to make. Maybe that --whitelist switch can make this more convenient? I'll look into it.

    *EDIT*

    Hmmm... maybe it won't help. I think any and all changes in whitelisted directories will still be flushed away when the sandbox closes.
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    What I find interesting is that Iceweasel says it's been run as superuser. Am I the only one?
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    No, they aren't!

    EDIT: Just try the Firefox profile that comes with Firejail, and you will see. The advantage of the --whitelist approach is that you don't have to blacklist one (sub)directory after the other in your home.
     
    Last edited: Dec 13, 2015
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Well, not here:

    Code:
    739:root:/usr/bin/firejail --profile=/home/heat/.config/firejail/dnsmasq.profile /usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-nl --local-address=127.0.0.1:40 --user=
      760:nobody:/usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-nl --local-address=127.0.0.1:40 --user=nobody
    742:root:/usr/bin/firejail --profile=/home/heat/.config/firejail/dnsmasq.profile /usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-dk --local-address=127.0.0.1:41 --user=
      1351:nobody:/usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-dk --local-address=127.0.0.1:41 --user=nobody
    1191:root:/usr/bin/firejail --profile=/home/heat/.config/firejail/dnsmasq.profile /usr/bin/unbound -d
      1192:unbound:/usr/bin/unbound -d
    24607:heat:/usr/bin/firejail firefox
      24608:heat:/bin/bash /usr/local/bin/firefox
        24609:heat:firejail --profile=/home/heat/.config/firejail/firefox.profile /usr/lib/firefox/firefox
          24610:heat:/usr/lib/firefox/firefox
            24633:heat:/usr/lib/mozilla/kmozillahelper
    25873:heat:/usr/bin/firejail thunderbird
      25874:heat:thunderbird
    Only unbound and dnscrypt-proxy run as root, of course, Firefox and Thunderbird as normal user.
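    To check the thing this listing shows (which user the sandboxed payload actually runs as, as opposed to the firejail launcher), here is an added example that is not Firejail's own code: it parses `firejail --tree` output and flags sandboxes whose payload is still root. The sample tree is constructed from the listing above plus one made-up sandbox (pid 9001, `some-daemon`) whose payload stays root.

```python
"""Parse `firejail --tree` output and flag sandboxes whose payload runs as root.
Added example, not Firejail's own code. SAMPLE_TREE is constructed from the
listing quoted in the thread plus a made-up root-running sandbox (pid 9001)."""
from typing import Dict, List, Tuple

SAMPLE_TREE = """\
739:root:/usr/bin/firejail --profile=/home/heat/.config/firejail/dnsmasq.profile /usr/bin/dnscrypt-proxy --local-address=127.0.0.1:40 --user=nobody
  760:nobody:/usr/bin/dnscrypt-proxy --local-address=127.0.0.1:40 --user=nobody
24607:heat:/usr/bin/firejail firefox
  24608:heat:/bin/bash /usr/local/bin/firefox
    24609:heat:firejail --profile=/home/heat/.config/firejail/firefox.profile /usr/lib/firefox/firefox
      24610:heat:/usr/lib/firefox/firefox
9001:root:/usr/bin/firejail /usr/sbin/some-daemon
  9002:root:/usr/sbin/some-daemon
"""

def parse_tree(text: str) -> List[Tuple[int, int, str, str]]:
    """One (depth, pid, user, command) per line; nesting is two spaces per level.
    The command may itself contain ':' (e.g. 127.0.0.1:40), so split at most twice."""
    entries = []
    for raw in text.splitlines():
        body = raw.lstrip(" ")
        if not body:
            continue
        pid, user, cmd = body.split(":", 2)
        entries.append(((len(raw) - len(body)) // 2, int(pid), user, cmd.strip()))
    return entries

def is_launcher(cmd: str) -> bool:
    """True for a firejail launcher process (the sandbox supervisor itself)."""
    return cmd.split()[0].rsplit("/", 1)[-1] == "firejail"

def sandboxes(text: str) -> Dict[int, Dict[int, str]]:
    """Group by top-level sandbox: launcher pid -> {payload pid: user}.
    Nested firejail launchers (the firefox wrapper case) are skipped;
    everything else under the sandbox counts as payload."""
    result: Dict[int, Dict[int, str]] = {}
    current = None
    for depth, pid, user, cmd in parse_tree(text):
        if depth == 0:
            current = pid
            result[current] = {}
        elif not is_launcher(cmd):
            result[current][pid] = user
    return result

def root_payloads(text: str) -> List[int]:
    """Launcher pids whose payload runs as root. A root launcher is expected for
    services like unbound; a root payload is what deserves a second look."""
    return [lp for lp, procs in sandboxes(text).items() if "root" in procs.values()]
```

Run it against real output with `sandboxes(subprocess.check_output(["firejail", "--tree"], text=True))`; for the thread's dnscrypt/unbound sandboxes the launcher is root but the payload is `nobody`/`unbound`, so only the constructed pid 9001 is reported.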
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    EDIT2. ... or the Chromium profile.
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    Huh.

    Code:
    1462 root      20   0    7.4m   1.7m   0.0  0.0   0:00.00 S                  `- firejail
    1464 amarildo  20   0  977.0m 306.4m   3.3  3.8   0:27.33 S                      `- iceweasel
    On the titlebar it says (superuser)
     
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    What does firejail --tree say?
     
  23. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    [amarildo@amarildo ~]$ firejail --tree
    1811:amarildo:firejail iceweasel
    1814:amarildo:iceweasel

    What I don't get is why it says (superuser) on the Title Bar. Look: https://i.imgur.com/wCBD5xj.png
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    That's strange, indeed. I've never seen this on my system. How does it look if you start Firefox un-firejailed?
     
  25. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    It looks normal.

    I think this is an Iceweasel thing. Remember, it's way locked down on security and privacy; I wouldn't be surprised if the Parabola developers made it so that the program shows when it (or its parent) is running as root. I'll ask them and I'll ask NetBlue as well.
     