I recently came across this https://privsec.dev/posts/linux/desktop-linux-hardening/#firejail and it looks like Firejail has a large attack surface. Is this true?
There is some interesting debate on that between madaidan and others, including Firejail's developer netblue30, in this GitHub discussion.
Thanks. It looks like some of these security vulnerabilities are overblown, and FJ just had an update in July of this year, so I'm sure more vulnerabilities were patched. Also, I have two user accounts on my system, one admin and one non-admin, and I surf the web from the non-admin account with FJ Private Home: firejail --private-home=.mozilla firefox
I think this critique is largely overblown, like a lot of other statements by madaidan.
1. Most of those CVEs mentioned in that article are some years old, from when Firejail was still a young project. In the meantime it has considerably matured. For example, sandbox escapes were possible via dbus: in the past Firejail had just one setting to enable or disable dbus control, but if enabled, a lot of applications wouldn't work properly, so disabling it was often necessary. However, in the meantime Firejail has very fine-grained dbus control, so that's a problem of the past.
2. The problem of Firejail being a SUID application is largely mitigated by the fact that sandboxed applications cannot execute SUID applications, including Firejail itself. And many applications (more than 1200 profiles right now) are sandboxed, so that risk is very small. This large number of profiles is also an important advantage compared with bubblewrap, for which hardly any profiles are available and which is much harder to set up.
3. You can further significantly limit that risk of being a SUID application, particularly by setting the force-nonewprivs flag (which makes it comparable with the behaviour of bubblewrap).
4. The attack surface is much smaller today, as a lot of features have been deliberately disabled, like overlays; see the release notes.
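The two mitigations named in this post, force-nonewprivs in firejail.config and a restricted dbus-user policy in an application profile, can be audited from the configuration text alone. The script below is an added example, not code from the thread or from the Firejail project; it assumes the directive names force-nonewprivs and dbus-user none/filter as used by Firejail's config and profile syntax, and runs against constructed sample files rather than a real installation.

```shell
#!/bin/sh
# Added example (not from the thread or Firejail). (1) "force-nonewprivs yes" in
# firejail.config makes every sandbox set no_new_privs, so a process inside cannot
# regain privileges through SUID binaries, Firejail's own binary included.
# (2) A profile should restrict the session bus with "dbus-user none" or
# "dbus-user filter"; without such a line the bus stays fully reachable.
# Both checks parse text only; the sample files below are constructed.

# Print "yes" if the last active force-nonewprivs line says yes, else "no"
# (Firejail's default when the line is absent or commented out).
check_force_nonewprivs() {
    val=$(grep -E '^[[:space:]]*force-nonewprivs[[:space:]]+' "$1" 2>/dev/null |
          tail -n 1 | awk '{print tolower($2)}')
    [ "$val" = "yes" ] && echo yes || echo no
}

# Print a profile's session-bus policy: "none", "filter" or "open".
check_dbus_user() {
    val=$(grep -E '^[[:space:]]*dbus-user[[:space:]]+(none|filter)' "$1" 2>/dev/null |
          tail -n 1 | awk '{print $2}')
    [ -n "$val" ] && echo "$val" || echo open
}

# Constructed samples standing in for firejail.config and two profiles.
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/weak.config" <<'EOF'
# Enable or disable 'nonewprivs' flag for all sandboxes
# force-nonewprivs no
EOF
cat > "$tmpdir/hardened.config" <<'EOF'
force-nonewprivs yes
EOF
cat > "$tmpdir/open.profile" <<'EOF'
noroot
seccomp
EOF
cat > "$tmpdir/filtered.profile" <<'EOF'
dbus-user filter
dbus-user.own org.mozilla.firefox.*
dbus-user.talk org.freedesktop.Notifications
dbus-system none
noroot
seccomp
EOF
for f in weak.config hardened.config; do
    echo "$f: force-nonewprivs=$(check_force_nonewprivs "$tmpdir/$f")"
done
for f in open.profile filtered.profile; do
    echo "$f: dbus-user=$(check_dbus_user "$tmpdir/$f")"
done
```

On a real system, point the functions at /etc/firejail/firejail.config and the profile in ~/.config/firejail or /etc/firejail to see which of the two settings is actually in effect.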
I thought this might be the case, but I know very little at all about this technology, so I couldn't comment. Thanks for providing your feedback on this, summerheat. I'm also guessing that the home user has even far less to be concerned about than the enterprise environment.
Yeah, thanks very much, summerheat. BTW, do you think there are any issues with my setup, with two user accounts, one admin and one non-admin?
You're welcome! But I'm not sure that I understand your setup. Are you saying that in your admin account you're permanently logged in as root? I would strongly recommend against it. If you need to escalate rights you should do this via sudo.
As long as it is not too burdensome, it is a good thing to have: keyloggers and similar malware are going to have a much harder time bypassing that setup.
No, no, no, my admin account isn't a root account. I was just wondering if there's any harm in having two user accounts or not? Because that thread on GitHub made it sound like having more than one user account can be problematic for Firejail.
Ah, I'm relieved. No, it doesn't harm to have two accounts (and here you are the owner of both accounts) but, IMHO, it's not worth the effort if you apply prudent conduct like keeping your system up-to-date, sticking to the official repositories etc. Regarding Firejail, I suggest applying the mitigations mentioned earlier.
Are these mitigations truly needed, or is the firejail --private-home=.mozilla firefox command good enough? @reasonablePrivacy Yeah, keyloggers are one of my main concerns, that and rootkits.
These two aspects are not related. The mitigations I mentioned only concern the risk of Firejail being a SUID application (although that risk is overstated as mentioned earlier). Well, Linux is not Windows. If you stick with the official repositories you do not need to worry, particularly since you're also using Firejail.
Thanks for all the info, @summerheat. I've added firejail to my setup, although I've never had any security problem with Linux. I've only used UFW so far.
You're welcome! Just as a note: depending on which distro you're using you should follow these hints: for Debian use the backports package, for Ubuntu use the PPA (which is maintained by Rainer Hermann, who is a Firejail contributor and also the maintainer of the Debian Firejail package). And don't forget the desktop integration. I also suggest reading the basic usage page. There is also some more useful documentation.
Ok, thanks. I have used the current version in the stable repo but will check for the backported version. Desktop integration was done, and the basic usage page is already printed and read.
It took quite a while, but finally Landlock is coming to Firejail! While Landlock is still a WIP and not yet a complete sandboxing solution, its already-existing features available in the Linux kernel obviously add to the other technologies used in Firejail. It will be interesting to see how much better/more flexible Firejail will become through this change.
You're welcome! Regarding Landlock, there is a post on Phoronix today about Landlock adding initial networking support in kernel 6.7. It's in the Landlock ABI version 3 while Firejail will use ABI version 1 to ensure compatibility with older kernels. But it illustrates that Landlock is improving, and some day those new features will certainly also land in Firejail.
Landlock support has recently been officially merged into firejail-git. It will probably be available in the next stable version. It will be interesting to watch how this will evolve. I guess that most profiles will have to be adjusted accordingly. We'll see how they will implement those changes.
Like flblais, I have been using no security other than UFW. Happily so -- it is very pleasant not to have to stay abreast of all the latest threats & security apps. However, based on what I have read in this thread, I took a look & found that my Linux distro (Zorin) came with Firejail pre-loaded but not installed. VERSION is 0.9.62-1build1. Package includes the Qt-based frontend Firetools. Description says (in part) ... The ONLY apps I run are those I select from a list of the many apps that came pre-loaded with Zorin. ==> Do I really REALLY need to run Firejail?
Realistically, probably not, especially if you are running an updated web browser with an ad blocker such as uBlock Origin. I think the reference made in your post to "untrusted" programs could be applied to even well-known web browsers, including those obtained from trusted sources like Linux repositories, because of potential vulnerabilities in their code that could be exploited by malicious actors, and even more dangerous is the use of browser extensions and plugins, which are arguably the greatest security risk of web browsers. Regarding the browser's code, just think about what you almost always see in the release notes of every single popular browser update: typically one or more security vulnerabilities addressed. So firejail is a sandboxing program that could help mitigate these risks if you are not confident that using the latest build on even a Linux platform is secure enough for your surfing habits. Btw, if your browser(s) is a Flathub (Flatpak) distribution, then the built-in sandboxing of these builds offers some additional security already, making the consideration for enhancing their security, by way of firejail or another security enhancement, less of a consideration, depending on whether or not you feel it's secure enough as is. More on Linux Flatpaks here. One of the reasons given from the site to use Flatpak is: In my case, I deploy AppArmor security on two of my browsers which are not Flatpak distributions, Firefox and Floorp, but two that are Flatpaks, ungoogled-chromium and MS Edge, are not enhanced by AppArmor or any other security program, mainly because I could not successfully get AppArmor to work on these latter two, probably because the built-in sandboxing somehow interferes with it. At any rate, I believe they are secure enough already out of the box.
@wat0114 -- Mega-thanks for the very informative reply! I run FF with the following extensions: Ublock-O, Decentraleyes, & AVG security. I now run ungoogled-Chromium (ug-C) as a back-up to FF. Since ug-C is sourced from dl.flathub.org, I assume that it is Flatpak. OTOH, my FF version is sourced from ubuntu-focal-updates-main, so I assume that my FF is NOT Flatpak. I read 3 articles about Flatpak and they all said that Flatpak apps run in a sort of mini-container, sandboxed from other applications. That being the case, it sounds like ug-C is a tiny bit more secure than FF. IF SO, maybe I should make ug-C my main browser & make FF the back-up? In any event, I reluctantly will give Firejail a trial in a few days, even though I'd much rather spend that time reading a good Modesitt novel. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Merry Christmas to all, & to all a good night!
Hi bellgamin, I would just use the browser you are most satisfied with. If Firefox, I would suggest removing the AVG Security add-on, as it's not actively monitored by Mozilla, and instead enable FF's built-in Security -> Deceptive Content and Dangerous Software controls. This leaves you with only two add-ons, both of which are in the "Recommended" category, so they are properly vetted by Mozilla. If installing and trialing firejail is a reluctant endeavor for you, something you find burdensome, then maybe don't bother. As I mentioned at the beginning of my post above, you most likely don't need firejail. Merry Christmas!
EDIT: Hi again, bellgamin. Out of curiosity, and because I hadn't used firejail for a while, I wanted to give it a test drive again on MX-23 Linux. I installed v0.9.72-2 using the command: sudo apt-get install firejail. From a terminal I tried the simple command: firejail firefox, but this resulted in a pop-up error: "Profile missing. Your Firefox profile cannot be loaded. It may be missing or inaccessible". After some Googling I found out I needed to install firejail profiles with: sudo apt-get install firejail-profiles. Well, that fixed the problem. In my case, because I have an AppArmor-enforced profile for Firefox, I also enforced the firejail-default profile with: sudo aa-enforce firejail-default. If you don't use AppArmor, this last command is unnecessary. I just wanted to share this with you in case you do decide to venture down the firejail path.
Yes, but note that the sandbox used by Flatpak packages is heavily discussed, as those packages are not always properly updated and the permissions granted to those packages are sometimes rather permissive in their manifests (although the situation might have improved in the meantime). It really depends on how well those Flatpak packages are maintained. There are some tools which you can use to inspect and change those permissions. Since Zorin is an Ubuntu derivative, AFAIK, Firefox should be installed as a snap package, which is confined by AppArmor by default. No, as mentioned, Firefox is confined by AppArmor. :) With Firejail you can sandbox many applications, indeed. Whether you really need it depends on your personal risk tolerance. As @wat0114 said, you probably don't need it if you keep your system updated and stick to the official repositories. However, there is a small risk that an app has a vulnerability which could be exploited by an attacker to infect your system. For a Linux desktop system I still have to find an example that this has actually happened. But it's not completely unlikely, of course.