Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, and Fedora packages are provided. An Arch Linux package is maintained in AUR.

 

Features

  • Linux namespaces support: mount, UTS, IPC, PID, network
  • Process separation
  • Filesystem support: local filesystem mounted read-only, chroot filesystem, and overlay filesystem
  • Support for running multiple sandboxes on top of the same filesystem
  • Server sandboxing
  • GUI application sandboxing
  • User login session sandboxing
  • Private mode
  • Filesystem security profile support; default security profiles for Firefox, Midori and Evince
  • Bash, zsh and csh shell support
  • Extensive networking support
  • Extensive monitoring support

     

    News

    June 2013 – version 0.9.6 released. This release adds support for running servers, zsh and csh shells, and a number of fixes to chroot and private mode.

    May 2013 – version 0.9.4 released. It fixes network connectivity problems for Ubuntu and Debian systems, /run directory, following symlinks in profile files, and it adds Evince and Midori sandbox profiles.

    April 2013 – version 0.9.2 released. This version brings in support for multiple network devices, --noip option necessary for DHCP setups, default gateway option, syslog support, tmpfs and read-only profile commands, bash completion, and a number of bugfixes.

    April 2013 – version 0.9 released

     

    Download and install

    Download the latest version of the software from sourceforge.net/projects/firejail/files/.

    • Source: Extract the files from the archive and run ./configure && make && sudo make install in the archive directory. Firejail only needs libc and POSIX threads (libpthreads) for compilation; no additional libraries are required.
    • Debian/Ubuntu/Mint: sudo dpkg -i firejail_X.Y_1_amd64.deb
    • OpenSUSE/Fedora: sudo rpm -i firejail_X.Y-Z.x86_64.rpm
    • Arch Linux: aur.archlinux.org/packages/firejail/
     

    Documentation

    Usage: firejail [options] program_and_arguments

    Manual Pages: firejail, firemon

    HOWTOs

     

    Support

    Please use the comment section on this page, or sourceforge.net/projects/firejail/support.

     

42 thoughts on “Firejail”

  1. Michel Käser (@frontenderch)

    Firejail looks amazing. I tried installing/using it within an OpenVZ container, but it always aborts with “Error clone main 445: Operation not permitted”.
    To compile, I had to change “/usr/include/linux/netlink.h” so it uses instead of already.

    Is it completely incompatible with CentOS 6 (due to old libc) / or it might be an OpenVZ problem.

    Really appreciating your feedback!
    Thanks.

    Reply
    1. netblue30 Post author

      Looks like it doesn’t have enough permissions to run clone system call. A suggestion would be to start it as user root.

      It could also be the kernel – the older kernel I’ve tested is 3.2. Thank you for letting me know.

      Reply
      1. Michel Käser (@frontenderch)

        The clone() syscall requires SYS_ADMIN capability (at least in OpenVZ) – enabling it made firejail work. One problem remains with firemon, which reports “Error: cannot write to netlink socket” – this may be due to manual changing of netlink file (or another missing capability). Would it help you if I’d send you an strace log or do you not bother getting firemon to work within such “old/non-default” setups (would be totally fine).

        Thanks :)

      2. netblue30 Post author

        Send it over, I’ll take a look, thanks!

        Question: why did you need to add SYS_ADMIN capability? The executable should already be suid root. It should have this capability by default. It also should have enough permissions to read or write to netlink sockets.

        $ ls -l /usr/bin/firejail
        -rwsr-xr-x 1 root root 63600 Apr 21 11:17 /usr/bin/firejail

  2. Martin Honerkamp

    I tried to connect more than one bridge interfaces to firejail, but it uses only one. Will there be a future version which is capable of handling this?

    Reply
    1. netblue30 Post author

      It is hardcoded to a single bridge at the moment.

      I can definitely add support for multiple bridges in the next release. I think I’ll have a new version in about two or three weeks. Thanks for your suggestion.

      Reply
    1. netblue30 Post author

      OBS – Open Build Service?

      I assume you are on OpenSUSE. Probably you are missing two header files in /usr/include/linux directory: rtnetlink.h and if_link.h. These headers are installed by linux-glibc-devel package:

      netblue@linux-ch5m:~> zypper wp /usr/include/linux/rtnetlink.h
      Command 'what-provides' is replaced by 'search --provides --match-exact'.
      See 'help search' for all available options.
      Loading repository data...
      Reading installed packages...

      S | Name              | Summary                                 | Type
      --+-------------------+-----------------------------------------+--------
      i | linux-glibc-devel | Linux headers for userspace development | package

      Reply
      1. netblue30 Post author

        The standard C library / kernel combination is kind of old. Although it is not a good idea to fight it, this quick fix will mask the problem at compile time:

        Open src/lib/libnetlink.c in a text editor and add the following two lines of code on the first line in the file:

        #define RTEXT_FILTER_VF (1 << 0)
        #define IFLA_EXT_MASK __IFLA_MAX

        However, networking features in firejail (such as the --net option) will be broken. Thank you for letting me know, I'll add a note on the webpage mentioning OpenSUSE 12.1.

    1. netblue30 Post author

      Thank you for your patches. Regarding the last error, I’ve found a description of the problem here:

      https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

      It basically requires dropping group privileges before taking away the user-level privileges. I’ve changed the order of setgid and setuid calls in src/firejail/sandbox.c. The new code looks like this:

      (around line 217)
      // drop privileges
      if (setgid(getgid()) < 0)
          errExit("setgid/getgid");
      if (setuid(getuid()) < 0)
          errExit("setuid/getuid");

      I have a test version ready on my regular download page on Sourceforge.

      http://sourceforge.net/projects/firejail/files/firejail/firejail-0.9.7-testing1.tar.bz2/download

      It has some new features and your patches applied. I hope I didn't introduce new problems. Big thanks!

      Reply
      1. new build

        Thanks. Now, here http://susepaste.org/view/raw/39609207 is the correcting patch with correct includes for the last SVN rev186 for openSUSE to fix those warnings. Second, with the last SVN rev186 another error appears:

        [ 39s] I: Program returns random data in a function
        [ 39s] E: firejail no-return-in-nonvoid-function firemon.h:46
        [ 39s] E: firejail no-return-in-nonvoid-function fs_var.c:221

      2. netblue30 Post author

        I hope I’ve fixed all of them in SVN rev187. If it is ok with you, I would add you to the authors list in the source archive.

        Thanks!

  3. new build

    Okay, now for the last 3 warnings http://susepaste.org/view/raw/9990404 for SVN rev187, and one main warning that needs to be fixed:
    trunk/src/firejail/fs_var.c:273: warning: the use of `mktemp' is dangerous, better use `mkstemp'
    There are also two other non-critical warnings which do not affect the build:
    profile.c:42:3: warning: suggest parentheses around assignment used as truth value
    fs.c:95:3: warning: implicit declaration of function ‘ASSERT’

    After testing firejail with the browsers Firefox (clean profile) and Opera on Youtube I noticed that Flash Player didn’t work (it starts and then stops after ~2-4 sec.) if DASH is enabled (it is used by Youtube for 1080p and 480p modes).
    Is it a current limitation of firejail, or can it be fixed somehow via setup?

    Reply
    1. netblue30 Post author

      I put all the fixes in SVN rev 188, thanks.

      I didn’t fix trunk/src/firejail/fs_var.c:273: warning: the use of `mktemp' is dangerous, better use `mkstemp'. I will leave it open for now; I intend to do a new release this week, and I’ll fix it in the one after that.

      Firefox: flash should work in Firefox under Firejail. I use it all the time under Debian 7 and OpenSUSE 13.1. I do sometimes see the flash plugin crashing, usually the first time I try some youtube video after I start Firefox. At that point, if I reload the web page, all is fine. There should be no limitation introduced by Firejail, unless the plugin tries to access some files in the system where it is not allowed.

      Reply
      1. new build

        For the Flash-related problem there is no crash, but an error like “try again later” appears ~2-4 sec. after streaming starts, and it only fails to work with firejail if DASH is enabled, which can be reproduced every time. So can you please check whether you are using the 1080p or 480p mode with firejail on the Youtube site?

  4. new build

    Also this issue came back again in SVN rev 187:
    [ 37s] firejail.x86_64: W: missing-call-to-setgroups-before-setuid /usr/bin/firemon
    [ 37s] firejail.x86_64: W: missing-call-to-setgroups-before-setuid /usr/bin/firejail
    [ 37s] This executable is calling setuid and setgid without setgroups or initgroups.
    [ 37s] There is a high probability this mean it didn’t relinquish all groups, and
    [ 37s] this would be a potential security issue to be fixed. Seek POS36-C on the web
    [ 37s] for details about the problem.

    Reply
  5. new build

    It didn’t give any lines numbers, but this error basically means that it is needed to call ‘setgroups(0, NULL)’ in both – firejail and firemon – when dropping privileges.

    Reply
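
The privilege-drop order discussed in the comments above (POS36-C, plus the setgroups(0, NULL) call that the rpmlint warning asks for), written out as an added example; it is not Firejail's own code, and the function names drop_privileges and privileges_are_dropped are assumptions made for illustration.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when real and effective IDs equal uid/gid and root cannot be
 * regained (a leftover saved set-user-ID of 0 would let seteuid(0) succeed). */
int privileges_are_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return 0;   /* root came back: the drop was not permanent */
    return 1;
}

/* Permanently drop from SUID root to the invoking user.
 * Returns 0 on success, -1 on failure (the caller must then exit). */
int drop_privileges(void)
{
    uid_t uid = getuid();   /* real IDs = the user who started the program */
    gid_t gid = getgid();

    /* 1. Supplementary groups first: setgroups() needs privilege, so it
     *    cannot run after setuid(). Skipped when started by root, which
     *    stays root. An empty list also removes the invoking user's own
     *    groups; initgroups() is the alternative that rebuilds the list. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) < 0)
        return -1;
    /* 2. Group ID next, while the process may still change it. */
    if (setgid(gid) < 0)
        return -1;
    /* 3. User ID last: with euid 0 this sets real, effective and saved IDs. */
    if (setuid(uid) < 0)
        return -1;
    /* 4. Do not rely on return codes alone; confirm the end state. */
    return privileges_are_dropped(uid, gid) ? 0 : -1;
}

int main(void)
{
    if (drop_privileges() < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```
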
    1. netblue30 Post author

      Sound should be working, there is nothing special about it as far as I know. I am using it all the time on youtube videos in Firefox, mainly with the sound set for pulse-audio. I’ve seen it also working in ALSA. What problems do you have?

      Reply
      1. new build

        After some investigation of the sound issue I’ve found that it wasn’t related to firejail, but it was a sound permissions problem – since firejail is running as another user, it needs to allow other users to use alsa shared memory to use the device at the same time (when using alsa, but not pulse). It seems that the DASH problem may also be related to this.

  6. new build

    I had permitted IPC for all users, but that still leaves this issue (I have tested the sound with other user accounts – it works, but when starting “speaker-test” from the same user via: “$firejail speaker-test” – Playback open error: -13,Permission denied.)

    What am I missing here ?

    P.S.: Also, with the last version of firejail I’m having unstable firefox behavior – firejail can quit, but leave firefox running as a zombie (and all its processes (like plugin-container) are running too). This all happens with the following error on Youtube (probably flash related):
    ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 2 requests ago: file /home/abuild/rpmbuild/BUILD/mozilla/toolkit/xre/nsX11ErrorHandler.cpp, line 157

    After this error Firefox always freezes, and in some cases firejail can also quit, as I mentioned before.

    Reply
    1. new build

      Also this line:
      ###!!! ABORT: Aborting on channel error.: file /home/abuild/rpmbuild/BUILD/mozilla/ipc/glue/MessageChannel.cpp, line 1522
      So it is somehow related to IPC too, and it is triggered by Flash Player (if it is disabled – no freeze and no error) + Firejail + Firefox all the time.

      I’m using NVIDIA proprietary driver.

      Reply
