Firejail

Mozilla Firefox starting in a Firejail sandbox.


Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, and mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, CentOS 7 and Fedora packages are provided. An Arch Linux package is maintained in AUR.

 

News

October 2014 – version 0.9.14 released. This release brings in support for user-defined seccomp blacklists, tracing filesystem and network accesses, bind mounts, process resource limits, monitoring ARP tables, route tables and interfaces, and a number of smaller features and bugfixes.
Release Notes

September 2014 – version 0.9.12.2 released. This release brings in more pulseaudio fixes.
Release Notes

September 2014 – version 0.9.12.1 released. This release includes a number of fixes for pulseaudio running inside the sandbox. Also, the --overlay option was temporarily disabled awaiting new development and fixes.
Release Notes

September 2014 – version 0.9.12 released. The new release brings in support for Linux capabilities, CentOS 7 and a number of bugfixes.
Release Notes

 

Documentation

Features   Download and Installation   Usage

Manual Pages: firejail, firemon, firejail profile files

HOWTOs:

 

Support

Please use the comment section on this page, or sourceforge.net/projects/firejail/support.

 

82 thoughts on “Firejail”

  1. Michel Käser (@frontenderch)

    Firejail looks amazing. I tried installing/using it within an OpenVZ container, but it always aborts with “Error clone main 445: Operation not permitted”.
    To compile, I had to change “/usr/include/linux/netlink.h” so it uses instead of already.

    Is it completely incompatible with CentOS 6 (due to old libc) / or it might be an OpenVZ problem.

    Really appreciating your feedback!
    Thanks.

    Reply
    1. netblue30 Post author

      Looks like it doesn’t have enough permissions to run clone system call. A suggestion would be to start it as user root.

      It could also be the kernel – the older kernel I’ve tested is 3.2. Thank you for letting me know.

      Reply
      1. Michel Käser (@frontenderch)

        The clone() syscalls requires SYS_ADMIN capability (at least in OpenVZ) – enabling it made firejail work. One problem remains with firemon, which reports “Error: cannot write to netlink socket” – this may be due to manual changing of netlink file (or another missing capability). Would it help you if I’d send you an strace log or do you not bother getting firemon to work within such “old/non-default” setups (would be totally fine).

        Thanks :)

      2. netblue30 Post author

        Send it over, I’ll take a look, thanks!

        Question: why did you need to add SYS_ADMIN capability? The executable should already be suid root. It should have this capability by default. It also should have enough permissions to read or write to netlink sockets.

        $ ls -l /usr/bin/firejail
        -rwsr-xr-x 1 root root 63600 Apr 21 11:17 /usr/bin/firejail

  2. Martin Honerkamp

    I tried to connect more than one bridge interfaces to firejail, but it uses only one. Will there be a future version which is capable of handling this?

    Reply
    1. netblue30 Post author

      It is hardcoded to a single bridge in this moment.

      I can definitely add support for multiple bridges in the next release. I think I’ll have a new version in about two or three weeks. Thanks for your suggestion.

      Reply
    1. netblue30 Post author

      OBS – Open Build Service?

      I assume you are on OpenSUSE. Probably you are missing two header files in /usr/include/linux directory: rtnetlink.h and if_link.h. These headers are installed by linux-glibc-devel package:

      netblue@linux-ch5m:~> zypper wp /usr/include/linux/rtnetlink.h
      Command ‘what-provides’ is replaced by ‘search –provides –match-exact’.
      See ‘help search’ for all available options.
      Loading repository data…
      Reading installed packages…

      S | Name | Summary | Type
      –+——————-+—————————————–+——–
      i | linux-glibc-devel | Linux headers for userspace development | package

      Reply
      1. netblue30 Post author

        The standard C library / kernel combination is kind of old. Although is not a good idea to fight it, this quick fix will mask the problem at compile time:

        Open src/lib/libnetlink.c in a text editor and add the following two lines of code on the first line in the file:

        #define RTEXT_FILTER_VF (1 << 0)
        #define IFLA_EXT_MASK __IFLA_MAX

        However, networking features in firejail (such as the --net option) will be broken. Thank you for letting me know, I'll add a note on the webpage mentioning OpenSUSE 12.1.

    1. netblue30 Post author

      Thank you for your patches. Regarding the last error, I’ve found a description of the problem here:

      https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

      It basically requires dropping group privileges before taking away the user-level privileges. I’ve changed the order of setgid and setuid calls in src/firejail/sandbox.c. The new code looks like this:

      (around line 217)
      // drop privileges
      if (setgid(getgid()) < 0)
          errExit("setgid/getgid");
      if (setuid(getuid()) < 0)
          errExit("setuid/getuid");

      I have ready a test version on my regular download page on Sourceforge.

      http://sourceforge.net/projects/firejail/files/firejail/firejail-0.9.7-testing1.tar.bz2/download

      It has some new features and your patches applied. I hope I didn't introduced new problems. Big thanks!

      Reply
      1. new build

        Thanks. Now, here http://susepaste.org/view/raw/39609207 is the correcting patch with correct includes for last SVN rev186 for openSUSE to fix those warnings, second, with last SVN rev186 there is another error appears:

        [ 39s] I: Program returns random data in a function
        [ 39s] E: firejail no-return-in-nonvoid-function firemon.h:46
        [ 39s] E: firejail no-return-in-nonvoid-function fs_var.c:221

      2. netblue30 Post author

        I hope I’ve fixed all of them in SVN rev187. If it is ok with you, I would add you to the authors list in the source archive.

        Thanks!

  3. new build

    Okay, now to for the last 3 warnings http://susepaste.org/view/raw/9990404 for SVN rev187, and one main warning that need to be fixed:
    trunk/src/firejail/fs_var.c:273: warning: the use of `mktemp’ is dangerous, better use `mkstemp’
    there are also two other non-critical warnings which not affects the build:
    profile.c:42:3: warning: suggest parentheses around assignment used as truth value
    fs.c:95:3: warning: implicit declaration of function ‘ASSERT’

    After testing firejail with the browsers Firefox (clean profile) and Opera on Youtube I noticed that Flash Player didn’t work (it start and then stop after ~2-4 sec.) if DASH is enabled (it is used by Youtube for 1080p and 480p modes).
    Is it the current limitation of firejail or it can be fixed somehow via setup ?

    Reply
    1. netblue30 Post author

      I put all the fixes in SVN rev 188, thanks.

      I didn’t fix trunk/src/firejail/fs_var.c:273: warning: the use of `mktemp’ is dangerous, better use `mkstemp’. I will leave it open for now, I intend to do a new release this week, I’ll fix it in the one after that.

      Firefox: flash should work in Firefox under Firejail. I use it all the time under Debian 7 and OpenSUSE 13.1. I do see sometime the flash plugin crashing, usually first time I try some youtube video after I started Firefox. In that moment if I reload the web page, all is fine. There should be no limitation introduced by Firejail, unless the plugin tries to access some files in the system where it is not allowed.

      Reply
      1. new build

        For Flash related problem there is no crash, but the error after streaming started after ~2-4 sec. like “try again later” and it only not work with firejail if DASH is enabled, which can be reproduced every time, so can you, please, check if you are using the 1080p or 480p mode with firejail on Youtube site ?

  4. new build

    Also this issue come back again in SVN rev 187:
    [ 37s] firejail.x86_64: W: missing-call-to-setgroups-before-setuid /usr/bin/firemon
    [ 37s] firejail.x86_64: W: missing-call-to-setgroups-before-setuid /usr/bin/firejail
    [ 37s] This executable is calling setuid and setgid without setgroups or initgroups.
    [ 37s] There is a high probability this mean it didn’t relinquish all groups, and
    [ 37s] this would be a potential security issue to be fixed. Seek POS36-C on the web
    [ 37s] for details about the problem.

    Reply
  5. new build

    It didn’t give any lines numbers, but this error basically means that it is needed to call ‘setgroups(0, NULL)’ in both – firejail and firemon – when dropping privileges.

    Reply
    1. netblue30 Post author

      Sound should be working, there is nothing special about it as far as I know. I am using it all the time on youtube videos in Firefox, mainly with the sound set for pulse-audio. I’ve seen it also working in ALSA. What problems do you have?

      Reply
      1. new build

        After some investigating the sound issue I’ve found that it wasn’t related to firejail, but it was the sound permissions problem – since firejail running as another user it needs to allow other users to use alsa shared memory to use device at the same time (when using alsa, but not pulse). It seems that DASH problem also may be related to this.

  6. new build

    I had permit IPC for all users, but that still leave this issue (have tested the sound with other user accounts – it works, but when starting “speaker-test” from the same user via: “$firejail speaker-test” – Playback open error: -13,Permission denied.)

    What am I missing here ?

    P.S.: Also with last version of firejail I’m having the unstable firefox behavior – firejail can quit, but leave firefox running as zombie ( and all its processes (like plugin-container) are running too. This all happens with the following error on Youtube (probably flash related):
    ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 2 requests ago: file /home/abuild/rpmbuild/BUILD/mozilla/toolkit/xre/nsX11ErrorHandler.cpp, line 157

    After this error Firefox always freezes, and in some cases firejail also can quit, as I mentioned before

    Reply
    1. new build

      Also this line:
      ###!!! ABORT: Aborting on channel error.: file /home/abuild/rpmbuild/BUILD/mozilla/ipc/glue/MessageChannel.cpp, line 1522
      So It is somehow related to IPC too and it is triggered by Flash Player (if it disabled – no freeze and error) + FIrejail + Firefox all the time.

      I’m using NVIDIA proprietary driver.

      Reply
  7. new build

    In latest release:
    I: A function overflows or underflows an array access. This could be a real error,
    [ 98s] but occasionaly this condition is also misdetected due to loop unrolling or strange pointer
    [ 98s] handling. So this is warning only, please review.
    [ 98s] W: firejail arraysubscript list.c:42, 53

    speaker-test also still failing on this release.

    Reply
    1. netblue30 Post author

      It is an ugly bug, thanks! I’ve just put out a new release fixing it. Let me know if you run in anything else.

      I am seeing something strange on my Debian 7 station with speaker-test. I start it, and after 2 or 3 minutes it starts working. Still looking into it.

      Reply
  8. Pingback: Linux Software Release, August 2014 | SoftNews

  9. Russell Allen

    Hi! Trying to run a JIT VM within the jail, it works without --seccomp but as soon as I chose --seccomp it dies. Presumably it is trying to do something forbidden! Is there a way to find out what and adjust either the VM or the firejail seccomp filter?

    Reply
    1. netblue30 Post author

      It is very difficult to debug what happened, the kernel kills the process as soon as something out of ordinary is detected. Or it could be just a bug in the program. Seccomp environment is very restrictive, and some bugs become more visible.

      Reply
      1. Russell Allen

        That’s a bit of a pain – its a pretty complex VM :) Is it possible to specify the seccomp restrictions in a profile? Then I could try to see which restriction breaks things. I have previously got it working in a Selinux sandbox so hopefully it is possible.

  10. Pingback: Firejail – A Security Sandbox for Mozilla Firefox | SoftNews

  11. Pingback: Bookmarks for September 22nd | Chris's Digital Detritus

  12. somePasserby

    A bug report:

    Attempt to jail Skype 4.3 (linux, 32 bit) under Xubuntu 12.04.4 results in failure.
    Specifically, skype launches and plays sounds, but during an outgoing call, moments before the call is connected, it crashes.
    --seccomp and --caps do not affect the behavior much (the crash causes the notification to “get stuck” if --seccomp was used though)

    The console content is as follows:

    ====
    useracc@ubuntu:~$ firejail --debug skype
    Found skype profile in /etc/firejail directory
    Reading /etc/firejail/skype.profile
    Using the local network stack
    Parent pid 4494, child pid 4495
    Initializing child process
    PID namespace installed
    Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
    Mounting tmpfs on /run/shm on behalf of /dev/shm
    Mounting tmpfs on /run/lock on behalf of /var/lock
    Mounting tmpfs on /var/tmp
    Mounting tmpfs on /var/log
    Mounting tmpfs on /var/lib/dhcp
    Mounting tmpfs on /var/lib/snmp
    Mounting tmpfs on /var/lib/sudo
    Disable /sbin
    Disable /usr/sbin
    Disable /bin/umount
    Disable /bin/mount
    Disable /bin/fusermount
    Disable /bin/su
    Disable /usr/bin/sudo
    Disable /usr/bin/strace
    Disable /home/useracc/.gnome2/keyrings
    Disable /home/useracc/.pki/nssdb
    Disable /home/useracc/.local/share/recently-used.xbel
    Disable /home/useracc/.mozilla
    Disable /home/useracc/SomeStuff
    Disable /home/useracc/SomeStuffneo
    Disable /home/useracc/Desktop
    Disable /home/useracc/.cache/mozilla
    Disable /home/useracc/.cache/google-chrome
    Disable /home/useracc/.cache/chromium
    Disable /home/useracc/.config/google-chrome
    Disable /home/useracc/.config/chromium
    Remounting /proc and /proc/sys filesystems
    Disable /proc/sysrq-trigger
    Disable /proc/sys/kernel/hotplug
    Disable /sys/kernel/uevent_helper
    Disable /proc/irq
    Disable /proc/bus
    Disable /proc/kcore
    Disable /proc/kallsyms
    Mounting a new /boot directory
    Disable /dev/port
    Interface IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP
    wlan0 192.168.5.67 255.255.0.0 UP
    lxcbr0 10.0.3.1 255.255.255.0 UP
    tun0 10.10.0.3 255.255.0.0 UP

    Starting skype
    Child process initialized
    Assertion ‘b’ failed at pulsecore/memblock.c:454, function pa_memblock_acquire(). Aborting.

    parent is shutting down, bye…
    ====

    Any workarounds ? I really hate having Skype run around, but I have to use the goddamned thing

    Reply
  13. somePasserby

    I tried that.
    Doesn’t help, sadly.

    Also, the pulseaudio doesn’t crash when used with Skype without firejail, and doesn’t crash when skype is chrooted, which suggests that there’s something about Firejail’s isolation that destabilizes pulse.

    Also Skype/pulse doesn’t crash on Ubuntu 14 when ran in LXC (but my little laptop doesn’t work all that well with 14, so I am doomed to stick with 12 on it for a loooong while :( )

    Reply
    1. netblue30 Post author

      Sorry to hear that. There could be something with the isolation, I see a number of x11 programs, usually gtk/x11 programs, that are crashing trying to access shared memory. I don’t see this kind of problems when running qt4/x11 programs. Also I’ve found ALSA much more stable than pulseaudio.

      I’ll try to look into it, thanks!

      Reply
      1. somePasserby

        Okay, done more playing around.
        Apparently, the kosher way of disabling pulse’s shared memory use on Xubuntu is
        disable-shm = true
        (enable-shm = false doesn’t help for some obscure reason)

        With pulse no longer using shared memory, the crashes when jailing skype have stopped (th-th-the l-lattency is al-most un-bearable, but I can handle it).
        So problem is (partially) solved, and is definitely due to something odd happening to shared memory when firejail is doing it’s deed.

      2. netblue30 Post author

        I think I have a fix for pulseaudio problems, including the latency you’ve been seeing. I put out a new release 0.9.12.2. You would need first to re-enable shm in pulse audio, so remove “disable-shm = true” from the configuration and reboot your box, then try again with version 0.9.12.2.

        I had something very similar in CentOS 7 when playing youtube videos in Firefox. The sound would start playing about 10 seconds into the video. 0.9.12.2 fixes it.

        Thank you for your help debugging this problem.

  14. somePasserby

    Also, a question – would it be acceptable to use the --net parameter to specify a non-bridge interface to use ?

    Say, I have a VPN which has already set up a tun0 , mayhaps it would be possible to use Firejail so that a given “suspicious application” can only use tun0 for its communication ?

    (of course, one could set up a bridge (br0) and the IPtables rule to forward traffic between tun0 and br0, but that sounds like work ;-)

    Reply
    1. netblue30 Post author

      --net in this moment accepts only bridge devices such as br0. I guess I can add support for tun/tap devices. This should be interesting! I’ll look into it, thanks.

      Reply
      1. somePasserby

        That would be great, since it would allow to easily (as in, no iptables knowledge needed) and pretty reliably ensure that “naughty” apps will only be able to connect through VPN and no intermittent leaks (DNS, etc.) are liable to happen if there is a hiccup in the connection.

  15. somePasserby

    Unfortunately the 0.9.12.2 does not fix it.

    When shm is enabled for pulseaudio, every call results in crash.

    The console prints this:

    Assertion ‘b’ failed at pulsecore/memblock.c:454, function pa_memblock_acquire(). Aborting.

    Then skype freezes.

    Interestingly, Xubuntu was able to generate a crash log this time.
    It claims /sbin/init has crashed.

    The file is pretty huge, plus I don’t know how to sanitize it (it’s my work laptop. I’m pretty sure there is a lot of stuff in there that needs to be sanitized)

    I’ll try to copy/paste the beginning here.

    Hope it helps.

    Reply
  16. somePasserby

    One more (supposedly unrelated) bug (I am a huge pain, sorry )

    If the --name parameter is passed when jailing skype via firejail, two error messages are eventually printed to the console
    ====
    _IceTransSocketUNIXConnect: Cannot connect to non-local host ubuntu
    _IceTransSocketUNIXConnect: Cannot connect to non-local host ubuntu
    ====
    After that, Skype’s behavior becomes increasingly erratic (increasing sound latency, odd “drops” getting worse with every call).

    Reply
    1. netblue30 Post author

      --name changes the hostname of the system to what you specify. Somehow /etc/hostname does not reflect the new hostname. I’ll add it to my list of problems to fix, thanks!

      Reply
  17. Pingback: Firejail: sandbox processes on Linux | Regular Expressions

  18. somePasserby

    Okay, some more interesting Skype behaviors (I hope I am being useful and not merely annoying)
    This time it’s kinda okayish behavior (I’d like to keep it, performance increased somehow!) but it’s worth noticing cause, you know, errors are printed ;-)

    So, I got around to bottling up Skype’s networking via tun0 (mullvad VPN), firejail’s --net directive (and appropriate bridge) and iptables.

    I created a bridge called sjbr0 (sj stands for skype jail :) )

    sudo brctl addbr sjbr0

    then I configured it so it would have a very small subnet all its own (just in case)

    sudo ifconfig sjbr0 192.169.1.1/30

    then I proceeded to enable forwarding and iptables (comments provided for benefit of google and future readers)
    -----
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
    sudo iptables -t nat -A POSTROUTING -s 192.169.1.0/30 -o tun0+ -j MASQUERADE
    #
    # the iptables rule has a + after tun0 because Mullvad/OpenVPN configure their tun as tun0-00
    # I'm not sure it won't configure it as tun0-02 or some stuff if the connection is broken/re-established later.
    # as long as mullvad/openvpn is the only one managing interfaces that start with tun0
    # and as long as there is only one such interface at a given time, it should be fine
    # note that thanks to the -s parameter this masquerade rule will only apply to the very special subnet of sjbr0
    #

    sudo iptables -A FORWARD -i sjbr0 -o tun0+ -j ACCEPT
    sudo iptables -A FORWARD -i tun0+ -o sjbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    #
    # forwarding from sjbr0 to tun0 (and its possible heirs) is always okay
    # forwarding from tun0 and its ilk is okay only if the connection is related to one of the outgoing ones
    #

    sudo su
    #
    # because for some reason, the following commands work only as "proper root"
    #

    iptables -A FORWARD ! -i tun0+ -o sjbr0 -j DROP
    iptables -A FORWARD -i sjbr0 ! -o tun0+ -j DROP
    #
    # we explicitly prohibit traffic from our "skype containment interface" from going anyplace other than tun0 (s)
    # we also explicitly prohibit traffic from interfaces that aren't "tun0" and its possible successors from going to the skype container's interface
    #

    iptables -P FORWARD DROP
    exit
    #
    # we set our default forwarding policy to "drop" (just in case)
    #

    ----

    Now, we launch skype in firejail with the --net parameter targeting our newly made skype jail interface:
    firejail --seccomp --net=sjbr0 --caps --name=skypejail0 --profile=/etc/firejail/skype.profile --debug /usr/bin/skype

    Now, interesting stuff starts happening. First, we see the following in the console (interesting part bolded for emphasis)
    —-
    Reading /etc/firejail/skype.profile
    IP address range from 192.169.1.1 to 192.169.1.2
    Trying 192.169.1.2 …
    192.169.1.2 IP address assigned to the sandbox
    Parent pid 4983, child pid 4984
    create veth veth4983eth0/eth0/4984
    netlink message length 108, it should be 104 bytes
    Initializing child process
    PID namespace installed
    —-

    Now, the “netlink message length 108, it should be 104 bytes” is slightly worrysome (especially since I can’t google this one up) and might indicate a problem.
    Despite this worrisome netlink thingie, after a bunch of normal-looking firejail messages about disabling directories and whatnot, skype proceeds to start.
    —–
    Configuring 192.169.1.2 address on interface eth0
    Using first bridge address as default route
    Network namespace enabled
    Interface IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP
    eth0 192.169.1.2 255.255.255.252 UP

    Drop CAP_SYS_MODULE
    Drop CAP_SYS_RAWIO
    Drop CAP_SYS_BOOT
    Drop CAP_SYS_NICE
    Drop CAP_SYS_TTY_CONFIG
    Drop CAP_SYSLOG
    Drop CAP_SYS_ADMIN
    seccomp enabled
    Starting /usr/bin/skype
    Child process initialized
    —-

    And immediately experiences a bunch of errors (one of which was reported above, but another one is new, I bolded new one)

    —-
    (process:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
    Failed to connect to socket /tmp/dbus-i9fqlSMfwt: Connection refused

    (process:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
    Failed to connect to socket /tmp/dbus-i9fqlSMfwt: Connection refused

    (process:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
    Failed to connect to socket /tmp/dbus-i9fqlSMfwt: Connection refused

    _IceTransSocketUNIXConnect: Cannot connect to non-local host ubuntu
    _IceTransSocketUNIXConnect: Cannot connect to non-local host ubuntu
    —-

    However – and this is the fun part – not only does skype launch and operate normal-ish in these conditions (sound is okay, test call also seemingly okay), it actually got better (a bunch of annoying interface glitches that plague jailed skype when using default network stack have disappeared), and is actually faster (more responsive).
    Looks like preventing Skype from touching DBUS’s naughty places served it well enough.

    I hope this long and drawn out report will be helpful to you.

    Also, you might want to make an instructional post about jailing skype with firejail – jailing skype is a bit of a challenge, it turns out.

    P.S.:
    I may be dumb, but is there a way to set an environment variable inside Firejail so that it would only affect things inside the jail ?

    Reply
    1. netblue30 Post author

      > I hope I am being useful and not merely annoying
      Keep going! So far I’ve fixed a number problems you found, thanks!

      > netlink message length 108, it should be 104 bytes
      That’s ugly, I need to fix it!

      > GConf-WARNING **: Client failed to connect to the D-BUS daemon:
      I thought I’ve fixed this one, are you using version 0.9.12.2?

      > IceTransSocketUNIXConnect: Cannot connect to non-local host ubuntu
      I’ll bring in a fix in the next version. Inside the sandbox, /etc/hosts and the host name are out of sync.

      > is there a way to set an environment variable inside Firejail
      firejail "export MYVAR=asdf && /bin/bash"
      opens a new bash session with MYVAR set. Any new processes or bash sessions started after that will have MYVAR set. Replace /bin/bash with /usr/bin/skype and you’ll have MYVAR passed down to skype.

      Thanks!

      Reply
      1. somePasserby

        >Keep going! So far I’ve fixed a number problems you found, thanks!

        will do.
        Next planned test – does Skype crash with Pulse shared memory=on if operating under isolated network ?

        >I thought I’ve fixed this one, are you using version 0.9.12.2?

        "firejail --version" output is:
        firejail version 0.9.12.2

        However, the thing is…
        I like being able to lock down DBUS, especially since in this particular case the limitation of DBUS functionality is partial (various important DBUS-related features of Skype ARE working).
        If anything, current Skype’s behavior better than the one I got without DBUS isolation (UI is definitely more responsive, there are no UI glitches)

        It would be nice if there was some granular way of managing DBUS isolation (so that I could basically get the behavior I am getting now in future versions ;) )

        >firejail "export MYVAR=asdf && /bin/bash"

        this is awesome.

        I assume that if a shell script running inside the jail (variables.sh) does “export NEWVAR=foo”, the variable will be set as well and available to programs inside the jail (so I could write a launcher script that neatly sets all the necessary stuff) ?

      2. somePasserby

        Experiment outcome:

        Sadly, re-enabling pulse’s shared memory causes crash during call irrespective of how network isolation was configured.

      3. netblue30 Post author

        DBus: I used to have it disabled in the sandbox, then I run into a number of programs that crash if they cannot connect to DBus. I don’t think access to DBus can create security problems in this moment, but as more and more functionality is added to DBus, it could become a problem at some point.

        export NEWVAR=foo: My understanding is as follows. It will be inherited by the children sessions, but not by the parent. The exports you define in a script will be dropped down as soon as you exit the script.

        shared memory: Are you starting skype as root or as a regular user? As root I set a new shared memory space, for regular user I leave the old one in place.

        firejail --net=sjbr0 firefox: will not be able to connect to X11. I’ve never figured out the X11 authentication. The way it is configured by default, it will accept connections from 127.0.0.1, but not from the IP address you have defined for sjbr0. Or maybe the host names is confusing him.

  19. somePasserby

    Interestingly enough, launching firefox (and goo chrome, but that was kinda expected) with --seccomp --caps and --net=sjbr0 yields “unwelcome” behaviors.

    I am running out of battery.

    Will post the firefox log later.

    Reply
  20. somePasserby

    >shared memory: Are you starting skype as root or as a regular user? As root I set a new shared memory space, for regular user I leave the old one in place.

    Of course as a regular user. Who in his right mind would run anything skype-related as root :) ?

    Should I start firejail as root to test it out ?

    I vaguely suspect that other, hard to properly reproduce quirks I’m getting when using jailed skype ( like Mullvad’s VPN manager (process “python2″) locking up suddenly) are also related to shared memory.

    >firejail --net=sjbr0 firefox: will not be able to connect to X11. I’ve never figured out the X11 authentication. The way it is configured by default, it will accept connections from 127.0.0.1, but not from the IP address you have defined for sjbr0.

    Yes, firefox launched in this manner seems to have a lot of trouble, and exhibits all kinds of weirdo behavior (and seems to cause lock-up of VPN manager way more often – but that lock-up doesn’t get reflected in mullvad’s logs so it would be way to hard to investigate).

    When I launch firefox like this:

    firejail --seccomp --net=sjbr0 --caps --name=stuff --debug firefox

    The errors in firefox’s console are :
    ——
    Starting firefox
    Child process initialized

    (firefox:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
    Failed to connect to socket /tmp/dbus-L1iHdfFvVF: Connection refused

    (firefox:1): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Could not connect: Connection refused

    ** (firefox:1): WARNING **: Could not connect: Connection refused

    (firefox:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
    Failed to connect to socket /tmp/dbus-L1iHdfFvVF: Connection refused
    ###!!! [Child][MessageChannel] Error: Channel closing: too late to send/recv, messages will be lost

    (firefox:1): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
    Failed to connect to socket /tmp/dbus-L1iHdfFvVF: Connection refused
    1412450276605 addons.repository WARN Unknown type id when parsing addon: 5
    1412450276631 addons.repository WARN Unknown type id when parsing addon: 5
    1412450282057 addons.update-checker WARN Update manifest for ubufox@ubuntu.com did not contain an updates property
    1412450282431 addons.update-checker WARN Update manifest for {972ce4c6-7e08-4474-a285-3208198ce6fd} did not contain an updates property
    ——

    I suspect that “Could not connect: Connection refused” is related to very odd networking behavior it is exhibiting.

    firefox appears to have trouble loading pages (it manages to load them most of the time, which suggests that forwarding works…Also, Skype connects without issue on same interface later on, so it’s unlikely to be network config) and seems to have very poor performance.

    P.S.:
    If specifying --net= causes problems with X connections, how does my jailed skype manage to display, well, anything ?

    Also, if X11 forwarding from jail to host is a problem, maybe one should try xpra ? It might even be more secure (maybe. sorta.)!

    Reply
    1. netblue30 Post author

      > Should I start firejail as root to test it out ?

      No way!

      > If specifying –net= causes problems with X connections, how does my jailed skype manage to display, well, anything ?

      I’ve just test it it again. Debian 7, a simple bridge traffic routed trough the box, iptables masquerade on the box:
      – chromium working
      – firefox working
      – midori: Failed to connect to socket /tmp/dbus-WzUnM3Vf7F: Connection refused. It seems to think there is another midori browser already running and it refuses to start.

      I’ll have to look into it. A few months back when I last tested it, nothing would work.

      Reply
  21. somePasserby

    Some feature ideas (in case you are interested in that kind of thing ;) ):

    It would be neat (and might be good for debugging) if DBUS, and X-server and shared memory behaviors of firejail were configurable via command line.

    Something like --shmnew=1 to force creation of a new shared memory space (and --shmnew=0 to force leaving the old one be), and so forth. Same kind of switches for DBUS and X (people who are extra-paranoid could then lock DBUS and X completely and forward their X stuff through xpra and a bridge … though I suspect one could already achieve exactly same result by building a chroot and having firejail operate in it, as long as DBUS’s stuff isn’t explicitly mounted into said chroot)

    Exclusion syntax or iptable-like behavior (whichever is easier to implement) for profiles (basically, what it would allow to achieve is “ban every single thing in /home/foo/ EXCEPT file /home/foo/bar/creepy-app.conf” and EXCEPT directory /home/foo/bar/creepy-app-files)

    Reply
    1. netblue30 Post author

      > Some feature ideas (in case you are interested in that kind of thing ;) ):
      Always interested!

      > shared memory
      In the current version shared memory is only virtualized if the sandbox is started as root. For a regular user I don’t modify it. I guess I need to understand why some programs still have problems with it.

      > dbus and x11
      I’ve added them to my to do list

      > filtering of /home/foo
      It is by far the most requested feature in this moment. I’ll have it implemented by the end of the month.

      Thanks for your suggestions!

      Reply
  22. Pingback: Linux Software Releases, October 2014 | SoftNews

  23. Pingback: Firejail – Linux namespaces sandbox program - Der PCFreak Blog
