Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table and mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, and Fedora packages are provided. An Arch Linux package is maintained in AUR.


Features

  • Linux namespaces support: mount, UTS, IPC, PID, network
  • Process separation
  • Filesystem support: local filesystem mounted read-only, chroot filesystem, and overlay filesystem
  • Support for running multiple sandboxes on top of the same filesystem
  • Server sandboxing
  • GUI application sandboxing
  • User login session sandboxing
  • Private mode
  • Filesystem security profile support; default security profiles for Firefox, Midori and Evince
  • Bash, zsh and csh shell support
  • Seccomp support
  • Linux capabilities support
  • Extensive networking support
  • Extensive monitoring support
  • more…


    News

    September 2014 – version 0.9.12.2 released. This release brings in more pulseaudio fixes.
    Release Notes

    September 2014 – version 0.9.12.1 released. This release includes a number of fixes for pulseaudio running inside the sandbox. Also, the --overlay option was temporarily disabled awaiting new development and fixes.
    Release Notes

    September 2014 – version 0.9.12 released. The new release brings in support for Linux capabilities, CentOS 7 and a number of bugfixes.
    Release Notes

    August 2014 – version 0.9.10 released. The new release brings in several sandbox management capabilities and a number of bugfixes. Please note that the --list option was renamed --tree and a new --list was introduced, printing only the main sandbox process data. This version also brings in support for sandboxing the Google Chromium browser.
    Release Announcement, Release Notes

    July 2014 – version 0.9.8.1 released. This release fixes a number of problems introduced in release 0.9.8.
    Release Announcement, Release Notes

    July 2014 – version 0.9.8 released. This release adds seccomp support, nowrap mode for the --list option, a new --top option similar to the Linux top command, PID filtering support in firemon, and lots of bugfixes.

    June 2014 – version 0.9.6 released. This release adds support for running servers, zsh and csh shells, and a number of fixes to chroot and private mode.

    May 2014 – version 0.9.4 released. It fixes network connectivity problems for Ubuntu and Debian systems, /run directory, following symlinks in profile files, and it adds Evince and Midori sandbox profiles.

    April 2014 – version 0.9.2 released. This version brings in support for multiple network devices, the --noip option necessary for DHCP setups, a default gateway option, syslog support, tmpfs and read-only profile commands, bash completion, and a number of bugfixes.

    April 2014 – version 0.9 released


    Download and install

    Download the latest version of the software from sourceforge.net/projects/firejail/files/.

    • Source: Extract the files from the archive and run ./configure && make && sudo make install in the archive directory. Firejail only needs libc and POSIX threads (libpthreads) for compilation; no additional libraries are required.
    • Debian/Ubuntu/Mint: sudo dpkg -i firejail_X.Y_1_amd64.deb
    • OpenSUSE/Fedora/CentOS 7: sudo rpm -i firejail_X.Y-Z.x86_64.rpm
    • Arch Linux: aur.archlinux.org/packages/firejail/

    Documentation

    Usage: firejail [options] program_and_arguments
    more…

    Manual Pages: firejail, firemon

    HOWTOs


    Support

    Please use the comment section on this page, or sourceforge.net/projects/firejail/support.


69 thoughts on “Firejail”

  1. Michel Käser (@frontenderch)

    Firejail looks amazing. I tried installing/using it within an OpenVZ container, but it always aborts with “Error clone main 445: Operation not permitted”.
    To compile, I had to change “/usr/include/linux/netlink.h” so it uses instead of already.

    Is it completely incompatible with CentOS 6 (due to old libc) / or it might be an OpenVZ problem.

    Really appreciating your feedback!
    Thanks.

    Reply
    1. netblue30 Post author

      Looks like it doesn’t have enough permissions to run clone system call. A suggestion would be to start it as user root.

      It could also be the kernel – the older kernel I’ve tested is 3.2. Thank you for letting me know.

      Reply
      1. Michel Käser (@frontenderch)

        The clone() syscall requires the SYS_ADMIN capability (at least in OpenVZ) – enabling it made firejail work. One problem remains with firemon, which reports “Error: cannot write to netlink socket” – this may be due to the manual change of the netlink file (or another missing capability). Would it help you if I sent you an strace log, or do you not bother getting firemon to work within such “old/non-default” setups (which would be totally fine)?

        Thanks :)

      2. netblue30 Post author

        Send it over, I’ll take a look, thanks!

        Question: why did you need to add SYS_ADMIN capability? The executable should already be suid root. It should have this capability by default. It also should have enough permissions to read or write to netlink sockets.

        $ ls -l /usr/bin/firejail
        -rwsr-xr-x 1 root root 63600 Apr 21 11:17 /usr/bin/firejail

  2. Martin Honerkamp

    I tried to connect more than one bridge interfaces to firejail, but it uses only one. Will there be a future version which is capable of handling this?

    Reply
    1. netblue30 Post author

      It is hardcoded to a single bridge in this moment.

      I can definitely add support for multiple bridges in the next release. I think I’ll have a new version in about two or three weeks. Thanks for your suggestion.

      Reply
    1. netblue30 Post author

      OBS – Open Build Service?

      I assume you are on OpenSUSE. Probably you are missing two header files in /usr/include/linux directory: rtnetlink.h and if_link.h. These headers are installed by linux-glibc-devel package:

      netblue@linux-ch5m:~> zypper wp /usr/include/linux/rtnetlink.h
      Command 'what-provides' is replaced by 'search --provides --match-exact'.
      See 'help search' for all available options.
      Loading repository data...
      Reading installed packages...

      S | Name              | Summary                                 | Type
      --+-------------------+-----------------------------------------+--------
      i | linux-glibc-devel | Linux headers for userspace development | package

      Reply
      1. netblue30 Post author

        The standard C library / kernel combination is kind of old. Although it is not a good idea to fight it, this quick fix will mask the problem at compile time:

        Open src/lib/libnetlink.c in a text editor and add the following two lines of code on the first line in the file:

        #define RTEXT_FILTER_VF (1 << 0)
        #define IFLA_EXT_MASK __IFLA_MAX

        However, networking features in firejail (such as the --net option) will be broken. Thank you for letting me know, I'll add a note on the webpage mentioning OpenSUSE 12.1.

    1. netblue30 Post author

      Thank you for your patches. Regarding the last error, I’ve found a description of the problem here:

      https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges

      It basically requires dropping group privileges before taking away the user-level privileges. I’ve changed the order of setgid and setuid calls in src/firejail/sandbox.c. The new code looks like this:

      (around line 217)
      // drop privileges: group id first, then user id (POS36-C order)
      if (setgid(getgid()) < 0)
          errExit("setgid/getgid");
      if (setuid(getuid()) < 0)
          errExit("setuid/getuid");

      I have ready a test version on my regular download page on Sourceforge.

      http://sourceforge.net/projects/firejail/files/firejail/firejail-0.9.7-testing1.tar.bz2/download

      It has some new features and your patches applied. I hope I didn't introduce new problems. Big thanks!

      Reply
      1. new build

        Thanks. Now, here http://susepaste.org/view/raw/39609207 is the correcting patch with correct includes for the last SVN rev186 for openSUSE to fix those warnings. Second, with the last SVN rev186 another error appears:

        [ 39s] I: Program returns random data in a function
        [ 39s] E: firejail no-return-in-nonvoid-function firemon.h:46
        [ 39s] E: firejail no-return-in-nonvoid-function fs_var.c:221

      2. netblue30 Post author

        I hope I’ve fixed all of them in SVN rev187. If it is ok with you, I would add you to the authors list in the source archive.

        Thanks!

  3. new build

    Okay, now for the last 3 warnings http://susepaste.org/view/raw/9990404 for SVN rev187, and one main warning that needs to be fixed:
    trunk/src/firejail/fs_var.c:273: warning: the use of `mktemp' is dangerous, better use `mkstemp'
    There are also two other non-critical warnings which do not affect the build:
    profile.c:42:3: warning: suggest parentheses around assignment used as truth value
    fs.c:95:3: warning: implicit declaration of function 'ASSERT'

    After testing firejail with the browsers Firefox (clean profile) and Opera on Youtube I noticed that Flash Player didn't work (it starts and then stops after ~2-4 sec.) if DASH is enabled (it is used by Youtube for 1080p and 480p modes).
    Is it a current limitation of firejail or can it be fixed somehow via setup?

    Reply
    1. netblue30 Post author

      I put all the fixes in SVN rev 188, thanks.

      I didn't fix trunk/src/firejail/fs_var.c:273: warning: the use of `mktemp' is dangerous, better use `mkstemp'. I will leave it open for now; I intend to do a new release this week, and I'll fix it in the one after that.

      Firefox: flash should work in Firefox under Firejail. I use it all the time under Debian 7 and OpenSUSE 13.1. I do sometimes see the flash plugin crashing, usually the first time I try some youtube video after I started Firefox. If I reload the web page at that moment, all is fine. There should be no limitation introduced by Firejail, unless the plugin tries to access some files in the system where it is not allowed.

      Reply
      1. new build

        For the Flash related problem there is no crash, but an error ~2-4 sec. after streaming has started, like “try again later”, and it only fails with firejail if DASH is enabled, which can be reproduced every time. So can you please check if you are using the 1080p or 480p mode with firejail on the Youtube site?

  4. new build

    Also this issue come back again in SVN rev 187:
    [ 37s] firejail.x86_64: W: missing-call-to-setgroups-before-setuid /usr/bin/firemon
    [ 37s] firejail.x86_64: W: missing-call-to-setgroups-before-setuid /usr/bin/firejail
    [ 37s] This executable is calling setuid and setgid without setgroups or initgroups.
    [ 37s] There is a high probability this mean it didn’t relinquish all groups, and
    [ 37s] this would be a potential security issue to be fixed. Seek POS36-C on the web
    [ 37s] for details about the problem.

    Reply
  5. new build

    It didn't give any line numbers, but this error basically means that it is needed to call 'setgroups(0, NULL)' in both – firejail and firemon – when dropping privileges.

    Reply
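The privilege-revocation order discussed in the two comments above (CERT POS36-C: shed supplementary groups, then the group id, then the user id, and verify the result) as an added, self-contained example. This is not Firejail's code; the function names drop_privileges and verify_dropped are mine, and the program simply demotes itself to the invoking user's real uid/gid, which is what a SUID-root sandbox launcher does before executing the untrusted program.

```c
// Added example (not Firejail's own code): the privilege-revocation order from
// CERT POS36-C that the thread above discusses. A SUID-root program must shed
// supplementary groups first (setgroups), then the group id (setgid), then the
// user id (setuid). Calling setuid first would leave the process without the
// capability needed to change its groups afterwards, which is exactly what the
// rpmlint warning "missing-call-to-setgroups-before-setuid" quoted above means.
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

// Returns 0 when real, effective and saved ids all equal uid/gid and the
// process can no longer re-acquire root; -1 (errno = EPERM) otherwise.
static int verify_dropped(uid_t uid, gid_t gid) {
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;
    if (getresuid(&ruid, &euid, &suid) < 0 || getresgid(&rgid, &egid, &sgid) < 0)
        return -1;
    if (ruid != uid || euid != uid || suid != uid) { errno = EPERM; return -1; }
    if (rgid != gid || egid != gid || sgid != gid) { errno = EPERM; return -1; }
    // A correctly demoted process must be unable to become root again.
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

// Drop from (SUID) root to uid/gid in the order POS36-C requires.
// Returns 0 on success, -1 with errno set on failure.
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        // 1. Supplementary groups. Needs CAP_SETGID, so it only works while the
        //    process is still privileged; that is why it has to come first.
        //    (An unprivileged process cannot call setgroups, but it also has
        //    no elevated groups to revoke, so the step is skipped there.)
        if (setgroups(0, NULL) < 0) return -1;
    }
    // 2. Group id, before the user id: after setuid() the process would no
    //    longer be allowed to change its gid.
    if (setgid(gid) < 0) return -1;
    // 3. Finally the user id. setuid() called by a root process sets the real,
    //    effective and saved uid, so root cannot be regained later.
    if (setuid(uid) < 0) return -1;
    // Never trust the calls alone: confirm the result before running untrusted code.
    return verify_dropped(uid, gid);
}

int main(void) {
    uid_t uid = getuid();   // the invoking user, as Firejail uses getuid()/getgid()
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) < 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now running as uid %u gid %u with %d supplementary groups\n",
           (unsigned)uid, (unsigned)gid, getgroups(0, NULL));
    return 0;
}
```

Compile with `cc -o dropdemo dropdemo.c`; run as an ordinary user it confirms the process is already unprivileged, and installed SUID root (the Firejail situation) it demotes itself and refuses to continue if any of the three identities still differs from the caller's. The final `setuid(0)` probe inside verify_dropped is the check that distinguishes a real drop from a temporary one that left the saved uid at 0.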
    1. netblue30 Post author

      Sound should be working, there is nothing special about it as far as I know. I am using it all the time on youtube videos in Firefox, mainly with the sound set for pulse-audio. I’ve seen it also working in ALSA. What problems do you have?

      Reply
      1. new build

        After investigating the sound issue I've found that it wasn't related to firejail, but it was a sound permissions problem – since firejail runs as another user, it needs to allow other users to use alsa shared memory to use the device at the same time (when using alsa, but not pulse). It seems that the DASH problem also may be related to this.

  6. new build

    I had permitted IPC for all users, but that still leaves this issue (I have tested the sound with other user accounts – it works, but when starting “speaker-test” from the same user via “$firejail speaker-test”: Playback open error: -13,Permission denied.)

    What am I missing here ?

    P.S.: Also with the last version of firejail I'm having unstable firefox behavior – firejail can quit, but leave firefox running as a zombie (and all its processes (like plugin-container) are running too). This all happens with the following error on Youtube (probably flash related):
    ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 2 requests ago: file /home/abuild/rpmbuild/BUILD/mozilla/toolkit/xre/nsX11ErrorHandler.cpp, line 157

    After this error Firefox always freezes, and in some cases firejail also can quit, as I mentioned before

    Reply
    1. new build

      Also this line:
      ###!!! ABORT: Aborting on channel error.: file /home/abuild/rpmbuild/BUILD/mozilla/ipc/glue/MessageChannel.cpp, line 1522
      So it is somehow related to IPC too, and it is triggered by Flash Player (if it is disabled, no freeze and no error) + Firejail + Firefox all the time.

      I’m using NVIDIA proprietary driver.

      Reply
  7. new build

    In latest release:
    I: A function overflows or underflows an array access. This could be a real error,
    [ 98s] but occasionaly this condition is also misdetected due to loop unrolling or strange pointer
    [ 98s] handling. So this is warning only, please review.
    [ 98s] W: firejail arraysubscript list.c:42, 53

    speaker-test also still failing on this release.

    Reply
    1. netblue30 Post author

      It is an ugly bug, thanks! I've just put out a new release fixing it. Let me know if you run into anything else.

      I am seeing something strange on my Debian 7 station with speaker-test. I start it, and after 2 or 3 minutes it starts working. Still looking into it.

      Reply
  8. Pingback: Linux Software Release, August 2014 | SoftNews

  9. Russell Allen

    Hi! Trying to run a JIT VM within the jail, it works without --seccomp but as soon as I choose --seccomp it dies. Presumably it is trying to do something forbidden! Is there a way to find out what and adjust either the VM or the firejail seccomp filter?

    Reply
    1. netblue30 Post author

      It is very difficult to debug what happened; the kernel kills the process as soon as something out of the ordinary is detected. Or it could be just a bug in the program. The seccomp environment is very restrictive, and some bugs become more visible.

      Reply
      1. Russell Allen

        That's a bit of a pain – it's a pretty complex VM :) Is it possible to specify the seccomp restrictions in a profile? Then I could try to see which restriction breaks things. I have previously got it working in an SELinux sandbox, so hopefully it is possible.

  10. Pingback: Firejail – A Security Sandbox for Mozilla Firefox | SoftNews

  11. Pingback: Bookmarks for September 22nd | Chris's Digital Detritus

  12. somePasserby

    A bug report:

    Attempt to jail Skype 4.3 (linux, 32 bit) under Xubuntu 12.04.4 results in failure.
    Specifically, skype launches and plays sounds, but during an outgoing call, moments before the call is connected, it crashes.
    --seccomp and --caps do not affect the behavior much (the crash causes the notification to “get stuck” if --seccomp was used though)

    The console content is as follows:

    ====
    useracc@ubuntu:~$ firejail --debug skype
    Found skype profile in /etc/firejail directory
    Reading /etc/firejail/skype.profile
    Using the local network stack
    Parent pid 4494, child pid 4495
    Initializing child process
    PID namespace installed
    Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
    Mounting tmpfs on /run/shm on behalf of /dev/shm
    Mounting tmpfs on /run/lock on behalf of /var/lock
    Mounting tmpfs on /var/tmp
    Mounting tmpfs on /var/log
    Mounting tmpfs on /var/lib/dhcp
    Mounting tmpfs on /var/lib/snmp
    Mounting tmpfs on /var/lib/sudo
    Disable /sbin
    Disable /usr/sbin
    Disable /bin/umount
    Disable /bin/mount
    Disable /bin/fusermount
    Disable /bin/su
    Disable /usr/bin/sudo
    Disable /usr/bin/strace
    Disable /home/useracc/.gnome2/keyrings
    Disable /home/useracc/.pki/nssdb
    Disable /home/useracc/.local/share/recently-used.xbel
    Disable /home/useracc/.mozilla
    Disable /home/useracc/SomeStuff
    Disable /home/useracc/SomeStuffneo
    Disable /home/useracc/Desktop
    Disable /home/useracc/.cache/mozilla
    Disable /home/useracc/.cache/google-chrome
    Disable /home/useracc/.cache/chromium
    Disable /home/useracc/.config/google-chrome
    Disable /home/useracc/.config/chromium
    Remounting /proc and /proc/sys filesystems
    Disable /proc/sysrq-trigger
    Disable /proc/sys/kernel/hotplug
    Disable /sys/kernel/uevent_helper
    Disable /proc/irq
    Disable /proc/bus
    Disable /proc/kcore
    Disable /proc/kallsyms
    Mounting a new /boot directory
    Disable /dev/port
    Interface  IP            Mask           Status
    lo         127.0.0.1     255.0.0.0      UP
    wlan0      192.168.5.67  255.255.0.0    UP
    lxcbr0     10.0.3.1      255.255.255.0  UP
    tun0       10.10.0.3     255.255.0.0    UP

    Starting skype
    Child process initialized
    Assertion 'b' failed at pulsecore/memblock.c:454, function pa_memblock_acquire(). Aborting.

    parent is shutting down, bye…
    ====

    Any workarounds ? I really hate having Skype run around, but I have to use the goddamned thing

    Reply

  13. somePasserby

    I tried that.
    Doesn’t help, sadly.

    Also, the pulseaudio doesn’t crash when used with Skype without firejail, and doesn’t crash when skype is chrooted, which suggests that there’s something about Firejail’s isolation that destabilizes pulse.

    Also Skype/pulse doesn't crash on Ubuntu 14 when run in LXC (but my little laptop doesn't work all that well with 14, so I am doomed to stick with 12 on it for a loooong while :( )

    Reply
    1. netblue30 Post author

      Sorry to hear that. There could be something with the isolation; I see a number of x11 programs, usually gtk/x11 programs, that are crashing trying to access shared memory. I don't see this kind of problem when running qt4/x11 programs. Also I've found ALSA much more stable than pulseaudio.

      I’ll try to look into it, thanks!

      Reply
      1. somePasserby

        Okay, done more playing around.
        Apparently, the kosher way of disabling pulse’s shared memory use on Xubuntu is
        disable-shm = true
        (enable-shm = false doesn’t help for some obscure reason)

        With pulse no longer using shared memory, the crashes when jailing skype have stopped (th-th-the l-lattency is al-most un-bearable, but I can handle it).
        So the problem is (partially) solved, and is definitely due to something odd happening to shared memory when firejail is doing its deed.

      2. netblue30 Post author

        I think I have a fix for pulseaudio problems, including the latency you’ve been seeing. I put out a new release 0.9.12.2. You would need first to re-enable shm in pulse audio, so remove “disable-shm = true” from the configuration and reboot your box, then try again with version 0.9.12.2.

        I had something very similar in CentOS 7 when playing youtube videos in Firefox. The sound would start playing about 10 seconds into the video. 0.9.12.2 fixes it.

        Thank you for your help debugging this problem.

  14. somePasserby

    Also, a question – would it be acceptable to use the --net parameter to specify a non-bridge interface to use?

    Say, I have a VPN which has already set up a tun0 , mayhaps it would be possible to use Firejail so that a given “suspicious application” can only use tun0 for its communication ?

    (of course, one could set up a bridge (br0) and the IPtables rule to forward traffic between tun0 and br0, but that sounds like work ;-)

    Reply
    1. netblue30 Post author

      --net at this moment accepts only bridge devices such as br0. I guess I can add support for tun/tap devices. This should be interesting! I'll look into it, thanks.

      Reply
      1. somePasserby

        That would be great, since it would make it easy (as in, no iptables knowledge needed) to pretty reliably ensure that “naughty” apps will only be able to connect through the VPN, and that no intermittent leaks (DNS, etc.) can happen if there is a hiccup in the connection.

  15. somePasserby

    Unfortunately the 0.9.12.2 does not fix it.

    When shm is enabled for pulseaudio, every call results in crash.

    The console prints this:

    Assertion 'b' failed at pulsecore/memblock.c:454, function pa_memblock_acquire(). Aborting.

    Then skype freezes.

    Interestingly, Xubuntu was able to generate a crash log this time.
    It claims /sbin/init has crashed.

    The file is pretty huge, plus I don’t know how to sanitize it (it’s my work laptop. I’m pretty sure there is a lot of stuff in there that needs to be sanitized)

    I’ll try to copy/paste the beginning here.

    Hope it helps.

    Reply
  16. somePasserby

    One more (supposedly unrelated) bug (I am a huge pain, sorry )

    If the --name parameter is passed when jailing skype via firejail, two error messages are eventually printed to the console
    ====
    _IceTransSocketUNIXConnect: Cannot connect to non-local host ubuntu
    _IceTransSocketUNIXConnect: Cannot connect to non-local host ubuntu
    ====
    After that, Skype’s behavior becomes increasingly erratic (increasing sound latency, odd “drops” getting worse with every call).

    Reply
    1. netblue30 Post author

      --name changes the hostname of the system to what you specify. Somehow /etc/hostname does not reflect the new hostname. I'll add it to my list of problems to fix, thanks!

      Reply
