Firejail 0.9.28 Release Announcement

We are happy to announce the release of Firejail version 0.9.28 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release contains significant improvements, and a large number of enhancements and bug fixes.

Most new features in this release are network namespaces features. A network namespace is basically a new TCP/IP stack. It is created and attached to the sandbox by using –net command line option. The stack is totally isolated from the host stack, it has its own routing table, netfilter firewall, and its own set of interfaces. Regular Ethernet or bridge interfaces can be supplied as parameters to –net option.

In the examples to follow we will use the main Ethernet interface, eth0. Sandboxes created this way appear to be on the same network as the host computer.

Continue reading

Firejail Seccomp Guide

Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The sandbox is lightweight, the overhead is low. There are no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.

Seccomp-bpf stands for secure computing mode. It’s a simple, yet effective sandboxing tool introduced in Linux kernel 3.5. It allows the user to attach a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel. Seccomp filters are expressed in Berkeley Packet Filter (BPF) format.

Continue reading

Firejail Linux Capabilities Guide

Traditional UNIX implementations distinguish between two categories of processes: privileged and unprivileged. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on effective user and group ids (UID/GID), and supplementary group list.

With the introduction of capabilities in Linux kernel 2.2, this has changed. Capabilities (POSIX 1003.1e) are designed to split up the root privilege into a set of distinct privileges which can be independently enabled or disabled. These are used to restrict what a process running as root can do in the system. For instance, it is possible to deny filesystem mount operations, deny kernel module loading, prevent packet spoofing by denying access to raw sockets, deny altering attributes in the file system.

In this article I describe the Linux capabilities feature of Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, thus restricting what processes can do, and somehow reducing the attack surface of the kernel.

Continue reading

Firejail – A Security Sandbox for Mozilla Firefox, Part 2

In part 2 of this series, we look at some new browser sandboxing developments in Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target.

Default profiles

Default profiles are stored in /etc/firejail and they describe the sandboxing environment for specific applications. In the latest versions of Firejail, the default profiles are applied automatically unless a different profile is requested by the user. Start it as firejail appname. Examples:

$ firejail firefox
$ firejail chromium
$ firejail midori
$ firejail opera

The sandbox consists of a mount namespace built on top of the current filesystem, with most directories marked read only, several empty system directories, and a manicured home directory. Linux capabilities filters and seccomp-bpf filters are also enabled. You can always check the current profile by running the sandbox with –debug option:
Continue reading