Firejail Linux Capabilities Guide

Traditional UNIX implementations distinguish between two categories of processes: privileged and unprivileged. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on effective user and group ids (UID/GID), and supplementary group list.

With the introduction of capabilities in Linux kernel 2.2, this has changed. Capabilities (POSIX 1003.1e) are designed to split up the root privilege into a set of distinct privileges which can be independently enabled or disabled. These are used to restrict what a process running as root can do in the system. For instance, it is possible to deny filesystem mount operations, deny kernel module loading, prevent packet spoofing by denying access to raw sockets, deny altering attributes in the file system.

In this article I describe the Linux capabilities feature of Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, thus restricting what processes can do, and somehow reducing the attack surface of the kernel.

Continue reading

Firejail – A Security Sandbox for Mozilla Firefox, Part 2

In part 2 of this series, we look at some new browser sandboxing developments in Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target.

Default profiles

Default profiles are stored in /etc/firejail and they describe the sandboxing environment for specific applications. In the latest versions of Firejail, the default profiles are applied automatically unless a different profile is requested by the user. Start it as firejail appname. Examples:

$ firejail firefox
$ firejail chromium
$ firejail midori
$ firejail opera

The sandbox consists of a mount namespace built on top of the current filesystem, with most directories marked read only, several empty system directories, and a manicured home directory. Linux capabilities filters and seccomp-bpf filters are also enabled. You can always check the current profile by running the sandbox with –debug option:
Continue reading

Lightweight Ubuntu: LXDE Desktop from Scratch

The overall Linux performance depends on the amount of system resources your desktop environment is using. Lightweight desktop environments such as LXDE consume less resources, and are ideal for older computers that can’t keep up with heavier Linux desktop environments.

This article describes how to build an Ubuntu-based LXDE system piece by piece. It is a longer process but the resulting system is as small and light as it possibly gets. I start by installing a regular Ubuntu 14.10 server system and add desktop functionality on top of it in small steps.

Server Install

The installation of Ubuntu Server is actually very straight forward. You first need to download the ISO image from the Ubuntu Website and burn it to a CD. You can also copy the ISO image to a USB flash drive.

Boot the computer from CD or USB stick and go trough the install menus one by one.

Ubuntu Server 14.10 install

Ubuntu Server 14.10 install

Continue reading

Running Dropbox in Firejail Sandbox

This article describes how to move an existing Dropbox installation in a restricted home directory and how to run it inside Firejail security sandbox.

Introducing Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

The download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)

An Arch Linux package is also available in AUR.
Continue reading

Debian/Ubuntu Cross-distro Gaming with Firejail

I like Debian 7 and I appreciate the stability and the large number of software packages available. However, some of the software I need is not available in Debian Stable. And there are also packages I would like to access in Ubuntu Software Center, and over 100 Linux games on gog.com. Sounds familiar? In this article I describe my cross-distro Linux setup and how I handle newer Ubuntu software in older distros such as Debian 7.

Ubuntu 14.04 version of AssaultCube running on Debian 7

Ubuntu 14.04 version of AssaultCube running on Debian 7

Debian/Ubuntu setup

I have a dual-boot setup. On one partition I have Debian 7. I spend most of my time here, this is my main Linux desktop. On a different partition I have Ubuntu 14.04. I used to boot into Ubuntu occasionally for playing games or for testing my software on a newer compiler tool chain. Not anymore! My new setup allows me to run programs on Ubuntu partition directly from Debian, without the need to boot back and forth between the two distros.

The key to this setup is to have the same user id set in both distributions. This happens by default if the first user you configure during install is the same in both distros. You can check it out by running id command in Debian and Ubuntu:

Continue reading