We are happy to announce the release of Firejail version 0.9.8. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The new release brings several bugfixes, a number of new security features, and new monitoring capabilities:
User privilege level locking
It is based on the no_new_privs feature introduced in Linux kernel version 3.5. The no_new_privs bit is a generic mechanism that makes it safe for a process to modify its execution environment in a manner that persists across execve. Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset.
If a program is started in the sandbox as a regular user, the program and all its children cannot gain root privileges via the execve system call mentioned above. Regular utilities such as su and sudo are rendered useless, SUID programs are disabled, and direct attacks on programs using setuid and setgid calls are prevented.
This is an example of a bash session running in Firejail, protected against su/sudo privilege changes. SUID programs such as ping will also fail.
The feature is part of seccomp support and is enabled using the --seccomp option if the system is running Linux kernel 3.5 or newer. On kernels 3.4 or older the feature is disabled and a warning is printed on the console.
Note: as explained by Andy Lutomirski, the author of the no_new_privs feature in the Linux kernel, the feature does not prevent exploits that do not involve the execve system call. However, the attack surface available to an unprivileged user is reduced.
Seccomp (alias for “secure computing”) is a filtering mechanism that allows processes to specify an arbitrary filter of system calls (expressed as a Berkeley Packet Filter program) that should be forbidden. Berkeley Packet Filter support for seccomp was introduced in Linux kernel 3.5.
Many filesystem features in Firejail, such as mounting the filesystem read-only or disabling the hotplug and uevent_helper features under the /proc and /sys directories, depend on the removal of mount/unmount support in the sandbox. This is easily accomplished by blacklisting the mount and umount2 system calls in seccomp.
Another system call disabled in the current version of Firejail is ptrace. This system call allows an attacker to interrogate and modify running processes started by the user. Tools such as strace and gdb are based on the ptrace system call.
This is the list of system calls disabled by this feature:
The feature is enabled using the --seccomp option. On kernels 3.4 or older the feature is disabled and a warning is printed on the console. The seccomp filter is inherited by all child processes running in the sandbox.
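The privilege lock and the seccomp blacklist described in the two sections above are two halves of one mechanism, so here is one added example (my code, not Firejail's) that does both: it sets the no_new_privs bit with PR_SET_NO_NEW_PRIVS and then installs a seccomp BPF filter for the three system calls named on this page, mount, umount2 and ptrace. The filter action is SECCOMP_RET_ERRNO, so a blocked call fails with EPERM rather than killing the process; that action, the architecture check and the function names are my choices and say nothing about what Firejail itself does. The ordering is not optional: a thread without CAP_SYS_ADMIN can only install a filter after no_new_privs is set, which is exactly why the page presents the privilege lock as part of seccomp support.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The filter compares raw syscall numbers, which differ per ABI, so it must
 * refuse to run under any architecture other than the one it was built for. */
#if defined(__x86_64__)
#  define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define DEMO_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* User privilege level locking: set the no_new_privs bit. It is inherited by
 * every child and can never be cleared again. Returns 0 on success. */
int lock_privileges(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* 1 once the bit is set on the calling thread, 0 before. */
int privileges_locked(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Seccomp blacklist for mount, umount2 and ptrace; every other call is allowed.
 * A blacklisted call fails with EPERM (the action is my choice for this demo).
 * Returns 0 on success, -1 with errno set otherwise. */
int install_blacklist(void) {
    struct sock_filter filter[] = {
        /* [0-2] architecture check: anything else is killed outright */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* [3-8] load the syscall number; a match jumps to the ERRNO return */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount,   3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace,  1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };

    /* Without CAP_SYS_ADMIN the kernel only accepts a filter once no_new_privs is
     * set, so the privilege lock is a prerequisite of the filter, not an option. */
    if (lock_privileges() < 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0);
}

/* Probe for use after installation: the errno ptrace() fails with, 0 if it succeeded. */
int ptrace_denied_errno(void) {
    errno = 0;
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0) return 0;
    return errno;
}

int main(void) {
    if (install_blacklist() < 0) { perror("seccomp filter"); return 1; }
    printf("no_new_privs=%d  ptrace -> errno %d (EPERM is %d)\n",
           privileges_locked(), ptrace_denied_errno(), EPERM);
    return 0;
}
```

Run it as an ordinary user: the filter installs because the bit was set first, and the ptrace probe comes back with EPERM. Comment out the lock_privileges() call and the same prctl(PR_SET_SECCOMP) fails with EACCES for an unprivileged user, which is the dependency the text describes.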
Kernel module loading and system restart disabled
Kernel module loading/unloading and system restarts are disabled in the sandbox by dropping the CAP_SYS_MODULE and CAP_SYS_BOOT capabilities. The capability set is inherited by all child processes running in the sandbox. It is also enforced by the seccomp filter.
The feature is enabled using the --seccomp option.
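As an added illustration of the capability side of this feature (again my code, not Firejail's), the following removes CAP_SYS_MODULE and CAP_SYS_BOOT from the capability bounding set with PR_CAPBSET_DROP, reads the set back with PR_CAPBSET_READ, and forks a child to show that the result is inherited. Dropping needs CAP_SETPCAP, which a SUID sandbox launcher has and a plain user does not; the function names and the EPERM handling are mine.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <linux/capability.h>

/* The two capabilities this release drops: module loading and reboot/kexec. */
static const int DROPPED_CAPS[] = { CAP_SYS_MODULE, CAP_SYS_BOOT };

/* 1 if cap is still in the calling thread's bounding set, 0 if it has been
 * removed, -1 if the kernel does not know the capability. */
int cap_in_bounding_set(int cap) {
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Remove both capabilities from the bounding set. Once gone they cannot be
 * regained by this thread or by anything it forks or execs, not even through a
 * SUID binary or file capabilities, which is why it is done before the sandboxed
 * program starts. Needs CAP_SETPCAP: an unprivileged caller gets -EPERM and its
 * bounding set is left as it was. Returns 0 on success, -errno otherwise. */
int drop_module_and_boot_caps(void) {
    for (size_t i = 0; i < sizeof DROPPED_CAPS / sizeof DROPPED_CAPS[0]; i++)
        if (prctl(PR_CAPBSET_DROP, DROPPED_CAPS[i], 0, 0, 0) < 0) return -errno;
    return 0;
}

/* 1 when neither capability can be acquired any more. */
int module_and_boot_unavailable(void) {
    return cap_in_bounding_set(CAP_SYS_MODULE) == 0 &&
           cap_in_bounding_set(CAP_SYS_BOOT) == 0;
}

/* The bounding set is inherited across fork and execve: a child reports the same
 * answer as its parent. Returns the child's module_and_boot_unavailable(), -1 on error. */
int child_sees_same_bounding_set(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(module_and_boot_unavailable());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int rc = drop_module_and_boot_caps();
    if (rc == -EPERM) puts("not privileged: CAP_SETPCAP is needed to drop from the bounding set");
    else if (rc < 0) { errno = -rc; perror("PR_CAPBSET_DROP"); return 1; }
    printf("CAP_SYS_MODULE/CAP_SYS_BOOT unavailable: parent=%d child=%d\n",
           module_and_boot_unavailable(), child_sees_same_bounding_set());
    return 0;
}
```

Note that the bounding set only caps what can be gained; a process that already holds a capability in its effective set keeps it until it is also cleared there, which is the reason the page pairs the drop with the seccomp filter for the corresponding system calls.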
The new version of the firemon monitoring utility distributed with Firejail gains support for monitoring specific sandboxes using the Process Events Connector feature of the Linux kernel. The sandbox PID is specified as an argument to the firemon command. The command allows the administrator to trace and log all fork, exec, id change, and exit events in the sandbox. This is an example of Mozilla Firefox starting the Adobe Flash plugin on a YouTube video:
Lastly, both firejail and firemon gain support for process top functionality, providing a dynamic real-time view of all sandboxes running in the system, similar to the Linux top command:
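To show what such a monitor involves, here is an added example written by me, not the firemon source: it subscribes to the Process Events Connector over a NETLINK_CONNECTOR socket, decodes the fork, exec, uid/gid change and exit records the kernel multicasts, and keeps only events whose process sits below the sandbox PID given on the command line. How firemon itself attributes events to a sandbox is not stated on the page; walking the parent chain through /proc/<pid>/stat is my assumption. The SAMPLE_FORK record is constructed, not captured, and is what the program decodes when run without the privileges the subscription needs.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/connector.h>
#include <linux/cn_proc.h>

/* Subscribe to the Process Events Connector multicast group. Needs CAP_NET_ADMIN,
 * which is why such a monitor runs as root. Returns the netlink socket or -1. */
int proc_events_subscribe(void) {
    int sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_CONNECTOR);
    if (sock < 0) return -1;
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_pid = getpid(), .nl_groups = CN_IDX_PROC };
    if (bind(sock, (struct sockaddr *)&sa, sizeof sa) < 0) { close(sock); return -1; }
    /* netlink header, connector header, LISTEN opcode: sent as one datagram */
    struct { struct nlmsghdr nl; struct cn_msg cn; enum proc_cn_mcast_op op; } __attribute__((packed)) req;
    memset(&req, 0, sizeof req);
    req.nl.nlmsg_len = sizeof req;
    req.nl.nlmsg_type = NLMSG_DONE;
    req.nl.nlmsg_pid = getpid();
    req.cn.id.idx = CN_IDX_PROC;
    req.cn.id.val = CN_VAL_PROC;
    req.cn.len = sizeof req.op;
    req.op = PROC_CN_MCAST_LISTEN;
    if (send(sock, &req, sizeof req, 0) != (ssize_t)sizeof req) { close(sock); return -1; }
    return sock;
}

/* Thread group the event is about (the parent, for a fork); -1 for kinds not logged. */
pid_t event_pid(const struct proc_event *ev) {
    switch (ev->what) {
    case PROC_EVENT_FORK: return ev->event_data.fork.parent_tgid;
    case PROC_EVENT_EXEC: return ev->event_data.exec.process_tgid;
    case PROC_EVENT_UID:  /* uid and gid changes share the id layout */
    case PROC_EVENT_GID:  return ev->event_data.id.process_tgid;
    case PROC_EVENT_EXIT: return ev->event_data.exit.process_tgid;
    default:              return -1;
    }
}

/* One log line per event. Returns 1 for fork/exec/id change/exit, 0 for anything else. */
int describe_event(const struct proc_event *ev, char *buf, size_t n) {
    const char *kind;
    int detail = 0;
    switch (ev->what) {
    case PROC_EVENT_FORK: kind = "fork, child";      detail = ev->event_data.fork.child_tgid;  break;
    case PROC_EVENT_EXEC: kind = "exec";             detail = ev->event_data.exec.process_pid; break;
    case PROC_EVENT_UID:  kind = "uid change, euid"; detail = ev->event_data.id.e.euid;        break;
    case PROC_EVENT_GID:  kind = "gid change, egid"; detail = ev->event_data.id.e.egid;        break;
    case PROC_EVENT_EXIT: kind = "exit, code";       detail = ev->event_data.exit.exit_code;   break;
    default:              return 0;
    }
    if (buf && n) snprintf(buf, n, "pid %d: %s %d", (int)event_pid(ev), kind, detail);
    return 1;
}

/* Parent pid read from /proc/<pid>/stat, or -1 if the process is gone. */
static pid_t parent_of(pid_t pid) {
    char path[64], line[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char *got = fgets(line, sizeof line, f);
    fclose(f);
    char *p = got ? strrchr(line, ')') : NULL;  /* comm may contain spaces: scan past its ')' */
    int ppid;
    if (!p || sscanf(p + 2, "%*c %d", &ppid) != 1) return -1;
    return ppid;
}

/* Does the parent chain from pid reach root? Events whose process is in the subtree
 * below the sandbox pid belong to that sandbox; everything else is dropped. */
int pid_is_descendant(pid_t pid, pid_t root) {
    for (int hops = 0; pid > 0 && hops < 4096; hops++) {
        if (pid == root) return 1;
        pid = parent_of(pid);
    }
    return 0;
}

/* Constructed sample: the record the kernel emits when pid 4242 forks 4243 (not a capture). */
const struct proc_event SAMPLE_FORK = {
    .what = PROC_EVENT_FORK, .timestamp_ns = 1000,
    .event_data.fork = { .parent_pid = 4242, .parent_tgid = 4242, .child_pid = 4243, .child_tgid = 4243 },
};

int main(int argc, char **argv) {
    pid_t sandbox = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();  /* sandbox pid as the argument */
    char line[128];
    int sock = proc_events_subscribe();
    if (sock < 0) {  /* unprivileged: just show the decoder on the sample record */
        describe_event(&SAMPLE_FORK, line, sizeof line);
        return puts(line) < 0;
    }
    for (;;) {
        char buf[4096] __attribute__((aligned(8)));
        struct proc_event ev;
        ssize_t len = recv(sock, buf, sizeof buf, 0);
        if (len <= 0) break;
        struct nlmsghdr *nl = (struct nlmsghdr *)buf;
        struct cn_msg *cn;
        if (!NLMSG_OK(nl, (unsigned)len) || (cn = NLMSG_DATA(nl))->len < sizeof ev) continue;
        memcpy(&ev, cn->data, sizeof ev);  /* the record is not aligned inside the datagram */
        if (pid_is_descendant(event_pid(&ev), sandbox) && describe_event(&ev, line, sizeof line))
            puts(line);
    }
    return 0;
}
```

Run as root with a sandbox PID as the argument it prints one line per event in that process tree; run unprivileged it decodes the constructed sample instead. Because the connector delivers events for every process on the system, the pid_is_descendant filter is what turns a system-wide firehose into a per-sandbox log.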
For more information please visit the project website.