We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table and IPC space.
Introducing Firejail
The software is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. Firejail is included in Ubuntu 15.10 and Debian testing. For other distributions, the download page provides:
- source code (./configure && make && sudo make install)
- .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
- .rpm packages for OpenSUSE/Fedora/CentOS 7 (rpm -i firejail.rpm)
An Arch Linux package is available in AUR.
Mozilla Firefox
The command to start Firefox in a Firejail sandbox is:
$ firejail firefox
or, with debug output:
$ firejail --debug firefox
The sandbox runs a chroot filesystem built on the fly on top of your current filesystem. Directories are either mounted read-only or totally cleared, files with passwords and encryption keys are blocked, and the private information in your home directory is unavailable. In fact, only two directories are imported from your home, ~/.mozilla and ~/Downloads. All the modifications in these directories are persistent. Everything else is created in a temporary filesystem and will be discarded when the browser is closed.
The way the filesystem is built is controlled from /etc/firejail/firefox.profile; modifying it is pretty straightforward.
Firejail uses a number of security filters to enforce the chroot:
- Seccomp-bpf is a mechanism to reduce the range of operations available to a given process by blacklisting specific system calls. It was introduced in Linux kernel 3.5. The filter implemented in Firejail currently disables a large number of system calls, reducing the kernel attack surface. Seccomp-bpf is enabled by default for Mozilla Firefox.
- Starting with kernel 2.2, Linux divides the privileges traditionally associated with the superuser into distinct units, known as capabilities (POSIX 1003.1e). The feature provides fine-grained control over superuser permissions. To further reduce the attack surface and enhance security, Firejail disables all capabilities. The feature is enabled by default for Mozilla Firefox.
- Firejail runs Firefox in a user namespace. The namespace has only one user defined, the current user; there is no root user account defined inside the namespace. The sandbox enables the namespace by default, depending on the version of the kernel running the system.
Although most security features are enabled by default, a number of features are only enabled using command line options:
- In private mode Firejail mounts empty temporary filesystems (tmpfs) on top of the user home directory and /tmp. Closing the sandbox will discard any new files created in these directories, including ~/.mozilla and ~/Downloads. Private mode always starts the browser with factory defaults, protecting it from malicious addons and plugins the user might have installed in the past. It is mainly used for accessing bank websites and the like:
  $ firejail --private firefox
  For more information about private mode and high security browser setups see part 3 of this series.
- A network namespace is one of the most interesting security options provided by the Linux kernel. It is basically a brand new TCP/IP networking stack created for the sandbox, coming with its own routing table, set of network interfaces and, most important, its own iptables/netfilter module. Attaching a network namespace to your browser sandbox is described in part 3 of this series.
- Small home routers connecting us to our Internet service provider are ridiculously insecure. Bugs and backdoors are actively exploited in these routers, the main target being the DNS server setup. Firejail provides a --dns option allowing the user to set their own DNS setting, without relying on the external router:
  $ firejail --dns=8.8.8.8 firefox
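To make the seccomp-bpf item above concrete, here is an added example, written for this page and not taken from Firejail's source, of the kind of blacklist filter it describes: a classic-BPF program that returns EPERM for a list of syscall numbers and allows everything else, installed with prctl(2) after setting no_new_privs. The function names (build_blacklist, install_blacklist, probe_uname), the demo syscall list and the inclusion of uname(2) in it are assumptions made for the demonstration; uname is in the list only because it otherwise always succeeds for an unprivileged process, so the effect of the filter can be observed without root. It assumes Linux 3.5 or later on x86_64, aarch64 or i386.

```c
/* Added example (not Firejail's code): a seccomp-bpf syscall blacklist.
 * Blocked syscalls fail with EPERM, everything else is allowed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/utsname.h>

#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define MAX_FILTER_INSNS 64

/* Build the BPF program into `out`. Layout: arch check (3 insns), load of the
 * syscall number (1), one compare per blacklisted syscall (n), then the ALLOW
 * and ERRNO returns (2). Returns the instruction count, or 0 if it won't fit. */
size_t build_blacklist(struct sock_filter *out, size_t cap,
                       const int *blocked, size_t n)
{
    size_t needed = 4 + n + 2;
    if (needed > cap || needed > BPF_MAXINSNS || n > 255) return 0;
    size_t i = 0;
    /* Kill the process if the syscall comes in through a foreign ABI
     * (e.g. 32-bit syscalls on a 64-bit kernel), which has different numbers. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* Load the syscall number into the accumulator. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* Each compare jumps forward (n - k) instructions to the ERRNO return when
     * the number matches; the last compare falls through to ALLOW otherwise. */
    for (size_t k = 0; k < n; k++) {
        unsigned char jt = (unsigned char)(n - k);
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)blocked[k], jt, 0);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    return i;
}

/* Install the filter for this process and everything it forks or execs.
 * Without CAP_SYS_ADMIN the kernel insists on no_new_privs first, which also
 * stops the sandboxed program from regaining privilege through setuid binaries.
 * Returns 0 on success, -1 with errno set otherwise. */
int install_blacklist(const int *blocked, size_t n)
{
    struct sock_filter insns[MAX_FILTER_INSNS];
    size_t len = build_blacklist(insns, MAX_FILTER_INSNS, blocked, n);
    if (len == 0) { errno = E2BIG; return -1; }
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Probe: returns 0 if uname(2) succeeded, otherwise the errno it produced. */
int probe_uname(void)
{
    struct utsname u;
    return uname(&u) == 0 ? 0 : errno;
}

/* Constructed demo list: three calls of the kind Firejail blacklists, plus
 * uname so the effect is visible from an unprivileged process. */
static const int demo_blocked[] = { SYS_mount, SYS_ptrace, SYS_kexec_load, SYS_uname };
#define DEMO_BLOCKED_COUNT (sizeof demo_blocked / sizeof demo_blocked[0])

int main(void)
{
    printf("uname before filter: errno=%d\n", probe_uname());
    if (install_blacklist(demo_blocked, DEMO_BLOCKED_COUNT) != 0) {
        perror("install_blacklist");
        return 1;
    }
    int e = probe_uname();
    printf("uname after filter: errno=%d (%s)\n", e, strerror(e));
    return 0;
}
```

Once installed the filter cannot be removed, and it is inherited by children, which is what lets a sandbox set it up and then exec the browser. A program that needs one of the blocked calls will see EPERM from it rather than being killed, so this ERRNO form is the one to use while working out which calls an application actually needs.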
Chromium
This is a Chromium web browser running inside a Firejail sandbox:
$ firejail chromium-browser
The chroot filesystem is similar to the Mozilla Firefox one, with only the configuration directory ~/.config/chromium and ~/Downloads imported from the real home directory.
The funny part is that the Chromium browser sandboxes itself in its own Linux-namespaces SUID sandbox, so what you have here is a sandbox in a sandbox running a browser. The Chromium sandbox is similar to Firejail: it implements its own seccomp filter, but it leaves the filesystem wide open.
Midori
There’s a new kitten on the block:
$ firejail midori
Midori is a very impressive browser built using WebKit and GTK+2/3. It is lightweight and fast, with a familiar interface. Compared to Firefox and Chromium, it will play your Donald & Daisy videos in less than half the memory.
Conclusion
To conclude, it is important to mention Firejail was designed to be generic. It can run servers and GUI programs, or it can work as a login shell for SSH or telnet users. You can find more information about the sandbox on the project page. Also, Firejail was featured on Linux Action Show (LAS 333, at 0:10:15).
Reblogged this on Typing Loud, Knowing Nothing. and commented:
I’m giving this a try.
I maintain firejail in the arch user repository (it’s a bit behind, but I’ll update it soon) and really like it, but I have some problems with getting sound to work with pulseaudio and Firefox running inside a firejail. Is this a known issue and if not how should I debug it?
Thank you for building and maintaining firejail packaged in Arch!
Updated Sept 22:
I think I have a fix for the problem. A new release is coming in the next few days. Thanks for letting me know!
I’ve just released a new version, hopefully it will fix the pulseaudio problem.
I’ll sadly need a few weeks to test this, because I don’t have access to my main PC at the moment, but I’ll report back then.
No problem, leave a message here when you get a chance.
I have modified /etc/chromium-browser/default
CHROMIUM_FLAGS="--disk-cache-dir=/dev/null --disk-cache-size=1 --incognito -start-maximized"
So when I try firejail chromium-browser I get:
$ firejail chromium-browser
Reading /etc/firejail/chromium-browser.profile
Parent pid 3840, child pid 3841
Interface IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
eth0 10.0.2.15 255.255.255.0 UP
docker0 172.17.42.1 255.255.0.0 DOWN
Child process initialized
[1:29:0926/122128:ERROR:nss_util.cc(740)] Error initializing NSS with a persistent database (sql:/home/user/.pki/nssdb): NSS error code: -8174
Created new window in existing browser session.
parent is shutting down, bye…
$
It is still a nice tool, but maybe you can elaborate a bit on what this means.
> So when I try firejail chromium-browser I get:
> …
>Created new window in existing browser session.
You already have Chromium running, the new process will create a new window in your old Chromium instance and shut down the new one. This is normal, it will happen with or without firejail.
Both Chromium and Firefox try to keep only a single browser instance open. By default new instances are attached to the existing instance. There are some command line options to force multiple instances, if this is what you want.
Oh, I see, makes sense, thanks.
I have some questions:
1) I was trying firejail with dropbox, but somehow firejail exits and dropbox does not start:
$ firejail dropbox start
Parent pid 2803, child pid 2804
Interface IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
…
Child process initialized
Starting Dropbox…Done!
parent is shutting down, bye…
$
Is it possible to use firejail with dropbox?
2) All applications started on same X session can see the events of other applications (keyboard, mouse). Is it possible to prevent this via firejail? For example, now if I start firejail xev -id 0x2a00003, where 0x2a00003 is the ID of some existing GUI window, I get all events happening in that window, within firejail started xev too.
3) Ubuntu uses AppArmor. If some application is protected by AppArmor and I start it via firejail, do the restrictions of both programs apply?
Thank you.
> 2) All applications started on same X session can see the events of other applications
This is the biggest problem x11 has at the moment. The Unix socket where the communication takes place is a public socket, and can be accessed by anybody running in the box. They say the upcoming Wayland will have better session security and it will fix this kind of problem.
The only thing I can think of at the moment is to blacklist some of the outrageous x11 executables such as xinput (I am blacklisting it in firefox.profile). Or, when running servers, blacklisting x11 libraries. However, this is not a fix, it is more like security through obscurity.
> 3) Ubuntu uses AppArmor.
I didn’t try it yet with AppArmor, I have it on my to do list. Theoretically it should work, and both restrictions should apply. Ubuntu already has an LXC (Linux containers) profile for AppArmor, maybe something similar will be necessary for firejail.
I asked before about dropbox, I already found how to do it based on your examples:
firejail "dropbox start && sleep inf"
This seems to be working fine. The other two question still apply. Thank you.
Thanks, that’s good to know! I’ll try it myself also.
Could you add a whitelist feature? Also, I’d like a way to be able to trace all files that are accessed during execution, this would be really useful for creating profiles.
Whitelisting would work like this:
(dropbox.profile)
whitelist ${HOME}/.dropbox
whitelist ${HOME}/Dropbox
whitelist /opt/dropbox
for example. The trace feature would help in case there are any other files it requires.
Also, network blacklisting/whitelisting would be a bonus. This is currently only possible through iptables.
I’ll add filesystem whitelisting to my to do list, thanks. I’ll also look into network whitelist/blacklist.
On the tracing side, until I figure it out, you can try for now to run all the sandbox under strace using -f flag, something like this:
strace -f firejail yourprogram
You will have to be root, however.
or nftables – which I find easier to understand
Yes, good idea!
Nice program! Shared it: http://tuxdiary.com/2014/10/01/firejail/
Thanks!
Thank you for your post. Very enlightening. Kindly help me understand.. I thought the only way an application could access the /usr and /sbin folders was through sudo (as root)..
/usr, /sbin and almost all other directories in the box are accessible to everybody. You can check it out by doing "ls -l /". Most of them have read and execute permissions, some of them also have write permissions.
Reblogged this on jamesgoode98 and commented:
Security – a growing problem ( even on Linux ) but this Firejail sandbox for Firefox might just come in handy!
Reblogged this on Linux News and commented:
Security, a growing problem; but this sandbox for Linux looks to be useful!
Very interesting project! I will give it a try.
Two small things:
1. Have you heard of https://github.com/thestinger/playpen ? It seems to have a similar purpose, but it is more minimalistic and less documented. Maybe your projects could profit from each other.
2. Of course this is your own decision, but is there a particular reason why firejail is on Sourceforge as an SVN repo? IMHO it would make collaboration, issue tracking and viewing changes easier if you used git and hosted it on Github or something similar.
1. I know about it – there are quite a number of sandbox projects in this moment 🙂
2. I am trying to keep it simple, maybe if the project grows I’ll consider something like Github.
sf.net allows hosting of packages for download, with a large number of mirrors all over the world. If sf.net disappears tomorrow, the code will still be there on Internet.
2. The main reason I would recommend using git for this project is that git integrates better with tools like GPG, which allows you as a developer to prove the integrity of your software. You do this already for releases by signing tarballs, but this is not reflected by your source control system. I, for example, sign every git commit (and releases of course). SVN seems to not really address software integrity at all?
Migration is really easy and you can keep all your history: http://stackoverflow.com/a/79178
See also: http://doublecmd.sourceforge.net/forum/viewtopic.php?f=5&t=1742&p=13393#p13393
I also think that GitHub would be nicer for collaborating.
Thanks for the “git svn clone” link.
When I start firefox with firejail (firejail firefox), I can not use ibus to input chinese.
any idea to solve it? (my system is debian linux)
I’ll have to look into it, thank you for letting me know.
Hi netblue30,
Any idea, why firefox with firejail can not use ibus input?
Thank you.
Hi netblue30
I found a workaround to solve it.
create a firefox wrapper script like this
———————————————————————-
#!/bin/sh
env `grep ^I ${HOME}/.config/ibus/bus/*-unix-0` firejail firefox "$@"
———————————————————————–
what is this file look like:
cat .config/ibus/bus/4f807d482cba7003a685564153f3c5b7-unix-0
——————————————————————–
# This file is created by ibus-daemon, please do not modify it
IBUS_ADDRESS=unix:abstract=/tmp/dbus-6m048aXr,guid=8cc2812d84ec4472c8ea2880545bd8c3
IBUS_DAEMON_PID=1448
———————————————————————————–
thank you.
I’ll give it a try, thanks!
I get error:
Child process initialized
(process:1): GLib-CRITICAL **: g_slice_set_config: assertion ‘sys_page_size == 0’ failed
(firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised
(firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised
(firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised
(firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
Can’t set previliges to configuration folder “/home/user/.gnome2_private/” in user folder to 0700: operation not permited
parent is shutting down, bye…
Can you help? I have no other instances of Firefox running.
Ok. I’ve found the solution. But is it safe?
“Enable gnome_private directory. As root, open /etc/firejail/disable-secret.inc file in a text editor and comment out gnome2_private line (add a # in front of it). Like this:
# blacklist ${HOME}/.gnome2_private
This should allow firefox to use this directory.”
Some Gnome programs keep passwords in ${HOME}/.gnome2_private directory – evolution mail client for example. These passwords are in clear, and are readable by any program you run, so I disabled gnome_private directory for Firefox.
What Firefox version are you using? I don’t see this on my version of Firefox. Anyway, enable gnome_private directory for now, I’ll look into it.
1. When I use this
firejail --seccomp --private=/home/user1/downloads firefox
I can see that when I do save a file in firefox it has access (at least it shows) folders that are outside of /home/user1/downloads
also I can click into some root owned folders like /usr or /dev
I don’t know if it secure or not. I’m asking just in case…
Can I further restrict firejail so that in case there are bad scripts someone can’t see them or break of dedicated /home/user1/downloads folder?
2.Is it possible to have different “profiles” for firefox, for example one for more important and secure sites like banking and second separate for unknown sites. And premise is that they would be so separate that if one gets “dirty” the second will remain secure.
Forgive me if these is not a legit question. I use firejail just in case because I don’t understand what are the real threats of entering “bad” internet site I only read that it can be dangerous.
1. /bin, /lib, /lib64, /usr, /etc, /var are read-only. The user cannot modify them from Firefox. Other directories such as /boot, /sbin and /usr/sbin are seen as empty by Firefox. If you run it with the --debug option it will give you a full list of filesystem modifications:
$ firejail --debug --seccomp --private=/home/user1/downloads firefox
Absolute safety cannot be guaranteed, however, it will be much safer.
2. That’s a good idea, I’ll have to implement it. I’m afraid in this moment it supports a single, common profile. I’ll try to release a test version next week, I’ll leave you a message here on this thread.
The best thing you can do for accessing your bank is to start always in private mode like this:
$ firejail --private firefox
It creates a new, empty home directory. This way you always start fresh from a secure state, and anything you do there will be discarded when you exit Firefox.
A big thank you for PROFILES.
1. Is it possible to run firejail with noexec, nosetuid entry for /tmp in /etc/fstab?
2. Would it be possible to add an option like blacklist all /home folders and subfolders except
/home/specific_subfolder
(a kind of whitelist)?
The reason is: when Firefox runs in Firejail and the open file / save file dialogs are used, it can see other folders outside of --private=/home/folder_name. And I am afraid that (assuming I have some files in the /home/user folder with private/personal information like CVs etc.) someone who uses some bad scripts that I catch while browsing will be able to access my information.
Having just blacklist option I need to remember to place sensitive files only in blacklisted folders. Am I right?
3. Strange but I can’t see any profile files stored in ~/.config/firejail directory.
4. And additional information to profile usage
firejail --profile=firefox.profile --seccomp --private=/home/user_name/folder_name firefox
didn’t work. I needed to give the path to the profile file
firejail --profile=/etc/firejail/firefox.profile --seccomp --private=/home/user_name/folder_name firefox
and it works.
1. I think only the --trace option temporarily places a shared library under /tmp, and it will not work if /tmp was mounted noexec. Other than that, everything else should work.
2. Instead of whitelisting use --private=some-directory. This will mount some-directory as /home/user inside the sandbox. For example, to run firefox set up a private directory (myfox in the example below) and move .mozilla and Downloads in that directory:
$ cd ~
$ mkdir myfox
$ mv .mozilla myfox/.
$ mv Downloads myfox/.
$ ln -s myfox/Downloads Downloads
Downloads is restored in /home/user as a symbolic link. Now, you can start firefox in the new home like this:
$ firejail --private=~/myfox firefox
As an example, I have a full Dropbox setup here:
3. By default ~/.config/firejail directory does not exist. You can create it (mkdir ~/.config/firejail) and place your profile files there. Profiles in this directory will take precedence over profiles in /etc/firejail
4. You have to specify full path for profile files. If you don’t specify a profile, firejail will look for a default profile such as program-name.profile first in .config/firejail/program-name.profile and then in /etc/firejail/program-name.profile. In Firefox case, there is a default profile in /etc/firejail/firefox.profile.
When I follow the instructions above and issue ‘firejail --private=~/myfox firefox’ I get an
error: the two home directories must have the same owner, aborting…
everything looks to be owned by me:me or me:users, not sure where the permission issue lives.
This is definitely a bug! I’ll have it fixed in the next version. Thank you for reporting it.
Workaround:
It seems the software checks both the user and group. For now, set the ~/myfirefox directory with exactly the same user:group as your real home directory ("chown me:users ~/myfirefox" or "chown me:me ~/myfirefox").
Could you help, please. I can’t run Opera.
firejail --profile=/media/data/jailkonf/.config/jail.profile --seccomp --private=/media/data/jail/ opera
Reading /media/data/jailkonf/.config/jail.profile
Reading /etc/firejail/disable-mgmt.inc
Reading /etc/firejail/disable-secret.inc
Parent pid 4540, child pid 4541
Interface IP Mask Status
lo **** 255.0.0.0 UP
eth0 **** 255.255.255.0 UP
Child process initialized
The setuid sandbox is not running as root. Common causes:
* An unprivileged process using ptrace on it, like a debugger.
* A parent process set prctl(PR_SET_NO_NEW_PRIVS, …)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
I don’t understand where is the problem because I start Firefox with the same command (within the same jail) and it works.
I’ll have to try it out. Probably they are already using namespaces to control it. I’ll put a fix in the next version, thank you for letting me know.
Opera browser support was introduced in version 0.9.20-rc1. See the news section on https://l3net.wordpress.com/projects/firejail/
I can’t enter the jail unless I’m root. I changed the permissions of /usr/local/bin/firejail to the user, and it still gives me permission denied. Anyone have any ideas?
firejail iceweasel
bash: /usr/local/bin/firejail: Permission denied
Hi!
Thanks for your work on firejail. Its simplicity is really useful.
I like the new ability to specify syscalls to be excluded. Is it possible to also allow the core syscall list to be selectively specified too? I realise this isn’t something you’d want to encourage but it would be very useful if only for working out which syscalls are causing the sandboxed binary to be terminated.
Russell
Hi Russell! I still have no idea how to approach syscall whitelisting. In order to start the sandbox and set namespaces and all other features, I need all kinds of syscalls active, many more than what the actual sandboxed program would require. Only the /bin/bash session where the program runs would bring in about 40 syscalls. Somehow I have to find a way to apply the seccomp filter after the program was started. I’m looking into it.
Hi!
Whitelisting would also be great, but what would be useful now is simply an extension of the blacklist facility so that I can start with an empty blacklist and selectively add. At the moment I always have to blacklist the core list of dangerous syscalls. Some of these break my software; if I start with an empty blacklist and can add them one at a time then I can hopefully find which ones are causing the issue.
ie something like:
firejail --unsafeseccomp=mount ./myprog
would only blacklist mount, not iopl or ioperm etc.
That is, the same as --seccomp= but without the initial list of dangerous syscalls.
Cheers! Russell
Yes, it makes sense. I’ll implement it for the next release, thanks!
I’ve added support for a “empty” attribute in seccomp list. For your example above, you would start the sandbox as:
$ firejail --seccomp=empty,mount ./myprog
This will include only mount syscall in blacklist. See the news section on https://l3net.wordpress.com/projects/firejail/.
Hi, if I run firejail /usr/bin/firefox, then the cfg.command become to ‘/usr/bin/firefox’,
so firejail will not find firefox.profile to use
This is a bug, I’ll have to fix it. Thanks!
I noticed you fixed this problem in the new trunk version.
and it work now.
thank you.
I’m glad to hear that.
I have a ‘no sound’ problem when I run firefox with firejail in lxc.
If I remove setgroups(0, NULL) in src/firejail/list.c it fixes the issue.
I need audio group to make firefox sound work.
debian@lxc:~$ id
uid=1000(debian) gid=1000(debian) groups=1000(debian),29(audio)
debian@lxc:~$ firejail
[debian@debian ] id
uid=1000(debian) gid=1000(debian) groups=1000(debian)
please help, thank you
I’ll have to try it out. What version of lxc you have? Is your system a Debian wheezy?
If you are using PulseAudio, somehow firefox cannot connect to pulseaudio socket.
Or, if you are running ALSA, you need to make sure you don’t restrict the audio devices under /dev in lxc configuration. ALSA is accessing /dev directly. lxc config has some lxc.cgroup.devices entries, comment them out.
My system is Debian/unstable/i386, but lxc version is 1.0.7-1 (debian experimental package)
yes, I think firefox want to direct access /dev/snd/controlC0,
and /dev/snd/controlC0 need the user has audio group permission to read/write,
ls -l /dev/snd/controlC0 -> 660 root:audio
but firejail will run setgroups(0, NULL) to remove group list,
not lxc restrict the audio devices
why you want firejail run setgroup(0, NULL) in src/firejail/list.c ??
it restrict firefox to access /dev/snd/controlC0.
thank you. (sorry, for my very bad english)
Try this:
Start lxc, run id, then run firejail (without any program, just a simple bash session), then run id again and speaker-test. Something like this:
debian@lxc:~$ id
debian@lxc:~$ firejail
[netblue@debian~]$ id
[netblue@debian~]$ speaker-test
Do you hear any sound? And what is id reporting?
Update: I think I know what the problem is. setgroups call is bad, dropping all groups. Instead it should set the supplementary groups for the regular user. As a result, the user inside the sandbox does not belong to audio group.
I have created a ticket at https://sourceforge.net/p/firejail/tickets/4/
I’ll try to put a fix in for the next release. If not, it will go in the one after.
Thank you for reporting the problem!
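An added example of the middle ground between the two behaviours discussed in this exchange (it is my illustration, not Firejail's code): instead of setgroups(0, NULL) dropping every supplementary group, or keeping the user's whole list, the sandbox setup keeps only the groups the program is known to need (audio here) and applies that reduced list with setgroups(2). The names keep_allowed_groups and restrict_groups, and the gid values used as sample input, are constructed for this example; setgroups needs CAP_SETGID, so restrict_groups only succeeds while the setup code still runs as root, which is the case in the SUID setup phase before the sandbox switches to the user.

```c
/* Added example (not Firejail's code): drop supplementary groups down to an
 * allow list rather than to nothing. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 256

/* Pure helper: copy into `out` each gid from `current` that also appears in
 * `allow`, preserving order. Returns the number kept (at most `cap`). */
size_t keep_allowed_groups(const gid_t *current, size_t ncur,
                           const gid_t *allow, size_t nallow,
                           gid_t *out, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < ncur && kept < cap; i++) {
        for (size_t j = 0; j < nallow; j++) {
            if (current[i] == allow[j]) {
                out[kept++] = current[i];
                break;
            }
        }
    }
    return kept;
}

/* Read this process's supplementary groups, keep only the allowed ones and
 * apply the result. Returns the number of groups kept, or -1 with errno set
 * (EPERM when the caller lacks CAP_SETGID, EINVAL if there are more than
 * MAX_GROUPS groups). */
int restrict_groups(const gid_t *allow, size_t nallow)
{
    gid_t current[MAX_GROUPS], kept[MAX_GROUPS];
    int ncur = getgroups(MAX_GROUPS, current);
    if (ncur < 0) return -1;
    size_t nkept = keep_allowed_groups(current, (size_t)ncur, allow, nallow, kept, MAX_GROUPS);
    if (setgroups(nkept, kept) != 0) return -1;
    return (int)nkept;
}

int main(void)
{
    /* Constructed allow list: the audio group from the thread (gid 29 on Debian). */
    gid_t allow[] = { 29 };
    int r = restrict_groups(allow, sizeof allow / sizeof allow[0]);
    if (r < 0) {
        perror("restrict_groups");   /* EPERM when run as a plain user */
        return 1;
    }
    printf("kept %d supplementary group(s)\n", r);
    return 0;
}
```

The point of the pure helper is that the policy (which groups survive) is testable without privilege, while the privileged call is confined to one short function that is executed once, before the sandbox drops to the regular user.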
Hi, I think dropping all groups is not bad at all, for security reasons it is good to drop all permissions when you don’t need them. Maybe you can make an option to disable it, --no-dropgroups, like --seccomp / --caps do.
Anyway, thank you.
Thanks, that’s a good idea!
HI, please also add the keyword(nogroups) to profile
— src/firejail/profile.c.orig 2015-01-30 21:16:25.968000000 +0000
+++ src/firejail/profile.c 2015-01-30 21:14:52.000000000 +0000
@@ -95,6 +95,10 @@
arg_private = 1;
return 0;
}
+ else if (strcmp(ptr, “nogroups”) == 0) {
+ arg_nogroups = 1;
+ return 0;
+ }
// seccomp list
if (strncmp(ptr, “seccomp “, 8) == 0) {
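Review bot: the hunk only teaches the profile parser to set `arg_nogroups`; nothing in the patch shows that variable being declared next to the other `arg_*` flags or the `setgroups(0, NULL)` call in src/firejail/list.c being made conditional on it, so on its own the keyword is accepted and then ignored. Please pair it with those two changes and add `nogroups` to the profile documentation, stating explicitly which way it goes (whether it drops the supplementary groups or keeps them), since both defaults are discussed in this thread and the name alone does not settle it.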
Fixed in svn, thanks!
I have icecat firejailed and then I want to start another instance of icecat
not sharing the same sandbox (not the same tmpfs I guess, since I am running --private).
When I do it now another window in the same sandbox appears?
As displayed with firejail --list
How to have multiple sandboxes of the same program
For most programs, you can run multiple sandboxes. Firefox somehow enforces only one instance of the program, regardless if you run it in a sandbox or not. I guess they do it in order to preserve the memory and cpu resources consumed by the application.
All right, I thought it was you who did something for some reason.
I can happily report that when I use "icecat --new-instance" it works as I wanted.
I’ll have to try it out, thanks for letting me know.
Hi, is it possible to run a video player like VLC or SMplayer by allowing it access to videos in filesystem, while blocking its access to the internet? Thank you.
Yes:
$ firejail --net=none vlc
Thanks, it works.
Is it possible to combine Firejail with TorBrowser, with the profiles you made for Firefox? (TorBrowser has full access to .gnupg folder contents of same user)
It will useful if you will write a separate blog article post about this if it is difficult to do.
You’re welcome!
You can reuse an existing profile for another application. Actually, this is how I start tor:
$ firejail --profile=/etc/firejail/firefox.profile ./start-tor-browser
You can also build a custom profile for your application and place it in ~/.config/firejail directory. I wrote down the steps here:
https://l3net.wordpress.com/projects/firejail/building-custom-profiles/
Question: do you need .gnupg for tor?
"$ firejail --profile=/etc/firejail/firefox.profile ./start-tor-browser"
Yes, this command works. I can’t see .gnupg folder contents from Tor Browser now. (which is how it should be! …I think firejail should be default in all GNU/Linux systems 🙂 )
I checked the firefox profile and the "include" files also. Is it possible to add "--net=none" as a line in a profile or one of these include files? Then one could add it to the profile of vlc and do away with typing net=none every time. Sorry for replying to the wrong comment, but I don’t seem to see a "reply" button on your latest comment.
Suggestions:
1) Good to add ~/.purple under default blacklisted folder-list, because it has private OTR keys for pidgin or other libpurple using chat clients.
2) Please put up files in Github, as Sourceforge doesn’t provide SSL/TLS protection 😦
3) Sign the source files and binaries please. 🙂
firejail looks really nice!
Unfortunately there’s an ancient insecure-by-design flaw in the X graphics server that limits the usefulness of something like firejail.
The problem is that X itself doesn’t have decent security isolation between apps, by design. Any program that has access to X can access all events on X including all of your keystrokes, taking screenshots / movies of your activity and also initiating events (inserting keystrokes). So even if you put a GUI Linux program in a bulletproof jail it still has access to your X server and the attacker can not only passively monitor everything you do but also take control of any terminal window (for example) and su to root with the root password he captured earlier.
To make it more difficult for the attacker you need to set things up so the program connects to a nested X server (e.g., xnest) instead of having direct access to the main X server.
Yada yada.
Xorg listens on both /tmp/.X11-unix/X0 in the filesystem and /tmp/.X11-unix/X0 in the abstract namespace (generally written @/tmp/.X11-unix/X0). Using a nested X server will not solve the problem because the abstract socket namespace is globally accessible. The intruder will go after the main x11 stack, not the one where the program is running.
They say Wayland will solve this issue.
Can I add "Exec=firejail --caps firefox %u" in the firefox.desktop file?
Yes, actually this is how I run it myself. --caps is not necessary, it does it by default for firefox. This is what I have in mine:
Exec=firejail firefox %u
Thank you for the permissions fix! It worked. I notice that the title bar in firefox shows “(as superuser)” is that normal? Or did I goof a setting? How do I test that I’m ‘sandboxed’?
The sandbox process itself runs as root. The application inside the sandbox runs as a regular user. I don’t know why firefox shows as superuser, "ps aux | grep firefox" reports it as a regular user. I would say it is a bug in firefox.
To check if you are in a sandbox, in a terminal run "firejail --tree". It will list all running sandboxes and the processes inside.
It would be nice if you could publish the md5 of every download file.
I have sha256 checksums in firejail-X.Y.Z.asc files on the download page.
After some time messing with SELinux Grsecurity and AppArmor I found Firejail in the Arch Linux Wiki and I really like how it works and how simple it is, but I’m having a problem with Firefox and Firejail (under Arch Linux 64). Whenever I start Firefox with Firejail (no options, just ‘firejail firefox’), it doesn’t write anything in the ~/.mozilla directory, so whenever I restart Firefox it’s not configured…
This is the output:
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Warning: user namespaces not available in the current kernel.
Parent pid 894, child pid 895
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized
2015-12-08 03:09:37: basic_code_modules.cc:70: ERROR: Module /usr/lib/firefox/liblgpllibs.so could not be stored
2015-12-08 03:09:37: basic_code_modules.cc:70: ERROR: Module /usr/lib/libsystemd.so.0 could not be stored
2015-12-08 03:09:37: basic_code_modules.cc:70: ERROR: Module /usr/lib/libnss_myhostname.so.2 could not be stored
2015-12-08 03:09:37: basic_code_modules.cc:70: ERROR: Module /usr/lib/firefox/components/libdbusservice.so could not be stored
I think I’m missing something obvious here…
> it doesn’t write anything in the ~/.mozilla directory, so whenever I restart Firefox it’s not configured…
If ~/.mozilla directory doesn’t exist before the sandbox is started, it will be discarded when the sandbox is closed. It is a bug, I’ll have it fixed in the next version.
Workaround: run firefox once without the sandbox, so it creates .mozilla directory and stores a default configuration there. After that you shut it down and start it in the sandbox.
Hello
I have a problem with Firejail and PulseAudio.
Every time I start Firefox with Firejail, I can only hear sound in Firefox, but nothing else in the rest of the system. When I start VLC player, I receive a warning message that PulseAudio didn’t work. After closing Firejail, a complete PC restart is needed for PulseAudio to work again. The same problem comes up with Chromium too.
I work with Debian Testing and Cinnamon 2.8.
Sorry for my English, I am not a native speaker.
It is a known PulseAudio problem. You’ll find a fix here: https://firejail.wordpress.com/support/known-problems/
When I run: firejail chromium
I always get these warnings:
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
And I can access /bin, /sbin and /usr/sbin from chromium. Is it still safe or is something wrong?
Disregard it. This happens usually on Arch Linux or Fedora where all executables are stored under /bin, and everything else is a symbolic link to /bin.
I am unable to run Vivaldi-web-browser with firejail under Archlinux. This is the output.
$ firejail vivaldi-stable
Reading profile /etc/firejail/vivaldi-stable.profile
Reading profile /etc/firejail/vivaldi.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 2847, child pid 2848
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized
The setuid sandbox is not running as root. Common causes:
* An unprivileged process using ptrace on it, like a debugger.
* A parent process set prctl(PR_SET_NO_NEW_PRIVS, …)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Parent is shutting down, bye…
It is a bug, I’ll fix it in the next version. For now, open /etc/firejail/vivaldi.profile and comment out nonewprivs line:
#nonewprivs
Thank you for reporting it.
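Two of the questions above, “How do I test that I’m sandboxed?” (answered with firejail --tree) and the Vivaldi failure just above, share one mechanism worth seeing from the inside. The Chromium-family setuid sandbox only works if its helper can become root via execve of a setuid binary; the nonewprivs line in the profile makes Firejail set prctl(PR_SET_NO_NEW_PRIVS), after which no execve can raise privileges, which is exactly what the “A parent process set prctl(PR_SET_NO_NEW_PRIVS, …)” hint refers to. The following is an added example written for this page, not Firejail code and not the Chromium code: it reads the sandbox-relevant fields of /proc/self/status (NoNewPrivs, Seccomp, CapEff, CapBnd), so you can run it inside a sandbox (firejail python3 status.py) to confirm what was applied, and it demonstrates the flag itself by setting it in a forked child. The two sample status dumps are constructed for the test, and the function names are mine.

```python
import ctypes
import os

PR_SET_NO_NEW_PRIVS = 38   # values from <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39

# Constructed samples (not real captures): what the fields look like inside a
# capability-dropping, seccomp-filtering sandbox, and in a plain user process.
SAMPLE_SANDBOXED_STATUS = (
    "Name:\tfirefox\n"
    "NoNewPrivs:\t1\n"
    "Seccomp:\t2\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n"
)
SAMPLE_PLAIN_STATUS = (
    "Name:\tfirefox\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t0\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t000001ffffffffff\n"
)


def parse_status(text: str) -> dict:
    """Turn the 'Key:\\tvalue' lines of a /proc/<pid>/status dump into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sandbox_report(status_text: str) -> dict:
    """Summarise the fields that tell you how constrained the process is."""
    st = parse_status(status_text)
    return {
        "no_new_privs": st.get("NoNewPrivs") == "1",   # setuid helpers cannot gain privileges
        "seccomp_mode": int(st.get("Seccomp", "0")),   # 0 none, 1 strict, 2 filter
        "cap_eff": int(st.get("CapEff", "0"), 16),     # effective capability mask
        "cap_bnd": int(st.get("CapBnd", "0"), 16),     # bounding set: ceiling for descendants
    }


def set_no_new_privs() -> int:
    """prctl(PR_SET_NO_NEW_PRIVS, 1); returns the flag as the kernel reports it afterwards."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_NO_NEW_PRIVS) failed")
    return libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)


def no_new_privs_in_child() -> int:
    """Fork, set the flag in the child only, and return what the child's /proc/self/status shows."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                # child: the flag is per-process and inherited by its children
        os.close(r)
        try:
            set_no_new_privs()
            with open("/proc/self/status") as f:
                val = parse_status(f.read())["NoNewPrivs"]
        except Exception:
            val = "error"
        os.write(w, val.encode())
        os._exit(0)
    os.close(w)
    data = os.read(r, 64)
    os.close(r)
    os.waitpid(pid, 0)
    return int(data) if data.isdigit() else -1


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        rep = sandbox_report(f.read())
    print(f"NoNewPrivs:   {rep['no_new_privs']}")
    print(f"seccomp mode: {rep['seccomp_mode']}")
    print(f"CapEff:       {rep['cap_eff']:#018x}")
    print(f"CapBnd:       {rep['cap_bnd']:#018x}")
    print(f"child after prctl(PR_SET_NO_NEW_PRIVS): NoNewPrivs={no_new_privs_in_child()}")
```

Running the script once from a normal shell and once under firejail shows the difference directly: NoNewPrivs flips to 1 and the capability masks shrink. A program that relies on a setuid helper, as the Chromium-family sandbox does, will keep failing as long as NoNewPrivs reads 1, which is why commenting out nonewprivs is the workaround above.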
@netblue30:
Hi,
unfortunately what you suggested doesn’t work for me:
“You can reuse an existing profile for another application. Actually, this is how I start tor:
$ firejail --profile=/etc/firejail/firefox.profile ./start-tor-browser”
Whenever I type the respective command (which for me is “firejail --profile=/etc/firejail/firefox.profile ./start-tor-browser.desktop”) I get the following error message:
“/bin/bash: ./start-tor-browser: Datei oder Verzeichnis nicht gefunden”, i.e. “No such file or directory”.
I have no idea why that is.
Could you help me?
Greetings.
Rosika
Hi,
is there a way of running TeamViewer in Firejail? Whenever I try to do this, Firejail complains about “teamviewer daemon not running”.
Child process initialized
Init…
XRandRWait: No value set. Using default.
XRandRWait: Started by user.
Checking setup…
Launching TeamViewer …
Starting network process (no daemon)
terminate called without an active exception
/opt/teamviewer/tv_bin/script/tvw_exec: line 95: 113 Aborted “$TV_BIN_DIR/teamviewerd” -n -f
Network process already started (or error)
Launching TeamViewer GUI …
Greetings.
Rosika
P.S.:
system: Linux/Lubuntu 16.04.2 LTS
I’ll have to check it out. Where do you download teamviewer?
Hi,
I downloaded and installed it by using this command:
sudo apt-get purge teamviewer; sudo apt-get purge teamviewer:i386; sudo dpkg --add-architecture i386; sudo apt-get update; sudo apt-get install libasound2:i386 libfontconfig1:i386 libfreetype6:i386 libjpeg62:i386 libpng12-0:i386 libsm6:i386 libxrandr2:i386 libxrender1:i386 libxtst6:i386 libxinerama1:i386; wget --continue 'http://download.teamviewer.com/download/teamviewer_i386.deb'; sudo dpkg -i teamviewer_i386.deb; sudo apt-get install -f
This procedure is described on https://wiki.ubuntuusers.de/TeamViewer/ .
This command loads teamviewer i386.deb (also useable on 64bit-systems) from the TeamViewer-homepage and installs it.
Well, it works really fine except for use in firejail.
I’ll look into it, thanks.
Pingback: Firejail : préservez un peu plus votre vie privée sous Firefox/Thunderbird | Up and Clear
Hi,
I have a problem running “firejail --net=none” with certain programmes.
For example when trying to run “firejail --net=none evince” I get the following:
rosika@rosika-Lenovo-H520e ~> firejail --net=none evince
Reading profile /etc/firejail/evince.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Parent pid 17269, child pid 17270
Child process initialized
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Connection failed: Connection refused
Cannot parse arguments: Cannot open display:
parent is shutting down, bye…
The “Failed to connect to Mir”-message also appears with “okular”.
With other programmes however it works just fine, like “gedit” and all the browsers.
Greetings.
Rosika
On some platforms – I have it on Ubuntu but not on Debian. I think it is an AppArmor problem, see here:https://firejail.wordpress.com/support/known-problems/#apparmor
A solution is to replace “--net=none” with “--protocol=unix”, the effect will be the same as “--net=none”.
@netblue30
Thanks a lot for the workaround. “--protocol=unix” works well on my Lubuntu system.
Thanks also for the link.
Greetings.
Rosika
You’re welcome
Hi,
I’ve downloaded the Opera browser for Linux as a .deb package from this site: http://www.opera.com/de/computer/linux .
After that I converted the .deb-package into a portable version of opera as described on this page: https://gist.github.com/ruario/8416e36372f1a976a713 .
I start it with this command: “opera-stable_45.0.2552.812_amd64/run &” .
All that went well and I can use portable opera nicely.
Now for the tricky part.
I want to start this portable version of opera within firejail.
Yet the command “firejail opera-stable_45.0.2552.812_amd64/run &” doesn’t work. Terminal says: “[0523/180152.100814:FATAL:credentials.cc(334)] Check failed: ChrootToSafeEmptyDir()” and lots of other error-related stuff.
So I tried “firejail --noprofile opera-stable_45.0.2552.812_amd64/run &” and THIS command works just fine. So far so good.
But what I really want to achieve is starting my portable Opera with the “--private” option, or rather “--private=[path to specified work directory]”. Again this doesn’t work.
Can you help me?
Thanks in advance.
Greetings.
Rosika
In Linux Mint 18.2 Mate, I’m running the latest firejail (0.9.50) but when I start Thunderbird it reports in the title bar of TB as “superuser”. Htop on the other hand reports normal user space. Note that I have to enter my system password to enable the thunderbird security device (to unlock my pop3/smtp passwords etc.) which might be related perhaps?
Q1 – “firejail --tree” shows TB as running as user, not root, so has something gone wrong with Thunderbird?
Q2 – How would I run TB outside of firejail? I don’t necessarily want TB to run firejailed, because for example URLs in my emails won’t work directly (which is good security, I know, but when it is a trusted email it is awkward to have to copy the URL to my browser – which is firejailed)
> Q1 – “firejail --tree” shows TB as running as user, not root, so has something gone wrong with Thunderbird?
TB is running as a regular user. It is believed to be a bug in the window manager. It was fixed already in newer versions of Ubuntu and Debian. Also, see here: https://firejail.wordpress.com/support/frequently-asked-questions/#as-superuser
> Q2 – How would I run TB outside of firejail?
How do you start it? By default when you click on the TB icon in your menu, it should run outside the sandbox. If you ran “firecfg” after installing firejail, it added a thunderbird symbolic link in /usr/local/bin. All you have to do is to remove the symbolic link: “sudo rm /usr/local/bin/thunderbird”
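The firecfg mechanism described in that answer is simple enough to audit with a few lines: it relies on /usr/local/bin being ahead of /usr/bin in PATH and on each redirected program being a symlink to the firejail binary there. The following is an added example written for this page, not part of Firejail or firecfg: it lists which programs in a directory are redirected through the sandbox that way, checks one name, and shows which entry in a PATH list would be executed first, so you can see why removing the symlink restores the unsandboxed binary. The default paths /usr/local/bin and /usr/bin/firejail are assumptions for a typical install (firecfg’s exact link target may differ on your system, hence the realpath comparison); the demo directory tree is constructed in a temp dir, and the function names are mine.

```python
import os
import tempfile

LINK_DIR = "/usr/local/bin"    # assumed: directory firecfg populates
FIREJAIL = "/usr/bin/firejail"  # assumed: the binary the symlinks point at


def firecfg_links(link_dir: str = LINK_DIR, firejail: str = FIREJAIL) -> list:
    """Names in link_dir that are symlinks resolving to the firejail binary."""
    target = os.path.realpath(firejail)
    names = []
    try:
        entries = sorted(os.listdir(link_dir))
    except FileNotFoundError:
        return names
    for name in entries:
        path = os.path.join(link_dir, name)
        if os.path.islink(path) and os.path.realpath(path) == target:
            names.append(name)
    return names


def is_sandboxed_by_firecfg(program: str, link_dir: str = LINK_DIR, firejail: str = FIREJAIL) -> bool:
    """True if typing `program` would start it through firejail because of a firecfg symlink."""
    return program in firecfg_links(link_dir, firejail)


def first_in_path(program: str, path_dirs: list):
    """Return the first existing entry for `program` across path_dirs (what the shell would run)."""
    for d in path_dirs:
        candidate = os.path.join(d, program)
        if os.path.lexists(candidate):
            return candidate
    return None


def make_demo_tree() -> tuple:
    """Constructed example: a temp 'bin' with two firejail symlinks, one unrelated symlink,
    one regular file; returns (bin_dir, fake_firejail_path)."""
    base = tempfile.mkdtemp(prefix="firecfg-demo-")
    fake_firejail = os.path.join(base, "firejail")
    open(fake_firejail, "w").close()
    bindir = os.path.join(base, "bin")
    os.mkdir(bindir)
    for name in ("firefox", "thunderbird"):
        os.symlink(fake_firejail, os.path.join(bindir, name))
    os.symlink(os.path.join(base, "somewhere-else"), os.path.join(bindir, "other-link"))
    open(os.path.join(bindir, "local-script"), "w").close()
    return bindir, fake_firejail


if __name__ == "__main__":
    linked = firecfg_links()
    print(f"programs redirected through firejail in {LINK_DIR}: {linked or 'none'}")
    path_dirs = os.environ.get("PATH", "").split(":")
    for prog in ("thunderbird", "firefox"):
        print(f"{prog}: shell would run {first_in_path(prog, path_dirs)}; "
              f"sandboxed via firecfg: {is_sandboxed_by_firecfg(prog)}")
```

Deleting the symlink, as the answer says, is enough because the shell then falls through to the next PATH entry; to confirm, run the script before and after the rm and watch the first_in_path result change.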
netblue30 – thanks very much – I hadn’t spotted that “bug” report. I see how to remove the symlink that gets created – nice! I’m impressed with firejail and it sounds like a candidate to be included natively in (e.g.) Mint.
Thanks.
Pingback: Ephemeral Firefox in Ubuntu (1/3) - Michael Altfield's Tech Blog