We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.
The software is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. Firejail is included in Ubuntu 15.10 and Debian testing. For other distributions, the download page provides:
- source code (./configure && make && sudo make install)
- .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
- .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)
An Arch Linux package is available in AUR.
The command to start Firefox in a Firejail sandbox is:
$ firejail firefox or $ firejail --debug firefox
The sandbox runs a chroot filesystem built on the fly on top of your current filesystem. Directories are either mounted read-only or totally cleared, files with passwords and encryption keys are blocked, and your private information in user home directory is unavailable. In fact, only two directories are imported from your home, ~/.mozilla and ~/Downloads. All the modifications in these directories are persistent. Everything else is created in a temporary filesystem and will be discarded when the browser is closed.
The way the filesystem is build is controlled from /etc/firejail/firefox.profile, modifying it is pretty straightforward.
Firejail uses a number of security filters to enforce the chroot:
- Seccomp-bpf is a mechanism to reduce the range of operations available to a given process, by blacklisting specific system calls. It was introduced in Linux kernel 3.5. The filter implemented in Firejail currently disables a large number of system calls, reducing this way the kernel attack surface. Seccomp-bpf is enabled by default for Mozilla Firefox.
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities (POSIX 1003.1e). The feature provides fine-grained control over superuser permissions. To further reduce the attack surface and enhance the security, Firejail disables all capabilities. The feature is enabled by default for Mozilla Firefox.
Firejail runs Firefox in an user namespace. The namespace has only one user defined, the current user. There is no root user account defined inside the namespace. The sandbox enables the namespace by default based on the version of the kernel running the system.
In private mode Firejail mounts empty temporary filesystems (tmpfs) on top of user home directory and /tmp. Closing the sandbox will discard any new files created in these directories, including ~/.mozilla and ~/Downloads.
Private mode always starts the browser with factory defaults, protecting it from malicious addons and plugins the user might have installed in the past. It is mainly used for accessing bank websites and alike:
$ firejail --private firefox
For more information about private mode and high security browser setups see part 3 of this series.
- A network namespace is one of the most interesting security options provided by the Linux kernel. It is basically a brand new TCP/IP networking stack created for the sandbox, coming with its own routing table, set of network interfaces, and most important its own iptable/netfilter module. Attaching a network namespace to your browser sandbox is described in part 3 of this series.
- Small home routers connecting us to our Internet service provider are ridiculously insecure. Bugs and backdors are actively exploited in these routers, the main target being the DNS server setup. Firejail provides a –dns option allowing the user to set its own DNS setting, without relaying on an external router:
$ firejail --dns=220.127.116.11 firefox
Although most security features are enabled by default, a number of features are only enabled using command line options:
This is a Chromium web browser running inside a Firejail sandbox:
$ firejail chromium-browser
The chroot filesystem is similar to Mozilla Firefox, with only the configuration directory ~/.config/chromium and ~/Downloads imported form real home directory:
The funny part is Chromium browser sandboxes itself in its own Linux namespaces SUID sandbox, so what you have here is a sandbox in a sandbox running a browser. Chromium sandbox is similar to Firejail, it implements its own seccomp filter, but it leaves the filesystem wide open.
There’s a new kitten on the block:
$ firejail midori
Midori is a very impressive browser build using WebKit and GTK+2/3. It is lightweight and fast, with a familiar interface. Compared to Firefox and Chromium, it will play your Donald & Daisy videos in less than half the memory.
To conclude, it is important to mention Firejail was designed to be generic. It can run servers and GUI programs, or it can work as a login shell for SSH or telnet users. You can find more information about the sandbox on the project page. Also, Firejail was featured on Linux Action Show (LAS 333, at 0:10:15).