Running Dropbox in Firejail Sandbox

This article describes how to move an existing Dropbox installation in a restricted home directory and how to run it inside Firejail security sandbox.

Introducing Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

The download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)

An Arch Linux package is also available in AUR.

Moving Dropbox in the new home directory

Dropbox software consists of three directories placed in user home: .dropbox, Dropbox, and .dropbox-dist. I kill the running instance of Dropbox, create the new home directory (mybox), and I move the three directories there:

$ cd ~
$ pkill dropbox
$ mkdir mybox
$ mv .dropbox mybox/.
$ mv Dropbox mybox/.
$ mv .dropbox-dist mybox/.

I also create a symbolic link to ~/mybox/Dropbox:

$ ln -s mybox/Dropbox Dropbox

The last step is to change the autostart entry. For this, I open ~/.config/autostart/dropbox.desktop in a text editor and modify Exec line as follows:

Exec=firejail --private=~/mybox "dropbox start -i && sleep inf"

Next computer restart or user login, Dropbox software will start automatically in sandbox with /home/user/mybox as home directory. Personal files in your actual home directory will not be accessible to Dropbox process.

Starting Dopbox manually

You can add a start icon on your desktop:

$ cp ~/.config/autostart/dropbox.desktop ~/Desktop/.

or you can start Dropbox from a terminal:

$ firejail --private=~/mybox "dropbox start -i && sleep inf"

Verifying Dropbox is running

To check if Dropbox is running, use firejail –tree. This will list all the processes running in the sandbox:

Verifying Dropbox is running

Verifying Dropbox is running

1549 is the process id (PID) of the sandbox. You can use this PID value to join the sandbox.

Auditing the sandbox

To do a quick audit, log into the sandbox using firejail –join. Pass the process id of the sandbox (1549) as a parameter to –join option. This opens a regular bash session inside the sandbox. The session has the same restricted view of the system as dropbox process.

Joining the sandbox

Joining the sandbox

The user home directory inside the sandbox has only dropbox files and configuration (ls -al). The process space (ps aux) is restricted to dropbox processes. Some system directories are empty, others are read-only. Seccomp and Linux capabilities filters restrict kernel’s attack surface. All SUID binaries such su and sudo are disabled inside the sandbox.

For more information about Firejail, visit the project page.

Advertisements

6 thoughts on “Running Dropbox in Firejail Sandbox

  1. lupegetust

    An include command or something akin to private.keep but with persistent data would be a great addition to firejail. Using this example: You could just point to the three Dropbox folders instead of moving and softlinking them, that would add a great deal of flexibility and ease of use.

    Reply
    1. netblue30 Post author

      I think the name is set in an external DNS server. I would create a new network namespace with a random IP address, and a new hostname:

      $ firejail –net=eth0 –hostname=newname firefox

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s