Firejail 0.9.20 Release Announcement

We are happy to announce the release of Firejail version 0.9.20. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, and brings in several user-requested new features:

Linux Control Groups (cgroups) support

Firejail can place a full sandbox under a cgroup. The group has to be created and activated before Firejail is started. cgroup configuration is independent of Firejail, and can be modified while the sandbox is running. Multiple sandboxes can be placed in the same cgroup. To enable this option, use --cgroup to pass the cgroup tasks file to Firejail. For example, assuming there is a control group mounted under the /sys/fs/cgroup/group1 directory, start Firejail as follows:

$ firejail --cgroup=/sys/fs/cgroup/group1/tasks

CPU affinity

Firejail can bind the sandbox to a list of CPUs specified with the --cpu option. Example:

$ firejail --cpu=0,1 handbrake          # run handbrake only on cpu cores 0 and 1
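The --cpu list is turned into a CPU bitmask and handed to the kernel with sched_setaffinity(2); the sandboxed program and everything it spawns inherit that mask. The C program below is an added example written for this announcement, not Firejail's own code: it parses a comma-separated list in the same shape --cpu accepts, builds the raw bitmask the syscall expects, pins the calling process, and reads the mask back. The mask size (1024 CPUs) and the pin_to_cpus/current_cpu_count helper names are the example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define MASK_WORDS 16                            /* 16 * 64 bits = 1024 CPUs on LP64 (example's own limit) */
#define BITS_PER_WORD (8 * sizeof(unsigned long))

/* Bitmask in the layout sched_setaffinity(2)/sched_getaffinity(2) expect: bit N set = CPU N allowed. */
struct cpu_mask { unsigned long w[MASK_WORDS]; };

static void mask_set(struct cpu_mask *m, int cpu)
{
    m->w[cpu / BITS_PER_WORD] |= 1UL << (cpu % BITS_PER_WORD);
}

int mask_isset(const struct cpu_mask *m, int cpu)
{
    return (int)((m->w[cpu / BITS_PER_WORD] >> (cpu % BITS_PER_WORD)) & 1UL);
}

int mask_count(const struct cpu_mask *m)
{
    int n = 0;
    for (size_t i = 0; i < MASK_WORDS; i++)
        for (unsigned long w = m->w[i]; w; w &= w - 1)   /* clear lowest set bit each round */
            n++;
    return n;
}

/* Parse a list such as "0,1" into the mask. Returns the number of distinct CPUs
 * selected, or -1 on a non-numeric, negative, or out-of-range entry. */
int parse_cpu_list(const char *list, struct cpu_mask *m)
{
    char buf[256];
    int count = 0;
    memset(m, 0, sizeof *m);
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *end;
        long cpu = strtol(tok, &end, 10);
        if (*tok == '\0' || *end != '\0' || cpu < 0 || cpu >= (long)(MASK_WORDS * BITS_PER_WORD))
            return -1;
        if (!mask_isset(m, (int)cpu)) { mask_set(m, (int)cpu); count++; }
    }
    return count;
}

/* Pin the calling process (and its future children) to the CPUs in `list`. 0 on success. */
int pin_to_cpus(const char *list)
{
    struct cpu_mask m;
    if (parse_cpu_list(list, &m) <= 0) { errno = EINVAL; return -1; }
    return syscall(SYS_sched_setaffinity, 0, sizeof m, &m) < 0 ? -1 : 0;
}

/* How many CPUs the calling process may currently run on, or -1 on error. */
int current_cpu_count(void)
{
    struct cpu_mask m;
    memset(&m, 0, sizeof m);                     /* kernel only fills its own cpumask size */
    if (syscall(SYS_sched_getaffinity, 0, sizeof m, &m) < 0) return -1;
    return mask_count(&m);
}

int main(int argc, char **argv)
{
    const char *list = argc > 1 ? argv[1] : "0";   /* constructed default: core 0 */
    if (pin_to_cpus(list) != 0) { perror("sched_setaffinity"); return 1; }
    printf("pinned to %d cpu(s) from list \"%s\"\n", current_cpu_count(), list);
    return 0;
}
```

Run it as `./a.out 0,1`; a list naming a CPU the process is not allowed to use fails with EINVAL from the kernel, which is the same failure a bad --cpu value would surface.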

Secondary groups

By default, the sandbox preserves the secondary user groups:

$ id
uid=1001(netblue) gid=1001(netblue) groups=1001(netblue),27(sudo),116(fuse),118(pulse),119(pulse-access)

$ firejail 
[netblue@debian ~]$ id
uid=1001(netblue) gid=1001(netblue) groups=1001(netblue),27(sudo),116(fuse),118(pulse),119(pulse-access)
[netblue@debian ~]$ 

In the example above netblue is the primary user group, and sudo, fuse, pulse and pulse-access are secondary user groups. The release introduces a new --nogroups option. The option disables the secondary user groups inside the sandbox:

$ id
uid=1001(netblue) gid=1001(netblue) groups=1001(netblue),27(sudo),116(fuse),118(pulse),119(pulse-access)

$ firejail --nogroups
[netblue@debian ~]$ id
uid=1001(netblue) gid=1001(netblue) groups=1001(netblue)
[netblue@debian ~]$ 
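Supplementary groups are process state, so a sandboxed program keeps memberships such as sudo or fuse unless the launcher drops them before exec. The C program below is an added example for this section, not Firejail's code: it prints the supplementary groups in the same `gid(name)` form as id(1) above, then drops them with setgroups(2), which is the operation --nogroups performs. Dropping needs CAP_SETGID, so an unprivileged run reports EPERM; the helper names and the 256-group cap are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 256   /* example's own cap; getgroups fails with EINVAL if a user has more */

/* Number of supplementary groups of the calling process, or -1 on error. */
int secondary_group_count(void)
{
    return getgroups(0, NULL);
}

/* Render the supplementary groups the way id(1) does: "1001(netblue),27(sudo)".
 * Returns the number of groups written, or -1 if the buffer is too small. */
int format_groups(char *buf, size_t len)
{
    gid_t gids[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, gids);
    if (n < 0 || len == 0) return -1;
    buf[0] = '\0';
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        struct group *g = getgrgid(gids[i]);        /* NULL when the gid has no /etc/group entry */
        int w = snprintf(buf + used, len - used, "%s%u(%s)", i ? "," : "",
                         (unsigned)gids[i], g ? g->gr_name : "?");
        if (w < 0 || (size_t)w >= len - used) return -1;
        used += (size_t)w;
    }
    return n;
}

/* Drop every supplementary group for the calling process. Returns 0 on success,
 * -1 with errno == EPERM when the caller lacks CAP_SETGID. */
int drop_secondary_groups(void)
{
    return setgroups(0, NULL);
}

int main(void)
{
    char before[1024], after[1024];
    format_groups(before, sizeof before);
    printf("groups before: %s\n", before[0] ? before : "(none)");
    if (drop_secondary_groups() != 0) {
        printf("setgroups failed: %s\n", strerror(errno));
        return 1;
    }
    format_groups(after, sizeof after);
    printf("groups after:  %s\n", after[0] ? after : "(none)");
    return 0;
}
```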

Support for running commands using the --join option

Example:

$ firejail --list
2536:root:/usr/bin/firejail --seccomp --private --cgroup=/sys/fs/cgroup/g1/task
3234:netblue:firejail --private=~/myfox iceweasel 

$ firejail --join=3234 ps aux
Switching to pid 3235, the first child process inside the sandbox
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
netblue      1  0.0 10.9 1168768 441864 ?      Sl   07:41   5:33 iceweasel
netblue     71  0.0  1.0 372208 41108 ?        Sl   07:50   0:00 /usr/lib/icewea
netblue    120  0.0  0.0  16852  2352 pts/0    R+   08:28   0:00 ps aux
$

Seccomp “empty” attribute

By default, the blacklist syscall filter used by Firejail consists of several dangerous syscalls such as mount, kexec_load, ptrace, init_module, swapoff. Extra syscalls are specified using the --seccomp option. If the first entry in the list is “empty”, the default syscall list is not included in the filter. Example:

$ firejail --seccomp                    # use only the default list
$ firejail --seccomp=chmod,chdir        # use the default list + chmod and chdir syscalls
$ firejail --seccomp=empty,chmod,chdir  # do not use the default list, only chmod and chdir
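To make the three spellings above concrete, the C program below is an added example written for this announcement, not Firejail's filter code. It parses a --seccomp value with the same rules (no value: defaults only; names appended to the defaults; a leading "empty" drops the defaults), resolves names through a small table that only covers the syscalls named on this page, and installs a seccomp-BPF blacklist with an architecture check in front of it. The example's own choice is to make a blacklisted call fail with EPERM rather than terminate the process, so the effect can be observed in the same process; the function names are also the example's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#  define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__i386__)
#  define THIS_ARCH AUDIT_ARCH_I386
#elif defined(__aarch64__)
#  define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Name table limited to the syscalls this page mentions (a real tool carries the full table). */
static const struct { const char *name; int nr; } syscall_names[] = {
#ifdef __NR_mount
    { "mount", __NR_mount },
#endif
#ifdef __NR_kexec_load
    { "kexec_load", __NR_kexec_load },
#endif
#ifdef __NR_ptrace
    { "ptrace", __NR_ptrace },
#endif
#ifdef __NR_init_module
    { "init_module", __NR_init_module },
#endif
#ifdef __NR_swapoff
    { "swapoff", __NR_swapoff },
#endif
#ifdef __NR_chmod
    { "chmod", __NR_chmod },
#endif
#ifdef __NR_chdir
    { "chdir", __NR_chdir },
#endif
};

/* The default blacklist as listed in the announcement. */
static const char *default_list[] = { "mount", "kexec_load", "ptrace", "init_module", "swapoff" };

static int lookup_syscall(const char *name)
{
    for (size_t i = 0; i < sizeof syscall_names / sizeof syscall_names[0]; i++)
        if (strcmp(syscall_names[i].name, name) == 0) return syscall_names[i].nr;
    return -1;
}

static int add_nr(int *nrs, size_t max, size_t *n, int nr)
{
    for (size_t i = 0; i < *n; i++) if (nrs[i] == nr) return 0;   /* already listed */
    if (*n >= max) return -1;
    nrs[(*n)++] = nr;
    return 0;
}

/* Turn a --seccomp value into syscall numbers. NULL or "" means the default list
 * alone; a leading "empty" drops the defaults. Returns the count, or -1 on an
 * unknown name or overflow. */
int parse_seccomp_spec(const char *spec, int *nrs, size_t max)
{
    char buf[512];
    size_t n = 0;
    int use_defaults = 1;
    const char *src = spec ? spec : "";
    if (strlen(src) >= sizeof buf) return -1;
    strcpy(buf, src);
    char *tok = strtok(buf, ",");
    if (tok && strcmp(tok, "empty") == 0) { use_defaults = 0; tok = strtok(NULL, ","); }
    if (use_defaults)
        for (size_t i = 0; i < sizeof default_list / sizeof default_list[0]; i++) {
            int nr = lookup_syscall(default_list[i]);
            if (nr < 0 || add_nr(nrs, max, &n, nr) < 0) return -1;
        }
    for (; tok; tok = strtok(NULL, ",")) {
        int nr = lookup_syscall(tok);
        if (nr < 0 || add_nr(nrs, max, &n, nr) < 0) return -1;
    }
    return (int)n;
}

/* Install a blacklist filter: listed syscalls return EPERM, everything else is allowed.
 * The leading arch check rejects foreign-ABI calls, whose numbers would not match the list. */
int install_blacklist(const int *nrs, size_t n)
{
    struct sock_filter prog[4 + 2 * 64 + 1];
    size_t k = 0;
    if (n > 64) { errno = E2BIG; return -1; }
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        prog[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], 0, 1);
        prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }
    prog[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = (unsigned short)k, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;   /* required for unprivileged filter install */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(int argc, char **argv)
{
    int nrs[64];
    int n = parse_seccomp_spec(argc > 1 ? argv[1] : NULL, nrs, 64);
    if (n < 0) { fprintf(stderr, "bad --seccomp list\n"); return 1; }
    if (install_blacklist(nrs, (size_t)n) != 0) { perror("seccomp"); return 1; }
    int rc = chdir("/");
    printf("%d syscall(s) blacklisted; chdir(\"/\") -> %d (%s)\n", n, rc, rc ? strerror(errno) : "ok");
    return 0;
}
```

Running it as `./a.out empty,chdir` shows chdir failing with EPERM while every other syscall still works; with no argument only the default list is installed and chdir succeeds.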

Opera browser support

A default profile for running the Opera web browser is provided. The profile creates a chroot filesystem built on top of the host filesystem, with the main directories mounted read-only, empty /boot and /root, and sanitized versions of the /var and /proc directories. In the user's home directory several files holding passwords and encryption keys are blacklisted. The process space is also restricted by a PID namespace. The profile is similar to the profiles used for Chromium and Mozilla Firefox. Use the following command to start Opera:

$ firejail opera
$ firejail --debug opera # add --debug for a description of the sandbox

Note: Opera web browser configures its own seccomp filter. Firejail does not attempt to overwrite it.

VLC support

The new release features a default profile for VLC media player. The profile is similar to the profiles used for Chromium and Mozilla Firefox. Use the following command to start VLC:

$ firejail vlc
$ firejail --debug vlc # add --debug for a description of the sandbox

Sandbox monitoring enhancements

The firemon utility gained a number of new options for monitoring sandbox status: --cpu, --cgroup, --caps and --seccomp.

About

For more information please visit the project page.


2 thoughts on “Firejail 0.9.20 Release Announcement”

  1. Tomer Cohen

    Do you have an idea when this pretty application would become available on the official Debian repositories (for Jessie), so we could install it by sudo apt install firejail?

