We are happy to announce the release of Firejail version 0.9.20. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, and brings in several user-requested new features:
Linux Control Groups (cgroups) support
Firejail can place a full sandbox under a cgroup. The group has to be created and activated before Firejail is started. cgroup configuration is independent of Firejail, and can be modified while the sandbox is running. Multiple sandboxes can be placed in the same cgroup. To enable this option, use --cgroup to pass the cgroup tasks file to Firejail. For example, assuming there is a control group mounted under the /sys/fs/cgroup/group1 directory, start Firejail as follows:
$ firejail --cgroup=/sys/fs/cgroup/group1/tasks
Firejail can bind the sandbox to a list of CPUs specified with the --cpu option. Example:
$ firejail --cpu=0,1 handbrake # run handbrake only on cpu cores 0 and 1
By default, the sandbox preserves the secondary user groups:
$ id
uid=1001(netblue) gid=1001(netblue) groups=1001(netblue),27(sudo),116(fuse),118(pulse),119(pulse-access)
$ firejail
[netblue@debian ~]$ id
uid=1001(netblue) gid=1001(netblue) groups=1001(netblue),27(sudo),116(fuse),118(pulse),119(pulse-access)
[netblue@debian ~]$
In the example above, netblue is the primary user group, and sudo, fuse, pulse and pulse-access are secondary user groups. The release introduces a new --nogroups option, which disables the secondary user groups inside the sandbox:
$ id
uid=1001(netblue) gid=1001(netblue) groups=1001(netblue),27(sudo),116(fuse),118(pulse),119(pulse-access)
$ firejail --nogroups
[netblue@debian ~]$ id
uid=1001(netblue) gid=1001(netblue) groups=1001(netblue)
[netblue@debian ~]$
Support for running commands using the --join option
$ firejail --list
2536:root:/usr/bin/firejail --seccomp --private --cgroup=/sys/fs/cgroup/g1/task
3234:netblue:firejail --private=~/myfox iceweasel
$ firejail --join=3234 ps aux
Switching to pid 3235, the first child process inside the sandbox
USER       PID %CPU %MEM     VSZ    RSS TTY      STAT START   TIME COMMAND
netblue      1  0.0 10.9 1168768 441864 ?        Sl   07:41   5:33 iceweasel
netblue     71  0.0  1.0  372208  41108 ?        Sl   07:50   0:00 /usr/lib/icewea
netblue    120  0.0  0.0   16852   2352 pts/0    R+   08:28   0:00 ps aux
$
Seccomp “empty” attribute
By default, the blacklist syscall filter used by Firejail consists of several dangerous syscalls such as mount, kexec_load, ptrace, init_module and swapoff. Extra syscalls are specified using the --seccomp option. If the first entry in the list is "empty", the default syscall list is not included in the filter. Example:
$ firejail --seccomp # use only the default list
$ firejail --seccomp=chmod,chdir # use the default list + chmod and chdir syscalls
$ firejail --seccomp=empty,chmod,chdir # do not use the default list, only chmod and chdir
Opera browser support
A default profile for running the Opera web browser is provided. The profile creates a chroot filesystem built on top of the host filesystem, with the main directories mounted read-only, empty /boot and /root, and sanitized versions of the /var and /proc directories. In the user's home directory, several files holding passwords and encryption keys are blacklisted. The process space is also restricted by a PID namespace. The profile is similar to the profiles used for Chromium and Mozilla Firefox. Use the following command to start Opera:
$ firejail opera
$ firejail --debug opera # add --debug for a description of the sandbox
Note: Opera web browser configures its own seccomp filter. Firejail does not attempt to overwrite it.
The new release features a default profile for VLC media player. The profile is similar to the profiles used for Chromium and Mozilla Firefox. Use the following command to start VLC:
$ firejail vlc
$ firejail --debug vlc # add --debug for a description of the sandbox
Sandbox monitoring enhancements
The firemon utility gained a number of new options for monitoring sandbox status: --cpu, --cgroup, --caps and --seccomp.
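As an added example (not Firejail's or firemon's own code), the Python below does from the outside what the firemon options above report: it reads the same kernel files firemon consults, /proc/<pid>/status (Seccomp, CapBnd and Cpus_allowed_list fields) and /proc/<pid>/cgroup, and confirms that the --cpu, --seccomp and --cgroup settings described earlier in this release are actually in effect for a sandboxed process. The /proc contents are constructed samples so it runs offline; all function names are my own.

```python
# Added example (not Firejail code): verify from outside, the way firemon does, that
# --cpu, --seccomp and --cgroup are really in effect, using /proc/<pid>/status and /proc/<pid>/cgroup.

def parse_cpu_list(spec):
    """Expand a kernel CPU list such as '0-1,4' into the set {0, 1, 4}."""
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def parse_status(text):
    """Pull the fields firemon reports out of /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "seccomp": int(fields.get("Seccomp", "0")),  # 0 off, 1 strict, 2 filter mode
        "cpus": parse_cpu_list(fields.get("Cpus_allowed_list", "")),
        "cap_bnd": int(fields.get("CapBnd", "0"), 16),  # capability bounding set mask
    }

def parse_cgroup(text):
    """Return the cgroup paths in /proc/<pid>/cgroup (hierarchy:controllers:path lines)."""
    return {line.split(":", 2)[2] for line in text.splitlines() if line.count(":") >= 2}

def check_sandbox(status_text, cgroup_text, want_cpus, want_cgroup):
    """List the restrictions that are NOT in effect; an empty list means all of them hold."""
    info = parse_status(status_text)
    findings = []
    if info["seccomp"] != 2:
        findings.append("seccomp filter not active")
    if not info["cpus"] <= want_cpus:  # affinity must stay within the --cpu set
        findings.append("cpu affinity %s exceeds %s" % (sorted(info["cpus"]), sorted(want_cpus)))
    if want_cgroup not in parse_cgroup(cgroup_text):
        findings.append("not a member of cgroup %s" % want_cgroup)
    return findings

# Constructed /proc samples: a program run as
#   firejail --cpu=0,1 --seccomp --cgroup=/sys/fs/cgroup/group1/tasks handbrake
SANDBOXED_STATUS = "Name:\thandbrake\nCapBnd:\t0000000000000000\nSeccomp:\t2\nCpus_allowed_list:\t0-1\n"
SANDBOXED_CGROUP = "3:cpu:/group1\n"
# ... and the same program started directly, without Firejail (constructed as well).
PLAIN_STATUS = "Name:\thandbrake\nCapBnd:\t0000003fffffffff\nSeccomp:\t0\nCpus_allowed_list:\t0-7\n"
PLAIN_CGROUP = "3:cpu:/\n"
```

Calling check_sandbox(SANDBOXED_STATUS, SANDBOXED_CGROUP, {0, 1}, "/group1") returns an empty list, while the PLAIN_* pair yields three findings, one per missing restriction.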
For more information please visit the project page.