In part 2 of this series, we look at some new browser sandboxing developments in the Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of the Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target.
Default profiles are stored in /etc/firejail and they describe the sandboxing environment for specific applications. In the latest versions of Firejail, the default profiles are applied automatically unless a different profile is requested by the user. Start the sandbox as firejail appname. Examples:
$ firejail firefox
$ firejail chromium
$ firejail midori
$ firejail opera
The sandbox consists of a mount namespace built on top of the current filesystem, with most directories marked read-only, several empty system directories, and a manicured home directory. Linux capabilities filters and seccomp-bpf filters are also enabled. You can always check the current profile by running the sandbox with the --debug option:
$ firejail --debug firefox
Reading /etc/firejail/firefox.profile
Reading /etc/firejail/disable-mgmt.inc
Reading /etc/firejail/disable-secret.inc
Command name #firefox#
Using the local network stack
Parent pid 18770, child pid 18771
Initializing child process
PID namespace installed
Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
Mounting tmpfs on /run/lock on behalf of /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
[...]
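The --debug output above is what Firejail says it did; a practitioner usually also wants to confirm from inside the sandbox that the mounts, the seccomp filter and the capability bounding set are really in effect. The following shell script is an added example, not code from the original post or from the Firejail project. It reads /proc/self/mounts and /proc/self/status of the process it runs in; the function names and the --report flag are this example's own, and each function takes the file to inspect as a parameter so it can also be run over a saved copy of those files.

```shell
#!/bin/sh
# Added example (not from the original post or the Firejail project):
# verify the protections reported by "firejail --debug" from inside the
# sandbox, e.g.  firejail --profile=/etc/firejail/firefox.profile sh ./check.sh --report

# mount_state MOUNTS_FILE DIR -> prints "ro", "rw" or "absent".
# /proc/self/mounts fields: device mountpoint fstype options dump pass.
# The last matching entry wins, which is the one in effect when a
# directory has been mounted over more than once (as Firejail does).
# The regex anchors "ro" to option boundaries so "errors=remount-ro"
# is not mistaken for a read-only mount.
mount_state() {
    awk -v d="$2" '
        $2 == d { opts = $4 }
        END {
            if (opts == "") print "absent"
            else if (opts ~ /(^|,)ro(,|$)/) print "ro"
            else print "rw"
        }' "$1"
}

# fs_type MOUNTS_FILE DIR -> filesystem type mounted at DIR ("" if none);
# Firejail puts tmpfs on /var/tmp, /var/log and the private home.
fs_type() {
    awk -v d="$2" '$2 == d { t = $3 } END { print t }' "$1"
}

# seccomp_mode STATUS_FILE -> value of the "Seccomp:" line of
# /proc/PID/status (0 = off, 1 = strict, 2 = filter, i.e. seccomp-bpf)
seccomp_mode() {
    awk '$1 == "Seccomp:" { print $2 }' "$1"
}

# cap_bnd STATUS_FILE -> capability bounding set as the kernel's hex mask;
# a sandbox with capabilities dropped shows far fewer set bits than an
# unconfined process.
cap_bnd() {
    awk '$1 == "CapBnd:" { print $2 }' "$1"
}

# report: check the live process. Expect "ro" for the system directories
# listed by --debug, "tmpfs" for /var/tmp, seccomp mode 2 and a reduced
# bounding set. On a merged-/usr system /bin, /sbin and /lib are symlinks
# into /usr and therefore show "absent"; judge by /usr in that case.
report() {
    for d in /bin /sbin /lib /usr /etc /var; do
        printf '%-8s %s\n' "$d" "$(mount_state /proc/self/mounts "$d")"
    done
    printf '/var/tmp fstype: %s\n' "$(fs_type /proc/self/mounts /var/tmp)"
    printf 'seccomp mode: %s\n' "$(seccomp_mode /proc/self/status)"
    printf 'CapBnd: %s\n' "$(cap_bnd /proc/self/status)"
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run the same script once outside Firejail and once inside to see the difference: outside, the system directories are typically "rw" or "absent" and the seccomp mode is 0; inside a profile like the one above they should read "ro", /var/tmp should be tmpfs and the seccomp mode should be 2.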
Private mode reloaded
According to Mozilla’s Jorge Villalobos:
Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.
He’s talking specifically about extensions published on Mozilla’s addon site. Addons run with full user privileges, and nothing prevents them from accessing private data or from sending keystrokes to a third party.
This is where Firejail private mode comes into play. It mounts an empty, temporary filesystem on top of your home directory, basically resetting your browser to factory defaults. No browser addons and no private user files are visible. Data in the temporary home directory is discarded when the browser is closed.
Use this mode when you access your bank account, or for any other private business:
$ firejail --private firefox
For regular everyday browsing, you can replace your home directory with a different one and keep all the modifications when the browsing session is ended. This is how you set it up:
$ cd ~
$ mkdir -p browser-home/Downloads
$ firejail --private=~/browser-home firefox
In this new home you can install addons, extensions, whatever. When transferring files, you would need to copy them into ~/browser-home in order for your browser to see them.
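The three commands above can be wrapped so that each browsing purpose (work, banking, social media) gets its own persistent private home. The script below is an added example, not code from the original post or the Firejail project; it assumes firejail and the browser are installed, and the BROWSER_HOME_BASE variable, the role names and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the Firejail project):
# one --private=<dir> home per browsing role, so addons and downloads
# persist between sessions while the real $HOME stays invisible to the
# browser. Usage:  ./browse.sh launch banking firefox
#                  ./browse.sh share banking ~/statement.pdf

# Directory under which the per-role homes live (name chosen for this example).
BROWSER_HOME_BASE="${BROWSER_HOME_BASE:-$HOME/browser-homes}"

# prepare_home ROLE -> prints the role's home directory, creating it with a
# Downloads folder and 0700 permissions if it does not exist yet.
# Role names with slashes or ".." are rejected so the directory can never
# escape BROWSER_HOME_BASE.
prepare_home() {
    role="$1"
    case "$role" in
        ''|*/*|*..*) echo "invalid role name: '$role'" >&2; return 1 ;;
    esac
    dir="$BROWSER_HOME_BASE/$role"
    mkdir -p "$dir/Downloads" || return 1
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# build_cmd ROLE BROWSER -> prints the firejail command line (dry run)
build_cmd() {
    dir=$(prepare_home "$1") || return 1
    printf 'firejail --private=%s %s\n' "$dir" "$2"
}

# share_file ROLE PATH: copy a file into the role's Downloads folder, the
# only way the sandboxed browser can see a file from the real home.
share_file() {
    dir=$(prepare_home "$1") || return 1
    cp -- "$2" "$dir/Downloads/"
}

# launch ROLE BROWSER [ARGS...]: run the browser inside its private home
launch() {
    dir=$(prepare_home "$1") || return 1
    shift
    exec firejail --private="$dir" "$@"
}

case "${1:-}" in
    launch) shift; launch "$@" ;;
    share)  share_file "$2" "$3" ;;
    show)   build_cmd "$2" "${3:-firefox}" ;;
esac
```

For the one-off, throw-away session described earlier (bank account, other private business) the plain `firejail --private firefox` from above is still the better choice: nothing from these role homes, and nothing the session produces, ever touches the disk.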
Some time ago the Opera browser internals were switched to a fork of Google Chromium. The SUID sandbox, Linux namespaces and seccomp-bpf filters from Chromium survived the porting. This puts Opera security technology at parity with Chromium.
Recent versions of Firejail install a default Opera security profile in /etc/firejail. It is the same profile used by Chromium. Run it as firejail opera, or use the private mode as described above. It has full audio/video support.
Firejail is easy to use and it has a very low memory footprint. It configures a number of security features in the Linux kernel and gets out of the way. It does not interact with the process running in the sandbox; there are no daemons running and no open socket connections. For more information visit the project web page.
This is a fantastic tool, doing in one application more than most of the security applications (SELinux, AppArmor, chroot…), in an easier format. I have started using it. Let’s be clear, again, this is an outstanding initiative. I’ve brought the subject up on Gentoo with the hope it’ll become an official package, which could complement the “Hardened Gentoo” initiative with Grsec, etc…
I have two points I’d like to make:
– for the apps that are started as a daemon (say dnsmasq, or whatever starts through init scripts calling “runscript”), it looks like it’s non-trivial to squeeze firejail in the command used to fire the daemon.
– for Firefox, most of the time, closing down the browser leaves a running PID in the firejail… I’m starting it through a click running “firejail firefox” but 5 min after I closed it it’s still hanging around.
Keep up the good work.
I also hope it will be included at some point in Gentoo.
Apps started as daemon: It needs to be integrated manually in the init scripts, maybe in the scripts in /etc/init.d directory. It will be ugly, and it will be cleaned up every time you update the software. I don’t see any solution in this moment.
Firefox: Firefox always runs a single instance of the browser. The second instance just sends a message to the first instance, and the first instance opens a new tab or window, depending on how it was configured. Then, the second instance is terminated. You probably had another firefox instance running before you started “firejail firefox”. Can you check this? Thanks!
Recently I tested it on gentoo (newest stable kernel 4.0.5) but it seems that there are some kernel features missing. The installation was no problem but it does not start. What kernel feature do you have added to make it work? Do you know if somewhere a list of necessary kernel-features exist?
It should work by default with any kernel version 3.2 or newer, and it will enable all the features available in your kernel. In your case, all features will be enabled. You start it manually when you start the application. Example:
$ firejail firefox
I found the problem. It is necessary to activate at least PID namespaces (CONFIG_PID_NS=y). Then firejail starts but mentions that activating user namespaces would be nice (CONFIG_USER_NS=y). It seems reasonable to activate all sub-features in “General setup -> Namespaces support”.
So it is working now and it is great !!!
@ netblue30: Thanks for your answer. However, some crazy people on gentoo (like me 😉 ) build their kernels manually and need to config the kernel-features via “menuconfig” or similar.
Got a question regarding the “an existing sandbox was detected…” error. I’m running a grsec kernel, and I’ve got two users. User A has /usr/bin/firejail as the shell while user B has /bin/bash. When I bring up a terminal emulator (xterm, uxterm, or xfce terminal) in either of the users, I see this error. When I run firejail --tree, the processes show up. Even when I log into something like TTY2 without a GUI, I get the same error when attempting to go into firejail or run something with firejail. Should I disable grsec’s chroot restrictions? I’ve tried disabling several (caps, fchdir, shmat, unix, etc.) without any success. When I run firejail without a grsec kernel, firejail works flawlessly. What do?
Probably it is a bug, I’ve moved it to the dev site to investigate. Thanks!
This is related to the proc restrictions of GrSec (CONFIG_GRKERNSEC_PROC=y, CONFIG_GRKERNSEC_PROC_USERGROUP=y). Assuming you have chosen the trusted group 123, then the user opening a firejail instance must be a member of group 123. Otherwise firejail cannot look into /proc and fails with the “existing sandbox” error (I tested it).
However, inserting the user into the trusted group 123 is more a workaround than a fix, because the user gets rights he should not get.
One could overcome this problem if firejail would execute its instances as a special “user” (for example this user could be called firejail). (Polkit for example acts like that and uses the user polkitd.)
Then one could put this special user (firejail) into the trusted group 123 without putting the regular user into the trusted group.
Additionally this would have one further advantage: with grsec one can forbid any network access to some user/group. Assuming that firejail opens a sandbox with the rights of the special user “firejail”, one could forbid network access to the regular user, but the regular user can open a program with network access via firejail. This leads to a regular user which can only access the internet through firejail.
I hope this was understandable 😉
PS: If my suggestion is problematic, because one user is not sufficient if a bunch of regular users would use firejail at the same time on the same machine, one could introduce a firejail user named “user_firejail” for every regular user.
I read all the Firefox guides and X11 guide and I compiled a list of questions that I hope you can answer:
1. When you said “configuration is preserved” when using `--private=`, since this directory is supposed to be treated as the user home directory by Firefox, it’s not just Firefox’s configuration that’s preserved but also files downloaded to a downloads folder that might be in this directory, right? “Modifications” might be a better word.
2. New network stacks don’t have any effect on tracking companies because it’s all behind the router/firewall, right? So if it’s for internally, what specifically does it deter? Similarly, how is specifying an internal IP address (as opposed to an “arbitrary” address from DHCP) helpful security-wise? Please forgive my ignorance.
3. Will the `--net=` option eventually support wireless interfaces or is it simply a limitation that cannot be overcome?
4. Can systems with a wireless interface only (e.g. laptop) still use `--net=` in order to use Firejail’s default network filter that is installed when `--net=` is used? If so, what should be specified as a value, and if not, how can the default filter be used?
5. Similarly, what can be specified for `--net=` for wireless machines in order to use the X11 sandbox, which requires this option?
6. When the temporary filesystem is mounted via --private, it’s on tmpfs and nothing is ever written to the disk throughout the given session? But with --private=, is it written to disk like without sandboxing, or is it written on tmpfs and then copied back at the end of the session?
7. How does `firejail firefox` work where firefox is the default profile name (i.e. a default profile config) for firejail? And if I want to specify additional arguments for Firefox, such as `firefox -P ` to launch one of my several profiles, what would it look like if it were to use the default profile config provided by firejail as well?
8. I use multiple profiles where each profile is dedicated to an aspect of my browsing activity (one for work, one for social media, one for banking, etc.). I am using `firefox -P -no-instance` to launch these profiles as separate instances. Using firejail, I think I can achieve the same effect via `--private=`. How would you recommend a setup for someone utilizing multiple profiles?
9. Firejail is built for X; would such an application be equally as useful in Wayland, or does Wayland offer adequate security benefits by design?
1,6. There are two forms of --private:
The simple one, --private: everything is lost when you close the sandbox. The filesystem (tmpfs) is in RAM memory.
The second one, --private=directory: the filesystem is on the disk in “directory”. When you close the sandbox, the files are preserved.
2. No effect on tracking companies.
3,4,5. The necessary support to handle a wireless interface directly is missing in Linux kernel. The only choice you have in this moment is to set a bridge interface, connect the sandboxes to the bridge interface, and route the traffic. Something similar to this setup: https://firejail.wordpress.com/documentation-2/basic-usage/#routed
7,8. The default profile for firefox is in /etc/firejail/firefox.profile. Copy the file somewhere and modify it. Then you would start the sandbox as follows: “firejail --profile=filename firefox”. You can handle multiple sandbox configurations this way.
9. In Wayland you shouldn’t need --x11 in firejail.
Can’t seem to get xpra on Arch to work for X11 forwarding, so I’m going to try xephyr. However, I use the i3 window manager and there’s no profile for it (haven’t found one online either). If I just run `firejail --x11=xephyr --net=eth0 i3`, is there still some sandboxing going on, or should I just not bother with X11 forwarding unless I use openbox? Are there still advantages to setting up X11 forwarding this way without using a profile?
Sorry for the late response, somehow it got lost.
xpra is broken on Arch, xephyr is working. It has a screen border around it, kind of inconvenient.
Use the same profile as for openbox, otherwise it will block the local configuration for most programs:
$ firejail --x11=xephyr --net=eth0 --profile=/etc/firejail/openbox.profile i3
openbox.profile is a very generic profile for any kind of window managers and desktop environment.