We are happy to announce the release of Firejail version 0.9.22. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, and brings in several new features:
Container stdout logging and log rotation
Capture container stdout and store it into a file. Six files are rotated, each file size is kept under 512KB.
$ firejail --output=output.log application
The output is stored in output.log, output.log.1, …, output.log.5.
Starting with this version, OverlayFS is supported for Linux kernels 3.18 and newer. Example:
$ firejail --overlay application
Updated default seccomp and caps filters
Added process_vm_readv, process_vm_writev and mknod to default seccomp blacklist. Added CAP_MKNOD to default caps blacklist.
Blacklist and whitelist Linux capabilities filters
This release implements full blacklist and whitelist filters for Linux capabilities (see man 7 capabilities). The format of the command is as follows:
-caps Enable default Linux capabilities filter. The filter disables CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. --caps.drop=all Drop all capabilities. --caps.drop=capability,capability,capability Blacklist Linux capabilities filter. --caps.keep=capability,capability,capability Whitelist Linux capabilities filter.
(nginx web server) # firejail --caps.keep=chown,net_bind_service,setgid,setuid --seccomp "/etc/init.d/nginx start && sleep inf" (apache web server) # firejail --caps.keep=chown,sys_resource,net_bind_service,setuid,setgid --seccomp "/etc/init.d/apache2 start && sleep inf" (net-snmp server) # firejail --caps.keep=net_bind_service,setuid,setgid --seccomp "/etc/init.d/snmpd start && sleep inf" # firejail --caps.keep=net_bind_service,setuid,setgid --seccomp "/usr/sbin/snmptrapd start && sleep inf" (ISC DHCP server) # firejail --caps.keep=net_bind_service,net_raw --seccomp "/etc/init.d/isc-dhcp-server start && sleep inf" (VNC server - started as regular user) $ firejail --caps.drop=all --seccomp /usr/lib/vino/vino-server
macvlan device driver support
Up to now –net option allowed new network namespaces to connect only to regular Linux bridge devices. This version introduces support for Linux macvlan devices.
macvlan interfaces can be seen as subinterfaces of a main Ethernet interface. Each macvlan interface has its own MAC address and IP addresses, just like a normal interface. The new interface is assigned to the sandbox, and for the programs running in the sandbox it looks like a regular Ethernet interface:
In this example, the host IP address is 192.168.1.50 and vm1 sandbox address is 192.168.1.10. The command to start this sandbox is:
$ firejail --net=eth0 --ip=192.168.1.10 application
If no IP address is specified (–ip=192.168.1.10), Firejail will ARP-scan the network and assign an unused IP address to the sandbox.
The new version of Firejail allows the user to configure netfilter subsystem in Linux kernel for a new network namespaces. The format of the command is as follows:
filename is the filter file in iptables-save/iptable-restore format. If no filename is specified, the following default client filter is used:
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT COMMIT
DNS server support
The new version allows the user to define up to three DNS servers to use by the sandbox. Example:
$ firejail --dns=220.127.116.11 --dns=18.104.22.168 firefox
–netstats option allows a user to monitor network statistics for sandboxes initializing new network namespaces. Example:
$ firejail --netstats
For more information please visit the project page.