Firejail 0.9.22 Release Announcement

We are happy to announce the release of Firejail version 0.9.22. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, and brings in several new features:

Container stdout logging and log rotation

Captures the container's stdout and stores it in a file. Six files are rotated; each file is kept under 512KB.

$ firejail --output=output.log application

The output is stored in output.log, output.log.1, …, output.log.5.
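The rotation scheme described above, as an added example that is not Firejail's own code: the functions below emulate the six-file naming scheme (output.log is the newest, output.log.5 the oldest and the one discarded on the next rotation) and reassemble the rotated files in chronological order, which is the order you want when reviewing a sandboxed program's output after the fact. The emulation rotates on every call rather than at the 512KB threshold so the naming is visible with small constructed data; the 512KB size limit is Firejail's, not re-implemented here.

```shell
#!/bin/sh
# Added example, not Firejail's code: emulate the six-file rotation scheme
# (output.log, output.log.1 .. output.log.5) and read the files back in
# chronological order. Rotation happens on every call here; Firejail itself
# rotates on size (512KB), which this emulation does not reproduce.

KEEP=5   # output.log plus output.log.1 .. output.log.5 = six files

# rotate_log LOGFILE: shift output.log.4 -> .5, ..., output.log -> .1 and
# start a fresh output.log; the previous output.log.5 is discarded.
rotate_log() {
    log=$1
    i=$KEEP
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$log.$prev" ] && mv "$log.$prev" "$log.$i"
        i=$prev
    done
    [ -f "$log" ] && mv "$log" "$log.1"
    : > "$log"
    return 0
}

# cat_rotated LOGFILE: print oldest to newest (output.log.5 ... output.log)
cat_rotated() {
    log=$1
    i=$KEEP
    while [ "$i" -ge 1 ]; do
        [ -f "$log.$i" ] && cat "$log.$i"
        i=$((i - 1))
    done
    [ -f "$log" ] && cat "$log"
    return 0
}

# count_rotated LOGFILE: number of files currently kept for this log
count_rotated() {
    ls "$1" "$1".[0-9] 2>/dev/null | wc -l | tr -d ' '
}

# Demo on constructed data: seven sandbox "runs", so the first generation
# falls off the end and only runs 2..7 survive in the six files.
demo_dir=$(mktemp -d)
LOG="$demo_dir/output.log"
n=1
while [ "$n" -le 7 ]; do
    rotate_log "$LOG"
    echo "run $n" > "$LOG"
    n=$((n + 1))
done
cat_rotated "$LOG"
```

Running the block prints "run 2" through "run 7" in order; output.log.5 holds run 2, output.log holds run 7.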

OverlayFS support

Starting with this version, OverlayFS is supported for Linux kernels 3.18 and newer. Example:

$ firejail --overlay application

Updated default seccomp and caps filters

Added process_vm_readv, process_vm_writev and mknod to default seccomp blacklist. Added CAP_MKNOD to default caps blacklist.

Blacklist and whitelist Linux capabilities filters

This release implements full blacklist and whitelist filters for Linux capabilities (see man 7 capabilities). The format of the command is as follows:

--caps Enable default Linux capabilities filter. The filter disables
       CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,
       CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.

--caps.drop=all
       Drop all capabilities.

--caps.drop=capability,capability,capability
       Blacklist Linux capabilities filter.

--caps.keep=capability,capability,capability
       Whitelist Linux capabilities filter.

Some examples:

(nginx web server)
# firejail --caps.keep=chown,net_bind_service,setgid,setuid --seccomp "/etc/init.d/nginx start && sleep inf"

(apache web server)
# firejail --caps.keep=chown,sys_resource,net_bind_service,setuid,setgid --seccomp "/etc/init.d/apache2 start && sleep inf"

(net-snmp server)
# firejail --caps.keep=net_bind_service,setuid,setgid --seccomp "/etc/init.d/snmpd start && sleep inf"
# firejail --caps.keep=net_bind_service,setuid,setgid --seccomp "/usr/sbin/snmptrapd start && sleep inf"

(ISC DHCP server)
# firejail --caps.keep=net_bind_service,net_raw --seccomp "/etc/init.d/isc-dhcp-server start && sleep inf"

(VNC server - started as regular user)
$ firejail --caps.drop=all --seccomp /usr/lib/vino/vino-server
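A way to verify that a --caps.keep or --caps.drop filter actually took effect, as an added example that is not Firejail's own code: the kernel exposes each process's effective capability set as a hex bitmask on the CapEff line of /proc/<pid>/status, and the bit positions follow linux/capability.h (bit 0 is chown, bit 10 is net_bind_service, and so on). The decoder below turns that mask back into the lower-case names used by --caps.keep, so the running sandboxed service can be compared against the list it was started with; check_caps and the expected-list format are this example's own convention.

```shell
#!/bin/sh
# Added example, not Firejail's code: decode the CapEff bitmask from
# /proc/<pid>/status so the effective capability set of a sandboxed process
# can be compared with the --caps.keep list it was started with.
# Names are listed in bit order as defined in linux/capability.h.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read"

# decode_caps HEXMASK: print the capability names set in the mask,
# lowest bit first, space separated (empty output for an empty set).
decode_caps() {
    mask=$((0x$1))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# caps_of_pid PID: effective capabilities of a running process, decoded
caps_of_pid() {
    hex=$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
    [ -n "$hex" ] || return 1
    decode_caps "$hex"
}

# check_caps PID EXPECTED: succeed only if the effective set equals the
# space-separated EXPECTED list, given in CAP_NAMES order. For the nginx
# example above that list is "chown setgid setuid net_bind_service".
check_caps() {
    actual=$(caps_of_pid "$1") || return 1
    [ "$actual" = "$2" ]
}

# Demo on a constructed mask: 0x4c1 sets bits 0, 6, 7 and 10, which is the
# chown,net_bind_service,setgid,setuid set kept for the nginx example.
decode_caps 00000000000004c1
```

To audit a live sandbox, find the service's PID (for instance with firejail --list or ps) and run `check_caps <pid> "chown setgid setuid net_bind_service"`; a non-zero exit means the effective set differs from what --caps.keep was meant to leave.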

macvlan device driver support

Up to now the --net option allowed new network namespaces to connect only to regular Linux bridge devices. This version introduces support for Linux macvlan devices.

macvlan interfaces can be seen as subinterfaces of a main Ethernet interface. Each macvlan interface has its own MAC address and IP addresses, just like a normal interface. The new interface is assigned to the sandbox, and to the programs running in the sandbox it looks like a regular Ethernet interface:

[Figure: macvlan network setup]

In this example, the host IP address is 192.168.1.50 and the vm1 sandbox address is 192.168.1.10. The command to start this sandbox is:

$ firejail --net=eth0 --ip=192.168.1.10 application

If no IP address is specified (the --ip=192.168.1.10 argument is omitted), Firejail ARP-scans the network and assigns an unused IP address to the sandbox.

netfilter support

The new version of Firejail allows the user to configure the netfilter subsystem in the Linux kernel for a new network namespace. The format of the command is as follows:

--netfilter=filename

filename is a filter file in iptables-save/iptables-restore format. If no filename is specified, the following default client filter is used:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
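Writing and checking filter files for --netfilter=, as an added example that is not Firejail's own code. write_client_filter reproduces the default client filter above; write_server_filter is this example's own extension of it with a single inbound TCP port accepted, which is what the server examples earlier in these notes (nginx, apache, snmpd) would need, since the default filter drops all unsolicited inbound traffic. check_filter is a pre-flight test that refuses a file which has lost the default-deny posture (INPUT or FORWARD policy not DROP, no *filter table, no COMMIT); the --dport rule form is standard iptables-restore syntax and the port number is a constructed value.

```shell
#!/bin/sh
# Added example, not Firejail's code: generate netfilter files in
# iptables-save format for --netfilter= and sanity-check them before use.
# The server variant and its --dport rule are this example's own choice.

# write_client_filter FILE: the default client filter from the release notes
write_client_filter() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# write_server_filter FILE PORT: the client filter plus one accepted TCP port
write_server_filter() {
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $2 -j ACCEPT
COMMIT
EOF
}

# check_filter FILE: return 0 only if the file keeps the default-deny posture:
# a *filter table, INPUT and FORWARD policies DROP, and a closing COMMIT.
check_filter() {
    f=$1
    grep -q '^\*filter$' "$f"     || { echo "$f: missing *filter table" >&2; return 1; }
    grep -q '^:INPUT DROP' "$f"   || { echo "$f: INPUT policy is not DROP" >&2; return 1; }
    grep -q '^:FORWARD DROP' "$f" || { echo "$f: FORWARD policy is not DROP" >&2; return 1; }
    grep -q '^COMMIT$' "$f"       || { echo "$f: missing COMMIT" >&2; return 1; }
    return 0
}

# accepted_ports FILE: destination ports explicitly accepted on INPUT,
# useful for reviewing what a server filter opens before handing it to firejail
accepted_ports() {
    awk '/^-A INPUT/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# Demo: build a filter for a web server on port 80 (constructed value) and
# check it before it would be passed as --netfilter=/path/web.net
demo_dir=$(mktemp -d)
write_server_filter "$demo_dir/web.net" 80
check_filter "$demo_dir/web.net" && echo "web.net opens: $(accepted_ports "$demo_dir/web.net")"
```

With the file checked, the nginx example from the capabilities section would become `firejail --caps.keep=chown,net_bind_service,setgid,setuid --seccomp --netfilter=/path/web.net "/etc/init.d/nginx start && sleep inf"` (with a --net= interface, since the filter applies to the sandbox's own network namespace).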

DNS server support

The new version allows the user to define up to three DNS servers to be used by the sandbox. Example:

$ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox

Network statistics

The --netstats option allows a user to monitor network statistics for sandboxes that initialize new network namespaces. Example:

$ firejail --netstats

About

For more information please visit the project page.


2 thoughts on “Firejail 0.9.22 Release Announcement”

  1. justhelpme

    Hi, I’ve been trying to get a “firejail-ed” openvpn thing working for months now, to run an exclusive firefox browser with a private profile, where the rest of the entire network/OS is left untouched. Running openvpn in firejail and bridging firefox to that same firejail instance in another terminal still affects unsandboxed firefox instances, and I can’t work out how to achieve this using the “br0” mentioned in the manual, or the “tun0” thing that pops up in KDE’s network manager when I import an ovpn file downloaded from vpngate.net. Can you help me get this worked out, please?

