Firejail 0.9.24 Release Announcement

We are happy to announce the release of Firejail version 0.9.24. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, updated default profiles, and brings in several new features:

Double Dash

Double dash (“–“) signals the end of command line options and disables further option processing. It is used mainly for building commands when programs or directory names are starting in dash (“-“). Example:

$ firejail --private -- -somedirectory/myprogram

–shell=none

By default Firejail runs all programs through “/bin/bash -c”. The new option allows the user to run the program directly, without a POSIX shell. The program has to be an ELF binary. Example:

$ firejail --shell=none myprogram

Seccomp Whitelist and Blacklist Filters

This release introduces whitelist and blacklist filters support for seccomp filters. The current seccomp commands are as follows:

       --seccomp
              Enable  seccomp filter and blacklist the syscalls in the default
              list.

       --seccomp=syscall,syscall,syscall
              Enable  seccomp  filter,  blacklist  the  default  list  and the
              syscalls specified by the command.

       --seccomp.drop=syscall,syscall,syscall
              Enable seccomp filter, and blacklist the syscalls  specified  by
              the command.

       --seccomp.keep=syscall,syscall,syscall
              Enable  seccomp  filter, and whitelist the syscalls specified by
              the command.

       --seccomp.print=name
              Print the seccomp filter for the sandbox  started  using  --name
              option.

New syscalls have been added to the default blacklist filter enabled by –seccomp command. The current list is as follows: mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, mknod, sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp.

Note: empty attribute for –seccomp command was removed. Use –seccomp.drop instead.

Default profiles updates

There are several updates for the default application profiles stored in /etc/firejail. Most of them disable in this moment all Linux capabilities (–caps.drop=all). New default profiles have been added for Audacious, Clementine, gnome-mplayer, Rhythmbox and Totem (Gnome Videos). The default profiles cover in this moment the most popular video and audio players.

About

For more information please visit the project page.

Advertisements

7 thoughts on “Firejail 0.9.24 Release Announcement

  1. Bob Good

    Hi,
    I’m using firejail and like it a great deal. Thank you for your work on it. :).

    I have a feature requests…

    With the –private switch firejail basically creates a new Default profile for your browser. The problem with the –private switch is that none of my bookmarks, passwords, extensions, etc., are being used making it a bit bothersome. How about a switch that copies your present browser profile, uses that to run your browser, then after closing erases that profile (and all the changes that were made during that session).

    This feature probably has already been requested before but I haven’t read thru the whole blog yet.

    Best regards,

    Bob

    Reply
    1. netblue30 Post author

      You can fix it by using a persistent private directory for you browser. I have an example here:

      https://l3net.wordpress.com/2015/02/19/firejail-a-security-sandbox-for-mozilla-firefox-part-2/

      Basically, you create a new home directory for the browser:

      $ cd ~
      $ mkdir -p browser-home/Downloads

      Copy your exiting browser configuration in the new home:

      $ cp -a ~/.mozilla ~/browser-home/.mozilla

      Start your browser using the new home directory:

      $ firejail –private=~/browser-home firefox

      Just keep in mind the files you download are in ~/browser-home/Downlodas. Also when you uploads files you need to copy them first in ~/browser-home. When you are done browsing you can remove ~/browser-home directory:

      $ cd ~
      $ rm -fr ~/browser-home

      Yes, something like this was requested before, Building a script with all these commands was also suggested. Maybe one day I’ll implement something along these lines, but it will not be as flexible as a simple script.

      Reply
  2. Bob Good

    Hey netblue30,
    Over at Wilders Security Forum, All Things Unix subsection, we have a running thread about Firejail. It was where I first heard about Firejail. :). A fellow linux user discussed a persistent private directory and is using it presently I believe. The problem, at least for me, is the “clean slate” that the –private switch starts you with. I’m fairly good at writing bash scripts and I have written a script to do as you suggested, but the “clean slate” is always the starting point.

    Well, hopefully, someday, you’ll add what I, and others, have requested. Then Firejail would be a great deal similar to a Windows application I use to use, a long time ago…in a land far, far away…;), called Sandboxie (I still have a lifetime key).

    Have a nice one, netblue30

    Later…

    Bob

    Reply
    1. netblue30 Post author

      OK, I’ll have something in the next release in a few weeks. It will create a new home directory, copy .mozilla folder form the real home directory, start the sandbox, and remove the private dir once the sandbox is closed.

      Thanks for suggesting it!

      Reply
  3. Bob Good

    Hi netblue30,

    Great! Thanks for your consideration in implementing it. But can you make it flexible enough to include other browser profiles (like chrome, chromium, etc.)?

    Being a developer, such as yourself, you obviously have a passion for coding. And you must get a great feeling of satisfaction knowing so many people are using, and appreciating, your creation. But, I’m sure, the demands of these users wanting this or wanting that can be a bit irritating…so, thanks for putting up with me. :).

    Best regards,

    Bob

    Reply
    1. netblue30 Post author

      You’re welcome!

      I am thinking about adding an option such as:

      –private.keep=directory,directory,directory

      where would list all the files and directories you want to copy over in the new home. I think it will solve the problem for any kind of program.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s