Firejail 0.9.26 Release Announcement

We are happy to announce the release of Firejail version 0.9.26. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, new default profiles, and brings in the following new features:

Private /dev directory

Command line option –private-dev mounts a new /dev directory and populates it with the following device files: null, full, zero, tty, pts, ptmx, random, urandom and shm. The option is targeted to programs that are not supposed to use sound or video camera devices.

New /dev directory created with --private-dev option.

New /dev directory created with –private-dev option.

Private home whitelisting

The format for this command is as follows:

--private.keep=comma-separated-list-of-files-and-directories

The command mounts an empty tmpfs on top of /home/user directory, and copies all the files and directories in the list in the new filesystem. The list elements are separated by comma ‘,’. All modifications are discarded when the sandbox is closed. The original files are not modified.

Example:

$ firejail --private.keep=.mozilla,Downloads firefox

User namespaces

Command –noroot attaches a new user namespace to the sandbox. The namespace has a single user defined, the current user. There is no root user available. Programs requiring root privileges will not be able to run:

Trying to run SUID binaries in a --noroot sandbox.

Trying to run SUID binaries in a –noroot sandbox.

User namespaces have been introduced in Linux kernel 3.9. If the feature is not available in the kernel at runtime, Firejail will print a warning and continue setting up the sandbox.

New default profiles

This version brings in new default profiles for Deluge and qBittorrent BitTorrent clients.

About

For more information please visit the project page.

29 thoughts on “Firejail 0.9.26 Release Announcement

  1. scooby

    I am happy about –noroot parameter although having a little trouble testing it
    I have not sudo setup

    What exactly happens when you are root and do a firejail –join to a –noroot jail?

    thanks for awesome work

    Reply
    1. netblue30 Post author

      I still have to add noroot support in –join. I will let the root join the sandbox, without an user namespace. Nothing can stop him. If I don’t let him go in, he will use another tool to go in.

      Reply
  2. Bob Good

    Thanks NetBlue30, and team, for the private home whitelisting feature. Looking forward to trying it. BTW, how soon until you make debs for it? At release?

    You’ve got a great application on your hands. You should be proud, which I’m sure you are. :). Great work.

    Best regards,

    Bob Good

    Reply
    1. netblue30 Post author

      Thanks!

      I’ll make debs when I release it in the next two weeks. There are still bugs coming in. Probably it will be another rc release before that.

      Reply
  3. tarkatheotter

    Hi, I love the new “private.keep=” feature, but it appears to be having trouble with keeping extra folders in my “$HOME” directory. For instance: I have a locally installed Firefox at the base of “$HOME (~/firefox/),” but when I add it into a private firejail session, firejail won’t copy over all the containing files and sub-directories from within that Firefox folder. Could you look into this before the next RC/Final release, please?

    Reply
    1. netblue30 Post author

      Sure, I’ll look into it! How are you starting the sandbox? What command are you using? I want to try to reproduce it here on my machine.

      Reply
      1. tarkatheotter

        Actually, it turns out the Firefox directory copies; I was having trouble with copying QtAV ( http://sourceforge.net/projects/qtav/ ) into the sandbox. That got fixed when I re-installed QtAV without the examples or source files. Now `firejail –private.keep=QtAV` copies everything; before it failed to copy at a certain point, “duplicate334,” or something and only three files and one subdirectory made it over…

  4. Bob Good

    Hi netblue30,
    Is there any way to recover downloaded files from tmpfs with the –private.keep switch? I listed Desktop (my usual download location) in the directories list but the downloaded file doesn’t show. My switch is firejail –cpu=0,1 –shell=none –private.keep=Desktop,.themes,.icons,.config/google-chrome google-chrome.

    Thanks for your work on firejail. :).

    Best regards,

    Bob Good

    Reply
    1. netblue30 Post author

      Actually is quite easy. First you find the process id (PID) of your firefox process (“ps aux” or “firejail –tree”). The filesystem as viewed by the process is exposed in /proc/PID/root directory.

      Example:

      $ firejail –tree
      3170:netblue:firejail –private=~/myfirefox firefox
         3171:netblue:firefox

      $ ls /proc/3171/root/

      Reply
  5. Bob Good

    Hey netblue30,
    It’s me again…with another feature request. I know what you’re thinking…”Go away kid…you draw flies!”. Sorry about that. :). Anyway, all joking aside, I’d like to request that any downloaded files be copied to their respective user-space folder. At present I’m using a bash script triggered by a cronjob to copy files….

    #!/bin/bash
    download=`ps -ef | awk ‘/[c]hrome -start-maximized/{print $2}’`
    dire=/proc/$download/root/$HOME/Desktop
    if [ -d $dire ]; then
    rsync -rvcm –compare-dest=../$HOME/Desktop/ /proc/$download/root/$HOME/Desktop/ $HOME/Desktop/
    fi
    exit 0

    I’ve looked into inotifywait and incron but if the /proc/PID/root/$HOME/download-location folder doesn’t exist at startup then it exits.

    In the meantime, until you decide whether to include this feature request, do you have any suggestions? I’d be glad to hear them.

    BTW, I love the new –private.keep switch. It’s perfect (except for the downloaded files thingy). ;).

    Later…

    Bob Good

    Reply
    1. netblue30 Post author

      Any time you have an idea just put it here. Some of the best features firejail has, have been suggested by users. The main reason I run this project off a blog is to encourage user participation.

      Try this: create a directory outside your home:

      $ sudo mkdir /storage
      $ sudo chmod 777 /storage

      and configure your browser to save the downloads there. You can also use /tmp or /var/tmp, but they get cleaned up automatically at startup

      Reply
  6. tarkatheotter

    Hi again netblue30, are you able to provide a download mirror for your releases? Sourceforge has stopped working again…

    Reply
  7. Bob Good

    Hi netblue30,
    I have a question. What limitations are there with running Firejail with google-chrome? Is containment of the google-chrome profile the only benefit? Chrome uses sandboxes already…so is google-chrome being ran within a Firejail sandbox?

    I hope I made myself clear to you.

    BTW, how’s the next release coming? What new features can we expect?

    Thanks for you and your teams efforts. :).

    Best regards,
    Bob

    Reply
    1. netblue30 Post author

      Hi Bob,

      Namespace sandboxes can be chained, so Chrome sandbox will run in Firejail sandbox. With a few exceptions – seccomp filters, linux capabilities fiters, and user namespaces – all Firejail features should work. The benefit is you can lock the filesystem which Chrome does not, install a new network namespace, a chroot, control groups (cgroups), a new /dev directory etc.

      The next release will be coming in about one month, with support for network bandwidth management, a graphical user interface, and a number of smaller features.

      Reply
  8. DWORD

    Hello netblue,
    May be it is a bit stupid question but when running Firefox (Skype also) in sandboxed mode it display “(as superuser)” in title of Firefox.
    Execution Command line :
    “xhost +SI:localuser:limitliuser && firejail –noroot –private /usr/lib64/firefox/firefox/firefox-bin %u” limitliuser

    I played a bit with command line switches of firejail.No avail it still displays “As Superuser” in title of Firefox.

    $ ps aux|grep -i “fireja”
    root 4649 0.0 0.0 205572 6480 ? Ss 13:43 0:00 su -l -c xhost +SI:localuser:limitliuser && firejail –noroot –private /usr/lib64/firefox/firefox/firefox-bin limitliuser
    limitli+ 4652 0.0 0.0 121908 3480 ? Ss 13:43 0:00 -bash -c xhost +SI:localuser:limitliuser && firejail –noroot –private /usr/lib64/firefox/firefox/firefox-bin
    root 4684 0.0 0.0 9724 1960 ? S 13:43 0:00 firejail –noroot –private /usr/lib64/firefox/firefox/firefox-bin

    Thank you!

    Reply
    1. netblue30 Post author

      It is actually a very good question! If you start the sandbox as a regular user, the processes inside the sandbox should run as regular user. The sandbox itself runs as root. For example in a terminal, running as a regular user, you would do:

      $ firejail firefox &

      Then you can check using ps aux:

      $ ps aux | grep firefox
      root 17071 0.0 0.0 15848 2112 ? S 09:51 0:00 firejail firefox
      netblue 17072 30.2 5.3 990236 379072 ? Rl 09:51 2:20 firefox

      The sandbox process (17071) reported as root does nothing. It just monitors firefox process in order to close the sandbox when firefox is shut down. Firefox process 17072 should definitely be reported as a regular user. If not, it is a bug!

      Reply
  9. HMat

    Hello,

    First, let me congratulate you for the excellent tool this is. To me this should become part of any security oriented packages, like AppArmor or GRSecurity.

    I think I’ve found a bug with the private-dev options: it seems to tamper with the /dev/pts in the normal namespace, so that i can’t open any new terminal, I ge a “grantp failed”, which goes away if I remount /dev/pts.

    regards,
    H

    Reply
      1. HMAT

        Hi,

        I create one firejail for an app with the –nodev option.

        Then in my normal namespace, the /dev/pts becomes blocked and I can’t open up new terminals without getting “grantp failed”.

        If i remount it, it works.

        For your information I use Gentoo hardened stable.

  10. Aleksej

    Hello.

    Some of my home directories are in a common directory under /home. Firejail blacklists that directory, making $HOME unavailable.

    Reply
      1. Aleksej

        So, how do I make it work (with 0.9.28 now)? Preferably without unhiding all other users or making ~ discarded every time.

        I probably can stop using such subdirectories though; if a future file system switch causes problems, bind mounts might solve them.

      2. netblue30 Post author

        I assume each subdirectory in /home belongs to a different user. It is hardcoded in 0.9.28. What is the use case to make it configurable, or to disable it?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s