Firejail 0.9.28 Release Announcement

We are happy to announce the release of Firejail version 0.9.28 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release contains significant improvements, and a large number of enhancements and bug fixes.

Most new features in this release are network namespace features. A network namespace is essentially a new TCP/IP stack. It is created and attached to the sandbox with the --net command line option. The stack is fully isolated from the host stack: it has its own routing table, its own netfilter firewall, and its own set of interfaces. Regular Ethernet or bridge interfaces can be supplied as parameters to the --net option.

In the examples to follow we will use the main Ethernet interface, eth0. Sandboxes created this way appear to be on the same network as the host computer.

--iprange

This option defines a range of IP addresses for an interface in a new network namespace. An address is picked at random from the given range and verified with ARP (to make sure no other host already answers for it) before it is assigned. Example:

$ firejail --net=eth0 --iprange=192.168.1.200,192.168.1.220
Parent pid 3917, child pid 3918

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-3917        da:f7:62:5a:a7:07  192.168.1.214    255.255.255.0    UP    
Default gateway 192.168.1.1

Child process initialized
[...]
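The selection logic behind --iprange, reproduced as an added example in POSIX sh (this is not Firejail's own code): a random address is drawn from the range and ARP is used to check that no host already answers for it. The arping call assumes the iputils arping, whose -D mode exits 0 when no reply is received; the interface name and range are taken from the example above.

```shell
#!/bin/sh
# Added example, not part of Firejail: reproduces the --iprange behaviour
# described in the release notes (random address inside a range, checked
# with ARP before use). arping -D is assumed to be the iputils variant.

# Dotted-quad IPv4 -> integer (plain POSIX sh arithmetic, no bash-isms).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Integer -> dotted-quad IPv4.
int2ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# Succeeds (exit 0) when $1 lies inside [$2, $3].
in_range() {
    n=$(ip2int "$1"); s=$(ip2int "$2"); e=$(ip2int "$3")
    [ "$n" -ge "$s" ] && [ "$n" -le "$e" ]
}

# Random address in [$1, $2]; fails when the range is reversed.
iprange_pick() {
    s=$(ip2int "$1"); e=$(ip2int "$2")
    [ "$s" -le "$e" ] || return 1
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    int2ip $(( s + r % (e - s + 1) ))
}

# Draw candidates and keep the first one nobody answers for on the wire.
# Tries up to 5 candidates; arping needs raw-socket privileges (root/CAP_NET_RAW).
pick_free_addr() {
    iface=$1; start=$2; end=$3; i=0
    while [ "$i" -lt 5 ]; do
        cand=$(iprange_pick "$start" "$end") || return 1
        if arping -D -c 1 -I "$iface" "$cand" >/dev/null 2>&1; then
            echo "$cand"; return 0
        fi
        i=$(( i + 1 ))
    done
    return 1
}

# Host-side usage mirroring the release-note example:
#   pick_free_addr eth0 192.168.1.200 192.168.1.220
```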

--mac

This option configures a MAC address for an interface in a new network namespace. Example:

$ firejail --net=eth0 --mac=00:11:22:33:44:55
Parent pid 3968, child pid 3969

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-3968        00:11:22:33:44:55  192.168.1.49     255.255.255.0    UP    
Default gateway 192.168.1.1

Child process initialized
[...]

If the --mac option is not used, the kernel assigns a random MAC address to the interface. Use this option when you intend to start a DHCP client inside the sandbox, so that the sandbox presents a stable address to the DHCP server.

--scan

When an Ethernet interface is used, the kernel attaches a macvlan device driver to the Ethernet device, and the macvlan interface and the host's own stack on that device cannot communicate with each other. As a result, regular tools such as arp-scan or nmap run on the host fail to discover sandboxes running on the same machine. The --scan option solves this problem by doing an ARP scan of the network from inside the sandbox. Example:

$ firejail --net=eth0 --scan
Parent pid 3118, child pid 3119

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-3118        02:a5:54:d2:6c:03  192.168.1.153    255.255.255.0    UP    
   Network scan:
   e0:3f:49:7a:14:09	192.168.1.60
   7a:c6:9a:32:58:3f	192.168.1.154
   00:0f:db:c5:4f:f2	192.168.1.1
   a4:ba:db:a9:f4:1c	192.168.1.51
   2e:3f:43:d9:2d:5d	192.168.1.201
Default gateway 192.168.1.1

Child process initialized
[...]

Network traffic shaping

Network bandwidth is an expensive resource shared among all sandboxes running on a system. Traffic shaping lets the user improve overall network performance by controlling the amount of data that flows into and out of each sandbox.

Firejail implements a simple rate-limiting shaper based on the Linux tc command. The shaper works at sandbox level, and can be used to control sandboxes configured with new network namespaces.

This is a small example of limiting the bandwidth of a Mozilla Firefox browser running in a Firejail sandbox. We start the browser and attach a new network namespace to the sandbox:

$ firejail --net=eth0 --name=browser firefox &

The name of the sandbox is browser. The following command configures an 80 KB/s receive maximum rate and a 20 KB/s transmit maximum rate on interface eth0:

$ firejail --bandwidth=browser set eth0 80 20

To adjust the bandwidth, you can issue this command as many times as necessary. To remove the bandwidth limits the command is:

$ firejail --bandwidth=browser clear eth0

Security profiles features

  • New default applications supported in this release: GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF.
  • Blacklisting Opera and Chrome/Chromium directories in all profile files.
  • Enable a no-root user namespace in all profile files if permitted by the kernel running the system (kernel version 3.10 or newer).
  • Added an /etc/firejail/disable-common.inc file to hold common directory blacklists. The file is included in all profiles. If you need to disable a specific directory in your $HOME, add a line such as “blacklist ${HOME}/dirname” to this file.

Debian

Thanks to Reiner Herrmann, Firejail was included in Debian. If you are running Stretch or Sid, install Firejail as “sudo apt-get install firejail”.

Platform support

Firejail is supported on platforms such as Intel, MIPS, and PowerPC. The new release also solves a number of problems for ARM. If you have access to a Raspberry Pi board, please give it a try and let us know, thanks!

About

For more information please visit the project page.


6 thoughts on “Firejail 0.9.28 Release Announcement”

  1. ca

    Do you have any idea why an external link won’t open from Thunderbird to Firefox or Hexchat to Firefox when they’re all confined?

    I get a:

    Error: the sandbox is not setuid root

    when debugging.

    No profiles have been modified.

    Running Firejail 0.9.28.

    1. netblue30 Post author

      This is because the first sandbox (running Thunderbird) disables SUID executables, and the second sandbox (running Firefox) is prevented from running. I’m fighting this problem also, no idea how it can be fixed. I’ll log a bug in my bug tracker to track it.

  2. Bob Good

    Hi NetBlue,
    I was wondering when you, and the team, might add the feature I requested previously, referring to the --private.keep switch, where downloaded files, within a browser, are copied to their respective user space folder upon completion? At present I’m using a bash script to accomplish this. It works fine but requires a while : ; do loop to function as I wanted (plus, I have to use bash in my desktop launcher to execute it).

    Also, when using the --cpu switch, a dual-core is --cpu=0,1 while a quad-core is --cpu=0,1,2,3. Right?

    Thank you.

    Best regards,
    Bob

    1. netblue30 Post author

      Unfortunately, detecting when the sandbox is closed is not possible.

      The kernel can kill the sandbox or the processes running in the sandbox. It usually happens without any notification. Or the admin can just do a “kill -9 …” and shut it down. Once the sandbox is killed, your downloaded files are lost.

      A possible workaround would be to configure firefox to store downloads outside your home directory. For example you can create a global directory “mkdir /mydownloads”, give your user access to this directory “chown user:user /mydownloads”, and then configure firefox to use /mydownloads.

      And yes, a quad-core would be --cpu=0,1,2,3.

  3. Bob Good

    Hey NetBlue,
    I set up my download folder as you suggested, and, with the aid of inotifywait, it works just as I want. This is on Firefox. Again, thanks.

    I’ll keep track of firejail’s progress with the hopes that you might add my prior request at some point.

    BTW, when the noroot switch is used in combination with the private.keep the firefox profile is created in tmpfs which resides in memory. Right? I went to /proc/firefox-pid but the root folder is not there. Neither is the user home folder (obviously). So, there is no actual folder for root that one can access?

    Best regards,
    Bob Good

    1. netblue30 Post author

      Thanks, I didn’t know this about noroot.

      /proc/firefox-pid/root seems to be there, but only root user has access to it. The user home folder is still there, root can access it.
