Firejail 0.9.30 Release Announcement

We are happy to announce the release of Firejail version 0.9.30 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphical interface programs as well as server programs. This release contains a large number of bug fixes, several changes to the existing sandbox interface, and the following new features:

Home directory whitelisting

The --whitelist option mounts an empty, temporary filesystem over the user's home directory and bind-mounts the specified files or directories into it. .bashrc and .Xauthority are included by default. This allows the user to sandbox a program in a home directory that holds only the minimal set of files required by the application. Mozilla Firefox example:

$ firejail --whitelist=~/.mozilla --whitelist=~/Downloads firefox

Modifications to .mozilla and Downloads directories are persistent. Files created outside these directories will be discarded when the sandbox is closed.

Private /etc directory

The --private-etc option allows the user to build a new /etc directory in a temporary filesystem and copy over the files and directories in the list. All modifications are discarded when the sandbox is closed. Example:

$ firejail --private-etc=group,hostname,localtime,nsswitch.conf,passwd,resolv.conf firefox

Environment variables

The --env option sets an environment variable in the sandbox. Example:

$ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
$ firejail --env=CFLAGS="-W -Wall -Werror" make

Security profiles

  • Firefox PDF.js exploit (CVE-2015-4495) fixes.
  • Added /etc/firejail/disable-history; the file is included in all profiles.
  • Support for the net none command in profile files.
  • Added the noblacklist command to filter blacklists in included profile files.
  • Miscellaneous fixes

Interface changes

Unfortunately, from time to time we need to change the sandbox interface in order to allow for new developments. Hopefully, the impact on existing users is minimal. These are the modifications:

  • The --private.keep option is renamed to --private-home.
  • Running a Firejail sandbox inside a Firejail sandbox has been disabled. Instead, the program for the second sandbox is run directly in a /bin/sh shell inside the first sandbox. This solves a number of problems Mozilla Thunderbird users are having when they click on a link and expect Firefox to open. In this case, Firefox will open in the sandbox where Thunderbird is already running.
  • By default, /etc/firejail/generic.profile is applied every time a sandbox is started by a regular user, if no other profile was set, or if a profile matching the name of the application is not found in the regular places (~/.config/firejail and /etc/firejail directories). This functionality can be disabled with the --noprofile option. Example:
    $ firejail 
    Reading profile /etc/firejail/generic.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-history.inc
    
    ** Note: you can use --noprofile to disable generic.profile **
    
    Parent pid 6738, child pid 6739
    Child process initialized
    [...]
    
    $ firejail --noprofile
    Parent pid 6784, child pid 6785
    Child process initialized
    [...]
    

    The default profile is very restrictive: it disables all capabilities and enables seccomp and the noroot user namespace.

  • Programs started as root use /etc/firejail/server.profile by default. The functionality is similar to /etc/firejail/generic.profile described above, and it can be disabled using the --noprofile option.
  • The --overlay option stores the filesystem differences in the ~/.firejail/ directory. A new option, --overlay-tmpfs, was introduced. This option stores the filesystem differences in a temporary filesystem, and the differences are discarded when the sandbox is closed.
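
The profile selection described in the list above can be modelled in a few lines of shell, which is useful for checking which programs will now fall back to the restrictive default profiles. This is an added example, not Firejail's own code; resolve_profile, uses_default, FJ_USER_DIR and FJ_SYS_DIR are hypothetical names, and the <program>.profile naming, the user-before-system search order and the treatment of --noprofile as suppressing every profile are assumptions.

```shell
# Added example, not Firejail source: a model of the profile selection rules.
# Assumptions: profiles are named <program>.profile, the per-user directory is
# searched before /etc/firejail, and --noprofile suppresses every profile.

# Usage: resolve_profile PROGRAM UID [EXPLICIT_PROFILE] [NOPROFILE]
# FJ_USER_DIR / FJ_SYS_DIR override the search directories (for testing).
resolve_profile() {
    prog=$(basename -- "$1")
    uid=$2
    explicit=${3:-}
    noprofile=${4:-0}
    user_dir=${FJ_USER_DIR:-$HOME/.config/firejail}
    sys_dir=${FJ_SYS_DIR:-/etc/firejail}
    if [ "$noprofile" = 1 ]; then
        echo "none"
    elif [ -n "$explicit" ]; then
        echo "$explicit"                    # a profile was set explicitly
    elif [ -f "$user_dir/$prog.profile" ]; then
        echo "$user_dir/$prog.profile"      # per-user match on program name
    elif [ -f "$sys_dir/$prog.profile" ]; then
        echo "$sys_dir/$prog.profile"       # system-wide match
    elif [ "$uid" -eq 0 ]; then
        echo "$sys_dir/server.profile"      # default for programs run as root
    else
        echo "$sys_dir/generic.profile"     # default for regular users
    fi
}

# Usage: uses_default PROGRAM UID -> status 0 if a default profile applies.
uses_default() {
    case $(resolve_profile "$1" "$2") in
        */generic.profile|*/server.profile) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed directory tree; no Firejail installation is needed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/user"
    : > "$tmp/etc/firefox.profile"
    for p in firefox /usr/bin/vlc; do
        r=$(FJ_USER_DIR=$tmp/user FJ_SYS_DIR=$tmp/etc resolve_profile "$p" 1000)
        printf '%s -> %s\n' "$p" "$r"
    done
    rm -rf "$tmp"
}
demo
```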

Administrativia

Project development has moved to GitHub. The SourceForge mirror system will continue to be the main point of distribution for the release archives; everything else there is being phased out.

About

For more information please visit the project page.
