We are happy to announce the release of Firejail version 0.9.32 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. We start with some issues we hope to address in this release, and we follow with the list of new features:
Privilege escalation bug
Release 0.9.30 introduced a privilege escalation bug, where a regular user logged into the system could exploit it and become root. The bug is also present in 0.9.32-rc1, and it was brought to our attention by a Firejail user – big thanks! Please update to version 0.9.32.
PulseAudio 7.0 issue
The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Arch Linux users are reporting sound problems when running applications in Firejail sandbox. PulseAudio developers are aware of the problem, a fix will be provided in a future PulseAudio release. To mask the problem for now, we disable PulseAudio shared memory functionality inside the sandbox. This should get us going until the real PulseAudio fix is ready.
If you are unable to update Firejail, or if you want to continue using the latest stable release, these are two workarounds:
- Disable shm functionality in PulseAudio
$ mkdir -p ~/.config/pulse $ cd ~/.config/pulse $ cp /etc/pulse/client.conf . $ echo "enable-shm = no" >> client.conf
- Disable srbchannel IPC mechanism in PulseAudio version 7.0. Edit /etc/pulse/default.pa – change the line “load-module module-native-protocol-unix” to “load-module module-native-protocol-unix srbchannel=no” and restart PulseAudio daemon.
–interface command line option allows the user to move a network interface in a new network namespace inside the sandbox. Example:
firejail --interface=eth1 --interface=eth0.vlan100
Up to four –interface options can be specified.
Assign an MTU value to the last network interface defined by –net option. Example:
$ firejail --net=eth0 --mtu=1492
Build a new /bin directory in a temporary filesystem, and copy the programs in the list. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. Example:
$ firejail --private-bin=bash,sed,ls,cat Parent pid 20841, child pid 20842 Child process initialized $ ls /bin bash cat ls sed
Disable the sound system inside the sandbox. Both ALSA and PulseAudio are disabled. Use this option to prevent remote sites hijacking your microphone.
$ firejail --nosound firefox
This seccomp-bpf filter entry instructs the kernel to return a specific error number for a system call. This is an example of a little funny sandbox where deleting files is disabled:
$ firejail --seccomp.eperm=unlinkat Parent pid 10662, child pid 10663 Child process initialized $ touch testfile $ rm testfile rm: cannot remove `testfile': Operation not permitted
You can get a list of all error numbers implemented by your system by running “firejail –debug-errnos“.
Decoupled –name and –hostname
Previously, –name option use set sandbox hostname and assign it a name so it can be referenced easily in commands such as –join or –shutdown. A new option was added, –hostname that configures the host name, while hostname functionality was removed from –name option.
This option turns off the regular Firejail output. Errors and warnings are still sent to stderr.
New default security profiles
New profiles have been added for FBReader and Spotify Linux client.
For more information please visit the project page.
Email contact info?
netblue30 at yahoo dot com
First, thanks for this great piece of software!
I’d like to start openvpn in its own network namespace.
I’ve created a bridge with: “brctl addbr br0” but when I type “firejail –interface=br0” I get this:
RTNETLINK answers: Invalid argument
Error: cannot establish communication with the parent, exiting…
How do you use –interface, can you help me, please?
Try “firejail –net=br0”. This attaches the sandbox to the bridge interface.
–interface moves an interface in the sandbox. It accepts in this moment ethernet, vlan and tun/tap devices. I’ll have to make the error code more friendly, so to let the user know why is failing when trying to move bridge interfaces in the sandbox.
openvpn is still on my todo list. –interface was a step in that direction, but I’m afraid there is more to come. I’ll try to bring it in the next release.