Firejail 0.9.32 Release Announcement

We are happy to announce the release of Firejail version 0.9.32 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. We start with some issues we hope to address in this release, and we follow with the list of new features:

Privilege escalation bug

Release 0.9.30 introduced a privilege escalation bug, where a regular user logged into the system could exploit it and become root. The bug is also present in 0.9.32-rc1, and it was brought to our attention by a Firejail user – big thanks! Please update to version 0.9.32.

PulseAudio 7.0 issue

The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Arch Linux users are reporting sound problems when running applications in Firejail sandbox. PulseAudio developers are aware of the problem, a fix will be provided in a future PulseAudio release. To mask the problem for now, we disable PulseAudio shared memory functionality inside the sandbox. This should get us going until the real PulseAudio fix is ready.

If you are unable to update Firejail, or if you want to continue using the latest stable release, these are two workarounds:

  • Disable shm functionality in PulseAudio
    $ mkdir -p ~/.config/pulse
    $ cd ~/.config/pulse
    $ cp /etc/pulse/client.conf .
    $ echo "enable-shm = no" >> client.conf
    
  • Disable srbchannel IPC mechanism in PulseAudio version 7.0. Edit /etc/pulse/default.pa – change the line “load-module module-native-protocol-unix” to “load-module module-native-protocol-unix srbchannel=no” and restart PulseAudio daemon.

–interface

–interface command line option allows the user to move a network interface in a new network namespace inside the sandbox. Example:

firejail --interface=eth1 --interface=eth0.vlan100

Up to four –interface options can be specified.

–mtu

Assign an MTU value to the last network interface defined by –net option. Example:

$ firejail --net=eth0 --mtu=1492

–private-bin

Build a new /bin directory in a temporary filesystem, and copy the programs in the list. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin. Example:

$ firejail --private-bin=bash,sed,ls,cat
Parent pid 20841, child pid 20842
Child process initialized
$ ls /bin
bash  cat  ls  sed

–nosound

Disable the sound system inside the sandbox. Both ALSA and PulseAudio are disabled. Use this option to prevent remote sites hijacking your microphone.

$ firejail --nosound firefox

–seccomp.<errnos>

This seccomp-bpf filter entry instructs the kernel to return a specific error number for a system call. This is an example of a little funny sandbox where deleting files is disabled:

$ firejail --seccomp.eperm=unlinkat
Parent pid 10662, child pid 10663
Child process initialized
$ touch testfile
$ rm testfile
rm: cannot remove `testfile': Operation not permitted

You can get a list of all error numbers implemented by your system by running “firejail –debug-errnos“.

Decoupled –name and –hostname

Previously, –name option use set sandbox hostname and assign it a name so it can be referenced easily in commands such as –join or –shutdown. A new option was added, –hostname that configures the host name, while hostname functionality was removed from –name option.

–quiet

This option turns off the regular Firejail output. Errors and warnings are still sent to stderr.

New default security profiles

New profiles have been added for FBReader and Spotify Linux client.

About

For more information please visit the project page.

Advertisements

4 thoughts on “Firejail 0.9.32 Release Announcement

  1. Eddy

    Hi!
    First, thanks for this great piece of software!
    I’d like to start openvpn in its own network namespace.
    I’ve created a bridge with: “brctl addbr br0” but when I type “firejail –interface=br0” I get this:
    RTNETLINK answers: Invalid argument
    Error: cannot establish communication with the parent, exiting…
    How do you use –interface, can you help me, please?

    Reply
    1. netblue30 Post author

      Try “firejail –net=br0”. This attaches the sandbox to the bridge interface.

      –interface moves an interface in the sandbox. It accepts in this moment ethernet, vlan and tun/tap devices. I’ll have to make the error code more friendly, so to let the user know why is failing when trying to move bridge interfaces in the sandbox.

      openvpn is still on my todo list. –interface was a step in that direction, but I’m afraid there is more to come. I’ll try to bring it in the next release.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s