Firejail 0.9.34 Release Announcement

We are happy to announce the release of Firejail version 0.9.34 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release brings in default home directory whitelisting for Firefox and Chromium, a new seccomp-based security filter (–protocol), dual 32 bit/64 bit seccomp support, support for Skype, Steam and Wine, and a number of smaller features and bugfixes:

PulseAudio 7.0 issue

The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Arch Linux users are reporting sound problems when running applications in Firejail sandbox. PulseAudio developers are aware of the problem, a fix will be provided in a future PulseAudio release. The following configuration fix will mask the problem for now:

$ mkdir -p ~/.config/pulse
$ cd ~/.config/pulse
$ cp /etc/pulse/client.conf .
$ echo "enable-shm = no" >> client.conf

Home directory whitelisting in default Firefox profile

Starting Firefox using the default security profile

$ firejail firefox

whitelists files and directories under /home/user:

Firefox home directory.

Firefox home directory.

Home directory whitelisting in default Chromium profile

Starting Firefox using the default security profile

$ firejail chromium

whitelists files and directories under /home/user:

Chromium home directory.

Chromium home directory.

–ignore

Use this option to disable commands in security profiles. Example:

$ firejail –ignore=seccomp wine

–protocol

Enable protocol filter. It is based on seccomp and it filters the first argument to socket system call. Valid values: unix, inet, inet6, netlink and packet.

$ firejail –protocol=unix,inet,inet6

“unix” describes the regular Unix socket connections, while “inet” and “inet6” describe IPv4 and IPv6 traffic. Most GUI applications need “unix,inet,inet6”. “netlink” is the protocol used to talk to Linux kernel. You’ll only need this for applications used in system administration (iproute2 etc). “packet” is used by sniffers to talk directly with the Ethernet layer.

Protocol filter is enabled for most GUI applications (“protocol unix,inet,inet6”).

Dual 32 bit/64 bit seccomp filter

–seccomp option now installs a dual 32 bit/64 bit default filter. i386 applications running on regular amd64 computers (Skype, Steam etc.), are protected by i386 seccomp filter.

New default security profiles

Steam, Skype, Wine. The dual seccomp filter is enabled by default for these applications.

About

For more information please visit the project page.

25 thoughts on “Firejail 0.9.34 Release Announcement

  1. sandboxer

    I possibly found a bug. When Steam is launched with either ‘firejail /usr/games/steam’ or ‘firejail –profile=/etc/firejail/steam.profile /usr/games/steam’ the whole /home/user/ is available with no restrictions. I tested again by comparing ‘firejail –profile=/etc/firejail/steam.profile bash’ and ‘firejail –profile=/etc/firejail/firefox.profile bash’ with ‘ls -a’. Again the whole home folder is accessible with default Steam profile. I tried it on another machine with same results, both have firejail_0.9.43_1_amd64.deb installed.

    Looking through Firejail profiles and inspecting manpage I found no reason why this is happening.

    This cannot be correct behavior right?

    Reply
    1. netblue30 Post author

      > the whole /home/user/ is available with no restrictions

      No, some directories and files under /home/user are blocked, mainly files with passwords or encryption keys ( ~/.ssh, ~/.gnupg).

      To go one step further and clean up everything in home directory, you need to do whitelisting. Currently this is implemented only for firefox and chromium.

      Whitelisting is not a big deal. You just have specify what directories you want to be visible under /home. For example, if there is a directory /home/user/steam, then you would start steam as follows:

      $ firejail –whitelist=~/steam /usr/games/steam

      I have more example in the man page. Look for directories specific to steam and give it a try.

      Reply
      1. sandboxer

        Thanks for your reply! I discovered the behavior of whitelist (and its impact on a profile without any whitelisted files/folders) just before your reply. And you are right that files specified in disable-*****.inc files are still protected. My bad, I should have read the manpage more carefully.

        Now I have one file whitelisted, and it works as it’s made to work.
        Keep up the good work 🙂

  2. sandboxer

    I just added a new line to steam.profile: whitelist ~/black.png. So it works only for me because I have that file.

    Steam creates a folder called Steam on user home at the first time it is run after installing it on the system. Could that folder be used, it contains only Steam logs and skins (also it’s not in steam.profile)? The problem is that the folder must exist before running Steam for first time while it should not be created unless it’s really needed.
    Without better knowledge I don’t know a better solution, I hope I gave you some idea.

    Whitelisting by default on Steam profile would be a great improvement for end-users like me.

    Reply
  3. Jean

    I can’t seem to get it working with symlinks.
    I have a file ~/.pentadactylrc which is a symlink to ~/.dotfiles/pentadactylrc.
    Even though I have whitelisted ~/.pentadactylrc, firefox still cannot see it hence not loading my settings.

    Any idea ?

    Reply
  4. jason

    I have searched & googled without success & was wondering if its possible to run firejail with portable apps.
    I use a browser called SlimJet which I think is a great browser when it comes to security.
    Can someone give an update on using firejail with portables?

    Reply
    1. netblue30 Post author

      Firejail runs only Linux binaries, so you would need to install the Linux version. It should run fine under Firejail with the default profile. You will basically get all the crazy security filters enabled (seccomp, caps, protocol, noroot).

      Same for portables, as long as you have a Linux version Firejail should run it. If it doesn’t, it is a bug – you let me know and I’ll fix it.

      Reply
  5. jason

    Yep Sorry I should have noted I was using linux, I run a lot software as portable apps, as a lot of the software for linux involves just being able to extract to a folder & then click & they run without installation.
    AnyWay wether I symlink slimjet to local/bin or run from the folder it was extracted to that the error is the same-

    firejail /usr/local/bin/flashpeak-slimjet
    Reading profile /home/me/.config/firejail/flashpeak-slimjet.profile
    Parent pid 3869, child pid 3870
    Warning: cannot disable /sys/hypervisor directory
    Child process initialized
    /bin/bash: /usr/local/bin/flashpeak-slimjet: Permission denied
    parent is shutting down, bye…

    And running firefox as a portable is very similar

    firejail /home/GENTOO-FILES/GENTOO-APPS/APPS-NETWORK/FireFox-38.0.1-ESR/firefox
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Parent pid 28838, child pid 28839
    Warning: cannot disable /sys/hypervisor directory
    Child process initialized
    /bin/bash: /home/GENTOO-FILES/GENTOO-APPS/APPS-NETWORK/FireFox-38.0.1-ESR/firefox: No such file or directory

    parent is shutting down, bye…

    Thanks

    Reply
    1. netblue30 Post author

      Firejail cleans all the directories under /home with the exception of the current user directory. This is done on purpose in order not to leak user information – /etc/passwd and /etc/group inside the sandbox are also modified removing other users. Move GENTOO-FILES directory outside /home and all should be fine.

      Reply
  6. tuxnotes

    Hello!
    Comand “firejail firefox” are whitelist some directory, but on Desktop and Download, files are not saved. So it should be? (Sorry for my English). Linux Mint Cinnamon 17.3, browser Firefox

    Reply
    1. netblue30 Post author

      Your English is fine!

      “Desktop” directory is not whitelisted. It is created by Firefox and discarded when you close the browser. Your your real “Desktop” directory is hidden from the browser.

      Downloads directory is whitelisted. Make sure you already have a “Downloads” directory in your home, otherwise Firefox will create one and it will get discarded when you close the browser. You would need to check in Firefox under Preference where is Firefox configured to put the downloads.

      Reply
      1. tuxnotes

        Many thanks for the answer! In Russian localization folder Donwloads refers to Загрузки and Firejail in it does not keep (for us it Downloads). Has created folder Downloads (home/myname/Downloads) and it has kept. You could add in whitelist also a folder of Загрузки (Downloads on Russian language). Where it is possible to look all folders in whitelist?
        I beginning user GNU/Linux, am pleasant to me studies. Your program has very much liked, is assured that at it the big future. Would like to write even small, but interesting, article about the program. Therefore I ask questions, hardly there will be another questions later:)

  7. tuxnotes

    Thanks, has turned out. In the whitelist is ./mozilla, but two files that store passwords (Key3.DB, logins. json), yes they are encrypted, but an attacker could decipher them. It is possible to limit access of a browser to these files?

    Reply
    1. netblue30 Post author

      That’s easy, you need to add a blacklist command for each of the two files in /etc/firejail/firefox.profile. Example:

      blacklist ~/.mozilla/firefox/8t1m3f8a.default/logins.json

      Reply
      1. tuxnotes

        Thank you very much for the quality of support. At one Russian-speaking site read that firejail blocking access only ~/.ssh, ~/.gnupg. Is it true? Where can I view or you can tell which browser access blocked directories, and which in the whitellist?

  8. tuxnotes

    But where can I view or you can tell which browser access blocked directories, and which in the whitellist? It is very important to know. To me will ask a question, to what directories on blacklist, and what is whitelist directories.

    Reply
    1. netblue30 Post author

      In the next release I will log a message to syslog every time a blacklisted directory is accessed.

      Also, you can try –trace option. Start firefox like this:

      $ firejail –trace firefox

      It will print on the screen all files the browser is accessing.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s