We are happy to announce the release of Firejail version 0.9.38 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The project went through an external security audit, and several SUID-related problems have been found. Please update your software. The release brings in a number of new features, program interface changes, new application profiles and bugfixes:
Program interface changes
- --private-home was deprecated. If you were using it, please consider switching to --private=directory or --whitelist.
- --chroot running as a regular user will fail if seccomp is not available in the current Linux kernel. Seccomp-bpf was introduced in Linux kernel version 3.5.
- --tmpfs is allowed only when running as root. A new option, --private-tmp, was introduced for regular users; it mounts an empty tmpfs filesystem on top of the /tmp directory.
- When more than one --protocol command is present, the first one takes precedence.
Symlink invocation
This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under the name of the program you want to run, and put the link in a directory that comes first in $PATH (for example /usr/local/bin). Example:
$ which -a transmission-gtk
/usr/bin/transmission-gtk
$ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk
$ which -a transmission-gtk
/usr/local/bin/transmission-gtk
/usr/bin/transmission-gtk
We now have two entries in $PATH for transmission. The first one is a symlink to firejail; the second one is the real program. Starting transmission now invokes "firejail transmission-gtk":
$ transmission-gtk
Redirecting symlink to /usr/bin/transmission-gtk
Reading profile /etc/firejail/transmission-gtk.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Parent pid 19343, child pid 19344
Blacklist violations are logged to syslog
Child process initialized
This seems to be the easiest way to integrate Firejail into a desktop environment. In most cases clicking on a menu entry or an icon will sandbox the program. Use "firejail --tree" to check that the program was sandboxed:
$ firejail --tree
5781:netblue:/usr/bin/firejail /usr/bin/transmission-gtk
5782:netblue:/usr/bin/firejail /usr/bin/transmission-gtk
5783:netblue:/usr/bin/transmission-gtk
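The symlink trick only works while the link really is the first $PATH hit, and firejail only applies a program-specific profile when a profile of the right name exists. The following script is an added example, not code from the Firejail project or this post: it creates the wrapper link and verifies both conditions. The paths in FIREJAIL_BIN, LINK_DIR and PROFILE_DIR are assumptions (override them through the environment), and readlink -f assumes GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example, not part of the Firejail release notes or project:
# install a "symlink invocation" wrapper for a program and verify that
# the wrapper, not the real binary, is what $PATH resolves to.
# The defaults below are assumptions; override them via the environment.
FIREJAIL_BIN="${FIREJAIL_BIN:-/usr/bin/firejail}"
LINK_DIR="${LINK_DIR:-/usr/local/bin}"
PROFILE_DIR="${PROFILE_DIR:-/etc/firejail}"

# Is this path a symlink that points at the firejail binary?
is_firejail_link() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$FIREJAIL_BIN" ]
}

# Print the first executable named $1 on $PATH that is NOT a firejail
# wrapper, i.e. the program firejail will "redirect" to. Fails if none.
real_program() {
    prog="$1"
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        candidate="$dir/$prog"
        if [ -x "$candidate" ] && ! is_firejail_link "$candidate"; then
            IFS=$old_ifs
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Succeeds only if the FIRST $PATH hit for $1 is a firejail wrapper,
# which is what menu entries and shells need for the program to be sandboxed.
is_wrapped() {
    first=$(command -v "$1" 2>/dev/null) || return 1
    is_firejail_link "$first"
}

# Create $LINK_DIR/$1 -> $FIREJAIL_BIN. Refuses to shadow a program that
# does not exist, warns when no matching profile exists (firejail then
# uses its generic profile), and checks that the link actually wins in $PATH.
install_wrapper() {
    prog="$1"
    real=$(real_program "$prog") || {
        echo "no real $prog found on PATH, refusing to create wrapper" >&2
        return 1
    }
    # The profile may be looked up under the name the real program resolves
    # to (e.g. libreoffice -> soffice), so check both names.
    target=$(basename "$(readlink -f "$real")")
    if [ ! -f "$PROFILE_DIR/$prog.profile" ] && [ ! -f "$PROFILE_DIR/$target.profile" ]; then
        echo "warning: no $prog.profile or $target.profile in $PROFILE_DIR; generic profile will be used" >&2
    fi
    ln -s "$FIREJAIL_BIN" "$LINK_DIR/$prog" || return 1
    is_wrapped "$prog" || {
        echo "$LINK_DIR does not come before $real in PATH; wrapper is not in effect" >&2
        return 1
    }
}
```

Run install_wrapper as root when LINK_DIR is /usr/local/bin. is_wrapped is the check worth repeating later (for instance from a login script), because a package update or a PATH change in a desktop session file can silently put the real binary ahead of the wrapper again.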
IPv6 support
--ip6=address
Assign IPv6 addresses to the last network interface defined by a --net option. Example:
$ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox

--netfilter6=filename
Enable the IPv6 network filter specified by filename in the new network namespace. The filter file format is the format of the ip6tables-save and ip6tables-restore commands. New network namespaces are created using the --net option. If a new network namespace is not created, the --netfilter6 option does nothing.
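A filter file in ip6tables-save format is easy to get wrong for IPv6: dropping ICMPv6 breaks Neighbor Discovery and router advertisements, so the sandbox loses its default route. The script below is an added example, not part of Firejail or of this post; it writes a default-deny inbound policy that keeps ICMPv6 and established connections open. The file name and port list are assumptions, and the -m conntrack match requires IPv6 connection tracking in the kernel.

```shell
#!/bin/sh
# Added example, not from the Firejail release notes: write an IPv6 filter
# in ip6tables-save format for use with --netfilter6. The policy drops all
# unsolicited inbound traffic, keeps replies to outbound connections, and
# keeps ICMPv6 open, because Neighbor Discovery and SLAAC run over ICMPv6.
# File name and port list passed by the caller are assumptions.

# write_netfilter6 FILE [TCPPORT...]
# Writes the filter to FILE; each TCPPORT is an inbound TCP port to allow.
write_netfilter6() {
    out="$1"; shift
    {
        printf '%s\n' '*filter' \
            ':INPUT DROP [0:0]' \
            ':FORWARD DROP [0:0]' \
            ':OUTPUT ACCEPT [0:0]' \
            '-A INPUT -i lo -j ACCEPT' \
            '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
            '-A INPUT -p ipv6-icmp -j ACCEPT'
        for port in "$@"; do
            printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
        done
        printf 'COMMIT\n'
    } > "$out"
}

# count_rules FILE: number of -A rule lines, for a quick sanity check.
count_rules() { grep -c '^-A ' "$1"; }

# Typical use (needs firejail and a kernel with ip6tables support):
#   write_netfilter6 /tmp/fj6.filter 8080
#   firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 \
#       --netfilter6=/tmp/fj6.filter ./server
```

Remember that --netfilter6 does nothing without --net; without a new network namespace there is nothing for the filter to attach to. If the kernel lacks the conntrack module, ip6tables-restore rejects the file and the sandbox will not start with that filter.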
Join command enhancements
--join-filesystem
Join the mount namespace of the sandbox. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. This command is available only to the root user. Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.

--join-network
Join the network namespace of the sandbox. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. This command is available only to the root user. Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
--private-tmp
--private-tmp
Mount an empty temporary filesystem on top of the /tmp directory. Example:
$ firejail --private-tmp
--user
--user=new-user
Switch the user before starting the sandbox. This command should be run as root. Example:
# firejail --user=www-data
CentOS 6.x support
CentOS 6 support was included in this release. You need a Linux kernel version 3.2 or newer installed on the system.
Compile time options
Most Linux kernel security features require root privileges to configure; the same is true for kernel networking features. Firejail, a SUID binary, opens access to these features to regular users. The privilege escalation is restricted to the sandbox being configured and is not extended to the rest of the system. This arrangement works fine for user desktops or for servers where access is already limited.
If you are not happy with a particular kernel feature, all support for it can be removed from the SUID binary at compile time. Removing features you do not use also shrinks the code that runs with root privileges. The following compile-time options are implemented:
$ ./configure --help
[...]
--disable-seccomp       disable seccomp
--disable-chroot        disable chroot
--disable-bind          disable bind
--disable-network       disable network
--disable-userns        disable user namespace
[...]
New security profiles
KMail, Seamonkey, Telegram, Mathematica, uGet, and mupen64plus.
About
For more information please visit the project page.
Hi!
Is it possible to know who did the audit and get the detailed results (pdf?)
Thanks.
At the moment the project is not set up for this type of disclosure, I am still working on it.
Hi,
Thanks again for the program, and I’m excited it’s become popular enough for an audit!
However, I think 1ab4535fab9de3273a73e3d1002a8e4a4f546666 (changing the terminal title to “Firejail”) should be reverted. While I’m not against the suggestion of appending “[firejailed]” after the terminal title, the current solution also removes the information about the terminal program, which is much more valuable!
For example, if someone uses the following programs in three separate terminals:
firejail less aaa.txt
firejail less bbb.txt
firejail mpv song.mp3
I think it is undeniably easier to navigate the default titles: “less aaa.txt”, “less bbb.txt”, “mpv song.mp3”, than “Firejail”, “Firejail”, “Firejail”. As a user of many terminal programs, I can confirm that it is currently very difficult to select the correct window, whether from alt-tab or a list. Scripting based on window title (aside from “firejailed or not”) is also not possible right now.
Thank you.
I’ll fix it in the next version
https://github.com/netblue30/firejail/issues/281
Hi,
since the --private-home feature was deprecated, how can I now get the effect of this feature (mount an empty tmpfs on top of the /home/user directory, copy all the files and directories in the list into the new filesystem, and discard all modifications when the sandbox is closed)?
As far as I understand, all modifications with --private=directory or --whitelist are persistent.
Using a script, you create a temporary directory and bring in all the files you need. Example for firefox:
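The --private-home deprecation in the interface changes above and the question here both come down to the same recipe: a throwaway directory handed to --private. The script below is an added example, not the script the reply refers to and not part of Firejail. It copies a list of home entries into a fresh directory, runs the program with that directory as its home, and deletes the directory afterwards so nothing persists. The entry list, the firejail path and the sample program name are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the comment above and not part of
# Firejail: emulate the deprecated --private-home with --private=dir.
# A fresh directory is created, the listed entries are copied into it from
# the real home, the program runs with that directory as its home, and the
# directory is deleted when the program exits, so nothing persists.
# HOME_ENTRIES and the firejail path are assumptions; adjust them.
FIREJAIL_BIN="${FIREJAIL_BIN:-firejail}"
HOME_ENTRIES="${HOME_ENTRIES:-.mozilla .config/fontconfig}"

# make_ephemeral_home SRC ENTRY... : copy each ENTRY (relative to SRC)
# into a new temporary directory and print that directory's path.
# Entries that do not exist are skipped; everything else under SRC stays
# invisible to the sandbox.
make_ephemeral_home() {
    src="$1"; shift
    dir=$(mktemp -d "${TMPDIR:-/tmp}/fjhome.XXXXXX") || return 1
    for entry in "$@"; do
        [ -e "$src/$entry" ] || continue
        mkdir -p "$dir/$(dirname "$entry")"
        cp -a "$src/$entry" "$dir/$entry"   # -a keeps modes such as 0600
    done
    printf '%s\n' "$dir"
}

# run_with_ephemeral_home PROGRAM [ARGS...] : run PROGRAM under firejail
# with a throwaway home, wipe that home afterwards, return PROGRAM's status.
run_with_ephemeral_home() {
    # HOME_ENTRIES is deliberately unquoted so it splits into separate entries.
    home=$(make_ephemeral_home "$HOME" $HOME_ENTRIES) || return 1
    if "$FIREJAIL_BIN" --private="$home" "$@"; then status=0; else status=$?; fi
    rm -rf "$home"
    return "$status"
}

# Example: run_with_ephemeral_home firefox --no-remote
```

Because the copy is made from the real home, anything you list is exposed to the sandboxed program for the length of the session; keep the list to what the program actually needs (a browser profile, font configuration) and leave keys and password databases out of it.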
Hi,
The latest version (0.9.38) caused a problem on keepassx (could not open a database) using --private=directory. Version 0.9.36 is ok.
Thanks.
Do you have a .keepassx directory in the directory you are using for --private? What application are you running?
Hi,
The Keepassx database is in the specified private directory. Keepassx is a password manager. It doesn't have a .keepassx directory but it uses .config where it keeps its configuration. I am running keepassx inside firejail.
I think there is a bug on the latest version (0.9.38) since version 0.9.36 is ok.
Thanks.
Most programs have the configuration under ~/.config. There must be a keepassx directory there, you need to whitelist it.
The keepassx directory configuration is already inside the specified private directory.
~/sandbox/.config/keepassx
The database file is in the specified private directory.
~/sandbox/keepassx.kdbx
The keepassx directory configuration was created when it was first invoked using the following command:
/usr/bin/firejail --private=~/sandbox keepassx %f
The keepassx file menu can see the database, but it cannot open it. I tried to run it in a terminal using the above command to see if there is any cli error message but there is no error or clue what is wrong.
Thanks.
Found it! By default all password databases are disabled. Run it like this:
Previously I read this specification relating to all password databases being disabled in Firejail somewhere in your blog but I could not locate it now.
Version 0.9.38 works now with the --noblacklist option. Many thanks for the great software.
You’re welcome!
I’m testing firejail and so far, it’s a perfect example of the UNIX philosophy in application writing. I wonder if firejail can work to restrict access to mounted encrypted volumes. As it stands now, if I blacklist (using firefox.profile) a mounted encrypted EncFS directory, firefox can still access the contents. Regular folders work fine to be blocked in this way, but the mount point of that encrypted folder won’t restrict the firejailed application from having access. Is there a way around this limitation?
Thanks for the bug, I’ll try to bring in a fix.
https://github.com/netblue30/firejail/issues/321
I have been playing with symlink invocation and it works great, but when I pointed a libreoffice symlink to firejail the behavior was a little unexpected at first, because my /etc/firejail/libreoffice.profile was ignored and the program was launched with the generic profile instead. This could be easily fixed, however, by renaming libreoffice.profile to soffice.profile.
Also I have two humble suggestions for the stock profiles: I guess it would make sense to blacklist ~/.cache/mozilla, ~/.cache/google-chrome etc. by default. These places tend to contain lots of private/sensitive information. Second, I would like to suggest to include whitelist ~/.config/Trolltech.conf in whitelist-common.inc. The appearance of Qt applications may depend on access to Trolltech.conf.
Where did you get /etc/firejail/libreoffice.profile? Is this something you added? I also think it should be soffice.profile.
You are right, the directories you mention in ~/.cache should be blacklisted.
I’ll add ~/.config/Trolltech.conf in whitelist-common.inc, thanks!
Yes, I created that profile myself.
BTW, thank you for your great work on firejail!
How to do the same for the --private=directory command? Like I would like the browser to always open in the temporary filesystem.
You can put “private directory-name” in a profile file. Copy /etc/firejail/firefox.profile in /home/username/.config/firejail directory, and add “private directory-name” in that file.