Firejail 0.9.38 Release Announcement

We are happy to announce the release of Firejail version 0.9.38 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The project went through an external security audit, and several SUID-releated problems have been found. Please update your software. The release brings in a number of new features, program interface changes, new application profiles and bugfixes:

Program interface changes

  • –private-home feature was deprecated. If you were using it, please consider switching to –private=directory or –whitelist.
  • –chroot running as user will fail if seccomp is not available in the current Linux kernel. Seccomp-bpf was introduced in version 3.5 of Linux kernel.
  • –tmpfs option is allowed only if running as root. A new feature, –private-tmp was introduced for regular users. The feature mounts an empty tmpfs filesystem on top of /tmp directory.
  • When more then one –protocol commands are present, the first one takes precedence.

Symlink invocation

This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under the name of the program you want to run, and put the link in the first $PATH position (for
example in /usr/local/bin). Example:

$ which -a transmission-gtk 
/usr/bin/transmission-gtk

$ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk

$ which -a transmission-gtk 
/usr/local/bin/transmission-gtk
/usr/bin/transmission-gtk

We have in this moment two entries in $PATH for transmission. The first one is a symlink to firejail. The second one is the real program. Starting transmission in this moment, invokes “firejail transmission-gtk”

$ transmission-gtk
Redirecting symlink to /usr/bin/transmission-gtk
Reading profile /etc/firejail/transmission-gtk.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Parent pid 19343, child pid 19344
Blacklist violations are logged to syslog
Child process initialized

This seems to be the easiest way to integrate Firejail in a desktop environment. In most cases clicking on a menu entry or an icon will sandbox the program. Use “firejail –tree” to check the program was sandboxed:

$ firejail --tree
5781:netblue:/usr/bin/firejail /usr/bin/transmission-gtk 
  5782:netblue:/usr/bin/firejail /usr/bin/transmission-gtk 
    5783:netblue:/usr/bin/transmission-gtk 

IPv6 support

      --ip6=address
              Assign IPv6 addresses to the last network interface defined by a
              --net option.

              Example:
              $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox

       --netfilter6=filename
              Enable the IPv6 network filter specified by filename in the  new
              network  namespace.  The  filter  file  format  is the format of
              ip6tables-save  and  ip6table-restore  commands.   New   network
              namespaces  are  created  using  --net  option. If a new network
              namespaces is not created, --netfilter6 option does nothing.

Join command enhancements

       --join-filesystem
              Join the mount namespace of the sandbox. By
              default  a /bin/bash shell is started after joining the sandbox.
              If a program is specified, the program is run  in  the  sandbox.
              This  command is available only to root user.  Security filters,
              cgroups and cpus configurations are not applied to  the  process
              joining the sandbox.

      --join-network
              Join the network namespace of the sandbox. By
              default  a /bin/bash shell is started after joining the sandbox.
              If a program is specified, the program is run  in  the  sandbox.
              This  command is available only to root user.  Security filters,
              cgroups and cpus configurations are not applied to  the  process
              joining the sandbox.

–private-tmp

       --private-tmp
              Mount an empty temporary filesystem on top of /tmp directory.

              Example:
              $ firejail --private-tmp

–user

      --user=new-user
              Switch the user before starting the sandbox. This command should
              be run as root.

              Example:
              # firejail --user=www-data

CentOS 6.x support

CentOS 6 support was included in this release. You would need a Linux kernel version 3.2 or newer installed on the system.

Compile time options

Most Linux kernel security features require root privileges during configuration. The same is true for kernel networking features. Firejail (SUID binary) opens the access to these features to regular users. The privilege escalation is restricted to the sandbox being configured, and is not extended to the rest of the system. This arrangement works fine for user desktops or servers where the access is already limited.

If you not happy with a particular kernel feature, all the support can be eliminated from SUID binary at compile time. The following compile time options are implemented:

$ ./configure --help
[...]
  --disable-seccomp       disable seccomp
  --disable-chroot        disable chroot
  --disable-bind          disable bind
  --disable-network       disable network
  --disable-userns        disable user namespace
[...]

New security profiles

KMail, Seamonkey, Telegram, Mathematica, uGet, and mupen64plus.

About

For more information please visit the project page.

Advertisements

21 thoughts on “Firejail 0.9.38 Release Announcement

  1. Jim Aost

    Hi,

    Thanks again for the program, and I’m excited it’s become popular enough for an audit!

    However, I think 1ab4535fab9de3273a73e3d1002a8e4a4f546666 (changing the terminal title to “Firejail”) should be reverted. While I’m not against the suggestion of appending “[firejailed]” after the terminal title, the current solution also removes the information about the terminal program, which is much more valuable!

    For example, if someone uses the following programs in three separate terminals:

    firejail less aaa.txt

    firejail less bbb.txt

    firejail mpv song.mp3

    I think it is undeniably easier to navigate the default titles: “less aaa.txt”, “less bbb.txt”, “mpv song.mp3”, than “Firejail”, “Firejail”, “Firejail”. As a user of many terminal programs, I can confirm that it is currently very difficult to select the correct window, whether from alt-tab or a list. Scripting based on window title (aside from “firejailed or not”) is also not possible right now.

    Thank you.

    Reply
  2. Bert

    Hi,

    since –private-home feature was deprecated, how can i get now the effect of this feature (mount an empty tmpfs on top of /home/user directory, and copy all the files and directories in the list in the new filesystem and discard all modifications when the sandbox is closed)?
    As far as i understand all modifications with –private=directory or –whitelist are persistant.

    Reply
    1. netblue30 Post author

      Using a script, you create a temporary directory and bring in all the files you need. Example for firefox:

      #/bin/bash
      rm -fr ~/mynewhome
      mkdir ~/mynewhome
      cp -a ~/.mozilla ~/mynewhome/.
      firejail --private=~/mynewhome firefox
      
      Reply
  3. russ wall

    Hi,

    The latest version (0.9.38) caused problem on keepassx (could not open a database) using –private=directory. Version 0.9.36 is ok.

    Thanks.

    Reply
      1. russ wall

        Hi,

        The Keepassx database is in the specified private directory. Keepassx is a password manager. It doesn’t have .keepassx directory but it use .config where it keep its configuration. I am running keepassx inside the firejail.

        I think there is a bug on the latest version (0.9.38) since version 0.9.36 is ok.

        Thanks.

      2. russ wall

        The keepassx directory configuration is already inside the specified private directory.

        ~/sandbox/.config/keepassx

        The database file is in the the specified private directory.

        ~/sandbox/keepassx.kdbx

        The keepassx directory configuration was created when it was first invoked using the following command:

        /usr/bin/firejail –private=~/sandbox keepassx %f

        The keepassx file menu can see the database, but it cannot open it. I tried to run it in a terminal using the above command to see if there is any cli error message but there is no error or clue what is wrong.

        Thanks.

      3. netblue30 Post author

        Found it! By default all password databases are disabled. Run it like this:

        $ /usr/bin/firejail --private=~/sandbox --noblacklist=~/keepassx.kdbx keepassx %f
        
      4. russ wall

        Previously I read this specification relating to all password databases being disabled in Firejail somewhere in your blog but I could not locate it now.

        Version 0.9.38 work now with the –noblacklist option. Many thanks for the great software.

  4. Confused

    I’m testing firewall and so far, it’s a perfect example of the UNIX philosophy in application writing. I wonder if firewall can work to restrict access to mounted encrypted volumes. As it stands now if I blacklist (using firefox.profile) a mounted encrypted EncFS directory, firefox can still access the contents. Regular folders work fine to be blocked in this way but the mount point of that encrypted folder wont restrict the firejailled application from having access. Is there a way around this limitation?

    Reply
  5. SYN-cook

    I have been playing with symlink invocation and it works great, but when I pointed a libreoffice symlink to firejail the behavior was a little unexpected at first, because my /etc/firejail/libreoffice.profile was ignored and the program was launched with the generic profile instead. This could be easily fixed, however, by renaming libreoffice.profile to soffice.profile.

    Also I have two humble suggestions for the stock profiles: I guess it would make sense to blacklist ~/.cache/mozilla, ~/.cache/google-chrome etc. by default. These places tend to contain lots of private/sensitive information. Second, I would like to suggest to include whitelist ~/.config/Trolltech.conf in whitelist-common.inc. The appearance of Qt applications may depend on access to Trolltech.conf.

    Reply
    1. netblue30 Post author

      Where did you get /etc/firejail/libreoffice.profile? Is this something you added? I also think is should be soffice.profile.

      You are right, the directories you mention in ~/.cache should be blacklisted.

      I’ll add ~/.config/Trolltech.conf in whitelist-common.inc, thanks!

      Reply
  6. tommy

    How to do the same for the –private=directory command? Like I would like the browser to always open in the temporary filesystem.

    Reply
    1. netblue30 Post author

      You can put “private directory-name” in a profile file. Copy /etc/firejail/firefox.profile in /home/username/.config/firejail directory, and add “private directory-name” in that file.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s