We are happy to announce the release of Firejail version 0.9.38 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The project went through an external security audit, and several SUID-related problems have been found. Please update your software. The release brings in a number of new features, program interface changes, new application profiles and bugfixes:
Program interface changes
- --private-home feature was deprecated. If you were using it, please consider switching to --private=directory or --whitelist.
- --chroot running as user will fail if seccomp is not available in the current Linux kernel. Seccomp-bpf was introduced in version 3.5 of the Linux kernel.
- --tmpfs option is allowed only if running as root. A new feature, --private-tmp, was introduced for regular users. The feature mounts an empty tmpfs filesystem on top of the /tmp directory.
- When more than one --protocol command is present, the first one takes precedence.
Symbolic link invocation
This is a small thing, but very convenient. Make a symbolic link (ln -s) to /usr/bin/firejail under the name of the program you want to run, and put the link in the first $PATH position (for example in /usr/local/bin). Example:
$ which -a transmission-gtk
/usr/bin/transmission-gtk
$ sudo ln -s /usr/bin/firejail /usr/local/bin/transmission-gtk
$ which -a transmission-gtk
/usr/local/bin/transmission-gtk
/usr/bin/transmission-gtk
We now have two entries in $PATH for transmission-gtk. The first one is a symlink to firejail; the second one is the real program. Starting transmission-gtk now invokes "firejail transmission-gtk":
$ transmission-gtk
Redirecting symlink to /usr/bin/transmission-gtk
Reading profile /etc/firejail/transmission-gtk.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Parent pid 19343, child pid 19344
Blacklist violations are logged to syslog
Child process initialized
This seems to be the easiest way to integrate Firejail in a desktop environment. In most cases clicking on a menu entry or an icon will sandbox the program. Use "firejail --tree" to check that the program was sandboxed:
$ firejail --tree
5781:netblue:/usr/bin/firejail /usr/bin/transmission-gtk
  5782:netblue:/usr/bin/firejail /usr/bin/transmission-gtk
    5783:netblue:/usr/bin/transmission-gtk
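As an added example (not Firejail's own code), here is a small POSIX shell check that walks $PATH the way "which -a" does and reports whether a program name is redirected through a firejail symlink before reaching the real binary, the layout set up above. It assumes "readlink -f" is available and that firejail lives at /usr/bin/firejail unless another path is given.

```shell
#!/bin/sh
# Added example, not code from the Firejail project: verify that a program
# name resolves through a firejail symlink before reaching the real binary.
# Assumes a POSIX sh with readlink -f (GNU coreutils or busybox).

# Print every executable called $1 found on $PATH, first match first.
path_candidates() {
    ( IFS=:
      for d in $PATH; do
          [ -x "$d/$1" ] && printf '%s\n' "$d/$1"
      done )
    return 0
}

# is_firejail_link FILE FIREJAIL: true if FILE is a symlink resolving to FIREJAIL.
is_firejail_link() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# check_sandboxed NAME [FIREJAIL_PATH]
# Exit status: 0 = first PATH hit is a firejail symlink and a real program
# follows it; 1 = the name is not redirected through firejail; 2 = the name
# is not on PATH at all, or only the symlink exists (nothing to redirect to).
check_sandboxed() {
    name=$1
    fj=${2:-/usr/bin/firejail}
    first=
    real=
    while read -r cand; do
        [ -n "$cand" ] || continue
        if [ -z "$first" ]; then
            first=$cand
        elif [ -z "$real" ] && ! is_firejail_link "$cand" "$fj"; then
            real=$cand
        fi
    done <<EOF
$(path_candidates "$name")
EOF
    if [ -z "$first" ]; then
        echo "$name: not found on PATH"; return 2
    fi
    if ! is_firejail_link "$first" "$fj"; then
        echo "$name: $first runs directly (not sandboxed)"; return 1
    fi
    if [ -z "$real" ]; then
        echo "$name: $first links to firejail but no real program follows it"; return 2
    fi
    echo "$name: $first -> firejail -> $real (sandboxed)"
    return 0
}

# Usage: sh check_firejail_links.sh transmission-gtk firefox
for prog in "$@"; do check_sandboxed "$prog"; done
```

Run it with the names of the desktop programs you expect to be sandboxed; a non-zero status for any of them means clicking that menu entry would start the program outside Firejail.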
IPv6 support
--ip6=address
    Assign IPv6 addresses to the last network interface defined by a --net option.
    Example:
    $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
--netfilter6=filename
    Enable the IPv6 network filter specified by filename in the new network namespace. The filter file format is the format of the ip6tables-save and ip6tables-restore commands. New network namespaces are created using the --net option. If a new network namespace is not created, the --netfilter6 option does nothing.
Join command enhancements
--join-filesystem
    Join the mount namespace of the sandbox. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. This command is available only to the root user. Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
--join-network
    Join the network namespace of the sandbox. By default a /bin/bash shell is started after joining the sandbox. If a program is specified, the program is run in the sandbox. This command is available only to the root user. Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
--private-tmp
    Mount an empty temporary filesystem on top of the /tmp directory.
    Example:
    $ firejail --private-tmp
--user=new-user
    Switch the user before starting the sandbox. This command should be run as root.
    Example:
    # firejail --user=www-data
CentOS 6.x support
CentOS 6 support was included in this release. You need a Linux kernel version 3.2 or newer installed on the system.
Compile time options
Most Linux kernel security features require root privileges during configuration. The same is true for kernel networking features. Firejail (a SUID binary) opens access to these features to regular users. The privilege escalation is restricted to the sandbox being configured, and is not extended to the rest of the system. This arrangement works fine for user desktops or servers where access is already limited.
If you are not happy with a particular kernel feature, all support for it can be eliminated from the SUID binary at compile time. The following compile time options are implemented:
$ ./configure --help
[...]
  --disable-seccomp       disable seccomp
  --disable-chroot        disable chroot
  --disable-bind          disable bind
  --disable-network       disable network
  --disable-userns        disable user namespace
[...]
New security profiles
For more information please visit the project page.