Firejail 0.9.40 Release Announcement

We are happy to announce the release of Firejail version 0.9.40 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release includes a number of major features, such as X11 sandboxing support, file transfers between sandboxes and the host system, run-time configuration support, AppArmor and Grsecurity support, and firecfg, a desktop configuration utility. A number of smaller features, documentation and bugfixes are also included:

X11 sandboxing support

Firejail X11 sandboxing support is built around an external X11 server software package. Both Xpra and Xephyr are supported (apt-get install xpra xserver-xephyr on Debian). To allow people to use the sandbox on headless systems, Firejail compile and install is not be dependent on Xpra or Xephyr packages. more…

AppArmor and Grsecurity support

On Debian and Ubuntu systems, AppArmor brings in security profiles for the following applications: Firefox, Chromium, Evince, Pidgin and Totem. Chromium profile is broken, apparently it is maintained by AppArmor project. Firejail works fine with the remaining four applications (tested on Ubuntu 16.04).

A lot of fixes went into this release in order to support Grsecurity systems. A Grsecurity 4.4 Linux kernel is available in Debian testing and unstable. The kernel is also available to regular Debian stable users in jessie-backports repository. We follow in our testing the developments on this kernel. Firejail support is documented in Grsecurity Notes.

Sandbox/host file transfers

FILE TRANSFER
       These features allow the user to inspect the filesystem container of an
       existing sandbox and transfer files from  the  container  to  the  host
       filesystem.

       --get=name filename
              Retrieve the container file and store it on the host in the cur‐
              rent working directory.  The  container  is  specified  by  name
              (--name option). Full path is needed for filename.

       --get=pid filename
              Retrieve the container file and store it on the host in the cur‐
              rent working directory.  The container is specified  by  process
              ID. Full path is needed for filename.

       --ls=name dir_or_filename
              List  container  files.   The  container  is  specified  by name
              (--name option).  Full path is needed for dir_or_filename.

       --ls=pid dir_or_filename
              List container files.  The container is specified by process ID.
              Full path is needed for dir_or_filename.

       Examples:

              $ firejail --name=mybrowser --private firefox

              $ firejail --ls=mybrowser ~/Downloads
              drwxr-xr-x netblue  netblue         4096 .
              drwxr-xr-x netblue  netblue         4096 ..
              -rw-r--r-- netblue  netblue         7847 x11-x305.png
              -rw-r--r-- netblue  netblue         6800 x11-x642.png
              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png

              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png

Firecfg desktop configuration utility

FIRECFG(1)                     firecfg man page                     FIRECFG(1)



NAME
       Firecfg - Desktop configuration program for Firejail software.

SYNOPSIS
       firecfg [OPTIONS]

DESCRIPTION
       Firecfg is the desktop configuration utility for Firejail software. The
       utility creates several symbolic links  to  firejail  executable.  This
       allows the user to sandbox applications automatically, just by clicking
       on a regular desktop menus and icons.

       The symbolic links are placed in /usr/local/bin. For more  information,
       see DESKTOP INTEGRATION section in man 1 firejail.


OPTIONS
       --clean
              Remove all firejail symbolic links.

       -?, --help
              Print options end exit.

       --list List all firejail symbolic links

       --version
              Print program version and exit.



       Example:

       $ sudo firecfg
       /usr/local/bin/firefox created
       /usr/local/bin/vlc created
       [...]
       $ firecfg --list
       /usr/local/bin/firefox
       /usr/local/bin/vlc
       [...]
       $ sudo firecfg --clean
       /usr/local/bin/firefox removed
       /usr/local/bin/vlc removed
       [...]


LICENSE
       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published  by  the
       Free  Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       Homepage: http://firejail.wordpress.com

SEE ALSO
       firejail(1), firemon(1), firejail-profile(5),  firejail-login(5)  fire‐
       jail-config(5)





0.9.40                             May 2016                         FIRECFG(1)

Compile time and run time configuration support

Most Linux kernel security features require root privileges during configuration. The same is true for kernel networking features. Firejail (SUID binary) opens the access to these features to regular users. The privilege escalation is restricted to the sandbox being configured, and is not extended to the rest of the system. This arrangement works fine for user desktops or servers where the access is already limited.

If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time, or at run time by editing /etc/firejail/firejail.config file.

The following features can be enabled or disabled:

$ cat /etc/firejail/firejail.config
[...]
# Enable or disable bind support, default enabled.
# bind yes

# Enable or disable chroot support, default enabled.
# chroot yes

# Enable or disable file transfer support, default enabled.
# file-transfer yes

# Enable or disable networking features, default enabled.
# network yes

# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no

# Enable or disable seccomp support, default enabled.
# seccomp yes

# Enable or disable user namespace support, default enabled.
# userns yes

# Enable or disable X11 sandboxing support, default enabled.
# x11 yes

# Force use of nonewprivs.  This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control.  Default disabled
# force-nonewprivs no

# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024

STUN/WebRTC disabled in default netfilter configuration

The current netfilter configuration (–netfilter option) looks like this:

           *filter
              :INPUT DROP [0:0]
              :FORWARD DROP [0:0]
              :OUTPUT ACCEPT [0:0]
              -A INPUT -i lo -j ACCEPT
              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
              # allow ping
              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
              # drop STUN (WebRTC) requests
              -A OUTPUT -p udp --dport 3478 -j DROP
              -A OUTPUT -p udp --dport 3479 -j DROP
              -A OUTPUT -p tcp --dport 3478 -j DROP
              -A OUTPUT -p tcp --dport 3479 -j DROP
              COMMIT

The filter is loaded by default for Firefox if a network namespace is configured:

$ firejail --net=eth0 firefox

Set sandbox nice value

      --nice=value
              Set nice value for all processes running inside the sandbox.

              Example:
              $ firejail --nice=-5 firefox

New security profiles

The number of applications with default security profiles is 95, and going up with each release. Applications without a security profiles use by default a very restrictive profile from /etc/firejail/default.profile file.

New profiles in this release: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation, Brave.

About

For more information please visit the project page.

Advertisements

18 thoughts on “Firejail 0.9.40 Release Announcement

  1. César de Tassis Filho

    Firejail 0.9.40-rc1 gives a warning (“Warning: an existing sandbox was detected. /bin/bash will run without any additional sandboxing features in a /bin/sh shell”) when hidepid=1 or hidepid=2 is enabled for /proc.
    Firejail 0.9.38 works fine with hidepid>0.
    hidepid>0 should not be considered as sandbox as it only hides processes of other users.
    Can you please fix this?
    Thanks in advance.

    Reply
  2. David Brown

    How about firejail using waitpid() so daemons won’t be automatically terminated. As of now, we have to use “firejail && sleep inf”

    Reply
    1. netblue30 Post author

      If you run “firejail /etc/init.d/nginx start”, this will wait for the daemon to finish. Or you can start a session and send it in the background: “firejail /etc/init.d/nginx start &”

      Do you need firejail itself to be a daemon and to detach from the session?

      Reply
  3. Pingback: Links 8/5/2016: Parsix GNU/Linux 8.5r1, Slackware Live Edition | Techrights

  4. Pingback: #Firejail 0.9.40-rc1 Release Announcement https://l3net.wordpress.c… | Dr. Roy Schestowitz (罗伊)

  5. tommyd

    It would be nice if version 1.0 would be rewritten in Rust before being released. They say it’s best to rewrite your 1.0 version anyway knowing all the things you’ve learned before then.

    Reply
  6. Robert T. Pack

    Hello. We’re evaluating using firejail as a security measure. I’m building 0.9.40 in an ARM / embedded environment and I get a compilation error in protocol.c, line 176 ‘EM_ARM’ undeclared (first use in this function) VALIDATE_ARCHITECTURE,

    This is a build based on buildroot targeting armv7a (32 bit) ARM machine.

    Any suggestions appreciated. I read that it has been ported to ARM, but we are a strictly embedded ARM build (no package manager) so we can’t just use other packages and need to build it for the target system.

    Reply
  7. Radius

    Firefox tells me that it runs as super user when I run “firejail firefox” (Arch Linux)

    This is weird as ps aux report is as running as my user, and firejail –tree gives the following:
    19600:user:firejail firefox
    19603:user:firejail firefox
    19605:user:firefox

    I did read in one of your answers to an older comment that this could be a bug in firefox; does that happens to every users or just those using a specific version of firefox? (i’m using firefox version 46.0.1, with firejail version 0.9.40).

    Is there any fix? I have a hard time feeling comfortable reading that my firefox is running as root, even though it seems that it isn’t…

    Thanks!

    Reply
    1. netblue30 Post author

      It is very easy to check the user running firefox. In a terminal run “ps aux | grep firefox”. I am on Debian stable, so for me firefox is called iceweasel:

      $ ps aux | grep iceweasel
      netblue   7561  0.0  0.0  13240  2792 ?        S    16:50   0:00 /bin/bash /usr/local/bin/iceweasel
      netblue   7562  0.0  0.0  16112  2316 ?        S    16:50   0:00 firejail --name=browser --net=eth0 --iprange=192.168.1.150 192.168.1.199 /usr/lib/iceweasel/iceweasel
      netblue   7563  0.0  0.0  16112  2128 ?        S    16:50   0:00 firejail --name=browser --net=eth0 --iprange=192.168.1.150 192.168.1.199 /usr/lib/iceweasel/iceweasel
      netblue   7577  0.0  0.0   8472   760 ?        S    16:50   0:00 /bin/bash -c "/usr/lib/iceweasel/iceweasel" 
      netblue   7578 16.2  8.8 1591920 628980 ?      Sl   16:50  49:55 /usr/lib/iceweasel/iceweasel
      netblue   9030  0.0  0.0  12736  2132 pts/3    S+   21:56   0:00 grep iceweasel
      

      Everybody, including the sandbox processes, are running as regular user. This is a Firefox bug.

      Reply
  8. Cake

    Firefox now runs as superuser and I ran the command I saw at the bottom of this comments section and my termial looks like this:
    efff@Jeffs-Streambook ~ $ ps aux | grep firefox
    root 2532 0.0 0.1 16232 2192 ? S 20:04 0:00 firejail firefox
    root 2535 0.0 0.1 16232 2000 ? S 20:04 0:00 firejail firefox
    jefff 2536 23.7 21.1 1071000 402556 ? Sl 20:04 2:18 /usr/lib/firefox/firefox
    jefff 2581 14.1 13.7 751380 261048 ? Sl 20:04 1:22 /usr/lib/firefox/plugin-container -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 2 true tab
    jefff 3595 0.0 0.0 14224 956 pts/0 S+ 20:14 0:00 grep –color=auto firefox

    Reply
    1. netblue30 Post author

      > jefff 2536 23.7 21.1 1071000 402556 ? Sl 20:04 2:18 /usr/lib/firefox/firefox

      This line means firefox runs as jefff. The sandbox itself runs as root, the programs in the sandbox run as regular user.

      Reply
  9. Chas Belfield

    Has anyone else not been able to get “sudo firecfg” to work on Ubuntu based systems? I’ve tried it on Ubuntu MATE and Xubuntu and each time I get “sudo: firecfg: command not found”

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s