We are happy to announce the release of Firejail version 0.9.40 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release includes a number of major features, such as X11 sandboxing support, file transfers between sandboxes and the host system, run-time configuration support, AppArmor and Grsecurity support, and firecfg, a desktop configuration utility. A number of smaller features, documentation and bugfixes are also included:
X11 sandboxing support
Firejail X11 sandboxing support is built around an external X11 server software package. Both Xpra and Xephyr are supported (apt-get install xpra xserver-xephyr on Debian). To allow people to use the sandbox on headless systems, Firejail compile and install is not be dependent on Xpra or Xephyr packages. more…
AppArmor and Grsecurity support
On Debian and Ubuntu systems, AppArmor brings in security profiles for the following applications: Firefox, Chromium, Evince, Pidgin and Totem. Chromium profile is broken, apparently it is maintained by AppArmor project. Firejail works fine with the remaining four applications (tested on Ubuntu 16.04).
A lot of fixes went into this release in order to support Grsecurity systems. A Grsecurity 4.4 Linux kernel is available in Debian testing and unstable. The kernel is also available to regular Debian stable users in jessie-backports repository. We follow in our testing the developments on this kernel. Firejail support is documented in Grsecurity Notes.
Sandbox/host file transfers
FILE TRANSFER These features allow the user to inspect the filesystem container of an existing sandbox and transfer files from the container to the host filesystem. --get=name filename Retrieve the container file and store it on the host in the cur‐ rent working directory. The container is specified by name (--name option). Full path is needed for filename. --get=pid filename Retrieve the container file and store it on the host in the cur‐ rent working directory. The container is specified by process ID. Full path is needed for filename. --ls=name dir_or_filename List container files. The container is specified by name (--name option). Full path is needed for dir_or_filename. --ls=pid dir_or_filename List container files. The container is specified by process ID. Full path is needed for dir_or_filename. Examples: $ firejail --name=mybrowser --private firefox $ firejail --ls=mybrowser ~/Downloads drwxr-xr-x netblue netblue 4096 . drwxr-xr-x netblue netblue 4096 .. -rw-r--r-- netblue netblue 7847 x11-x305.png -rw-r--r-- netblue netblue 6800 x11-x642.png -rw-r--r-- netblue netblue 34139 xpra-clipboard.png $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
Firecfg desktop configuration utility
FIRECFG(1) firecfg man page FIRECFG(1) NAME Firecfg - Desktop configuration program for Firejail software. SYNOPSIS firecfg [OPTIONS] DESCRIPTION Firecfg is the desktop configuration utility for Firejail software. The utility creates several symbolic links to firejail executable. This allows the user to sandbox applications automatically, just by clicking on a regular desktop menus and icons. The symbolic links are placed in /usr/local/bin. For more information, see DESKTOP INTEGRATION section in man 1 firejail. OPTIONS --clean Remove all firejail symbolic links. -?, --help Print options end exit. --list List all firejail symbolic links --version Print program version and exit. Example: $ sudo firecfg /usr/local/bin/firefox created /usr/local/bin/vlc created [...] $ firecfg --list /usr/local/bin/firefox /usr/local/bin/vlc [...] $ sudo firecfg --clean /usr/local/bin/firefox removed /usr/local/bin/vlc removed [...] LICENSE This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Homepage: http://firejail.wordpress.com SEE ALSO firejail(1), firemon(1), firejail-profile(5), firejail-login(5) fire‐ jail-config(5) 0.9.40 May 2016 FIRECFG(1)
Compile time and run time configuration support
Most Linux kernel security features require root privileges during configuration. The same is true for kernel networking features. Firejail (SUID binary) opens the access to these features to regular users. The privilege escalation is restricted to the sandbox being configured, and is not extended to the rest of the system. This arrangement works fine for user desktops or servers where the access is already limited.
If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time, or at run time by editing /etc/firejail/firejail.config file.
The following features can be enabled or disabled:
$ cat /etc/firejail/firejail.config [...] # Enable or disable bind support, default enabled. # bind yes # Enable or disable chroot support, default enabled. # chroot yes # Enable or disable file transfer support, default enabled. # file-transfer yes # Enable or disable networking features, default enabled. # network yes # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and # --netfilter only to root user. Regular users are only allowed --net=none. # restricted-network no # Enable or disable seccomp support, default enabled. # seccomp yes # Enable or disable user namespace support, default enabled. # userns yes # Enable or disable X11 sandboxing support, default enabled. # x11 yes # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration # that is partially under their control. Default disabled # force-nonewprivs no # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for # a full list of resolutions available on your specific setup. # xephyr-screen 640x480 # xephyr-screen 800x600 # xephyr-screen 1024x768 # xephyr-screen 1280x1024
STUN/WebRTC disabled in default netfilter configuration
The current netfilter configuration (–netfilter option) looks like this:
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # allow ping -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # drop STUN (WebRTC) requests -A OUTPUT -p udp --dport 3478 -j DROP -A OUTPUT -p udp --dport 3479 -j DROP -A OUTPUT -p tcp --dport 3478 -j DROP -A OUTPUT -p tcp --dport 3479 -j DROP COMMIT
The filter is loaded by default for Firefox if a network namespace is configured:
$ firejail --net=eth0 firefox
Set sandbox nice value
--nice=value Set nice value for all processes running inside the sandbox. Example: $ firejail --nice=-5 firefox
New security profiles
The number of applications with default security profiles is 95, and going up with each release. Applications without a security profiles use by default a very restrictive profile from /etc/firejail/default.profile file.
New profiles in this release: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation, Brave.
For more information please visit the project page.