We are happy to announce the release of Firejail version 0.9.40 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release includes a number of major features, such as X11 sandboxing support, file transfers between sandboxes and the host system, run-time configuration support, AppArmor and Grsecurity support, and firecfg, a desktop configuration utility. A number of smaller features, documentation and bugfixes are also included:
X11 sandboxing support
Firejail X11 sandboxing support is built around an external X11 server software package. Both Xpra and Xephyr are supported (apt-get install xpra xserver-xephyr on Debian). To allow people to use the sandbox on headless systems, Firejail compile and install is not be dependent on Xpra or Xephyr packages. more…
AppArmor and Grsecurity support
On Debian and Ubuntu systems, AppArmor brings in security profiles for the following applications: Firefox, Chromium, Evince, Pidgin and Totem. Chromium profile is broken, apparently it is maintained by AppArmor project. Firejail works fine with the remaining four applications (tested on Ubuntu 16.04).
A lot of fixes went into this release in order to support Grsecurity systems. A Grsecurity 4.4 Linux kernel is available in Debian testing and unstable. The kernel is also available to regular Debian stable users in jessie-backports repository. We follow in our testing the developments on this kernel. Firejail support is documented in Grsecurity Notes.
Sandbox/host file transfers
FILE TRANSFER These features allow the user to inspect the filesystem container of an existing sandbox and transfer files from the container to the host filesystem. --get=name filename Retrieve the container file and store it on the host in the cur‐ rent working directory. The container is specified by name (--name option). Full path is needed for filename. --get=pid filename Retrieve the container file and store it on the host in the cur‐ rent working directory. The container is specified by process ID. Full path is needed for filename. --ls=name dir_or_filename List container files. The container is specified by name (--name option). Full path is needed for dir_or_filename. --ls=pid dir_or_filename List container files. The container is specified by process ID. Full path is needed for dir_or_filename. Examples: $ firejail --name=mybrowser --private firefox $ firejail --ls=mybrowser ~/Downloads drwxr-xr-x netblue netblue 4096 . drwxr-xr-x netblue netblue 4096 .. -rw-r--r-- netblue netblue 7847 x11-x305.png -rw-r--r-- netblue netblue 6800 x11-x642.png -rw-r--r-- netblue netblue 34139 xpra-clipboard.png $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
Firecfg desktop configuration utility
FIRECFG(1) firecfg man page FIRECFG(1) NAME Firecfg - Desktop configuration program for Firejail software. SYNOPSIS firecfg [OPTIONS] DESCRIPTION Firecfg is the desktop configuration utility for Firejail software. The utility creates several symbolic links to firejail executable. This allows the user to sandbox applications automatically, just by clicking on a regular desktop menus and icons. The symbolic links are placed in /usr/local/bin. For more information, see DESKTOP INTEGRATION section in man 1 firejail. OPTIONS --clean Remove all firejail symbolic links. -?, --help Print options end exit. --list List all firejail symbolic links --version Print program version and exit. Example: $ sudo firecfg /usr/local/bin/firefox created /usr/local/bin/vlc created [...] $ firecfg --list /usr/local/bin/firefox /usr/local/bin/vlc [...] $ sudo firecfg --clean /usr/local/bin/firefox removed /usr/local/bin/vlc removed [...] LICENSE This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Homepage: http://firejail.wordpress.com SEE ALSO firejail(1), firemon(1), firejail-profile(5), firejail-login(5) fire‐ jail-config(5) 0.9.40 May 2016 FIRECFG(1)
Compile time and run time configuration support
Most Linux kernel security features require root privileges during configuration. The same is true for kernel networking features. Firejail (SUID binary) opens the access to these features to regular users. The privilege escalation is restricted to the sandbox being configured, and is not extended to the rest of the system. This arrangement works fine for user desktops or servers where the access is already limited.
If you not happy with a particular feature, all the support can be eliminated from SUID binary at compile time, or at run time by editing /etc/firejail/firejail.config file.
The following features can be enabled or disabled:
$ cat /etc/firejail/firejail.config [...] # Enable or disable bind support, default enabled. # bind yes # Enable or disable chroot support, default enabled. # chroot yes # Enable or disable file transfer support, default enabled. # file-transfer yes # Enable or disable networking features, default enabled. # network yes # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and # --netfilter only to root user. Regular users are only allowed --net=none. # restricted-network no # Enable or disable seccomp support, default enabled. # seccomp yes # Enable or disable user namespace support, default enabled. # userns yes # Enable or disable X11 sandboxing support, default enabled. # x11 yes # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration # that is partially under their control. Default disabled # force-nonewprivs no # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for # a full list of resolutions available on your specific setup. # xephyr-screen 640x480 # xephyr-screen 800x600 # xephyr-screen 1024x768 # xephyr-screen 1280x1024
STUN/WebRTC disabled in default netfilter configuration
The current netfilter configuration (–netfilter option) looks like this:
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # allow ping -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # drop STUN (WebRTC) requests -A OUTPUT -p udp --dport 3478 -j DROP -A OUTPUT -p udp --dport 3479 -j DROP -A OUTPUT -p tcp --dport 3478 -j DROP -A OUTPUT -p tcp --dport 3479 -j DROP COMMIT
The filter is loaded by default for Firefox if a network namespace is configured:
$ firejail --net=eth0 firefox
Set sandbox nice value
--nice=value Set nice value for all processes running inside the sandbox. Example: $ firejail --nice=-5 firefox
New security profiles
The number of applications with default security profiles is 95, and going up with each release. Applications without a security profiles use by default a very restrictive profile from /etc/firejail/default.profile file.
New profiles in this release: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril, qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars, qTox, OpenSSH client, OpenBox window manager, Dillo, cmus, dnsmasq, PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100, okular, gwenview, Gpredict, Aweather, Stellarium, Google-Play-Music-Desktop-Player, quiterss, cyberfox, generic Ubuntu snap application profile, xplayer, xreader, xviewer, mcabber, Psi+, Corebird, Konversation, Brave.
For more information please visit the project page.
Firejail 0.9.40-rc1 gives a warning (“Warning: an existing sandbox was detected. /bin/bash will run without any additional sandboxing features in a /bin/sh shell”) when hidepid=1 or hidepid=2 is enabled for /proc.
Firejail 0.9.38 works fine with hidepid>0.
hidepid>0 should not be considered as sandbox as it only hides processes of other users.
Can you please fix this?
Thanks in advance.
Yes, it think it is a bug. How do you configure hidepid?
You just have to configure it on fstab: http://pastebin.com/ht0KBe1w
How about firejail using waitpid() so daemons won’t be automatically terminated. As of now, we have to use “firejail && sleep inf”
If you run “firejail /etc/init.d/nginx start”, this will wait for the daemon to finish. Or you can start a session and send it in the background: “firejail /etc/init.d/nginx start &”
Do you need firejail itself to be a daemon and to detach from the session?
Pingback: Links 8/5/2016: Parsix GNU/Linux 8.5r1, Slackware Live Edition | Techrights
Pingback: #Firejail 0.9.40-rc1 Release Announcement https://l3net.wordpress.c… | Dr. Roy Schestowitz (罗伊)
It would be nice if version 1.0 would be rewritten in Rust before being released. They say it’s best to rewrite your 1.0 version anyway knowing all the things you’ve learned before then.
Hello. We’re evaluating using firejail as a security measure. I’m building 0.9.40 in an ARM / embedded environment and I get a compilation error in protocol.c, line 176 ‘EM_ARM’ undeclared (first use in this function) VALIDATE_ARCHITECTURE,
This is a build based on buildroot targeting armv7a (32 bit) ARM machine.
Any suggestions appreciated. I read that it has been ported to ARM, but we are a strictly embedded ARM build (no package manager) so we can’t just use other packages and need to build it for the target system.
On my machine EM_ARM is resolved in /usr/include/linux/elf-em.h as:
Add this line in src/firejail/seccomp.h at the top of the file, it should solve the problem.
ARM is fully supported, Debian is also building packages for ARM (https://packages.debian.org/unstable/main/firejail)
Firefox tells me that it runs as super user when I run “firejail firefox” (Arch Linux)
This is weird as ps aux report is as running as my user, and firejail –tree gives the following:
I did read in one of your answers to an older comment that this could be a bug in firefox; does that happens to every users or just those using a specific version of firefox? (i’m using firefox version 46.0.1, with firejail version 0.9.40).
Is there any fix? I have a hard time feeling comfortable reading that my firefox is running as root, even though it seems that it isn’t…
It is very easy to check the user running firefox. In a terminal run “ps aux | grep firefox”. I am on Debian stable, so for me firefox is called iceweasel:
Everybody, including the sandbox processes, are running as regular user. This is a Firefox bug.
Firefox now runs as superuser and I ran the command I saw at the bottom of this comments section and my termial looks like this:
efff@Jeffs-Streambook ~ $ ps aux | grep firefox
root 2532 0.0 0.1 16232 2192 ? S 20:04 0:00 firejail firefox
root 2535 0.0 0.1 16232 2000 ? S 20:04 0:00 firejail firefox
jefff 2536 23.7 21.1 1071000 402556 ? Sl 20:04 2:18 /usr/lib/firefox/firefox
jefff 2581 14.1 13.7 751380 261048 ? Sl 20:04 1:22 /usr/lib/firefox/plugin-container -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 2 true tab
jefff 3595 0.0 0.0 14224 956 pts/0 S+ 20:14 0:00 grep –color=auto firefox
> jefff 2536 23.7 21.1 1071000 402556 ? Sl 20:04 2:18 /usr/lib/firefox/firefox
This line means firefox runs as jefff. The sandbox itself runs as root, the programs in the sandbox run as regular user.
Has anyone else not been able to get “sudo firecfg” to work on Ubuntu based systems? I’ve tried it on Ubuntu MATE and Xubuntu and each time I get “sudo: firecfg: command not found”
firecfg utility was introduced in version 0.9.40, probably you are running on the LTS branch (0.9.38).
Yes just realized that. Any idea when 0.9.40 will be coming to Ubuntu?
* xenial (16.04) – 0.9.38-1
* yakkety (16.10) – 0.9.40-3
* zesty – 0.9.44.4-1
Pingback: Firejail – Xt@rget