Firejail 0.9.42 Release Announcement

We are happy to announce the release of Firejail version 0.9.42. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. We provide software security for Average Joe and Jane’s Humble Distro. If you are a corporate player in the security field, please be aware you are competing with a weekend project. Now let’s cut to the chase and see what’s new:

AppArmor

Firejail already runs on top of AppArmor on distributions such as Ubuntu and Debian, where the distro ships AppArmor profiles for several applications: a program started in the sandbox stays confined by whatever profile the distro has for it. In this release we bring in support for our own AppArmor profile. If you run Firejail with the --apparmor flag, the sandbox is confined by a generic AppArmor profile shipped with Firejail instead of the profile provided by your distro.

The feature is disabled by default at compile time. Pass --enable-apparmor to configure (the build links against libapparmor, so its development package, libapparmor-dev on Debian and Ubuntu, has to be installed), then compile the software:

$ ./configure --prefix=/usr --enable-apparmor
$ make
$ sudo make install

During software install, a generic AppArmor profile file, firejail-default, is placed in the /etc/apparmor.d directory. The profile still has to be loaded into the kernel and switched to enforce mode; aa-enforce from apparmor-utils does both:

$ sudo aa-enforce firejail-default

The profile tries to replicate some advanced security features inspired by the kernel-based Grsecurity:

  • Prevent information leakage through the /proc and /sys directories. What remains of those filesystems is just enough for commands such as “top” and “ps aux” to work.
  • Allow programs to run only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running programs and scripts from the user’s home directory, or from any other directory the user can write to, is denied.
  • Block D-Bus. D-Bus has long been a huge security hole, and most programs don’t need it anyway. Chromium and Firefox run fine without it, although desktop integration that goes through the bus (notifications, for example) is lost.

Example:

$ firejail --apparmor firefox

You can also put the apparmor command in a Firejail profile file, so the AppArmor profile is applied without passing --apparmor on the command line.

AppImage

AppImage is what you use when you are planning a fundraising campaign for your open-source project. You would start from an older base, such as Debian Jessie or Ubuntu 14.04, and as you find you need newer libraries, you bring them into your package one by one. The result is a single self-mounting ISO 9660 image with an embedded runtime that will work on most distros. Starting from your base, it covers a few years’ worth of Ubuntu, Debian and Mint releases, all the way up to the latest Arch and Gentoo.

In this Firejail release we bring in native support for AppImage executables. This is an example:

I download the Firefox Developer Edition AppImage maintained by Simon Peter, author and developer of the AppImage packaging system, then I start the sandbox:

$ firejail --appimage --private --net=eth0 --x11 ~/Downloads/Firefox-Dev-48.0a2.en.glibc2.3.3-x86_64.AppImage

I have an empty home directory (--private), a fresh network namespace (--net=eth0) so the browser cannot reach the ssh server listening on my workstation, and everything runs on a separate X11 server (--x11). Seccomp, namespaces and the rest are enabled by default.

Firefox AppImage running in Firejail

You can find more information on our AppImage Support page.

Sandbox auditing

Firejail’s audit feature allows the user to point out gaps in security profiles. The implementation replaces the program to be sandboxed with a test program. By default, we use /usr/lib/firejail/faudit distributed with Firejail. A custom test program can also be supplied by the user. Examples:

$ firejail --audit transmission-gtk
$ firejail --audit=~/sandbox-test transmission-gtk

In the examples above, the sandbox configures transmission-gtk profile and starts the test program. The real program, transmission-gtk, will not be started.

$ firejail --audit transmission-gtk
Reading profile /etc/firejail/transmission-gtk.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 23146, child pid 23147
Blacklist violations are logged to syslog


---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------
INFO: starting /usr/lib/firejail/faudit.
GOOD: process 5 is running in a PID namespace.
INFO: container/sandbox firejail.

GOOD: seccomp BPF enabled.
checking syscalls: mount... umount2... ptrace... swapon... swapoff... init_module... delete_module... chroot... pivot_root... iopl... ioperm... 

GOOD: all capabilities are disabled.

GOOD: I cannot access files in /home/netblue/.ssh directory.
GOOD: I cannot access files in /home/netblue/.gnupg directory.
GOOD: I cannot access files in /home/netblue/.mozilla directory.
GOOD: I cannot access files in /home/netblue/.config/chromium directory.
GOOD: I cannot access files in /home/netblue/.icedove directory.
GOOD: I cannot access files in /home/netblue/.thunderbird directory.

MAYBE: an SSH server is accessible on localhost. It could be a good idea to create a new network namespace using "--net=none" or "--net=eth0".
GOOD: HTTP server not available on localhost.
GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.

MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using "--net=none" or "--net=eth0".

INFO: files visible in /dev directory: ptmx, pts, tty, urandom, random, full, null, zero, shm, dri, snd, log, 
GOOD: Access to /dev directory is restricted.

--------------------------------------------------------------------------------

Parent is shutting down, bye...

As the test program you can use anything you want, even a simple bash script that tries to read something the profile is supposed to hide:

#!/bin/bash
# Runs inside the sandbox in place of the real program. If the profile
# blacklists ~/.ssh, this prints a permission error instead of the file.
cat ~/.ssh/known_hosts
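A more thorough custom test program, as an added example (my own script, not Firejail’s faudit and not code from the original post): it reads the sandbox’s own /proc/self/status to confirm that every capability was dropped and that a seccomp-bpf filter is installed, probes the same dot directories faudit tries, and looks for a path-based session bus socket. The directory list, the GOOD/BAD/MAYBE labels and the bus socket path are assumptions. Save it as ~/sandbox-test, make it executable, and run it with firejail --audit=~/sandbox-test transmission-gtk; Firejail execs it inside the sandbox the transmission-gtk profile builds.

```shell
#!/bin/bash
# Custom test program for: firejail --audit=$HOME/sandbox-test <program>
# Added example, not the faudit program shipped with Firejail. Firejail execs
# this file inside the sandbox in place of the real program, so /proc/self
# and $HOME below are the sandbox's view. The directory list, the labels and
# the session-bus path are assumptions, not Firejail's own checks.

# Return 0 when no regular file directly under $1 is readable (directory
# blacklisted, empty or absent), 1 when at least one file can be read.
dir_unreadable() {
    local d=$1 f
    [ -d "$d" ] || return 0
    for f in "$d"/* "$d"/.[!.]*; do
        [ -f "$f" ] || continue
        [ -r "$f" ] && return 1
    done
    return 0
}

# Print one field of /proc/<pid>/status text read from stdin:
# "Seccomp" -> seccomp mode (2 = BPF filter), "CapEff" -> hex capability mask.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# An all-zero CapEff mask means every capability was dropped (caps.drop all).
caps_verdict() {
    case "$1" in
        0000000000000000) echo GOOD ;;
        "")               echo UGLY ;;   # no /proc status: cannot tell
        *)                echo BAD ;;
    esac
}

# Seccomp mode 2 is filter mode, i.e. a BPF filter is installed.
seccomp_verdict() {
    if [ "$1" = 2 ]; then echo GOOD; else echo BAD; fi
}

audit_report() {
    local status mask mode d bus
    status=$(cat /proc/self/status 2>/dev/null)
    mask=$(printf '%s\n' "$status" | status_field CapEff)
    mode=$(printf '%s\n' "$status" | status_field Seccomp)
    echo "$(caps_verdict "$mask"): effective capabilities = ${mask:-unknown}"
    echo "$(seccomp_verdict "$mode"): seccomp mode = ${mode:-unknown}"
    for d in "$HOME/.ssh" "$HOME/.gnupg" "$HOME/.mozilla" "$HOME/.config/chromium"; do
        if dir_unreadable "$d"; then
            echo "GOOD: cannot read files in $d"
        else
            echo "BAD: files in $d are readable"
        fi
    done
    # Session bus socket path (assumed). --net=none/--net=eth0 hides only an
    # abstract socket; a socket visible at this path needs a blacklist rule.
    bus=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/bus
    if [ -S "$bus" ]; then
        echo "MAYBE: session bus socket $bus is visible"
    else
        echo "GOOD: no session bus socket at $bus"
    fi
}

audit_report
```

Run it as the user who will run the sandboxed program: file permissions as well as the profile decide what is readable, and a report taken as root says nothing about the ordinary user’s view. A BAD line for one of the dot directories means the profile needs a blacklist (or the home directory needs a whitelist) before the real program is trusted with it.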

Snaps and flatpaks

With my shiny new auditing toy all fired up and ready to go, it was time to insert it in snap and flatpak packages and run them. There were some surprises:

  • Snap uses seccomp. It is not marketed as such, but later I found a description buried deep in the documentation. It has a good generic whitelist filter – actually I like the way they implemented it.
  • AppArmor plays a major role in the snap strategy. I would say you really need it if you are running snaps on a different Linux distribution.
  • The user’s home directory is exposed, but not its dot files. All of this is done in the AppArmor profile, so your .ssh and .gnupg files are not available inside the sandbox.

For sandboxing snaps we use the same strategy we used for Chromium: we let them fully configure what they have, and we insert Firejail in the security pipeline.

We use a simple snap.profile that whitelists the home directory so that only Downloads is visible inside the user’s home. We also add a proper PID namespace and some other miscellaneous items. Example:

$ firejail --profile=/etc/firejail/snap.profile /snap/bin/ubuntu-clock-app.clock

This is how Firetools is reporting the home directory:

User home directory for a snap package.

The story with flatpak is a little bit different.

  • Flatpak is more a container engine than a sandbox, and has the same problems as any other container system out there: heavy downloads from untrusted sources. At least under Docker you can build your own container, but here you really have to download it.
  • The software has a number of dependencies such as Gnome libraries, systemd, but the most surprising one is PulseAudio – at least for me ALSA refused to work with flatpak.
  • On the security side, Flatpak exposes the home directory. You can read and write anything you want in there, including your .ssh and .gnupg files:

Editing files in ~/.ssh directory using the latest LibreOffice flatpak package

Flatpak is still under heavy development; we don’t plan to add flatpak support to Firejail at this time.

New security profiles

Gitter, gThumb, mpv, Franz messenger, LibreOffice, pix, audacity, xz, xzdec, gzip, cpio, less, Atom Beta, Atom, jitsi, eom, uudeview, tar (gtar), unzip, unrar, file, skypeforlinux, strings, inox, Slack, gnome-chess, Gajim IM client, DOSBox

About

For more information please visit the project page.


15 thoughts on “Firejail 0.9.42 Release Announcement”

  1. Bob

    Hi NetBlue,
    I have a question. Is it possible to retrieve downloads if one is using the command firejail --private-home=.mozilla firefox with the default firefox profile?

    Best regards,
    Bob

  2. WG

    The --private-bin option conflicts with firejail replacement binaries/scripts in /usr/local/bin (and is a reason why bug #422 is a bad idea). I can’t load programs like eog (eom) because the private-bin profile is trying to add my /usr/local/bin version as the only binary, which doesn’t work (it’s calling itself, or really it’s calling firejail, which doesn’t exist, which is trying to jail the binary that is being called, so the process quits immediately). I confirmed this behavior by renaming /usr/local/bin/eog to eog and then executing firejail /usr/bin/eog. This works, but with /usr/local/bin, it doesn’t. I have /usr/local/bin higher in my path so that applications call the firejail version (I use a custom profile that I don’t want in /etc/firejail, so I need to use /usr/local/bin for wrapper scripts). The same problem exists for profiles with private-bin in them (how I first found it).

    If there were a way to specify which binaries to use (e.g., firejail --private-bin=/usr/bin/eog /usr/bin/eog), that would be appreciated. As is, I can’t use this great feature.

  3. T.K.

    Building firejail-0.9.42 as non-root fails on my distribution (Mageia 6), because /etc/login.defs is not readable (640 owned by root:shadow). Maybe also add a -r test for that file in mkuid.sh?

  4. Stephan Sokolow

    Disable D-Bus. D-Bus has long been a huge security hole, and most programs don’t use it anyway. You should have no problems running Chromium or Firefox.

    That depends on how the user defines “no problems”. I’d personally consider “web notifications regress to the XUL fallback for lack of D-Bus access” to be a big problem. (I put a lot of effort into arguing for Firefox to integrate web notifications into the system rather than using popup windows.)

  5. Ed

    On my system, whereas Chromium runs beautifully with firejail’s default apparmor profile, Google Chrome for some reason fails to start….

    with firejail --apparmor --debug /usr/bin/google-chrome I get:
    …. lots of text …..
    AppArmor enabled
    Running ‘/usr/bin/google-chrome’ command through /bin/bash
    execvp argument 0: /bin/bash
    execvp argument 1: -c
    execvp argument 2: ‘/usr/bin/google-chrome’
    Child process initialized
    /bin/bash: /usr/bin/google-chrome: No permission
    monitoring pid 2
    Sandbox monitor: waitpid 2 retval 2 status 32256
    Parent is shutting down, bye…

    1. netblue30 Post author

      Where is Google Chrome installed? Is /usr/bin/google-chrome a symbolic link or some script calling the real program in a different directory?

  6. Ed

    There is indeed a cascade of links:
    /usr/bin/google-chrome -> /etc/alternatives/google-chrome
    /etc/alternatives/google-chrome -> /usr/bin/google-chrome-stable
    /usr/bin/google-chrome-stable -> /opt/google/chrome/google-chrome

    But when I call directly firejail --apparmor /opt/google/chrome/google-chrome, the result is the same (permission denied).
    I also tried running apparmor in complain mode, but this didn’t give additional insight…

    1. netblue30 Post author

      I found the bug in apparmor profile. This is how you fix it:

      1. Disable firejail apparmor profile: sudo aa-disable firejail-default

      2. In a text editor, open /etc/apparmor.d/firejail-default and add the following two lines: “/opt/ r,” and “/opt/** r,”. It will look something like this:

      [...]
      /usr/sbin/** ix,
      /usr/local/** ix,
      /usr/lib/** ix,
      /usr/games/** ix,
      /opt/ r,
      /opt/** r,
      /opt/** ix,
      #/home/** ix,
      [...]
      

      3. Enable firejail apparmor profile: sudo aa-enforce firejail-default

      I’ll have the fix in git by the end of the day, you can also try that version.

      1. Ed

        Thanks netblue…. what you are doing – not only development-wise, but also support-wise, is *A*M*A*Z*I*N*G

  7. Ed

    Dear netblue30, as far as I understand, no program except those from the ecryptfs-utils package needs access to these three folders, which contain sensitive data in encrypted form:
    /home/.ecryptfs
    ${HOME}/.ecryptfs
    ${HOME}/.Private
    Do you think blacklisting these locations would make sense?

