Author Archives: netblue30

Firejail 0.9.38 Release Announcement

We are happy to announce the release of Firejail version 0.9.38 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The project went through an external security audit, and several SUID-releated problems have been found. Please update your software. The release brings in a number of new features, program interface changes, new application profiles and bugfixes:

Continue reading

Firejail Target Practice: CVE-2016-0728

CVE-2016-0728 just came out. The vulnerability was present in the kernel code since 2012, and it was discovered by Perception Point. Sample exploit code is available.

“It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine […]. Every Linux server needs to be patched as soon the patch is out.” (Yevgeny Pats, cofounder and CEO of Perception Point)

A patch is already out, and a fix is available in Debian. Before “apt-get update && apt-get upgrade” let’s see what is all about. I grab the sample code, compile it and try it out. The exploit program runs for a long time:

Continue reading

Firejail 0.9.34 Release Announcement

We are happy to announce the release of Firejail version 0.9.34 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release brings in default home directory whitelisting for Firefox and Chromium, a new seccomp-based security filter (–protocol), dual 32 bit/64 bit seccomp support, support for Skype, Steam and Wine, and a number of smaller features and bugfixes:

Continue reading

Firejail – A Security Sandbox for Mozilla Firefox, Part 3

In August, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to a server in Ukraine.

I am proud to say Firejail users were protected! The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home, while more advanced configurations blocked everything else.

The main focus of Firejail project is GUI application sandboxing, with web browsers being one of the main targets. I will describe some of the new features available in Firejail, and how to use them to sandbox a web browser such as Mozilla Firefox.

A short note before we start. By default, Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in Firejail sandbox.

Continue reading

Firejail 0.9.30 Release Announcement

We are happy to announce the release of Firejail version 0.9.30 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release contains a large number of bug fixes, several changes to the existing sandbox interface, and the following new features:

Continue reading

Firejail 0.9.28 Release Announcement

We are happy to announce the release of Firejail version 0.9.28 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release contains significant improvements, and a large number of enhancements and bug fixes.

Most new features in this release are network namespaces features. A network namespace is basically a new TCP/IP stack. It is created and attached to the sandbox by using –net command line option. The stack is totally isolated from the host stack, it has its own routing table, netfilter firewall, and its own set of interfaces. Regular Ethernet or bridge interfaces can be supplied as parameters to –net option.

In the examples to follow we will use the main Ethernet interface, eth0. Sandboxes created this way appear to be on the same network as the host computer.

Continue reading