Firejail Seccomp Guide

Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The sandbox is lightweight, the overhead is low. There are no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.

Seccomp-bpf stands for secure computing mode. It’s a simple, yet effective sandboxing tool introduced in Linux kernel 3.5. It allows the user to attach a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel. Seccomp filters are expressed in Berkeley Packet Filter (BPF) format.

Continue reading →

Firejail 0.9.24 Release Announcement

We are happy to announce the release of Firejail version 0.9.24. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, updated default profiles, and brings in several new features:
Continue reading →

Firejail Linux Capabilities Guide

Traditional UNIX implementations distinguish between two categories of processes: privileged and unprivileged. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on effective user and group ids (UID/GID), and supplementary group list.

With the introduction of capabilities in Linux kernel 2.2, this has changed. Capabilities (POSIX 1003.1e) are designed to split up the root privilege into a set of distinct privileges which can be independently enabled or disabled. These are used to restrict what a process running as root can do in the system. For instance, it is possible to deny filesystem mount operations, deny kernel module loading, prevent packet spoofing by denying access to raw sockets, deny altering attributes in the file system.

In this article I describe the Linux capabilities feature of Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, thus restricting what processes can do, and somehow reducing the attack surface of the kernel.

Continue reading →

Firejail 0.9.22 Release Announcement

We are happy to announce the release of Firejail version 0.9.22. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, and brings in several new features:
Continue reading →

Firejail – A Security Sandbox for Mozilla Firefox, Part 2

In part 2 of this series, we look at some new browser sandboxing developments in Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target.

Default profiles

Default profiles are stored in /etc/firejail and they describe the sandboxing environment for specific applications. In the latest versions of Firejail, the default profiles are applied automatically unless a different profile is requested by the user. Start it as firejail appname. Examples:

$ firejail firefox
$ firejail chromium
$ firejail midori
$ firejail opera

The sandbox consists of a mount namespace built on top of the current filesystem, with most directories marked read only, several empty system directories, and a manicured home directory. Linux capabilities filters and seccomp-bpf filters are also enabled. You can always check the current profile by running the sandbox with –debug option:
Continue reading →

Firejail 0.9.20 Release Announcement

We are happy to announce the release of Firejail version 0.9.20. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release fixes a number of bugs reported by users, and brings in several user-requested new features:
Continue reading →

Lightweight Ubuntu: LXDE Desktop from Scratch

The overall Linux performance depends on the amount of system resources your desktop environment is using. Lightweight desktop environments such as LXDE consume less resources, and are ideal for older computers that can’t keep up with heavier Linux desktop environments.

This article describes how to build an Ubuntu-based LXDE system piece by piece. It is a longer process but the resulting system is as small and light as it possibly gets. I start by installing a regular Ubuntu 14.10 server system and add desktop functionality on top of it in small steps.

Server Install

The installation of Ubuntu Server is actually very straight forward. You first need to download the ISO image from the Ubuntu Website and burn it to a CD. You can also copy the ISO image to a USB flash drive.

Boot the computer from CD or USB stick and go trough the install menus one by one.

Ubuntu Server 14.10 install

Continue reading →

Running Dropbox in Firejail Sandbox

This article describes how to move an existing Dropbox installation in a restricted home directory and how to run it inside Firejail security sandbox.

Introducing Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

The download page provides:

• source code (./configure && make && sudo make install)
• .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
• .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)

An Arch Linux package is also available in AUR.
Continue reading →

Debian/Ubuntu Cross-distro Gaming with Firejail

I like Debian 7 and I appreciate the stability and the large number of software packages available. However, some of the software I need is not available in Debian Stable. And there are also packages I would like to access in Ubuntu Software Center, and over 100 Linux games on gog.com. Sounds familiar? In this article I describe my cross-distro Linux setup and how I handle newer Ubuntu software in older distros such as Debian 7.

Ubuntu 14.04 version of AssaultCube running on Debian 7

Debian/Ubuntu setup

I have a dual-boot setup. On one partition I have Debian 7. I spend most of my time here, this is my main Linux desktop. On a different partition I have Ubuntu 14.04. I used to boot into Ubuntu occasionally for playing games or for testing my software on a newer compiler tool chain. Not anymore! My new setup allows me to run programs on Ubuntu partition directly from Debian, without the need to boot back and forth between the two distros.

The key to this setup is to have the same user id set in both distributions. This happens by default if the first user you configure during install is the same in both distros. You can check it out by running id command in Debian and Ubuntu:

Continue reading →

Firejail – A Security Sandbox for Mozilla Firefox, Part 1

We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.

Introducing Firejail

The software is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. Firejail is included in Ubuntu 15.10 and Debian testing. For other distributions, the download page provides:

• source code (./configure && make && sudo make install)
• .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
• .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)

An Arch Linux package is available in AUR.

Mozilla Firefox

The command to start Firefox in a Firejail sandbox is:

$ firejail firefox
or
$ firejail --debug firefox

Firefox browser running in a Firejail sandbox

Continue reading →