Tag Archives: Firejail

Firejail 0.9.42 Release Announcement

We are happy to announce the release of Firejail version 0.9.42 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. We provide software security for Average Joe and Jane’s Humble Distro. If you are a corporate player in the security field, please be aware you are competing with a weekend project. Now let’s cut to the chase and see what’s new:

Continue reading

Firejail 0.9.40 Release Announcement

We are happy to announce the release of Firejail version 0.9.40 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release includes a number of major features, such as X11 sandboxing support, file transfers between sandboxes and the host system, run-time configuration support, AppArmor and Grsecurity support, and firecfg, a desktop configuration utility. A number of smaller features, documentation and bugfixes are also included:

Continue reading

Firejail 0.9.38 Release Announcement

We are happy to announce the release of Firejail version 0.9.38 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The project went through an external security audit, and several SUID-related problems have been found. Please update your software. The release brings in a number of new features, program interface changes, new application profiles and bugfixes:

Continue reading

Firejail Target Practice: CVE-2016-0728

CVE-2016-0728 just came out. The vulnerability has been present in the kernel code since 2012, and it was discovered by Perception Point. Sample exploit code is available.

“It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine […]. Every Linux server needs to be patched as soon as the patch is out.” (Yevgeny Pats, cofounder and CEO of Perception Point)

A patch is already out, and a fix is available in Debian. Before “apt-get update && apt-get upgrade” let’s see what it is all about. I grab the sample code, compile it and try it out. The exploit program runs for a long time:

Continue reading

Firejail 0.9.34 Release Announcement

We are happy to announce the release of Firejail version 0.9.34 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release brings in default home directory whitelisting for Firefox and Chromium, a new seccomp-based security filter (--protocol), dual 32 bit/64 bit seccomp support, support for Skype, Steam and Wine, and a number of smaller features and bugfixes:

Continue reading

Firejail – A Security Sandbox for Mozilla Firefox, Part 3

In August, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to a server in Ukraine.

I am proud to say Firejail users were protected! The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home, while more advanced configurations blocked everything else.

The main focus of the Firejail project is GUI application sandboxing, with web browsers being one of the main targets. I will describe some of the new features available in Firejail, and how to use them to sandbox a web browser such as Mozilla Firefox.

A short note before we start. By default, the Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in the Firejail sandbox.

Continue reading