Using firejail as security sandbox for your programs

[xenopeek]

This tutorial is outdated. Please go to viewtopic.php?f=42&t=240157 instead.

[ Split from original support question here: http://forums.linuxmint.com/viewtopic.php?f=47&t=202257 ]

Setting up firejail is relatively easy, and the included default profiles thoroughly enhance security for the programs they are for. You can configure firejail for further needs and for additional programs. How complex you want to make it is up to you. I'll provide an overview below first of how to install it and how to use the default profiles. Then if you want it you can look in to fine-tuning the default profiles or writing your own profile files.

While there are a lot of options for fine-tuning and writing your own profiles, I'll try and show you foremost the possibilities that I think will be of common interest to those that want to take firejail further. But again, the default profiles already boost your security so there is no need to go here unless you want to.

The website best summarizes what firejail does:

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To start the sandbox, prefix your command with “firejail”.

Installation
Whether you are using Linux Mint 17.x or LMDE 2 the installation of firejail is as easy as:

• Download and save to disk the firetools .deb file for your architecture (32 bit or 64 bit) from the website: http://sourceforge.net/projects/firejai ... /firejail/. If you also want the GUI firetools program find that here (firetools will give you a menu window from which to launch applications for which it has a profile): http://sourceforge.net/projects/firejai ... firetools/.
• Double-click the downloaded file in your file manager to launch the installer. It should install without problems.

If you're using LMDE 2 you can also find firejail in the Debian testing and unstable repositories. So if you have either configured on your system (or if you add it remember to also add the testing security repository and set the pin-priority for testing and unstable lower than 500—tutorial here) you can just install it from there.

Usage
Firejail comes with a bunch of default profiles for common programs that are either Internet connected or run untrusted code on your computer. You can find the default profiles in /etc/firejail. To start a program using one of these profiles just prefix the command with "firejail". So for example to start Firefox with the default firejail profile run the command "firejail firefox" (close running Firefox first). Even if you start a program with firejail for which there is no profile defined, it will get some default confinement (see at the end of this comment for the defaults).

Now this isn't very convenient so you'll want to customize the menu launcher for applications you want to run with firejail. AFAIK on all Linux Mint editions you can right-click on the menu button and from one of the options in the context menu go to the menu editor. There you can edit the command associated with a menu launcher. Just prefix the command with "firejail ".

You can also manually copy the .desktop file for the application you want to run with firejail from /usr/share/applications to ~/.local/share/applications and edit the copied file (this is what the menu editor also does). Replace the "Exec=" line to start with "Exec=firejail ". We can also do this in one go for all installed applications for which there is a default firejail profile with this one command:

Code: Select all

mkdir -p ~/.local/share/applications; for profile in $(basename -s .profile /etc/firejail/*.profile); do if [[ -f /usr/share/applications/$profile.desktop ]]; then sed -r 's/^(Exec=)/\1firejail /' /usr/share/applications/$profile.desktop > ~/.local/share/applications/$profile.desktop; echo $profile configured to run in firejail; fi; done

You can see which applications are running in a sandbox provided by firejail with this command (in case you want to check you set things up correctly):

Code: Select all

firejail --list

A more verbose listing, showing also sub-processes running in the sandbox, is with:

Code: Select all

firejail --tree

Fine-tuning default profiles
I would recommend you don't edit the profiles in /etc/firejail as these will be overwritten when you install another version of firejail. If you have one or two options you want to add for a program you can just add them as command line parameters to firejail. So for example say you want to blacklist your /backups directory, you would start firefox as: "firejail --blacklist=/backups -- firefox". (The -- before the firefox command signals the end of options for firejail.) This would use the default firefox profile but with this additional parameter.

You can find parameters you can use in the firejail manpage ("man firejail"). You don't need to add parameters for your program to already benefit from additional security. If you have certain additional needs this can be a quick and easy way to tailor the default profiles.

Some common parameters you might have a need for to add:

• --blacklist=dirname_or_filename — makes the directory or file inaccessible
• --cpu=cpu-number,cpu-number,cpu-number — sets which CPU cores the program will be able to use
• --net=none — deny the program network access
• --private — gives the program a private copy of your home directory that is discarded after the program closes
• --private=directory — use the given directory as the home directory for the program, it is not discarded after the program closes
• --tmpfs=dirname — gives the program an empty directory for the given directory that is discarded after the program closes

Finally, what can be handy for testing is that you can join a running sandbox. For this you have to use the parameter "--name=name" for starting the sandbox. For example "firejail --name=mybrowser firefox". To join the sandbox where Firefox is running you enter "firejail --join=mybrowser". This will give you a bash session where you can test containmentis as you want it easily (type exit to leave).

Custom profiles / understanding default profiles
You might want to write your own profiles for further customization of the default profiles or to add profiles for other applications. Custom profiles you can store in ~/.config/firejail. You can find information on the available settings in the firejail-profile manpage ("man firejail-profile").

If you want to understand the default profiles that information is also very useful.

Let's look at Firefox's default profile as an example (/etc/firejail/firefox.profile):

Code: Select all

# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
whitelist ${DOWNLOADS}
whitelist ~/.mozilla
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
include /etc/firejail/whitelist-common.inc

You see lines starting with a hash (#) are comments. At first this profile includes four other files, and at the end it includes another file. You can look into these on your own but to summarize:

• disable-mgmt.inc — makes inaccessible system management commands (/sbin and /usr/sbin directories, and a couple of commands)
• disable-secret.inc — makes inaccessible secret files in your home directory (SSH keys, Gnome and KDE keyrings, GPG keys, etc.)
• disable-common.inc — makes inaccessible files from other browsers, with the above "noblacklist ${HOME}/.mozilla" line ensuring the files for Firefox aren't made inaccessible (=blacklisted).
  disable-devel.inc — makes inaccessible development commands (like compilers, debug tools, scripting tools, and so on)
  whitelist-common.inc — make accessible common files and directories that most graphical programs will need

The "caps.drop all" line blocks all so called "Linux capabilities". Linux caps are a fine-grained control over superuser permissions, so that instead of giving a program all superuser permissions it can be given it just for those type of actions it needs. But we don't want Firefox to have any option to have superuser permission so it is blocked.

The "seccomp" line enables a filter for which system calls the program can make. Better explained on the firejail blog: https://l3net.wordpress.com/2015/04/13/ ... omp-guide/. The "protocol" line further tailors the system call filter for networking.

The "netfilter" is there so a default network filter is enabled for if you set up a new network namespace.

The "tracelog" line makes it so any violations where the program tries to access blacklisted files or directories will be logged in /var/log/syslog.

The "noroot" line disables the root user in the sandbox.

The "whitelist" lines that follow make accessible files and directories that would be used by Firefox. The modifications to whitelisted files and directories are persistent, everything else written to your home directory is discarded when the sandbox is closed.

On top of this also the defaults apply:

The sandbox consists of a chroot filesystem build in a new mount namespace, and new PID [can't see processes running outside the sandbox] and UTS [can have its own hostname] namespaces. The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. Only /home and /tmp and directories are writeable [unless overruled with whitelist, blacklist, tmpfs, or private settings].

[Frustrated Fred]

Cheers, xenopeek. To be quite honest the installation seems simple, setting it up and using it on the other hand, not so much! I will see if I can work this.

[niubboxp]

hi all, thanks for this post, i've installed firejail and firejail tools, i see in the website screenshot the tx and rx data, but with my firefox i see no data transmission if i surf on the web, how can i know if doese it work properly or not?

[xenopeek]

I've not used firetools and don't so why I would. You probably didn't set up a new network namespace? As the monitoring section of the manpage tells, network statistics are only available for sandboxes using a new network namespace. You can display network statistics for such sandboxes also with the command:

Code: Select all

firejail --netstats

If you didn't set up a new network namespace you'd use regular tools to track network statistics of your system (iftop, nethogs, and so on http://www.binarytides.com/linux-comman ... r-network/).

Assuming you have started Firefox manually with firejail or configured your menu launcher for it, you can run this command on the terminal to list all current programs run in a firejail sandbox:

Code: Select all

firejail --list

Is Firefox listed there? That's confirmation. If you want to join the sandbox in which Firefox is run, for example to test out you can indeed not access certain directories you blacklisted, then you take the number at the beginning of the line (the process identifier or PID for short) and run this command where you replace PID with that number:

Code: Select all

firejail --join=PID

You now have a bash session in the sandbox where Firefox is also running. For example run the command "ps -e" to list all processes running in this sandbox. Type "exit" to leave the sandbox.

[niubboxp]

thanks for the answer, when i do firejail --list i will see firefox inside so i think is running properly
now, i'm noob, so for the other stuff i have some questions

1) with default setting on firejail, what firefox cant do? i mean, the reason i wanna use it, is for avoid malware and rootkit do be downloaded in my system, skipping all "java and company" problems, but i'd like also be safe for the rest of my HD, i'd like to avoid any kind of damage, with firefox i just wanna browse and download files, not modify data and system files, i'm ok with default profile or i should so something else for improve my security?

2) doing firejail --netstats i see nothing, so maybe i should set something, for make it works, i've tryed nethogs and work itself but doesent change anything inside the firejail statistics, can i do something about that or is better forget it and use the external tool in "stand alone mode"

3) " firejail --join=PID


You now have a bash session in the sandbox where Firefox is also running. For example run the command "ps -e" to list all processes running in this sandbox. Type "exit" to leave the sandbox."

i didnt understood what i do with this commands

4) if i launch firejail with amule, and i dont have any configuration files for this program, what does happen? i'm still protected or not? i see it in the list with firefox

thanks for help

[xenopeek]

1) The default Firefox profile does several things:

• It disables several ways through which Firefox might gain root privileges;
• It even makes it so the root account does not even exist in the sandbox;
• It makes the firejail profiles inaccessible;
• It makes system binary directories and several system binaries on any directory in your path inaccessible;
• It makes secret keys (session keyrings, GnuPG keys, SSH keys, etc.) inaccessible;
• It makes your user files of other web browsers, FTP clients, and chat programs inaccessible;
• It makes your console history files inaccessible (history from bash, less, etc.);
• Firefox can't see other processes on your system;
• Firefox can only write files to /home, /tmp and /var directories (if it has permission there) and all other directories are immutable.

This makes it a lot less likely that malicious code run in Firefox (JavaScript, Java, Flash, etc.) would be able to gain root access on your system or would be able to access files it shouldn't.

With the default profile it could still access files in your Documents and Pictures folders for example. Can be remedied in several ways (using for example --blacklist, --whitelist, --private, or --private-home options; whichever suits your needs best). Whether the default profile is enough for you only you can decide. Let's put it this way, using the default profile is a whole lot better than not using a security sandbox

2) Like I said, you'd have to set up a new network namespace if you want to use firejail or firetools to monitor network statistics. See the --net= options. I'd just use commands like nethogs and others I linked to for monitoring network statistics.

3) firejail sets up a sandbox for the command you call it with. So "firejail firefox" sets up a sandbox and runs Firefox in it. Each time you run firejail it creates a new sandbox. if you want, you can add programs to run in an existing sandbox. If you run firejail without giving a command it will default to run bash, the default command interpreter (aka shell) also run when you open a terminal. With the "firejail --join=PID" option you can, if you will, "log in" to a running sandbox and get a shell there. This can be useful for testing. If you're not comfortable on the command line, forget it

4) Certainly. It would use the generic profile. That does exactly the same thing as the Firefox profile discussed under answer 1. The only difference is that the Firefox profile permits access to your user files for Firefox (~/.mozilla directory) while the generic profile doesn't.

The profiles are stored in /etc/firejail and are short and I'd say pretty readable. See the firejail manpage for all the options available with the firejail command. See the firejail-profile manpage for documentation on the profile files. In case you're not comfortable reading manpages on the terminal here are web links:
https://firejail.wordpress.com/features-3/man-firejail/
https://firejail.wordpress.com/features-3/man-firejail-profile/

[niubboxp]

Thank you very much for the reply, just a last question

With general profile if i run a sandboxed amule or tixati i have all my personal setting so i think they can read my home, is ok or something is wrong?

[xenopeek]

With the general profile programs can (if permitted; Linux file system permissions are also in effect) indeed read all files on your system except those that are blacklisted. From the list under 1) in my previous comment, in your home directory only these three are blacklisted:

It makes secret keys (session keyrings, GnuPG keys, SSH keys, etc.) inaccessible;
It makes your user files of other web browsers, FTP clients, and chat programs inaccessible;
It makes your console history files inaccessible (history from bash, less, etc.);

All other files in your home directory are visible unless you create a custom profile to further blacklist directories or add that as an option to the launcher command.

[niubboxp]

maybe i'm a bit paranoic, but i'd like to setup firefox and p2p program to be able to read and write only their data (.firefox .amule) and their temp and download folder (i've changed the default with an external hd), how can i do that? there is a bilion of code to write in the profile or is easy/something to copy paste (remember i'm a noob :p)

[xenopeek]

Step 1) Create the directory ~/.config/firejail if it doesn't exist yet. Either with your file manager or with the command:

Code: Select all

mkdir -pv ~/.config/firejail

Step 2) Let's use Firefox for this example. Create a new profile file in ~/.config/firejail called firefox.profile. Assuming Cinnamon you can create and edit the file with this command:

Code: Select all

gedit ~/.config/firejail/firefox.profile

Step 3) As the first line put this in the file to include the default Firefox profile:

Code: Select all

include /etc/firejail/firefox.profile

Step 4) Add lines afterwards for what else you want to have for this profile. For example let's blacklist your Desktop, Documents, Music, Pictures, Public, Templates, and Videos directories:

Code: Select all

blacklist ${HOME}/Desktop
blacklist ${HOME}/Documents
blacklist ${HOME}/Music
blacklist ${HOME}/Pictures
blacklist ${HOME}/Public
blacklist ${HOME}/Templates
blacklist ${HOME}/Videos

Step 5) Save and close the file. Done. To test all works as expected run "firejail firefox" command and as first two lines you should see:

Code: Select all

Reading profile /home/username/.config/firejail/firefox.profile
Reading profile /etc/firejail/firefox.profile

Repeat for other programs, creating a <name>.profile file where <name> should be the exact name of the command to start the program. For programs that don't have a default profile include /etc/firejail/generic.profile instead.

This uses blacklisting, forbidding access only to specified directories and files. Notable this doesn't forbid access to ~/.cache, ~/.config, and ~/.local directories (or any other hidden directories and files not blacklisted by the default profile—secret keys and selected directories of web browser, FTP clients, and chat programs are blacklisted by the default profile).

The alternative with the current version of firejail is whitelisting, where you specify which directories and files from your home directory should be accessible and anything not specified is inaccessible. You can't get away with the "i'm a noob" excuse if you want to use whitelisting For whitelisting you will need to know exactly which directories your program will need to have access to or else it won't work right. I'd use strace for that, to find out what directories a program accesses but this isn't noob territory. If you want to be even more thorough with firejail you'll have to dig in and get out of noob mode.

[niubboxp]

yes it works ^^

i'd like to get out from noob mode

so i'd like to deny all except my withelist

could u pls make the same guide u done before, but with the whitelist method? everything will be the same like u write because extension, firefox data are the same for everyone, with exeption of "download" folder where firefox will download the files

with this way i will feel really safe, and i can do some try, downloading stuff in another folder wich isnt inside the whitelist, it should be denied right? and if everything works good i can also try to do something like that, using your model also with other programs like amule

[xenopeek]

You can't escape having to delve into this yourself as it is specific to each application (or even extension for Firefox) and your system. It is a bunch of work to get right and certainly more involved and time consuming than making a blacklist profile.

To give you an example of what you'll have to work with, close all Firefox windows and then start Firefox as follows from the terminal:

Code: Select all

strace firefox |& grep '^open("/home/' | grep -v '= -1 ENOENT ' | sed 's/^open("\/home\/[^/]*\///' | sed 's/".*$//' | sort | uniq > firefox.log

(This command will do a system call trace on Firefox, collect all the info about Firefox opening files in your home directory [might not 100% complete to which files Firefox needs access to, as Firefox also uses stat calls and mkdir for example], exclude those lines where Firefox tried to open a file that doesn't exist, and finally use sed twice to cut the text from the lines except the file path and then sort the list of file paths and report only the unique ones to you and save the output in firefox.log.)

After Firefox starts do some things you would normally do like download something to where you want to be able to download. Then close Firefox and you'll find the file firefox.log has been created which contains a log of all the file paths that Firefox tried to open from your home directory. You'll have to go through that list and build a whitelist profile that makes all the file paths available to Firefox. For example in your ~/.config/firejail/firefox.profile file you'd obviously put:

Code: Select all

whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads

But the list of file paths to whitelist will be longer.

[xenopeek]

Several posts about problems to follow the above moved to viewtopic.php?f=47&t=205215. This is a tutorial forum, not a support forum.

[killer de bug]

[*]Firefox can only write files to /home, /tmp and /var directories (if it has permission there) and all other directories are immutable.

Firejail 0.9.34 is installed on my system since yesterday. Update from 0.9.32.
I got a very strange surprise this afternoon. I downloaded a pdf file this afternoon from Firefox and was unable to find it in the download folder. A few seconds before, I printed a booking confirmation and was unable to find the pdf in my home folder. I had never seen this issue in the past.

Browsing the web, I discovered that Firejail is now blacklisting my home folder. By default version 0.9.34 use a specific non permanent home folder. It's like if the private mode is always on!


I reverted to the previous version of firejail. This is way to aggressive for me. I have not been able to find a command that whitelist my entire home folder and I don't want to give a clearance for every single folder.

[xenopeek]

Correct. If you look at the file /etc/firejail/firefox.profile you'll see what directories specifically are whitelisted in your home directory. Anything not whitelisted is mounted to the sandbox as empty directories and files written there disappear after closing the sandbox.

Code: Select all

whitelist ~/.mozilla
whitelist ~/Downloads
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.gtkrc-2.0
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl

# common
whitelist ~/.fonts
whitelist ~/.fonts.d
whitelist ~/.fontconfig
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d

In short, your Downloads directory is the only one where you can save files.

If you want to revert to the old behavior, copy the file /etc/firejail/firefox.profile to ~/.config/firejail/ and edit it to remove all the lines with "whitelist".

firejail is moving quickly feature-wise. I'll write a new tutorial in a while.

[killer de bug]

Hi xenopeek,

I was more or less expecting this. Seems that as soon as you whitelist a folder, you need to do it for every folders you want to be able to access.
To be honest this new way of working with a small /home folder would be ok. But the default configuration is not working with non english systems. My download (Téléchargement) folder is not used with this config.

[xenopeek]

Aha! Well that sounds something worth to report an issue for (https://github.com/netblue30/firejail/issues). There are a couple of special directories, like for downloads, that can be found regardless of locale by interpreting the ~/.config/user-dirs.dirs file. Would be a useful addition if the default profiles could use that to whitelist the downloads directory for any language locale.

[killer de bug]

I have reported this bug and mentioned the ~/.config/user-dirs.dirs trick.
https://github.com/netblue30/firejail/issues/155

Thanks for your help.

[killer de bug]

It seems that it was fixed: https://github.com/netblue30/firejail/c ... 2c0e1e9493

[leadwtZ]

Hi,

Just out of interest I installed firejail and firetools and everything started up first time no problem. However 2nd time around neither Firefox nor Thunderbird would start. No problems with Pale Moon and other items which appeared by default in the firetools 'menu'.

Thanks to the tutorials produced by xenopeek I found that inserting '--noprofile' sorted the issue. i.e 'firejail --noprofile firefox'.

Nothing else yet causing me to go "Doh!"