Using firejail as security sandbox for your programs

Write tutorials here
There are more tutorials here http://community.linuxmint.com/tutorial/welcome
Forum rules
Please don't add support questions to tutorials,start your own thread in the appropriate sub-forum instead. Before you post please read this
User avatar
Pjotr
Level 17
Level 17
Posts: 7656
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Using firejail as security sandbox for your programs

Postby Pjotr » Sun Feb 14, 2016 1:31 pm

Maybe a tip for your tutorial: Firejail can also be downloaded from the Ubuntu Universe repo, like this:
http://archive.ubuntu.com/ubuntu/pool/u ... /firejail/

It just feels better to get a .deb installer from an official Ubuntu repo, instead of from Sourceforge. :)
Tip: 10 things to do after installing Linux Mint 18.1 Serena
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
xenopeek
Level 24
Level 24
Posts: 20512
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Using firejail as security sandbox for your programs

Postby xenopeek » Sun Feb 14, 2016 4:23 pm

SourceForge has a new owner, that is taking actions to rebuild community trust (doing away with the bundle installers): https://sourceforge.net/blog/sourceforg ... ure-plans/. In any case, firejail downloads from SourceForge were never an issue but use whatever works for you. It's temporary anyway as with Linux Mint 18 it will be in the repositories.
Image

User avatar
majpooper
Level 4
Level 4
Posts: 267
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Using firejail as security sandbox for your programs

Postby majpooper » Sun Feb 14, 2016 9:58 pm

I have a few puzzling behaviors -although chrome seems to be working OK I get this output.
(64bit 17.3 Cinnamon)

majpooper@1150z ~ $ firejail google-chrome
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 3675, child pid 3676

Child process initialized
[2:2:0214/203300:ERROR:logging.h(808)] Failed to call method: org.freedesktop.DBus.ObjectManager.GetManagedObjects: object_path= /: org.freedesktop.DBus.Error.UnknownMethod: Method "GetManagedObjects" with signature "" on interface "org.freedesktop.DBus.ObjectManager" doesn't exist

libGL error: open uki failed (Operation not permitted)
libGL error: reverting to (slow) indirect rendering
[2:2:0214/203300:ERROR:logging.h(808)] Failed to call method: org.freedesktop.DBus.ObjectManager.GetManagedObjects: object_path= /: org.freedesktop.DBus.Error.UnknownMethod: Method "GetManagedObjects" with signature "" on interface "org.freedesktop.DBus.ObjectManager" doesn't exist

On my wife's PC also 64 bit 17.3 Cinnamon
Launched from Firetools
fluffy@HP700 ~ $ firejail --list
3562:fluffy:firejail firefox

Lauched from desktop
fluffy@HP700 ~ $ firejail --list
3345:fluffy:firejail --seccomp --debug firefox

User avatar
majpooper
Level 4
Level 4
Posts: 267
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Using firejail as security sandbox for your programs

Postby majpooper » Sun Feb 14, 2016 10:05 pm

I also have one question

Is there a way to the CL cmd
$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox -no-remote
into the .profile ? in /etc/firejail? Will it work from the menu editor? I would like to make it persistent and not have to launch from the terminal every time I go online for banking.

User avatar
xenopeek
Level 24
Level 24
Posts: 20512
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Using firejail as security sandbox for your programs

Postby xenopeek » Mon Feb 15, 2016 2:23 am

That's covered in the Usage section of the tutorial. Mind that this is a tutorial and support questions should be asked in the support forums.
Image

RonC
Level 4
Level 4
Posts: 217
Joined: Mon Mar 19, 2012 8:21 pm
Location: Funchal

Re: Using firejail as security sandbox for your programs

Postby RonC » Thu Feb 18, 2016 4:05 pm

Pjotr wrote:Maybe a tip for your tutorial: Firejail can also be downloaded from the Ubuntu Universe repo, like this:
http://archive.ubuntu.com/ubuntu/pool/u ... /firejail/

:? This must be a 'noob' question ... because otherwise, it would have been posted here.
But, what's the reason this was not mentioned?

    To enable universe repository,
    sudo add-apt-repository universe
This comes from Ask Ubuntu.
LinuxMint 17.3 Rosa / KDE (32-bit), and
Linuxmint 18.0 Sarah /KDE (32-bit)

User avatar
xenopeek
Level 24
Level 24
Posts: 20512
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Using firejail as security sandbox for your programs

Postby xenopeek » Thu Feb 18, 2016 4:30 pm

1) the Universe repository is enabled by default on Linux Mint
2) Linux Mint 17.x are based on Ubuntu 14.04 "trusty", which doesn't have firejail in its repositories

As I noted somewhere, Linux Mint 18 will have firejail in its repositories (Ubuntu added it to its repositories from 15.10) so you will be able to install it through Software Manager on that.

If you prefer to download the .deb file from Ubuntu and use that on Linux Mint go ahead. I take it they repackaged it; the .debian.tar.xz didn't look to have any significant difference from the official firejail source. I didn't mention this because, why? There is an official .deb file that you can download so why bother with the Ubuntu one. There is no benefit; unlike with LMDE 2 where you can add the Debian testing repo to install firejail, using the Ubuntu .deb file doesn't provide you with automatic updates. You'll still have to manually download updates. So why not just use the official package.
Image

RonC
Level 4
Level 4
Posts: 217
Joined: Mon Mar 19, 2012 8:21 pm
Location: Funchal

Re: Using firejail as security sandbox for your programs

Postby RonC » Thu Feb 18, 2016 7:36 pm

xenopeek wrote:... [U]sing the Ubuntu .deb file [from that repo?] doesn't provide you with automatic updates. You'll still have to manually download updates. So why not just use the official package.
Thanks, you guessed why I was asking about adding the repo. I thought doing it this way would give me automatic updates, and you're right, if it doesn't, then there would be no advantage.

Actually, I don't see the Universe repo, when looking at 'Additional Repositories' in synaptic, on my installation. I assume that's where it would be, if it were there? I take your word that it should be there, however, and I'm likely to blame for losing it during a misguided cleaning attempt, in the past.
LinuxMint 17.3 Rosa / KDE (32-bit), and
Linuxmint 18.0 Sarah /KDE (32-bit)

User avatar
majpooper
Level 4
Level 4
Posts: 267
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Using firejail as security sandbox for your programs

Postby majpooper » Thu Feb 18, 2016 11:28 pm

I been playing with firejail and found a few nuances. And before I get lectured - I have read the tutorial (several times) and have read the man pages (several times). One thing is if you edit the menu with the firejail command that will make it persistent which is great but it won't effect an already existing shortcut say like on your desktop. The solution for me was to delete the shortcut and remake it from the menu after editing the command. In hind sight I guess that is an obvious behavior but it was puzzling at first.

The other thing that is not clear to me is blacklist/whitelist. I understand the concept well enough - I even worked with it extensively on another platform in another life actually. I just cannot see how to toggle that I want to blacklist everything as the default or whitelist everything by default so that I can blacklist/whitelist the exceptions. I see profiles with a line that starts with "noblacklist" then further down specific whitelist paths this does not seem intuitive - why would I have to whitelist anything if there are noblacklist. On the other hand I see profiles that just show specific "blacklist" paths - so by default everything is whitelisted? And the opposite - profiles where only specific "whitelist" paths are defined. Does just by simply defining one specific whitelist/blacklist path render by default everything else the opposite? - then why the noblacklist? I get the include disable profiles with the habitual blacklists even the whitelist common profile. I just have not figured out how to whitelist/blacklist everything and be sure I am setting only the exceptions.

If none of this makes sense - no problem - I will figure it out eventually.

User avatar
xenopeek
Level 24
Level 24
Posts: 20512
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Using firejail as security sandbox for your programs

Postby xenopeek » Fri Feb 19, 2016 2:34 am

whitelist
- by default everything in your home directory is visible to the sandbox
- whitelist makes only the specific paths you whitelist visible to the sandbox; any files or directories created in your home directory outside of those paths are discarded after the sandbox closes
- whitelist is thus a way to say "dear program X, you can see and modify this part of my home directory, but everything else in my home direcotry I'll keep secret and if you write anything there I'll just toss it away once you are done"

blacklist
- makes the given path inaccessible; it can't be read from or written to (if it's a directory you can't see its content)
- has no relation to whitelist

noblacklist
- the default profiles use include (.inc) files with default blacklist rules
- for some programs you may need to make an exception to those defaults, which is what noblacklist does—disable blacklisting of a specific path
Image

RonC
Level 4
Level 4
Posts: 217
Joined: Mon Mar 19, 2012 8:21 pm
Location: Funchal

Re: Using firejail as security sandbox for your programs

Postby RonC » Sun Feb 28, 2016 8:20 pm

Anyone following this thread may be interested in an exchange with the Firejail developer, and colleagues, about whether it could sandbox files in a volume that's not of the Extn filesystem. The answer is yes, it can.

Details are in the linked thread, as to the reason for the question.
LinuxMint 17.3 Rosa / KDE (32-bit), and
Linuxmint 18.0 Sarah /KDE (32-bit)

User avatar
majpooper
Level 4
Level 4
Posts: 267
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Using firejail as security sandbox for your programs

Postby majpooper » Sat Apr 16, 2016 7:16 pm

If I put "blacklist /media" in my firefox.profile will this ensure there is no access to any thumbdrives that happen to be in a USB port?

User avatar
xenopeek
Level 24
Level 24
Posts: 20512
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Using firejail as security sandbox for your programs

Postby xenopeek » Sun Apr 17, 2016 2:59 am

If that is where your thumbdrives are mounted, then yes blacklist would prefer access to it.
Image

User avatar
majpooper
Level 4
Level 4
Posts: 267
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Using firejail as security sandbox for your programs

Postby majpooper » Mon Apr 18, 2016 12:28 pm

THX X - I have been playing with firejail - I guess it is as much a toy as a tool - probably not quite the right way to put it but I enjoy tinkering with it.

One more question - if I install DNScrypt would it be OK to edit the fairjail command to dns=127.0.0.2 or should I just remove it?

User avatar
majpooper
Level 4
Level 4
Posts: 267
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Using firejail as security sandbox for your programs

Postby majpooper » Mon Apr 18, 2016 5:20 pm

I tested DNScrypt with firejail dns=8.8.8.8 firejail dns=8.8.8.8 will override DNScrypt
DNScrypt works fine when firejail dn=8.8.8.8 is removed
I tried dns=127.0.0.2 and dns=176.56.237.171 but they fail to even launch the browser.

I was trying to get the combined benefits of both firejail and DNScrypt with out going through a VPN

User avatar
majpooper
Level 4
Level 4
Posts: 267
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: Using firejail as security sandbox for your programs

Postby majpooper » Wed Apr 20, 2016 1:32 pm

Not sure what I was doing wrong but dns=127.0.0.2 command does in fact work in firejail and gets me to the DNScrypt servers.

Kurt3162
Level 3
Level 3
Posts: 171
Joined: Wed Apr 02, 2014 2:05 pm

Re: Using firejail as security sandbox for your programs

Postby Kurt3162 » Sun Jan 29, 2017 11:40 am

xenopeek wrote:Linux Mint 18 will have firejail in its repositories

One year later, can somebody tell me which version of firejail one can actually find in the Mint 18 repositories? The current one (0.9.44.8)? The LTS one (0.9.38.10)? A different one?

(Looking for reasons to upgrade my Mint...)

User avatar
Pjotr
Level 17
Level 17
Posts: 7656
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Using firejail as security sandbox for your programs

Postby Pjotr » Sun Jan 29, 2017 11:56 am

Kurt3162 wrote:
xenopeek wrote:Linux Mint 18 will have firejail in its repositories

One year later, can somebody tell me which version of firejail one can actually find in the Mint 18 repositories? The current one (0.9.44.8)? The LTS one (0.9.38.10)? A different one?

(Looking for reasons to upgrade my Mint...)

Currently 0.9.38-1ubuntu0.1, which is essentially 0.9.38.1 with some added cherry-picked security fixes from later versions.

However, the process for getting the latest of the upstream Firejail LTS branch (0.9.38.10) into the official Ubuntu repo's for 16.04 Xenial (and therefore for Mint 18.x), has started:
https://bugs.launchpad.net/ubuntu/xenia ... ug/1658824

It'll probably be a matter of days before the SRU Verification team of Ubuntu, will release 0.9.38.10 for Xenial (and Mint 18.x): the micro release has already been committed and verified.
Tip: 10 things to do after installing Linux Mint 18.1 Serena
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

xdicey
Level 4
Level 4
Posts: 461
Joined: Wed Sep 16, 2015 2:42 pm

Re: Using firejail as security sandbox for your programs

Postby xdicey » Sun Jan 29, 2017 3:19 pm

I've been following the latest posts re firejail just to make sure my 17.2 Cinnamon is up to date.
So,

Code: Select all

firejail --version
shows me this

Code: Select all

firejail version 0.9.38
Firetools is

Code: Select all

Firetools version 0.9.30


Synaptic Mgr shows me this

Code: Select all

firejail installed 0.9.38-1
for both installed and latest version. Firetools is 0.9.30-1, both installed and latest.

Since they have to be manually installed, which have I really got installed or, are they the same but the CL just didn't show the .10? Is my FJ quite up to date then?

thanks
Rafaela Cinnamon 17.2, V 2.16, 64 bit, Kernel: 4.4.0-45
DELL Inspiron2350
-AIO TouchScreen
-QUAD CORE Intel Core i7-4700MQ CPU (-HT-MCP-) 2.40GHz x4
-12GB RAM, 1 TB SSHD
-Graphics Card: Intel 4th Gen Core Processor Integrated Graphics Controller

User avatar
Pjotr
Level 17
Level 17
Posts: 7656
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Using firejail as security sandbox for your programs

Postby Pjotr » Sun Jan 29, 2017 3:28 pm

xdicey wrote:I've been following the latest posts re firejail just to make sure my 17.2 Cinnamon is up to date.

Since they have to be manually installed, which have I really got installed or, are they the same but the CL just didn't show the .10? Is my FJ quite up to date then?

No. Firejail isn't in the repo's for Mint 17.x (Ubuntu 14.04), and never will be.... In Mint 17.x you have to install Firejail manually, and keep it updated manually as well.
Tip: 10 things to do after installing Linux Mint 18.1 Serena
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.


Return to “Tutorials”

Who is online

Users browsing this forum: No registered users and 2 guests