Using firejail as security sandbox for your programs

[Pjotr]

Maybe a tip for your tutorial: Firejail can also be downloaded from the Ubuntu Universe repo, like this:
http://archive.ubuntu.com/ubuntu/pool/u ... /firejail/

It just feels better to get a .deb installer from an official Ubuntu repo, instead of from Sourceforge.

[xenopeek]

SourceForge has a new owner, that is taking actions to rebuild community trust (doing away with the bundle installers): https://sourceforge.net/blog/sourceforg ... ure-plans/. In any case, firejail downloads from SourceForge were never an issue but use whatever works for you. It's temporary anyway as with Linux Mint 18 it will be in the repositories.

[majpooper]

I have a few puzzling behaviors -although chrome seems to be working OK I get this output.
(64bit 17.3 Cinnamon)

majpooper@1150z ~ $ firejail google-chrome
Reading profile /etc/firejail/google-chrome.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 3675, child pid 3676

Child process initialized
[2:2:0214/203300:ERROR:logging.h(808)] Failed to call method: org.freedesktop.DBus.ObjectManager.GetManagedObjects: object_path= /: org.freedesktop.DBus.Error.UnknownMethod: Method "GetManagedObjects" with signature "" on interface "org.freedesktop.DBus.ObjectManager" doesn't exist

libGL error: open uki failed (Operation not permitted)
libGL error: reverting to (slow) indirect rendering
[2:2:0214/203300:ERROR:logging.h(808)] Failed to call method: org.freedesktop.DBus.ObjectManager.GetManagedObjects: object_path= /: org.freedesktop.DBus.Error.UnknownMethod: Method "GetManagedObjects" with signature "" on interface "org.freedesktop.DBus.ObjectManager" doesn't exist

On my wife's PC also 64 bit 17.3 Cinnamon
Launched from Firetools
fluffy@HP700 ~ $ firejail --list
3562:fluffy:firejail firefox

Lauched from desktop
fluffy@HP700 ~ $ firejail --list
3345:fluffy:firejail --seccomp --debug firefox

[majpooper]

I also have one question

Is there a way to the CL cmd
$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox -no-remote
into the .profile ? in /etc/firejail? Will it work from the menu editor? I would like to make it persistent and not have to launch from the terminal every time I go online for banking.

[xenopeek]

That's covered in the Usage section of the tutorial. Mind that this is a tutorial and support questions should be asked in the support forums.

[RonC]

Maybe a tip for your tutorial: Firejail can also be downloaded from the Ubuntu Universe repo, like this:
http://archive.ubuntu.com/ubuntu/pool/u ... /firejail/

This must be a 'noob' question ... because otherwise, it would have been posted here.
But, what's the reason this was not mentioned?

• To enable universe repository,
  sudo add-apt-repository universe

This comes from Ask Ubuntu.

[xenopeek]

1) the Universe repository is enabled by default on Linux Mint
2) Linux Mint 17.x are based on Ubuntu 14.04 "trusty", which doesn't have firejail in its repositories

As I noted somewhere, Linux Mint 18 will have firejail in its repositories (Ubuntu added it to its repositories from 15.10) so you will be able to install it through Software Manager on that.

If you prefer to download the .deb file from Ubuntu and use that on Linux Mint go ahead. I take it they repackaged it; the .debian.tar.xz didn't look to have any significant difference from the official firejail source. I didn't mention this because, why? There is an official .deb file that you can download so why bother with the Ubuntu one. There is no benefit; unlike with LMDE 2 where you can add the Debian testing repo to install firejail, using the Ubuntu .deb file doesn't provide you with automatic updates. You'll still have to manually download updates. So why not just use the official package.

[RonC]

... sing the Ubuntu .deb file [from that repo?] doesn't provide you with automatic updates. You'll still have to manually download updates. So why not just use the official package.

Thanks, you guessed why I was asking about adding the repo. I thought doing it this way would give me automatic updates, and you're right, if it doesn't, then there would be no advantage.

Actually, I don't see the Universe repo, when looking at 'Additional Repositories' in synaptic, on my installation. I assume that's where it would be, if it were there? I take your word that it should be there, however, and I'm likely to blame for losing it during a misguided cleaning attempt, in the past.

[majpooper]

I been playing with firejail and found a few nuances. And before I get lectured - I have read the tutorial (several times) and have read the man pages (several times). One thing is if you edit the menu with the firejail command that will make it persistent which is great but it won't effect an already existing shortcut say like on your desktop. The solution for me was to delete the shortcut and remake it from the menu after editing the command. In hind sight I guess that is an obvious behavior but it was puzzling at first.

The other thing that is not clear to me is blacklist/whitelist. I understand the concept well enough - I even worked with it extensively on another platform in another life actually. I just cannot see how to toggle that I want to blacklist everything as the default or whitelist everything by default so that I can blacklist/whitelist the exceptions. I see profiles with a line that starts with "noblacklist" then further down specific whitelist paths this does not seem intuitive - why would I have to whitelist anything if there are noblacklist. On the other hand I see profiles that just show specific "blacklist" paths - so by default everything is whitelisted? And the opposite - profiles where only specific "whitelist" paths are defined. Does just by simply defining one specific whitelist/blacklist path render by default everything else the opposite? - then why the noblacklist? I get the include disable profiles with the habitual blacklists even the whitelist common profile. I just have not figured out how to whitelist/blacklist everything and be sure I am setting only the exceptions.

If none of this makes sense - no problem - I will figure it out eventually.

[xenopeek]

whitelist
- by default everything in your home directory is visible to the sandbox
- whitelist makes only the specific paths you whitelist visible to the sandbox; any files or directories created in your home directory outside of those paths are discarded after the sandbox closes
- whitelist is thus a way to say "dear program X, you can see and modify this part of my home directory, but everything else in my home direcotry I'll keep secret and if you write anything there I'll just toss it away once you are done"

blacklist
- makes the given path inaccessible; it can't be read from or written to (if it's a directory you can't see its content)
- has no relation to whitelist

noblacklist
- the default profiles use include (.inc) files with default blacklist rules
- for some programs you may need to make an exception to those defaults, which is what noblacklist does—disable blacklisting of a specific path

[RonC]

Anyone following this thread may be interested in an exchange with the Firejail developer, and colleagues, about whether it could sandbox files in a volume that's not of the Extn filesystem. The answer is yes, it can.

Details are in the linked thread, as to the reason for the question.

[majpooper]

If I put "blacklist /media" in my firefox.profile will this ensure there is no access to any thumbdrives that happen to be in a USB port?

[xenopeek]

If that is where your thumbdrives are mounted, then yes blacklist would prefer access to it.

[majpooper]

THX X - I have been playing with firejail - I guess it is as much a toy as a tool - probably not quite the right way to put it but I enjoy tinkering with it.

One more question - if I install DNScrypt would it be OK to edit the fairjail command to dns=127.0.0.2 or should I just remove it?

[majpooper]

I tested DNScrypt with firejail dns=8.8.8.8 firejail dns=8.8.8.8 will override DNScrypt
DNScrypt works fine when firejail dn=8.8.8.8 is removed
I tried dns=127.0.0.2 and dns=176.56.237.171 but they fail to even launch the browser.

I was trying to get the combined benefits of both firejail and DNScrypt with out going through a VPN

[majpooper]

Not sure what I was doing wrong but dns=127.0.0.2 command does in fact work in firejail and gets me to the DNScrypt servers.

[Kurt3162]

Linux Mint 18 will have firejail in its repositories

One year later, can somebody tell me which version of firejail one can actually find in the Mint 18 repositories? The current one (0.9.44.8)? The LTS one (0.9.38.10)? A different one?

(Looking for reasons to upgrade my Mint...)

[Pjotr]

Linux Mint 18 will have firejail in its repositories

One year later, can somebody tell me which version of firejail one can actually find in the Mint 18 repositories? The current one (0.9.44.? The LTS one (0.9.38.10)? A different one?

(Looking for reasons to upgrade my Mint...)

Currently 0.9.38-1ubuntu0.1, which is essentially 0.9.38.1 with some added cherry-picked security fixes from later versions.

However, the process for getting the latest of the upstream Firejail LTS branch (0.9.38.10) into the official Ubuntu repo's for 16.04 Xenial (and therefore for Mint 18.x), has started:
https://bugs.launchpad.net/ubuntu/xenia ... ug/1658824

It'll probably be a matter of days before the SRU Verification team of Ubuntu, will release 0.9.38.10 for Xenial (and Mint 18.x): the micro release has already been committed and verified.

[xdicey]

I've been following the latest posts re firejail just to make sure my 17.2 Cinnamon is up to date.
So,

Code: Select all

firejail --version

shows me this

Code: Select all

firejail version 0.9.38

Firetools is

Code: Select all

Firetools version 0.9.30

Synaptic Mgr shows me this

Code: Select all

firejail installed 0.9.38-1

for both installed and latest version. Firetools is 0.9.30-1, both installed and latest.

Since they have to be manually installed, which have I really got installed or, are they the same but the CL just didn't show the .10? Is my FJ quite up to date then?

thanks

[Pjotr]

I've been following the latest posts re firejail just to make sure my 17.2 Cinnamon is up to date.

Since they have to be manually installed, which have I really got installed or, are they the same but the CL just didn't show the .10? Is my FJ quite up to date then?

No. Firejail isn't in the repo's for Mint 17.x (Ubuntu 14.04), and never will be.... In Mint 17.x you have to install Firejail manually, and keep it updated manually as well.