How to lock down Mint
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions use the other forums in the support section.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
How to lock down Mint
How to lock down mint with Apparmor and Firejail properly?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: How to lock down Mint (newlyminted7, Level 5, Posts: 558, Joined: Sat Jan 02, 2021 4:44 pm)
What I did:
- Installed it via Software Manager (I think). I might have installed the .deb file. Try from the Software Manager, and if it's not there, get it here and follow the instructions: https://firejail.wordpress.com/download-2/
- Once installed, you have to run sudo firecfg in a terminal.
- If some applications don't run after installing firejail, just delete their symlink in /usr/local/bin (this was very frustrating and took me a while to figure out how to fix it - still no idea why an application doesn't run, but at least I know how to fix it).
More info:
https://firejail.wordpress.com/2017/05/ ... ing-guide/
Have you looked into "UbuChk"?
Handy tool for helping to secure your system:
https://github.com/terminalforlife/Perl ... rce/ubuchk
It doesn't make any changes to your system, it just gives recommendations.
I think AppArmor is installed by default in Linux Mint? I'm not 100% sure, though, maybe someone else can confirm.
Some other useful security info:
https://easylinuxtipsproject.blogspot.c ... urity.html
Personally, I'd also highly advise OpenSnitch:
https://github.com/gustavo-iniguez-goya/opensnitch/wiki
https://github.com/evilsocket/opensnitch
I think they also (opensnitchd and opensnitch-ui) might be in the Software Manager, two packages, one is the UI.
You might also consider "masking" the geoclue service (removing it isn't enough since it gets reinstalled by other applications as a dependency).
https://medium.com/@codingmaths/service ... 265d9b2181
Code:
sudo systemctl disable geoclue.service
sudo systemctl mask geoclue.service
This service is used by applets like Weather and Redshift, when you can use a static file for both (Redshift calls geoclue to get your location from Mozilla's online location service almost every 10 mins or so... totally unnecessary imho). Applications like Gnome Maps use it to detect your location. But you probably know where you are. Right? Anyway, if you want this, leave it as is; if it is annoying, as I think it is, you can mask this service.
Which web browser do you use?
Re: How to lock down Mint
I am a bit reluctant to mess with OpenSnitch and UbuChk cause I'm not familiar with them and I need to do a little research first so I know what the heck I'm doing.
Does it support 32 bit systems?
Chromium is my main browser.
Yes, AppArmor has always been installed/enabled since I've been using Linux Mint.
Last edited by karlchen on Thu Apr 08, 2021 5:29 pm, edited 1 time in total.
Reason: full quote of post right above shortened
Re: How to lock down Mint (newlyminted7)
Not sure if they support 32 bit systems, sorry.
Great you're doing your research, more people should do just that!
As for your browser, have you looked into Ungoogled-Chromium? Worthy of some research. I use it.
Re: How to lock down Mint (dave0808)
If something doesn't run in firejail properly, you can run it from the command line to see what's being loaded / restricted etc. There's even a debug option for more verbose information. E.g.
Code:
firejail --debug --profile=keepassxc keepassxc
In many cases for me, it's simply that I don't necessarily store data files where the default profile assumes that I do. Within each of the supplied profiles (in /etc/firejail) they are set to look for and include a local file containing your personal tweaks. So for example, I have a file $HOME/.config/firejail/keepassxc.local which has a noblacklist directive for where I store the database file.
Re: How to lock down Mint (newlyminted7)
dave0808 wrote: Fri Apr 09, 2021 4:40 am
    If something doesn't run in firejail properly, you can run it from the command line to see what's being loaded / restricted etc. There's even a debug option for more verbose information. E.g.
    Code:
    firejail --debug --profile=keepassxc keepassxc
    In many cases for me, it's simply that I don't necessarily store data files where the default profile assumes that I do. Within each of the supplied profiles (in /etc/firejail) they are set to look for and include a local file containing your personal tweaks. So for example, I have a file $HOME/.config/firejail/keepassxc.local which has a noblacklist directive for where I store the database file.
Thanks for sharing this, dave0808, I did not know about this. What exactly does that noblacklist directive look like (the syntax) in a profile file, if I were to create one? What else do I need to put in the profile file? And if I wanted to re-create the symlink I deleted (KeepassXC was one of the ones I deleted because it wasn't working) do I just use ln -s or can I run fireconfig again? Thanks again.
Re: How to lock down Mint
newlyminted7 wrote: Tue Apr 06, 2021 12:41 am
    - Once installed, you have to run sudo firecfg in a terminal.
Actually not. Some tutorials recommend it, others don't. I wrestled with this and other stuff, especially editing profiles (actually adding overrides - don't edit the profiles cos they'll be overwritten when Firejail updates). At the end of it all I thought it might help to write a summary as a novice (corrections welcome) - or there's all the wrestling here and here.
Re: How to lock down Mint (newlyminted7)
I only suggested sudo firecfg because the devs suggest it. I see now why someone might not want to run it, though, thanks to your post, although that requires a bit more understanding (which many newbies may not have, such as myself).
Personally, I'd still advise newbies run sudo firecfg since it sandboxes more applications by default, and then educate them on how to remove the (few) symlinks to applications that have problems running - rather than expecting the user to set up all the symlinks themselves just to get firejail to work. Just my 2c, anyway.
I understand your perspective, though, and I think it's great information, I appreciate it and I learned from it, but to me, it's the "next level up" from installing firejail as a total newbie (like me).
Re: How to lock down Mint (dave0808)
newlyminted7 wrote: Fri Apr 09, 2021 2:41 pm
    Thanks for sharing this, dave0808, I did not know about this. What exactly does that noblacklist directive look like (the syntax) in a profile file, if I were to create one? What else do I need to put in the profile file? And if I wanted to re-create the symlink I deleted (KeepassXC was one of the ones I deleted because it wasn't working) do I just use ln -s or can I run fireconfig again? Thanks again.
I didn't use firecfg, so can't speak for re-running it. However it's trivial to recreate a symlink with the command that you highlighted. For example:
Code:
sudo ln -s /usr/bin/firejail /usr/local/bin/thunderbird
[The profile is] /etc/firejail/thunderbird.profile. If we look at that file we can see that there are a few comment lines, followed by an include thunderbird.local to pull in your local overrides. The rest can be of academic interest and you'll see the first line that isn't an 'include' is a 'noblacklist':
Code:
noblacklist ${HOME}/.cache/thunderbird
Code:
echo "noblacklist ${HOME}/my_share/images" >> ~/.config/firejail/thunderbird.local
Finally, you can always load a shell rather than the application in order to test your settings:
Code:
$ firejail --profile=thunderbird bash
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 8552, child pid 8553
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 88.64 ms
dave0808@home:~$ ls
Downloads
dave0808@home:~$ id
uid=1000(dave0808) gid=1000(dave0808) groups=1000(dave0808)
dave0808@home:~$ exit
Parent is shutting down, bye...
Re: How to lock down Mint (newlyminted7)
Thanks, dave0808, I'll look into doing this.
Re: How to lock down Mint
newlyminted7 wrote: Sat Apr 10, 2021 2:39 pm
    I only suggested sudo firecfg because the devs suggest it. I see now why someone might not want to run it, though, thanks to your post, although that requires a bit more understanding (which many newbies may not have, such as myself).
    Personally, I'd still advise newbies run sudo firecfg since it sandboxes more applications by default, and then educate them on how to remove the (few) symlinks to applications that have problems running - rather than expecting the user to set up all the symlinks themselves just to get firejail to work. Just my 2c, anyway.
    I understand your perspective, though, and I think it's great information, I appreciate it and I learned from it, but to me, it's the "next level up" from installing firejail as a total newbie (like me).
Just to clarify that even if you've not run sudo firecfg, you don't need to set up symlinks. The other route is to get the panel to always launch an application in a sandbox, eg. R-click Firefox Icon on Panel → Properties → General tab → R-click Firefox item → Edit → Command = 'firejail firefox %u' → Save → Close. (Though to be fair, I did have trouble applying the same approach to the Mint Menu launcher.) I got that from this tutorial.
So to my mind the non-firecfg approach is easy too. Probably it all depends whether you want most applications sandboxed (so sudo firecfg + removing a few symlinks sounds good) or only a couple of applications sandboxed (then the above works well). I took the approach of only sandboxing external-facing applications (Firefox and Thunderbird).
What I do think is 'next level up' – and as a novice took me a lot of work to figure out – was getting back as much as poss of the communication between applications, but still in a safe way. That was a load of stuff on overrides, whitelisting, blacklisting, no-blacklisting.
My 2p worth. I appreciate we all have different needs and preferences.
Re: How to lock down Mint
Editing the panel launcher only means that if another application invokes that program, it isn't run under firejail. For example, if there's a URL showing in a terminal window and you right click on that and choose the option to open the URL.
By setting up the symlinks in a higher priority path directory, it will nearly always get invoked under firejail. There is a potential edge case whereby some program could invoke firefox (for example) and use an absolute path. One would hope not, but stranger things have happened.
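As an added example (not code from this thread, from firecfg or from the Firejail project), here are a few POSIX sh helpers covering the three mechanics discussed in the posts above: the /usr/local/bin wrapper symlinks that firecfg creates and that you delete or recreate by hand, the PATH-order check behind the "higher priority path directory" point (a symlink only protects launches from other programs if it is found before the real binary), and the PROFILE.local override files that the stock profiles include. All paths are parameters, the demo at the end runs on a constructed temporary tree rather than a real system, and the profile name keepassxc and the directive noblacklist ${HOME}/Vaults are sample values chosen here.

```shell
#!/bin/sh
# Added example: helpers for firecfg-style wrapper symlinks (DIR/app -> firejail)
# and per-profile .local overrides. On a real Mint system the arguments would be
# /usr/local/bin, /usr/bin/firejail and "$HOME/.config/firejail"; the demo below
# uses a throwaway temp tree instead so it runs anywhere.

# Print the names of all symlinks in DIR that point at FIREJAIL_BIN.
# Usage: list_firejail_links DIR FIREJAIL_BIN
list_firejail_links() {
    for f in "$1"/*; do
        [ -L "$f" ] || continue
        [ "$(readlink "$f")" = "$2" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Create (or recreate) the wrapper symlink for APP, the way firecfg does;
# firejail picks the profile from the name it was invoked as.
# Usage: add_firejail_link DIR FIREJAIL_BIN APP
add_firejail_link() {
    ln -sfn "$2" "$1/$3"
}

# Remove APP's wrapper only if it really is a firejail symlink, so a genuine
# binary that happens to live in DIR is never deleted by mistake.
# Returns 0 if removed, 1 if DIR/APP is not a firejail wrapper.
# Usage: remove_firejail_link DIR FIREJAIL_BIN APP
remove_firejail_link() {
    if [ -L "$1/$3" ] && [ "$(readlink "$1/$3")" = "$2" ]; then
        rm "$1/$3"
        return 0
    fi
    return 1
}

# Walk PATH_VALUE left to right like the shell does and report whether the
# first executable named APP is a firejail wrapper (0) or something else (1).
# Usage: resolves_to_firejail PATH_VALUE FIREJAIL_BIN APP
resolves_to_firejail() {
    rest=$1:
    while [ -n "$rest" ]; do
        d=${rest%%:*}; rest=${rest#*:}
        [ -n "$d" ] && [ -x "$d/$3" ] || continue
        if [ -L "$d/$3" ] && [ "$(readlink "$d/$3")" = "$2" ]; then
            return 0
        fi
        return 1   # first hit is the plain binary: launches bypass the sandbox
    done
    return 1       # APP not found on PATH at all
}

# Append one directive to CONFIG_DIR/PROFILE.local, skipping exact duplicates.
# The stock profile does "include PROFILE.local", so this survives upgrades.
# Usage: add_local_directive CONFIG_DIR PROFILE 'noblacklist ${HOME}/Vaults'
add_local_directive() {
    mkdir -p "$1"
    touch "$1/$2.local"
    grep -qxF -- "$3" "$1/$2.local" || printf '%s\n' "$3" >> "$1/$2.local"
}

# Demo on a constructed temp tree standing in for /usr/bin and /usr/local/bin.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/usr/local/bin"
    for b in firejail thunderbird keepassxc; do   # fake binaries, constructed
        printf '#!/bin/sh\n' > "$t/usr/bin/$b"
        chmod +x "$t/usr/bin/$b"
    done
    fj=$t/usr/bin/firejail
    p="$t/usr/local/bin:$t/usr/bin"

    add_firejail_link "$t/usr/local/bin" "$fj" thunderbird
    add_firejail_link "$t/usr/local/bin" "$fj" keepassxc
    echo "wrapped: $(list_firejail_links "$t/usr/local/bin" "$fj" | tr '\n' ' ')"

    # keepassxc misbehaves under the default profile: drop its wrapper ...
    remove_firejail_link "$t/usr/local/bin" "$fj" keepassxc
    # ... or keep it and fix the profile with a .local override instead.
    add_local_directive "$t/cfg" keepassxc 'noblacklist ${HOME}/Vaults'
    add_local_directive "$t/cfg" keepassxc 'noblacklist ${HOME}/Vaults'   # no-op
    echo "keepassxc.local:"; cat "$t/cfg/keepassxc.local"

    for app in thunderbird keepassxc; do
        if resolves_to_firejail "$p" "$fj" "$app"; then
            echo "$app: PATH lookup hits the firejail wrapper"
        else
            echo "$app: PATH lookup hits the plain binary (not sandboxed)"
        fi
    done
    rm -rf "$t"
}

demo
```

The resolves_to_firejail check is the one worth running on a real system after deleting a "broken" symlink: it tells you whether a program that opens a URL or file via the plain command name will still land in the sandbox, which is exactly the drawback of the launcher-only approach described above.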
Re: How to lock down Mint
For me, Firefox is always open, and then other apps open links in that sandboxed instance. I hadn't tested what happens with Firefox closed, so yeh, agree that'd be a drawback.