How to lock down Mint

How to lock down Mint

Post by Overkill »

How to lock down Mint with AppArmor and Firejail properly?

Re: How to lock down Mint

Post by newlyminted7 »

What I did:
- Installed it via Software Manager (I think). I might have installed the .deb file. Try from the Software Manager, and if it's not there, get it here and follow the instructions: https://firejail.wordpress.com/download-2/
- Once installed, you have to run sudo firecfg in a terminal.
- If some applications don't run after installing firejail, just delete their symlink from /usr/local/bin (this was very frustrating and took me a while to figure out how to fix it - still no idea why an application doesn't run, but at least I know how to fix it).

More info:
https://firejail.wordpress.com/2017/05/ ... ing-guide/

Have you looked into "UbuChk"?
Handy tool for helping to secure your system:
https://github.com/terminalforlife/Perl ... rce/ubuchk
It doesn't make any changes to your system, it just gives recommendations.

I think AppArmor is installed by default in Linux Mint? I'm not 100% sure, though, maybe someone else can confirm.

Some other useful security info:
https://easylinuxtipsproject.blogspot.c ... urity.html

Personally, I'd also highly advise OpenSnitch:
https://github.com/gustavo-iniguez-goya/opensnitch/wiki
https://github.com/evilsocket/opensnitch
I think they (opensnitchd and opensnitch-ui) might also be in the Software Manager: two packages, one of which is the UI.

You might also consider "masking" the geoclue service (removing it isn't enough since it gets reinstalled by other applications as a dependency).
https://medium.com/@codingmaths/service ... 265d9b2181
sudo systemctl disable geoclue.service
sudo systemctl mask geoclue.service
This service is used by applets like Weather and Redshift, when you can use a static file for both (Redshift calls geoclue to get your location from Mozilla's online location service almost every 10 mins or so... totally unnecessary imho). Applications like Gnome Maps use it to detect your location. But you probably know where you are. Right? Anyway, if you want this, leave it as is; if it is annoying, as I think it is, you can mask this service.

Which web browser do you use?

Re: How to lock down Mint

Post by Overkill »

newlyminted7 wrote: Tue Apr 06, 2021 12:41 am
I am a bit reluctant to mess with OpenSnitch and UbuChk because I'm not familiar with them and I need to do a little research first so I know what the heck I'm doing :D
Does it support 32 bit systems?
Chromium is my main browser
Yes, AppArmor has always been installed/enabled since I've been using Linux Mint.

Re: How to lock down Mint

Post by newlyminted7 »

Not sure if they support 32 bit systems, sorry.
Great you're doing your research, more people should do just that!
As for your browser, have you looked into Ungoogled-Chromium? Worthy of some research. I use it.

Re: How to lock down Mint

Post by dave0808 »

If something doesn't run in firejail properly, you can run it from the command line to see what's being loaded / restricted etc. There's even a debug option for more verbose information. E.g.

firejail --debug --profile=keepassxc keepassxc
In many cases for me, it's simply that I don't necessarily store data files where the default profile assumes that I do. Within each of the supplied profiles (in /etc/firejail) they are set to look for and include a local file containing your personal tweaks. So for example, I have a file $HOME/.config/firejail/keepassxc.local which has a noblacklist directive for where I store the database file.

Re: How to lock down Mint

Post by newlyminted7 »

dave0808 wrote: Fri Apr 09, 2021 4:40 am If something doesn't run in firejail properly, you can run it from the command line to see what's being loaded / restricted etc. There's even a debug option for more verbose information. E.g.

firejail --debug --profile=keepassxc keepassxc
In many cases for me, it's simply that I don't necessarily store data files where the default profile assumes that I do. Within each of the supplied profiles (in /etc/firejail) they are set to look for and include a local file containing your personal tweaks. So for example, I have a file $HOME/.config/firejail/keepassxc.local which has a noblacklist directive for where I store the database file.
Thanks for sharing this, dave0808, I did not know about this. What exactly does that noblacklist directive look like (the syntax) in a profile file, if I were to create one? What else do I need to put in the profile file? And if I wanted to re-create the symlink I deleted (KeepassXC was one of the ones I deleted because it wasn't working) do I just use ln -s or can I run fireconfig again? Thanks again.

Re: How to lock down Mint

Post by TiBike »

newlyminted7 wrote: Tue Apr 06, 2021 12:41 am - Once installed, you have to run sudo firecfg in a terminal.
Actually not. Some tutorials recommend it, others don't. I wrestled with this and other stuff, especially editing profiles (actually adding overrides - don't edit the profiles cos they'll be overwritten when Firejail updates). At the end of it all I thought it might help to write a summary as a novice (corrections welcome) - or there's all the wrestling here and here.

Re: How to lock down Mint

Post by newlyminted7 »

I only suggested sudo firecfg because the devs suggest it. I see now why someone might not want to run it, though, thanks to your post, although that requires a bit more understanding (which many newbies may not have, such as myself).

Personally, I'd still advise newbies run sudo firecfg, since it sandboxes more applications by default, and then educate them on how to remove the (few) symlinks to applications that have problems running - rather than expecting the user to set up all the symlinks themselves just to get firejail to work. Just my 2c, anyway.

I understand your perspective, though, and I think it's great information, I appreciate it and I learned from it, but to me, it's the "next level up" from installing firejail as a total newbie (like me).

Re: How to lock down Mint

Post by dave0808 »

newlyminted7 wrote: Fri Apr 09, 2021 2:41 pm Thanks for sharing this, dave0808, I did not know about this. What exactly does that noblacklist directive look like (the syntax) in a profile file, if I were to create one? What else do I need to put in the profile file? And if I wanted to re-create the symlink I deleted (KeepassXC was one of the ones I deleted because it wasn't working) do I just use ln -s or can I run fireconfig again? Thanks again.
I didn't use firecfg, so can't speak for re-running it. However it's trivial to recreate a symlink with the command that you highlighted. For example:-

sudo ln -s /usr/bin/firejail /usr/local/bin/thunderbird
As for the noblacklist directive, it's followed by the path that you want the application to access. But first, let's go through the loading process in case it's not clear. Keeping with Thunderbird for the example, firejail will load the config file /etc/firejail/thunderbird.profile. If we look at that file we can see that there are a few comment lines, followed by an include thunderbird.local to pull in your local overrides. The rest can be of academic interest and you'll see the first line that isn't an 'include' is a 'noblacklist':-

noblacklist ${HOME}/.cache/thunderbird
So let's say that you have some images that you like to attach to emails sometimes and that they are stored in a folder specific to you that isn't expected. You can create your own local file and add the directive, for example:-

mkdir -p ~/.config/firejail
echo 'noblacklist ${HOME}/my_share/images' >> ~/.config/firejail/thunderbird.local
Note that because this local file is loaded first, the 'noblacklist' is specified upfront and prevents any subsequent 'blacklist' directives from blocking access to the file or directory.

Finally, you can always load a shell rather than the application in order to test your settings:-

$ firejail --profile=thunderbird bash
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 8552, child pid 8553
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 88.64 ms
dave0808@home:~$ ls
Downloads
dave0808@home:~$ id
uid=1000(dave0808) gid=1000(dave0808) groups=1000(dave0808)
dave0808@home:~$ exit
Parent is shutting down, bye...
Note the lack of any directories aside from 'Downloads', and that all the supplementary groups have been stripped out.
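dave0808's load-order point (the .local is included first, so its noblacklist takes effect before the blacklist lines that follow) can be checked with a small resolver that flattens include directives the way the post describes. This is an added example, not code from the thread or from the Firejail project; the profile contents are constructed to mirror the structure described above, and the exact-match exemption rule is a simplification of Firejail's real path matching.

```python
# Constructed mini profile set (not Firejail's shipped files), laid out the way
# dave0808 describes: the profile pulls in its .local first, noblacklists its
# own cache dir, then includes the shared blacklist files.
PROFILES = {
    "thunderbird.profile": (
        "include thunderbird.local\n"
        "noblacklist ${HOME}/.cache/thunderbird\n"
        "include disable-common.inc\n"
        "include disable-programs.inc\n"
    ),
    "thunderbird.local": "noblacklist ${HOME}/my_share/images\n",
    "disable-common.inc": "blacklist ${HOME}/.ssh\nblacklist ${HOME}/my_share/images\n",
    "disable-programs.inc": "blacklist ${HOME}/.cache/thunderbird\nblacklist ${HOME}/.cache/chromium\n",
    # Wrong order: the override is placed after the blacklist it was meant to undo.
    "late.profile": "include disable-common.inc\nnoblacklist ${HOME}/my_share/images\n",
}

def load_directives(name, profiles=PROFILES, home="/home/user"):
    """Flatten a profile into ordered (directive, path) pairs, following includes;
    a missing include (e.g. a .local you have not written yet) is skipped."""
    out = []
    for raw in profiles.get(name, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip().replace("${HOME}", home)
        if directive == "include":
            out.extend(load_directives(arg, profiles, home))
        elif directive in ("blacklist", "noblacklist"):
            out.append((directive, arg))
    return out

def effective_blacklist(directives):
    """Order matters: a blacklist line is dropped only if the same path was
    noblacklisted earlier in the flattened profile (exact match; simplified)."""
    exempt, blocked = set(), []
    for directive, path in directives:
        if directive == "noblacklist":
            exempt.add(path)
        elif path not in exempt:
            blocked.append(path)
    return blocked

def accessible(path, profile, profiles=PROFILES):
    """True unless an effective blacklist entry covers the path or a parent of it."""
    for entry in effective_blacklist(load_directives(profile, profiles)):
        if path == entry or path.startswith(entry + "/"):
            return False
    return True
```

Running `accessible("/home/user/my_share/images", "thunderbird.profile")` gives True, while the same query against `late.profile` (or with `thunderbird.local` absent) gives False, which is the ordering rule the post describes.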

Re: How to lock down Mint

Post by newlyminted7 »

Thanks, dave0808, I'll look into doing this.

Re: How to lock down Mint

Post by TiBike »

newlyminted7 wrote: Sat Apr 10, 2021 2:39 pm I only suggested sudo firecfg because the devs suggest it. I see now why someone might not want to run it, though, thanks to your post, although that requires a bit more understanding (which many newbies may not have, such as myself).

Personally, I'd still advise newbies run sudo firecfg, since it sandboxes more applications by default, and then educate them on how to remove the (few) symlinks to applications that have problems running - rather than expecting the user to set up all the symlinks themselves just to get firejail to work. Just my 2c, anyway.

I understand your perspective, though, and I think it's great information, I appreciate it and I learned from it, but to me, it's the "next level up" from installing firejail as a total newbie (like me).
Just to clarify that even if you've not run sudo firecfg, you don't need to set up symlinks. The other route is to get the panel to always launch an application in a sandbox, e.g. R-click Firefox Icon on Panel → Properties → General tab → R-click Firefox item → Edit → Command = 'firejail firefox %u' → Save → Close. (Though to be fair, I did have trouble applying the same approach to the Mint Menu launcher.) I got that from this tutorial.

So to my mind the non-firecfg approach is easy too. Probably it all depends whether you want most applications sandboxed (so sudo firecfg + removing a few symlinks sounds good) or only a couple of applications sandboxed (then the above works well). I took the approach of only sandboxing external-facing applications (Firefox and Thunderbird).

What I do think is 'next level up' - and as a novice took me a lot of work to figure out - was getting back as much as possible of the communication between applications, but still in a safe way. That was a load of stuff on overrides, whitelisting, blacklisting, no-blacklisting :? .

My 2p worth :) . I appreciate we all have different needs and preferences.

Re: How to lock down Mint

Post by dave0808 »

Editing the panel launcher only means that if another application invokes that program, it isn't run under firejail. For example, if there's a URL showing in a terminal window and you right click on that and choose the option to open the URL.

By setting up the symlinks in a higher priority path directory, it will nearly always get invoked under firejail. There is a potential edge case whereby some program could invoke firefox (for example) and use an absolute path. One would hope not, but stranger things have happened :)
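dave0808's PATH-precedence argument can be made concrete by walking a PATH the way the shell does and checking whether the first hit is a symlink to firejail. This is an added example, not code from the thread or from the Firejail project; it builds a constructed stand-in for /usr/bin and /usr/local/bin inside a temporary directory (so the paths it reports are the constructed ones), and it also covers the absolute-path case, where the symlink is never consulted.

```python
import os
import tempfile

def resolve(program, path_dirs):
    """First executable named `program` along path_dirs, as a shell PATH lookup does."""
    for d in path_dirs:
        candidate = os.path.join(d, program)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def is_firejail_symlink(path, firejail):
    """True if `path` is a firecfg-style symlink whose target is the firejail binary."""
    return path is not None and os.path.islink(path) and os.readlink(path) == firejail

def audit(program, path_dirs, firejail):
    """Report where a bare `program` invocation resolves and whether that is sandboxed."""
    hit = resolve(program, path_dirs)
    return {"resolved": hit, "sandboxed": is_firejail_symlink(hit, firejail)}

def build_fake_tree():
    """Constructed stand-in for /usr/bin and /usr/local/bin in a temp dir:
    a real 'firefox' and 'firejail' in usr/bin, a firecfg-style symlink in local/bin."""
    root = tempfile.mkdtemp()
    usr_bin = os.path.join(root, "usr", "bin")
    local_bin = os.path.join(root, "usr", "local", "bin")
    os.makedirs(usr_bin)
    os.makedirs(local_bin)
    firejail = os.path.join(usr_bin, "firejail")
    for real in (firejail, os.path.join(usr_bin, "firefox")):
        with open(real, "w") as f:
            f.write("#!/bin/sh\n")  # placeholder executable, not the real program
        os.chmod(real, 0o755)
    os.symlink(firejail, os.path.join(local_bin, "firefox"))
    return usr_bin, local_bin, firejail

if __name__ == "__main__":
    usr_bin, local_bin, firejail = build_fake_tree()
    print(audit("firefox", [local_bin, usr_bin], firejail))  # sandboxed: True
    print(audit("firefox", [usr_bin, local_bin], firejail))  # sandboxed: False
    # An absolute path skips PATH entirely, which is the edge case noted above.
    print(is_firejail_symlink(os.path.join(usr_bin, "firefox"), firejail))  # False
```

Pointing `audit` at the real directories (`["/usr/local/bin", "/usr/bin"]` and `/usr/bin/firejail`) turns it into a quick check of which programs firecfg has actually wrapped on a given system.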

Re: How to lock down Mint

Post by TiBike »

For me, Firefox is always open, and then other apps open links in that sandboxed instance. I hadn't tested what happens with Firefox closed, so yeh, agree that'd be a drawback.