firejail whitelist not working

[niubboxp]

[ split from http://forums.linuxmint.com/viewtopic.p ... 3#p1067213 and moved here ]

i've done the log, so my understanding is good, this is all firefox need to be whitelisted

so i should copy all this log inside the file we maked before, putting "whitelist" before every line (is it correct?)
but how can i deny all the rest?

[xenopeek]

putting "whitelist" before every line (is it correct?)

No, look at my example. And if you whitelist a directory all its files and subdirectories are whitelisted also, so you don't whitelist the entire log but you build a profile from it that makes all those paths be whitelisted. From my example lines, you don't need to whitelist any files under .mozilla or Downloads, which for the former is probably the majority of paths in your log.

Any directory or file in your home directory not explicitly whitelisted won't exist in the sandbox, unless it is in one of the whitelisted directories. Any directory or file created in the sandbox, that isn't created in one of the whitelisted directories, will be discarded after you close the sandbox.

[niubboxp]

you r right i understood the subdirectory stuff, i didnt understood, if i modify the file we done before, with only this whitelist, the program understand that everything else should be blacklisted, or if there is a command to write inside the file

i mean i open
.config/firejail/firefox.profile
i delete what we wrote before, and i paste

whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
plus the other directory inside the log file, the rest will be blacklisted?

[xenopeek]

i delete what we wrote before, and i paste

whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
plus the other directory inside the log file, the rest will be blacklisted?

Yes. But don't edit /etc/firejail/firefox.profile. Use the directory .config/firefail in your home directory for custom profiles. Edit the file ~/.config/firejail/firefox.profile.

[niubboxp]

i've done it, but now how can i know if does it work?

i've tryed to download a file in another folder "not the whitelisted" and when i closed the firefox this file wasnt delete, i dont know how should work and how test if my profile work properly

[xenopeek]

I'd test it using the command line, but that's me. I'd run this command to test a profile, check the output of firejail, and use shell commands to test if all is as I want it. Whitelist assumes that you are using firejail 0.9.30 or newer (check with "firejail --version").

Code: Select all

firejail --profile=${HOME}/.config/firejail/firefox.profile

[niubboxp]

this is the output
Reading profile /home/"user"/.config/firejail/firefox.profile
Parent pid 13594, child pid 13595
Child process initializede

dont know what does it means, but imho this kind of setting shoudn't be able to save file in not whitelisted directory, i've also tryed an extension who make the backup of firefox setting, and it saved the file outside the whitelisted folder, so i dont think it work properly

this is my whitelist

whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
whitelist ${HOME}/.cache/fontconfig
whitelist ${HOME}/.cache/gstreamer-1.0
whitelist ${HOME}/.cache/mozilla
whitelist ${HOME}/config/dconf/user
whitelist ${HOME}/.config/user-dirs.dirs
whitelist ${HOME}/.local/share/applications
whitelist ${HOME}/.local/share/fonts
whitelist ${HOME}/.ICEauthority

[xenopeek]

whitelist ${HOME}/config/dconf/user

There should be a dot before config on that line.

I corrected the above and copied your lines to the file ~/.config/firejail/firefox.profile and then did the following to start the sandbox:

Code: Select all

firejail --profile=${HOME}/.config/firejail/firefox.profile

After it starts I ran the following command:

Code: Select all

ls -la

Which shows only the directories and files you whitelisted are visible. Creating a directory or file there (not in one of the whitelisted directories) and exiting the sandbox again, that directory and file do not exist.

[niubboxp]

if write on terminal

firejail --profile=${HOME}/.config/firejail/firefox.profile

the reply is

Reading profile /home/"user"/.config/firejail/firefox.profile
Parent pid 15081, child pid 15082
Child process initialized

but firefox doesen't start (dont know if should)

then i do the other command ls -la
and this is the result

total 48
drwx------ 7 "user" "user" 180 set 16 22:40 .
drwxr-xr-x 3 root root 60 set 16 22:40 ..
drwxr-xr-x 5 root "user" 100 set 16 22:40 .cache
drwxr-xr-x 3 root "user" 80 set 16 22:40 .config
-rw------- 1 "user" "user" 22306 set 16 18:30 .ICEauthority
drwxr-xr-x 3 root "user" 60 set 16 22:40 .local
drwxr-xr-x 4 "user" "user" 4096 ago 30 15:24 .mozilla
drwxr-xr-x 2 "user" "user" 4096 set 16 22:25 Downloads
-rw------- 1 "user" "user" 126 set 16 22:40 .Xauthority



i still download file outside the whitelist directory

[xenopeek]

As commented earlier, running firejail without a command starts it with the bash shell. This is also clearly mentioned in the manpage. As I wrote, this is how I would test a new profile. firejail doesn't start Firefox unless you give that as the command to run.

I suggest getting more comfortable on the command line, and especially with accessing the built in documentation. A good tutorial is http://en.flossmanuals.net/command-line/.

The output of the ls command in your sandbox shows things to be as expected. Before anybody else copies & pastes your configuration, it is generally only suitable for your own system. For example if you use the LastPass extensions you'll need to add the ${HOME}/.lastpass directory to the whitelist. For other extensions or plugins additional directories or files in your home directory may need to be whitelisted. Also as you upgrade to a new Firefox version you may need to retest to confirm your whitelist configuration is enough.

[niubboxp]

i understand, but i think whitelist alone doesent work, i've done some other trial
a mix of blacklist and whitelist, and this is working

include /etc/firejail/firefox.profile
blacklist ${HOME}/"user"
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
whitelist ${HOME}/Documents
whitelist ${HOME}/.cache/fontconfig
whitelist ${HOME}/.cache/gstreamer-1.0
whitelist ${HOME}/.cache/mozilla
whitelist ${HOME}/.config/dconf/user
whitelist ${HOME}/.config/user-dirs.dirs
whitelist ${HOME}/.local/share/applications
whitelist ${HOME}/.local/share/fonts
whitelist ${HOME}/.ICEauthority
whitelist ${HOME}/.gnome2

i've tryed do download a file in a not whitelisted folder inside home, and i have no access with the only exception of the desktop, i dont know why :S

now i've blacklisted all the home with the exception found on the firefox.log, i'd like also to put in the blacklist file system partition (or the folders will i dont need to run firefox) i've tryed with the boot folder putting

blacklist /boot or
blacklist $/boot

but doesent work, any suggestion for make it work properly? and which folder inside the file system partition i cant put in the blacklist?

[xenopeek]

You must still be misunderstanding firejail, or doing something else wrong, because you do not need to blacklist your home directory. Read this a few more times:

Any directory or file in your home directory not explicitly whitelisted won't exist in the sandbox, unless it is in one of the whitelisted directories. Any directory or file created in the sandbox, that isn't created in one of the whitelisted directories, will be discarded after you close the sandbox.

Using your firefox.profile file with the blacklist line removed I'm testing with:

Code: Select all

firejail --profile=${HOME}/.config/firejail/firefox.profile

Again, "ls -la" run inside the sandbox shows only the whitelisted files and directories existing. Creating a directory TEST1 and creating a file TEST2 both succeed and can be access in the sandbox. Exiting the sandbox, both are gone as per the description on how whitelist works.

Code: Select all

$ firejail --profile=${HOME}/.config/firejail/firefox.profile
<cut for brevity>
$ mkdir TEST1
$ touch TEST2
$ ls -ld TEST*
drwxr-xr-x 2 user    user    40 Sep 17 07:17 TEST1
-rw-r--r-- 1 user    user     0 Sep 17 07:17 TEST2
$ exit
exit

parent is shutting down, bye...
$ ls -ld TEST*
ls: cannot access TEST*: No such file or directory

As for blacklisting /boot, you're going overboard now. Re-read the tutorial or read the manpage. The sandbox is a chroot of the currently mounted filesystems, with everything except /home, /tmp, and /var mounted read-only and thus immutable. What's the point of what you are doing?

Looking further into it, if you don't blacklist /boot and you start a sandbox (with bash), what do you see? What does "ls -l /" tell you? What does "grep /boot /etc/mtab" tell you? Aha, it's mounted as a tmpfs. That's not listed in the manpage so what do you do? Download the source code https://github.com/netblue30/firejail. Extract it and then run "grep -R /boot *" from where you have extracted the files. Find something about /boot is noted in the release notes for 0.9.10. Go read the release announcement where it is explained (found quickly with Google): https://l3net.wordpress.com/2014/08/28/ ... ouncement/

I think this is all a bit pointless and if you're not confident to find such information yourself you should perhaps not be making such complex profiles for firejail.

[niubboxp]

i know i'm a child who wanna do what his dad do but this will help me to learn stuff and maybe this time i've learned how it works

some directory of the home and file system have their acces deny, and the one who doesent have, when download or make the directory, as the test, are loaded in tmp or ram (do you know wich one?) i also immagine they cant modify any file inside system except the whitelist, because the process isnt running inside the system but the sandbox, so everything is inside the box and not in the "real machine", this is right?

[xenopeek]

some directory of the home and file system have their acces deny, and the one who doesent have, when download or make the directory, as the test, are loaded in tmp or ram (do you know wich one?)

From inside the sandbox run:

Code: Select all

grep /home /etc/mtab

You'll see /home is mounted as a tmpfs and all the directories and files you have whitelisted are mounted on top of that. Changes you make in whitelisted files or directories are stored to disk. Anything else created in /home exists only in the tmpfs while the sandbox is running. tmpfs is temporary filesystem in RAM and/or swap.

[niubboxp]

some directory of the home and file system have their acces deny, and the one who doesent have, when download or make the directory, as the test, are loaded in tmp or ram (do you know wich one?)

From inside the sandbox run:

Code: Select all

grep /home /etc/mtab

You'll see /home is mounted as a tmpfs and all the directories and files you have whitelisted are mounted on top of that. Changes you make in whitelisted files or directories are stored to disk. Anything else created in /home exists only in the tmpfs while the sandbox is running. tmpfs is temporary filesystem in RAM and/or swap.

my home is encrypted and when i do the command inside the sandbox he write me something like this

Code: Select all

/dev/sdb5 /home ext4 rw 0 0
/home/"user"/.Private /home/"user"ecryptfs ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig="various numbers"

[xenopeek]

I use full disk encryption and it works as intended with that. Possibly the firejail developer hasn't accounted for eCryptfs (home directory encryption) for the whitelist option. Possibly you've found an issue with the whitelist option in combination with eCryptfs.

BTW, home directory encryption is much slower than full disk encryption: http://www.phoronix.com/scan.php?page=a ... encryption. Especially if you store big files in your home directory you would be better served with full disk encryption.

[niubboxp]

I only found home encryption during the installation, i will open another post for know how to encrypt all the disk, thanks

[xenopeek]

I don't know what went wrong. I retested today with Linux Mint 17.2 Cinnamon with home folder encryption (ecryptfs) and firejail 0.9.30. Starting a sandbox like this to test:

Code: Select all

firejail --noprofile --whitelist=${HOME}/Downloads

I then created a file and a new directory in my home directory. Exiting the sandbox those disappeared as expected. Anything I created in Downloads stayed.