firejail whitelist not working
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
firejail whitelist not working
[ split from http://forums.linuxmint.com/viewtopic.p ... 3#p1067213 and moved here ]
I've done the log, so my understanding is good: this is all Firefox needs to be whitelisted.
So I should copy all this log inside the file we made before, putting "whitelist" before every line (is it correct?)
But how can I deny all the rest?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Using firejail as security sandbox for your programs
niubboxp wrote: putting "whitelist" before every line (is it correct?)
No, look at my example. And if you whitelist a directory, all its files and subdirectories are whitelisted also, so you don't whitelist the entire log but you build a profile from it that makes all those paths be whitelisted. From my example lines, you don't need to whitelist any files under .mozilla or Downloads, which for the former is probably the majority of paths in your log.
Any directory or file in your home directory not explicitly whitelisted won't exist in the sandbox, unless it is in one of the whitelisted directories. Any directory or file created in the sandbox, that isn't created in one of the whitelisted directories, will be discarded after you close the sandbox.
Re: Using firejail as security sandbox for your programs
You're right, I understood the subdirectory stuff. What I didn't understand is whether, if I modify the file we made before with only this whitelist, the program understands that everything else should be blacklisted, or if there is a command to write inside the file.
I mean I open
.config/firejail/firefox.profile
I delete what we wrote before, and I paste
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
plus the other directories inside the log file; the rest will be blacklisted?
Re: Using firejail as security sandbox for your programs
niubboxp wrote: i delete what we wrote before, and i paste
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
plus the other directory inside the log file, the rest will be blacklisted?
Yes. But don't edit /etc/firejail/firefox.profile. Use the directory .config/firejail in your home directory for custom profiles. Edit the file ~/.config/firejail/firefox.profile.
Re: Using firejail as security sandbox for your programs
I've done it, but now how can I know if it works?
I tried to download a file in another folder (not the whitelisted one) and when I closed Firefox this file wasn't deleted. I don't know how it should work and how to test if my profile works properly.
Re: Using firejail as security sandbox for your programs
I'd test it using the command line, but that's me. I'd run this command to test a profile, check the output of firejail, and use shell commands to test if all is as I want it. Whitelist assumes that you are using firejail 0.9.30 or newer (check with "firejail --version").
Code:
firejail --profile=${HOME}/.config/firejail/firefox.profile
Re: Using firejail as security sandbox for your programs
This is the output:
Reading profile /home/"user"/.config/firejail/firefox.profile
Parent pid 13594, child pid 13595
Child process initializede
I don't know what it means, but IMHO this kind of setting shouldn't be able to save files in a not-whitelisted directory. I've also tried an extension that makes a backup of the Firefox settings, and it saved the file outside the whitelisted folder, so I don't think it works properly.
This is my whitelist:
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
whitelist ${HOME}/.cache/fontconfig
whitelist ${HOME}/.cache/gstreamer-1.0
whitelist ${HOME}/.cache/mozilla
whitelist ${HOME}/config/dconf/user
whitelist ${HOME}/.config/user-dirs.dirs
whitelist ${HOME}/.local/share/applications
whitelist ${HOME}/.local/share/fonts
whitelist ${HOME}/.ICEauthority
Re: firejail whitelist not working
niubboxp wrote: whitelist ${HOME}/config/dconf/user
There should be a dot before config on that line.
I corrected the above and copied your lines to the file ~/.config/firejail/firefox.profile and then did the following to start the sandbox:
Code:
firejail --profile=${HOME}/.config/firejail/firefox.profile
Code:
ls -la
Re: firejail whitelist not working
If I write on the terminal
firejail --profile=${HOME}/.config/firejail/firefox.profile
the reply is
Reading profile /home/"user"/.config/firejail/firefox.profile
Parent pid 15081, child pid 15082
Child process initialized
but Firefox doesn't start (I don't know if it should).
Then I run the other command, ls -la,
and this is the result:
total 48
drwx------ 7 "user" "user" 180 set 16 22:40 .
drwxr-xr-x 3 root root 60 set 16 22:40 ..
drwxr-xr-x 5 root "user" 100 set 16 22:40 .cache
drwxr-xr-x 3 root "user" 80 set 16 22:40 .config
-rw------- 1 "user" "user" 22306 set 16 18:30 .ICEauthority
drwxr-xr-x 3 root "user" 60 set 16 22:40 .local
drwxr-xr-x 4 "user" "user" 4096 ago 30 15:24 .mozilla
drwxr-xr-x 2 "user" "user" 4096 set 16 22:25 Downloads
-rw------- 1 "user" "user" 126 set 16 22:40 .Xauthority
I can still download files outside the whitelisted directories.
Re: firejail whitelist not working
As commented earlier, running firejail without a command starts it with the bash shell. This is also clearly mentioned in the manpage. As I wrote, this is how I would test a new profile. firejail doesn't start Firefox unless you give that as the command to run.
I suggest getting more comfortable on the command line, and especially with accessing the built-in documentation. A good tutorial is http://en.flossmanuals.net/command-line/.
The output of the ls command in your sandbox shows things to be as expected. Before anybody else copies & pastes your configuration, it is generally only suitable for your own system. For example if you use the LastPass extensions you'll need to add the ${HOME}/.lastpass directory to the whitelist. For other extensions or plugins additional directories or files in your home directory may need to be whitelisted. Also as you upgrade to a new Firefox version you may need to retest to confirm your whitelist configuration is enough.
Re: firejail whitelist not working
I understand, but I think whitelist alone doesn't work; I've done some other trials.
A mix of blacklist and whitelist, and this is working:
include /etc/firejail/firefox.profile
blacklist ${HOME}/"user"
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
whitelist ${HOME}/Documents
whitelist ${HOME}/.cache/fontconfig
whitelist ${HOME}/.cache/gstreamer-1.0
whitelist ${HOME}/.cache/mozilla
whitelist ${HOME}/.config/dconf/user
whitelist ${HOME}/.config/user-dirs.dirs
whitelist ${HOME}/.local/share/applications
whitelist ${HOME}/.local/share/fonts
whitelist ${HOME}/.ICEauthority
whitelist ${HOME}/.gnome2
I've tried to download a file in a not-whitelisted folder inside home, and I have no access, with the only exception of the desktop, I don't know why :S
Now I've blacklisted all of home with the exceptions found in firefox.log. I'd also like to put the file system partition in the blacklist (or the folders I don't need to run Firefox). I've tried with the boot folder, putting
blacklist /boot or
blacklist $/boot
but it doesn't work. Any suggestion to make it work properly? And which folders inside the file system partition can't I put in the blacklist?
Re: firejail whitelist not working
You must still be misunderstanding firejail, or doing something else wrong, because you do not need to blacklist your home directory. Read this a few more times:
xenopeek wrote: Any directory or file in your home directory not explicitly whitelisted won't exist in the sandbox, unless it is in one of the whitelisted directories. Any directory or file created in the sandbox, that isn't created in one of the whitelisted directories, will be discarded after you close the sandbox.
Using your firefox.profile file with the blacklist line removed I'm testing with:
Code:
firejail --profile=${HOME}/.config/firejail/firefox.profile
Again, "ls -la" run inside the sandbox shows only the whitelisted files and directories existing. Creating a directory TEST1 and creating a file TEST2 both succeed and can be accessed in the sandbox. Exiting the sandbox, both are gone as per the description on how whitelist works.
Code:
$ firejail --profile=${HOME}/.config/firejail/firefox.profile
<cut for brevity>
$ mkdir TEST1
$ touch TEST2
$ ls -ld TEST*
drwxr-xr-x 2 user user 40 Sep 17 07:17 TEST1
-rw-r--r-- 1 user user 0 Sep 17 07:17 TEST2
$ exit
exit
parent is shutting down, bye...
$ ls -ld TEST*
ls: cannot access TEST*: No such file or directory
As for blacklisting /boot, you're going overboard now. Re-read the tutorial or read the manpage. The sandbox is a chroot of the currently mounted filesystems, with everything except /home, /tmp, and /var mounted read-only and thus immutable. What's the point of what you are doing?
Looking further into it, if you don't blacklist /boot and you start a sandbox (with bash), what do you see? What does "ls -l /" tell you? What does "grep /boot /etc/mtab" tell you? Aha, it's mounted as a tmpfs. That's not listed in the manpage so what do you do? Download the source code https://github.com/netblue30/firejail. Extract it and then run "grep -R /boot *" from where you have extracted the files. Find something about /boot is noted in the release notes for 0.9.10. Go read the release announcement where it is explained (found quickly with Google): https://l3net.wordpress.com/2014/08/28/ ... ouncement/
I think this is all a bit pointless and if you're not confident to find such information yourself you should perhaps not be making such complex profiles for firejail.
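A small profile linter, added here as an example (not code from the thread or from the firejail project), that catches both mistakes discussed above before a sandbox is ever started: a whitelist target that does not exist on the host, like the missing dot in config/dconf/user, and a malformed target like $/boot. It assumes a whitelist/blacklist target must be an absolute path or begin with a ${MACRO}; the sample profile and the throwaway home directory are constructed for the demo.

```python
# Added example (not from the thread): lint a firejail profile for the two
# mistakes seen above, a whitelist target that does not exist on the host
# (the missing dot in "config/dconf/user") and a malformed target ("$/boot").
import os
import re
import tempfile

# Constructed sample profile mirroring the thread's lines.
SAMPLE_PROFILE = """\
include /etc/firejail/firefox.profile
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
whitelist ${HOME}/config/dconf/user
whitelist ${HOME}/.config/user-dirs.dirs
blacklist $/boot
"""

_MACRO = re.compile(r"^\$\{[A-Z_]+\}")  # ${HOME}, ${DOWNLOADS}, ...


def lint_profile(text, home):
    """Return (line_no, target, problem) tuples for suspicious lines.

    `home` is substituted for ${HOME}; other macros are only shape-checked.
    """
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0] not in ("whitelist", "blacklist"):
            continue  # include, comments and other directives are not checked
        target = parts[1].strip()
        # Assumed rule: a target is an absolute path or starts with a ${MACRO}.
        if not (target.startswith("/") or _MACRO.match(target)):
            problems.append((no, target, "malformed path"))
            continue
        expanded = target.replace("${HOME}", home)
        if not expanded.startswith("${") and not os.path.exists(expanded):
            problems.append((no, target, "does not exist on host"))
    return problems


def demo():
    """Build a throwaway home containing only the real paths, then lint."""
    with tempfile.TemporaryDirectory() as home:
        for rel in (".mozilla", "Downloads", ".config/dconf"):
            os.makedirs(os.path.join(home, rel))
        for rel in (".config/dconf/user", ".config/user-dirs.dirs"):
            open(os.path.join(home, rel), "w").close()
        return lint_profile(SAMPLE_PROFILE, home)


if __name__ == "__main__":
    for no, target, why in demo():
        print(f"line {no}: {target}: {why}")
```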
Re: firejail whitelist not working
I know I'm a child who wants to do what his dad does, but this will help me to learn stuff, and maybe this time I've learned how it works.
Some directories of the home and file system have their access denied, and the ones that don't, when you download or make a directory, as in the test, are loaded in tmp or RAM (do you know which one?). I also imagine they can't modify any file inside the system except the whitelist, because the process isn't running inside the system but in the sandbox, so everything is inside the box and not in the "real machine". Is this right?
Re: firejail whitelist not working
niubboxp wrote: some directories of the home and file system have their access denied, and the ones that don't, when you download or make a directory, as in the test, are loaded in tmp or RAM (do you know which one?)
From inside the sandbox run:
Code:
grep /home /etc/mtab
You'll see /home is mounted as a tmpfs and all the directories and files you have whitelisted are mounted on top of that. Changes you make in whitelisted files or directories are stored to disk. Anything else created in /home exists only in the tmpfs while the sandbox is running. tmpfs is a temporary filesystem in RAM and/or swap.
Re: firejail whitelist not working
xenopeek wrote: From inside the sandbox run:
grep /home /etc/mtab
You'll see /home is mounted as a tmpfs and all the directories and files you have whitelisted are mounted on top of that. Changes you make in whitelisted files or directories are stored to disk. Anything else created in /home exists only in the tmpfs while the sandbox is running. tmpfs is a temporary filesystem in RAM and/or swap.
My home is encrypted, and when I run the command inside the sandbox it writes me something like this:
Code:
/dev/sdb5 /home ext4 rw 0 0
/home/"user"/.Private /home/"user"ecryptfs ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig="various numbers"
Re: firejail whitelist not working
I use full disk encryption and it works as intended with that. Possibly the firejail developer hasn't accounted for eCryptfs (home directory encryption) for the whitelist option. Possibly you've found an issue with the whitelist option in combination with eCryptfs.
BTW, home directory encryption is much slower than full disk encryption: http://www.phoronix.com/scan.php?page=a ... encryption. Especially if you store big files in your home directory you would be better served with full disk encryption.
Re: firejail whitelist not working
I only found home encryption during the installation. I will open another post to learn how to encrypt the whole disk, thanks.
Re: firejail whitelist not working
I don't know what went wrong. I retested today with Linux Mint 17.2 Cinnamon with home folder encryption (ecryptfs) and firejail 0.9.30. Starting a sandbox like this to test:
Code:
firejail --noprofile --whitelist=${HOME}/Downloads
I then created a file and a new directory in my home directory. Exiting the sandbox those disappeared as expected. Anything I created in Downloads stayed.