Firejail is now available in jessie-backports!


Post by Fred Barclay »

G'day mates! Just wanted to spread the word that firejail is now available in Jessie's backports repo, currently version 0.9.38 (the latest stable version). While we used to have to add the Testing repos to install firejail with apt, you can now add backports and install from there (which is less risky than adding Testing repos).

Code:

fred@aussie ~ $ apt policy firejail
firejail:
  Installed: 0.9.40~rc2-1
  Candidate: 0.9.40~rc2-1
  Version table:
 *** 0.9.40~rc2-1 0
        100 /var/lib/dpkg/status
     0.9.38-1 0
        500 http://httpredir.debian.org/debian/ testing/main amd64 Packages
     0.9.38-1~bpo8+1 0
        500 http://httpredir.debian.org/debian/ jessie-backports/main amd64 Packages
(I install from source on GitHub which is why 0.9.40~rc2 is on my system).
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Post by Monsta »

Nice :)
Looks like now Betsy users can make use of xenopeek's tutorial as well: viewtopic.php?f=42&t=202735

Post by killer de bug »

I noticed this a few days ago. It will be easier than downloading the latest version before installing it. 8)

Post by Crewp »

Thanks Fred, good to know.

Post by Fred Barclay »

killer de bug wrote: It will be easier than downloading the latest version before installing it. 8)
Bah humbug! :mrgreen:

I personally prefer this approach:

Code:

#!/bin/bash
# Build the latest firejail from the GitHub master branch, package it as a .deb and install it.
# Note: the re-exec under sudo means the clone and the build also run as root.
set -e
if [ "$EUID" -ne 0 ]; then
	sudo "$0" "$@"
	exit $?
fi
BUILD_DIR=/home/fred/FireJail
mkdir -p "$BUILD_DIR"
cd "$BUILD_DIR"
git clone https://github.com/netblue30/firejail.git
cd firejail
./configure
make deb
dpkg -i firejail*.deb   # already running as root here, so no sudo needed
cd /
rm -rf "$BUILD_DIR"
echo 'Installation Complete!'
sleep 3
I get all the latest features. Of course, I also get all of the latest bugs... :)

Post by killer de bug »

Fred Barclay wrote: I personally prefer this approach:

I get all the latest features. Of course, I also get all of the latest bugs... :)
I prefer a case-by-case installation after reading the release notes. I have been burned once or twice and don't like this :mrgreen:

Post by mike acker »

Success

I just now installed firejail from the backports --
I started it per recommendation:

Code:

~/Desktop $ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 5193, child pid 5194
Blacklist violations are logged to syslog
Child process initialized
1474478613724	addons.xpi	WARN	Bootstrap state is invalid (missing add-ons: /home/bill/.mozilla/firefox/mwad0hks.default/extensions/firefox-hotfix@mozilla.org.xpi)
--- and --- what you are reading here is from Firefox/firejail! (reserve/research LMDE/2 System)

Next: I need to study the guide to figure out how to configure the jail,--

supposedly JAVA-SCRIPT can only read/write COOKIES -- but -- we all know a lot of stuff happens -- that ain't supposed to,...
¡Viva la Resistencia!

Post by Fred Barclay »

Hey Mike - congrats!
The more people we can get on this, the better!

Release 0.9.42 was the best yet, imho. Some new features and lots of tighter, more secure profiles.

Feel free to post here or PM/email me if you want to chat about firejail or try some experiments.
Firejail is sort of my hobby, much like GPG and encryption is yours. ;)

Post by mike acker »

Fred Barclay wrote: Hey Mike - congrats!
The more people we can get on this, the better!

Release 0.9.42 was the best yet, imho. Some new features and lots of tighter, more secure profiles.

Feel free to post here or PM/email me if you want to chat about firejail or try some experiments.
Firejail is sort of my hobby, much like GPG and encryption is yours. ;)
thanks, Fred--

Q: did you edit the Firefox start icon? I can start Firefox from the terminal, but if I edit the start icon I wouldn't need to do that.

++

we are getting into the finer points of security, addressing not only the question of whether to allow access to a resource -- but further -- we need to control access to resources based on the program to be used;

one of the main problems with a PC is that the operator's User ID is good on any app for any user data ( sudo restrictions do a good job protecting root level resources -- in Linux -- ) ;

For example: I would prefer that a Java script does not read my /Correspondence file -- from a web page;

Post by Fred Barclay »

mike acker wrote: Q: did you edit the Firefox start Icon? I can start firefox from terminal but if i edit the start icon -- i wouldn't need to do that , --
In the Mint menu? Yep, you can do that.
If you have a panel icon for Firefox, you can edit it to use firejail as well. Just prefix the command with firejail.
Example: /usr/bin/google-chrome-stable --incognito -start-maximized becomes firejail /usr/bin/google-chrome-stable --incognito -start-maximized

There's also the firecfg utility, which creates launchers in /usr/share/bin for any program with a firejail profile (you can see which programs have profiles with ls /etc/firejail). If you use it, you no longer have to edit menus/launchers; everything with a profile will be launched inside firejail, no matter if you click the menu launcher, click a panel, or start the program from the terminal.

If you want to try it, sudo firecfg creates the launchers (I'm not quite sure if they're symlinks or what exactly they are). sudo firecfg --clean removes 'em if you don't want 'em any more.
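As an added example (not code from this thread or from the firejail project), here is the launcher prefixing described above done on the .desktop file itself rather than through the menu editor: every Exec= line (main entry and any action) gets firejail in front, lines already prefixed are left alone, and the result is written to ~/.local/share/applications, where a same-named file shadows the copy in /usr/share/applications. The launcher contents are a constructed sample built around the Chrome command line quoted in the post.

```python
import os
import re
import sys

# Constructed sample launcher, not a file taken from anyone's system.
SAMPLE_DESKTOP = """\
[Desktop Entry]
Type=Application
Name=Google Chrome
Exec=/usr/bin/google-chrome-stable --incognito -start-maximized %U
Actions=new-window;

[Desktop Action new-window]
Name=New Window
Exec=/usr/bin/google-chrome-stable
"""

EXEC_RE = re.compile(r"^(Exec=)(.*)$")


def jail_exec_lines(desktop_text, prefix="firejail"):
    """Prefix every Exec= line with the sandbox command; idempotent on repeated runs."""
    out = []
    for line in desktop_text.splitlines():
        m = EXEC_RE.match(line)
        if m and not m.group(2).lstrip().startswith(prefix + " "):
            line = f"{m.group(1)}{prefix} {m.group(2).lstrip()}"
        out.append(line)
    return "\n".join(out) + "\n"


def install_jailed_copy(src_path, prefix="firejail"):
    """Write a firejailed copy of a system launcher into the user's override directory.

    The system file under /usr/share/applications stays untouched, so a package
    upgrade cannot silently undo the edit; the user copy takes precedence."""
    dst_dir = os.path.expanduser("~/.local/share/applications")
    os.makedirs(dst_dir, exist_ok=True)
    with open(src_path) as f:
        text = f.read()
    dst = os.path.join(dst_dir, os.path.basename(src_path))
    with open(dst, "w") as f:
        f.write(jail_exec_lines(text, prefix))
    return dst


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("wrote", install_jailed_copy(sys.argv[1]))
    else:
        print(jail_exec_lines(SAMPLE_DESKTOP))
```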

Post by mike acker »

Executable Documents

Many modern documents contain macros or scripts -- that have to execute -- in order to produce the desired presentation. Simple examples would include JavaScript in web pages and VBS scripting or macros in office documents; more complex examples could include discussion of Adobe/Flash or other similar widgets that can be fed raw data off the net;

What these documents effect is unpredictable;

One of the current problems is "ransomware"
Ransomware Report

Ransomware is often distributed via e/Mail "Phishing" campaigns; These e/Mails are made to appear to be legitimate messages from known and/or important parties -- but actually contain un-authorized programs -- that run -- or are interpreted -- when the message is opened;

In the case of Ransomware -- the un-authorized program or script* can encrypt the victim's entire hard-drive(s),-- PLUS -- all other accessible network drives;

Paying the ransom is a poor idea: you have no guarantee your data will be decrypted -- or -- even if it is -- that the decrypt will be accurate;

The direction here is to underscore the need for effective security practices -- not just snake oil band-aids;

One of the items we have discussed is the need to authenticate e/Mail messages -- Fred alluded to our discussions of PGP/GPG on this topic;

But, for some time now, I've wondered -- what to do with these executable documents;

Running them in this "firejail" will likely help; particularly if the FireJail will report back any attempts by the suspect document at un-authorized access; While we are thinking about this it is important to remember: hackers are known to test their environments for "honey pot traps" -- i.e. virtual environments -- before launching their evils;

I'm going to continue working with Firejail -- I think it's a huge step in the right direction -- regarding Computer Security: here we can address mis-direction of a script-interpreter -- a step beyond simply preventing execution of an un-authorized binary,-- (which Linux is already pretty good at ) ;

~~~
*script: remember: we all have tools like GPG2 and ZIP -- available on our hard-drives---

Post by Fred Barclay »

mike acker wrote: Running them in this "firejail" will likely help; particularly if the FireJail will report back any attempts by the suspect document at un-authorized access;
It does to a large degree; the profiles for Atril and Xreader both include the tracelog option, so both LMDE Mate and Mint 18 Cinnamon, MATE, and Xfce are covered.
Mike, you're using Cinnamon, right? What is the default pdf reader?


From the firejail man page:
--tracelog
This option enables auditing blacklisted files and directories. A message is sent to syslog in case the file or the directory is accessed.

Example:
$ firejail --tracelog firefox

Sample messages:
$ sudo tail -f /var/log/syslog
[...]
Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
[...]
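An added example (not from this thread or the firejail project) that does the "report back" part Mike asked about on the defender's side: it parses blacklist-violation lines in the format the man page excerpt above shows out of a syslog excerpt, groups them per sandboxed program, and flags any program that touched more than one blacklisted path. The syslog lines embedded below are constructed samples modelled on the man page, not real log output.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt in the --tracelog message format from the man page.
# The xreader and cron lines are made up to show a second sandbox and a non-firejail line.
SAMPLE_SYSLOG = """\
Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
Dec 3 11:47:02 debian firejail[70]: blacklist violation - sandbox 26371, exe xreader, syscall open64, path /home/bill/.gnupg/secring.gpg
Dec 3 11:47:05 debian cron[812]: (root) CMD (run-parts /etc/cron.hourly)
"""

# syslog pads single-digit days with two spaces ("Dec  3"), hence \s+ after the month.
VIOLATION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ firejail\[\d+\]: "
    r"blacklist violation - sandbox (?P<sandbox>\d+), exe (?P<exe>\S+), "
    r"syscall (?P<syscall>\S+), path (?P<path>.+)$"
)


def parse_violations(text):
    """Return one dict per firejail blacklist-violation line; unrelated lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(violations):
    """Count violations per (exe, path) pair for a quick overview of what each jail probed."""
    return Counter((v["exe"], v["path"]) for v in violations)


def flagged_exes(violations, threshold=2):
    """Executables that touched at least `threshold` distinct blacklisted paths."""
    paths = {}
    for v in violations:
        paths.setdefault(v["exe"], set()).add(v["path"])
    return sorted(exe for exe, ps in paths.items() if len(ps) >= threshold)


if __name__ == "__main__":
    vs = parse_violations(SAMPLE_SYSLOG)
    for v in vs:
        print(f"{v['ts']} sandbox={v['sandbox']} exe={v['exe']} {v['syscall']} {v['path']}")
    print("flagged:", flagged_exes(vs))
```

On a live system the same functions can be fed the output of the tail command shown in the man page excerpt.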

Post by mike acker »

thanks, Fred

the default PDF Viewer in LMDE/2 Cinnamon is "Document Viewer":
(screenshot attachment: doc-viewer.png)
.pdf documents are also a known vector -- so -- making certain programs -- especially known vectors -- always run from jail -- makes a lot of sense to me

Post by Fred Barclay »

Oh I see. Isn't "Document Viewer" the generic name? It looks like Evince to me. :)

Evince doesn't use tracelog currently, but this pull request will add it in.


I haven't gone the firecfg route on this computer, but most of my programmes (browsers, pdf readers, video and music players, photo viewers) run in firejail by default.

Post by Cosmo. »

Fred Barclay wrote: Oh I see. Isn't "Document Viewer" the generic name? It looks like Evince to me. :)
Therefore it reads at the bottom: The Evince authors. :wink:

Post by ostracized »

Hey Fred, are you having any issues with VLC and firejail 0.9.42 installed? I had some trouble opening VLC as it wouldn't open, but I symlinked it to firejail as seen in this thread. I'm curious what your code is to open VLC yourself?

Supposedly according to the firejail devs, they backported the security updates to the LTS release of 0.9.38...the Ubuntu repos have the version "0.9.38-1"...the sourceforge page for the LTS version shows version "0.9.38.2" but the modified date is 26 Aug, versus the latest version on 9 Sep so idk...

Post by Fred Barclay »

I just right-click on the file (say "video.mp4"), and say "Open With Other Application", choose "Use a custom command", and type in firejail vlc and then hit Open.
From now on, any mp4's I double-click will be automatically opened in a firejailed vlc. :)

No issues on my end. Personally I'm using firejail 0.9.43 (the current development code) but I have to compile it myself (I've written a script to make this a one-click, two-minute deal). If you want a later version than 0.9.38 then you could always grab 0.9.42 (the latest stable release) from sourceforge. I don't use 0.9.38 since there have been many new features and program support added since that release.

Post by ostracized »

Fred Barclay wrote: From now on, any mp4's I double-click will be automatically opened in a firejailed vlc. :)
What do you mean by that? Did you implement @xenopeek's code in that thread?

Post by ostracized »

Looks like commenting out private-tmp in the default vlc firejail profile works for me.

@Fred: update?

Post by Fred Barclay »

Oh, I'm so sorry! I forgot about this! :oops:

So...
No, I didn't use xeno's tutorial or code.
For anything I want started with firejail, I just prefix the launchers myself.

Example:
For the Pale Moon and Chrome launchers on my panel, I right-click, choose "Properties", and then change the command to begin with "firejail."

For items in the menu, I do much the same.

For opening files with a program (like opening all mp4's with firejailed vlc), I right click on any random mp4, then Open With, then Use a custom command, and then type in "firejail vlc".
From then on all my mp4's will be opened in a firejailed VLC window when I double-click them.

Ditto with other types of files - PDFs are opened with "firejail xreader", mp3s with "firejail xplayer", and so on.