Is my Firejail set up and working correctly?

Post by Leloup »

Hello,

I am trying Firejail.
$ firejail --version
firejail version 0.9.60
Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

Download comes from https://firejail.wordpress.com/download-2/
Installation is made by dpkg -i firejail_0.9.60_1_amd64.deb
Command was $ sudo firejail firefox
then $firejail firefox %u
then $sudo firecfg
then $sudo apparmor_parser -r /etc/apparmor.d/firejail-default
then reboot
Firefox starts with file:///home/ in the control bar. In the page: Index de file:///home/ Directory for Leloup
If you look at /home/Leloup/ with the file explorer, you can see many files of all types. So it looks like a mess.
These are the same files as the file:///home/ ones. Is that correct? Or did I make a mistake somewhere? :?: :?:
Otherwise, Firefox works perfectly. I mean like before Firejail. :D


$ firejail --list
__5025:Leloup::/usr/bin/firejail /usr/bin/firefox
$ firejail --tree
__5025:Leloup::/usr/bin/firejail /usr/bin/firefox
____5026:Leloup::/usr/bin/firejail /usr/bin/firefox
______5035:Leloup::/usr/lib/firefox/firefox
________5130:Leloup::/usr/lib/firefox/firefox -contentproc -.............../usr/lib/firefox/browser 9 true tab
________5217:Leloup::/usr/lib/firefox/firefox -contentproc .................usr/lib/firefox/browser 9 true tab
________5509:Leloup::/usr/lib/firefox/firefox -contentproc ................./usr/lib/firefox/browser 9 true tab
________6356:Leloup::/usr/lib/firefox/firefox -contentproc...................usr/lib/firefox/browser 9 true tab

If I take a look at ps -edf
PID PPID CMD
5025 1432 /usr/bin/firejail /usr/bin/firef
5026 5025 /usr/bin/firejail /usr/bin/firef
5035 5026 /usr/lib/firefox/firefox
12122 1 /usr/bin/firejail /usr/bin/xview
12125 12122 /usr/bin/firejail /usr/bin/xview
12283 12125 /usr/bin/xviewer /home/Leloup/B


When I look at the result of firejail --tree, I see two offset lines with the same content. I feel like I created two sandboxes containing each other. No?
Isn't there a mistake? :?: :?:
Let me know your point of view.

Regards,

Leloup
Last edited by xenopeek on Sat Dec 07, 2019 2:43 pm, edited 1 time in total.
Reason: this isn't a tutorial so moved it here instead; clarified subject

Re: Is my Firejail set up and working correctly?

Post by gittiest personITW »

Hi,
Try and save anything to your documents folder and your home folder.
It might look as if it is saving ok.
Look with a file browser and if you can't see the file you attempted to download then it's looking good.

Re: Is my Firejail set up and working correctly?

Post by Leloup »

Hello gittiest personITW,

I downloaded one piece of music in mp3 and one document in pdf from two different sites. I tried to open them from firefox but that failed. This is not a surprise. Then, I tried to open them from the file browser and that worked. :D The document looks correct :D while music is not so good. In the ear, it seems saturated at times. :?

Regards,

Leloup

Re: Is my Firejail set up and working correctly?

Post by racer-x »

It's not supposed to be able to download to anywhere other than the download folder. It looks like you have a problem with firejail. I generally add the firejail command in the shortcuts to the browsers.

Re: Is my Firejail set up and working correctly?

Post by Leloup »

Hello,

I added Thunderbird:
Leloup@Leloup:~$ sudo firejail --list
7966:Leloup::/usr/bin/firejail /usr/bin/firefox
8479:Leloup::/usr/bin/firejail /usr/bin/thunderbird
Leloup@Leloup:~$ sudo firejail --tree
7966:Leloup::/usr/bin/firejail /usr/bin/firefox
__7967:Leloup::/usr/bin/firejail /usr/bin/firefox
____7981:Leloup::/usr/lib/firefox/firefox
______8044:Leloup::/usr/lib/firefox/firefox.....tab
______8091:Leloup::/usr/lib/firefox/firefox.... tab
______8128:Leloup::/usr/lib/firefox/firefox.....tab
8479:Leloup::/usr/bin/firejail /usr/bin/thunderbird
__8480:Leloup::/usr/bin/firejail /usr/bin/thunderbird
____8489:Leloup::/usr/lib/thunderbird/thunderbird
______9274:Leloup::/usr/bin/gpg --....... --gen-key
At first glance, it seems to work. :D
Are the two applications Firefox and Thunderbird each in a sandbox and independent or are they dependent? :?: :?:
I opened a new message under Thunderbird and navigated with the explorer to search for a file and I saw that I didn't have access to personal folders, OK, but I did have access to system files. :!: That's not normal, is it? If I selected one of these files, Thunderbird crashed. :oops:
Something looks wrong. :?
Did I miss something? Let me know.

Regards,
Leloup

Re: Is my Firejail set up and working correctly?

Post by gittiest personITW »

Hello Leloup.

If you have a shortcut of Firefox on your desktop, right-click it.
In the Command box, copy/paste the following:

firejail firefox %u

That will ensure that Firefox is opened within the protective jacket of Firejail.

Now, do a couple of things......
Firstly, open Firefox (using the shortcut you have just altered) and try to save something (anything - you can right-click on anything in any webpage pretty much and save it to '/Downloads' folder). Save something else on the page to your /Documents folder - or try to.
Now use your file browser (Nemo, Caja, Commander etc) to see if the file has been saved in your /Downloads folder. Now check if the file is present in your /Documents folder.
It shouldn't be in your /Documents folder but should be in your /Downloads folder.

If something is in your /Documents folder, with Firefox still open, go into terminal and type

firejail --tree

Copy/paste the output to here.
If it hasn't saved to your /Documents folder but has to your /Downloads folder, then it is working as it should - come back and tell us either way.
Good luck.

P.S.
Your Thunderbird and Firefox are in their own little sandboxes playing happily.
Do be careful though as it may look as if you have saved a file somewhere else (like /Documents - especially using Thunderbird) but it will only in reality save in /Downloads.

Re: Is my Firejail set up and working correctly?

Post by Leloup »

Hello gittiest personITW,

I opened Firefox using the shortcut I have just altered by the command firejail firefox %u. I downloaded some mp3 files. These files were in the download folder and I did not see any additional file in the document folder. I can copy one of these files then browse in many folders but I couldn't paste it in any of the places I tried. At home/leloup/ I only saw the download folder. I navigated to where the firewall file is but I couldn't open it. :)

That looks OK. No?

Thank you for your help.
Regards,

Leloup

Re: Is my Firejail set up and working correctly?

Post by Leloup »

Hello,

Before, the Firejail tests were with Linux Mint 19 Xfce; now they are with Linux Mint 19.2 Mate. But it's not the same story any more. Installation fails as you see below: :x

$ sudo -i
[sudo] Leloup password :
# firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: noroot option is not available
Parent pid 2708, child pid 2709
The new log directory is /proc/2709/root/var/log ( :?: :?: I don't find it)
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
***
*** Warning: cannot whitelist ${DOWNLOADS} directory
*** Any file saved in this directory will be lost when the sandbox is closed.
***
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,vhangup,vmsplice,
Child process initialized in 185.39 ms
No protocol specified
Unable to init server: Impossible to connect : Refused connexion :oops:
Error: cannot open display: :0

Parent is shutting down, bye...
root@Leloup-VirtualBox:~# firejail --tree

root@Leloup-VirtualBox:~# firejail --list

Do you have any idea what to do to fix this issue? :mrgreen:

Regards,

Leloup

Re: Is my Firejail set up and working correctly?

Post by Leloup »

Hello all,

Some answers:
noroot is not supported for sandboxes started as root (see man firejail). Trying to run firefox as root will get you into all kinds of trouble. Drop the sudo and you should be fine.
I reinstalled firejail
Download comes from https://firejail.wordpress.com/download-2/
disconnect the network
then suppressed the firewall; more precisely, all traffic is allowed.
For example with iptables:
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
Installation is made by dpkg -i firejail_0.9.60_1_amd64.deb (The last version)
To re-enable the Firewall
connect the network
Then $sudo firecfg (This is the list for authorized applications)
then $sudo apparmor_parser -r /etc/apparmor.d/firejail-default
then $firejail firefox %u (or $firejail firefox)
The result is not immediate but by insisting a little it ends up working :D :lol: :roll: :D

Tested with Linux Mint 18.2, 19.2 Mate and Linux Mint 18.3 Cinnamon.

The interesting link in relation to this issue is: https://github.com/netblue30/firejail/issues/3079

Regards,
Leloup
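
An added example, not part of the thread: a shell function that reads `firejail --tree` output and prints one line per sandbox with its owner and the sandboxed program, counting the nested firejail line as part of the same sandbox and flagging sandboxes started as root (where, as the last post notes, noroot is unavailable). The function names, the flag words and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): one summary line per firejail sandbox.
# Input: `firejail --tree` lines of the form PID:user:name:command, indented per
# process level (spaces in real output, underscores as pasted in the thread).

summarize_sandboxes() {
    awk '
    function emit(   flag, prog) {
        if (pid == "") return
        flag = (user == "root") ? "run-as-root" : "ok"
        prog = (app == "") ? "-" : app
        print pid, user, prog, flag
    }
    {
        line = $0
        depth = match(line, /[^ _]/) - 1          # width of the indentation
        sub(/^[ _]+/, "", line)
        n = split(line, f, ":")
        if (n < 4 || f[1] !~ /^[0-9]+$/) next     # skip anything that is not a process line
        cmd = f[4]
        for (i = 5; i <= n; i++) cmd = cmd ":" f[i]   # the command may itself contain ":"
        if (pid == "" || depth <= root) {         # outermost firejail process: new sandbox
            emit(); pid = f[1]; user = f[2]; app = ""; root = depth
        } else if (app == "" && cmd !~ /^[^ ]*firejail( |$)/) {
            split(cmd, w, " "); app = w[1]        # first descendant that is not firejail
        }
    }
    END { emit() }
    '
}

# Constructed sample in the shape of the output posted above (users are made up).
sample_tree() {
    cat <<'EOF'
7966:alice::/usr/bin/firejail /usr/bin/firefox
  7967:alice::/usr/bin/firejail /usr/bin/firefox
    7981:alice::/usr/lib/firefox/firefox
      8044:alice::/usr/lib/firefox/firefox -contentproc tab
9100:root::/usr/bin/firejail /usr/bin/thunderbird
__9101:root::/usr/bin/firejail /usr/bin/thunderbird
____9110:root::/usr/lib/thunderbird/thunderbird
EOF
}

# On a live system: firejail --tree | summarize_sandboxes
sample_tree | summarize_sandboxes
```

Each output line is `PID user program flag`; a program of `-` means no process other than firejail was found under that sandbox.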
