

Firejail .....

14 replies to this topic

#1 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,432 posts

Posted 24 March 2015 - 06:21 AM

This looks very interesting and has an Arch package in the AUR. I am typing this from a firejail firefox.

https://l3net.wordpr...jects/firejail/


Quote

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

https://l3net.wordpr...ozilla-firefox/

Quote

Seccomp is a mechanism to reduce the range of operations available to a given process, by blacklisting specific system calls. It was introduced in Linux kernel 3.5. The filter implemented in Firejail currently disables mounting/unmounting filesystems, loading/unloading kernel modules, system resets and tracing programs using ptrace system call. It also disables all SUID executables. The feature reduces the kernel attack surface.

https://l3net.wordpr...bilities-guide/


Quote

Traditional UNIX implementations distinguish between two categories of processes: privileged and unprivileged. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on effective user and group ids (UID/GID), and supplementary group list.
With the introduction of capabilities in Linux kernel 2.2, this has changed. Capabilities (POSIX 1003.1e) are designed to split up the root privilege into a set of distinct privileges which can be independently enabled or disabled. These are used to restrict what a process running as root can do in the system. For instance, it is possible to deny filesystem mount operations, deny kernel module loading, prevent packet spoofing by denying access to raw sockets, deny altering attributes in the file system.
In this article I describe the Linux capabilities feature of Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, thus restricting what processes can do, and somehow reducing the attack surface of the kernel.

There are quite a few pages of stuff to read and some of the comments are worth a read as well. Of interest is the fact that you can run VLC-without internet access (or similar program) and also isolate programs like the TorBrowser and Dropbox.
I ran a quick comparison opening up FF with a page with video running and it does not seem to use up any more cpu or ram than a normal FF.

:breakfast:

Edited by abarbarian, 24 March 2015 - 02:20 PM.

Install ARCH
You'll never need to install it again
"I did and I'm really happy"


#2 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 23,327 posts

Posted 24 March 2015 - 09:29 AM

Neat stuff, I'll have to check it out.
CNI Radio/G+ Profile/Configs/PGP Key/comhack π

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984

#3 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 23,327 posts

Posted 24 March 2015 - 09:36 AM

This seemed familiar, so I looked around and it seems that Chromium/Chrome already does this but only for the browser.

Posted Image

https://www.reddit.c...firefox/ckwrii0

#4 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 23,327 posts

Posted 24 March 2015 - 09:42 AM

View Postabarbarian, on 24 March 2015 - 06:21 AM, said:

Of interest is the fact that you can run TorBrowser,Dropbox,VLC-without internet access and a host of other programs.

I am kind of confused by this statement..... VLC is a media player that doesn't need internet at all (unless you're trying to stream something) and TorBrowser/Dropbox cannot function without being online as both are located in the cloud.

I use Tor-Browser all the time and the first thing it does is "Connecting to the Tor network". How could it function without connecting to nodes? Perhaps I am just confused as I just woke up B)

#5 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,432 posts

Posted 24 March 2015 - 02:15 PM

You must have been in start up mode when you read the info. :shifty:

My writing was a little confusing I must admit but I was too lazy to write the few extra words needed for clarity.

"VLC-without internet access" should have been separated from the other two programs. For folks like me that do not do streaming or music collection data, ie: album covers etc, there is no need to have a program like VLC to have internet access. So I guess stopping it from being able to go surfing would be a decent security feature if not totally necessary.

Here is a walk through on using DropBox with Firejail.

https://l3net.wordpr...rejail-sandbox/

Quote

To do a quick audit, log into the sandbox using firejail --join. Pass the process id of the sandbox (1549) as a parameter to --join option. This opens a regular bash session inside the sandbox. The session has the same restricted view of the system as dropbox process.
The user home directory inside the sandbox has only dropbox files and configuration (ls -al). The process space (ps aux) is restricted to dropbox processes. Some system directories are empty, others are read-only. Seccomp and Linux capabilities filters restrict kernel’s attack surface. All SUID binaries such as su and sudo are disabled inside the sandbox.

A link for creating your own Firejail program sandbox,

https://l3net.wordpr...ustom-profiles/



Quote

Building Custom Profiles


Several Firejail command line configuration options can be passed to the program using profile files. User-defined profiles are stored in ~/.config/firejail directory. Assuming app_name is the name of command you use to start the application, the steps for building a custom profile are as follows:


And a link for setting up a WordPress installation in a Firejail,

https://www.digitalo...led-environment



Quote


Introduction

When running a web server that is available to the public, striking a balance between making your content accessible and establishing a secure configuration can become difficult. There are many different areas that should be subject to careful scrutiny. One of these is process isolation and visibility.
A project called firejail seeks to assist in this area by providing a lightweight security containerization mechanism that utilizes kernel namespacing to enforce separation policies. This makes the chroot environments extremely lightweight.

In this guide, we will show you how to use firejail in order to isolate processes in their own chroot environment. To demonstrate this with a real example, we'll be setting up two chroot environments, one with an Nginx web server serving WordPress, and the other with a MySQL database that will handle the site data. These two instances will have their own filesystems and installations and will communicate through a bridged network device.


I like the way you can set up different ways to launch FF. The private browsing mode for banking seems like a very good idea even on a linux box.

Quote

Private mode reloaded

According to Mozilla’s Jorge Villalobos:


Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.

He’s talking specifically about extensions published on Mozilla’s addon site. Addons run with full user privileges, and nothing could prevent them from accessing private data, or from sending keystrokes to a third party.
This is where Firejail private mode comes into play. It mounts an empty, temporary filesystem on top of your home directory, basically resetting your browser to factory defaults. No browser addons and no private user files are visible. Data in the temporary home directory is discarded when the browser is closed.
Use this mode when you access your bank account, or for any other private business:


$ firejail --private firefox

For regular everyday browsing, you can replace your home directory with a different one and keep all the modifications when the browsing session is ended. This is how you set it up:


$ cd ~
$ mkdir -p browser-home/Downloads
$ firejail --private=~/browser-home firefox

In this new home you can install addons, extensions, whatever. When transferring files, you would need to copy them in ~/browser-home in order for your browser to see them.



I must say I am impressed with the documentation for this program. The developer seems to be right on top of taking notice in the comments sections and takes up and implements suggestions.
The WordPress guide is one of the best I have read and I am guessing that even a barbarian could follow it and have a successful set up.

All in all it seems a neat and easy way to implement some extra security with little or no overhead cost.

:breakfast:
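The quick audit described in the Dropbox walk-through quoted above can be scripted. The following is an added example, not part of the original post or of the Firejail project: it reads the `Seccomp` and `CapBnd` fields of a `/proc/<pid>/status` file and reports which capabilities behind the operations named in the quotes (mounting, module loading, ptrace, system reset, raw sockets) are still available. The two status excerpts are constructed samples and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: summarise seccomp and capability state from a
# /proc/<pid>/status file, e.g. /proc/self/status inside `firejail --join <pid>`.

# bit:name pairs from linux/capability.h for the operations named in the quotes
CAPS="13:CAP_NET_RAW 16:CAP_SYS_MODULE 19:CAP_SYS_PTRACE 21:CAP_SYS_ADMIN 22:CAP_SYS_BOOT"

# status_field FILE NAME -> value on the "NAME:" line
status_field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# seccomp_mode FILE -> disabled | strict | filter | unknown
seccomp_mode() {
    case "$(status_field "$1" Seccomp)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;   # field missing (old kernel) or unexpected value
    esac
}

# caps_present FILE SET -> names from CAPS whose bit is set in SET (CapEff, CapBnd, ...)
caps_present() {
    hex=$(status_field "$1" "$2")
    [ -n "$hex" ] || return 1
    mask=$((0x$hex))
    out=""
    for entry in $CAPS; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
    done
    echo "${out# }"
}

# Constructed sample excerpts (not captured from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/host.status" <<'EOF'
Name:   firefox
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
Seccomp:        0
EOF
cat > "$tmp/jail.status" <<'EOF'
Name:   firefox
CapEff: 0000000000000000
CapBnd: 0000000000002000
Seccomp:        2
EOF

for f in host jail; do
    printf '%s: seccomp=%s bounding-set=[%s]\n' "$f" \
        "$(seccomp_mode "$tmp/$f.status")" \
        "$(caps_present "$tmp/$f.status" CapBnd)"
done
```

Inside a joined sandbox shell, point the two functions at `/proc/self/status` instead of the sample files.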

#6 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 23,327 posts

Posted 24 March 2015 - 02:22 PM

Awesome, thanks for the info man! :thumbup:

#7 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,432 posts

Posted 24 March 2015 - 05:05 PM

Just tried,

$ firejail --private firefox

and a totally new browser appeared. No bookmarks, or any sign of my main profile, all brand spanking new. It worked just fine with my on-line banking. Do I really need it to protect my 12.5p savings, you bet I do I'm a Tyke an no one is getting their hands on my loot. :Laughing:

Gave "$ firejail vlc" a try and it works just fine.
I do not have pulse set up as I use alsa. On starting the program I got a warning that pulse had failed to start however sound worked ok. Ran four videos and playback was the same as normal so no problems to report. I was going to show the terminal output but it has disappeared well silly me it had not disappeared more sort of camouflaged itself into the border on me desktop. You start firejail in a terminal and it gives output showing what is going on. The terminal stays around for a while and then quietly disappears, keeps your desktop uncluttered at least. :breakfast:

VLC terminal output,

$ firejail vlc
Reading profile /etc/firejail/vlc.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Parent pid 1203, child pid 1204
Interface		 IP				 Mask			 Status			
lo				 127.0.0.1		 255.0.0.0		 UP				
enp0s16			 192.168.1.3		 255.255.255.0	 UP				

Child process initialized
VLC media player 2.2.0 Weatherwax (revision 2.2.0-0-g1349ef2)
[000000000218d458] pulse audio output error: PulseAudio server connection failure: Connection refused
[0000000002082118] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[000000000217c918] core playlist: stopping playback
[00007f8d98d15818] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.
[00007f8d98d15818] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.
[00007f8d98e3b098] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.

Edited by abarbarian, 25 March 2015 - 06:05 AM.


#8 OFFLINE   Capt.Crow

Capt.Crow

    Multithreader

  • Members
  • PipPipPipPipPipPipPipPip
  • 1,237 posts

Posted 24 March 2015 - 06:07 PM

Your 12.5 credit balance has just become a 2pound 50 deficit due to bank charges :hysterical: :hysterical: :hysterical:
Linux counter no . 393441

#9 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,432 posts

Posted 24 March 2015 - 07:50 PM

View PostCapt.Crow, on 24 March 2015 - 06:07 PM, said:

Your 12.5 credit balance has just become a 2pound 50 deficit due to bank charges :hysterical: :hysterical: :hysterical:

I ain't paid a penny in bank charges in over thirty years. :whistling:

#10 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,432 posts

Posted 12 October 2015 - 02:27 PM

Caught up with " firejail " again. Here are some links to a three part run through with some examples of what firejail is and what you can do.

Firejail – A Security Sandbox for Mozilla Firefox, Part 1

Firejail – A Security Sandbox for Mozilla Firefox, Part 2

Firejail – A Security Sandbox for Mozilla Firefox, Part 3

The project page has an explanation on the GUI for firejail which is called " firetools ",

Firejail project

Firetools section,

Firetools is the graphical user interface

The AUR packages for Arch can be found here,

https://aur.archlinu...ckages/firejail

https://aur.archlinu...ages/firetools/

Naturally there are packages for other flavours of linux.

I tried out firetools and it works however it does not play properly with window maker and I do not have the time to sort it at the present. I did make it so that I could run transmission-qt firejailed by adding it to an icon in the dock. So now I can open a firejailed transmission-qt with one click.
Below is a screenshot showing some of the stuff I described above.

Posted Image

:breakfast:

Edited by abarbarian, 12 October 2015 - 02:30 PM.


#11 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 23,327 posts

Posted 12 October 2015 - 05:43 PM

Neat stuff, thanks

#12 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,432 posts

Posted 13 October 2015 - 02:28 PM

View Postsecuritybreach, on 13 October 2015 - 12:51 PM, said:

Posted Image

Breaking News.............wrong thread. :whistling:

#13 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 23,327 posts

Posted 13 October 2015 - 03:18 PM

View Postabarbarian, on 13 October 2015 - 02:28 PM, said:

Breaking News.............wrong thread. :whistling:

Yeah, sorry deleting.

#14 OFFLINE   abarbarian

abarbarian

    Thread Kahuna

  • Forum MVP
  • 5,432 posts

Posted 30 November 2015 - 09:41 AM

I tried to use firejail on my Makulu Mate which is a Debian based os and ran into some glitches.

I could not get firejail to run chrome at all to start with,

~$ firejail chrome

Seems that Makulu does not use chrome but "google-chrome-stable" but that did not work either,

~$ firejail google-chrome-stable

Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 16774, child pid 16775
Warning: --protocol not supported on this platform
Child process initialized
[1:1:1130/132810:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.

parent is shutting down, bye...

nor did

~$ firejail --private google-chrome-stable

Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 16177, child pid 16178
Warning: --protocol not supported on this platform
Child process initialized
[1:1:1130/132447:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.

parent is shutting down, bye...

this seems to keep the terminal active but at a dead end


~$ firejail --private --noprofile google-chrome-stable

Parent pid 16806, child pid 16807
Child process initialized
[35:35:1130/132824:ERROR:sandbox_linux.cc(345)] InitializeSandbox() called with multiple threads in process gpu-process
[1:31:1130/132846:ERROR:channel.cc(300)] RawChannel read error (connection broken)

but this gets me a firejail chrome up and running



~$ firejail --noprofile google-chrome-stable

Parent pid 18253, child pid 18254
Child process initialized
[34:34:1130/133622:ERROR:sandbox_linux.cc(345)] InitializeSandbox() called with multiple threads in process gpu-process

With the above I get a running chrome. Not sure what the "error" is all about but chrome does run and work.

So if you are using firejail and are having problems getting stuff to work then it is worth checking that you have the right name for the program you are trying to start.

:breakfast:

#15 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 23,327 posts

Posted 30 November 2015 - 11:08 AM

That's because chrome (google-chrome-stable) is not one of the built in profiles. The profiles are listed in /etc/firejail and you can copy any of them to ~/.config/firejail to customize.

Posted Image

It looks like you will need to change both /etc/firejail/chromium-browser.profile and /etc/firejail/chromium.profile to reflect the changes.

To do this, just copy both the files to ~/.config/firejail/ and rename them to chrome.profile and chrome-browser.profile if you like. You may need to create the directory.

In ~/.config/firejail/chromium-browser.profile, change this:

Quote

include /etc/firejail/chromium.profile  
to
include ~/.config/firejail/chrome.profile


In ~/.config/firejail/chrome-browser.profile, change these two lines:

Quote

noblacklist ${HOME}/.config/chromium
to
noblacklist ${HOME}/.config/google-chrome

whitelist ~/.config/chromium
to
whitelist ~/.config/google-chrome


I have not attempted this but these are the resources I read through:
https://l3net.wordpr...rejail-profile/
https://wiki.archlin...ex.php/Firejail
https://l3net.wordpr...jail/firejail1/
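The copy-and-edit procedure from the post above, as an added example that is not part of the original thread or of the Firejail project. It assumes Firejail looks up a profile by command name, first in ~/.config/firejail and then in /etc/firejail (the "app_name" wording quoted in post #5), so the copy is named after the launch command; the stock profile content is a constructed stand-in built from lines shown in the thread, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: derive a user-level profile for google-chrome-stable
# from a Chromium profile, working in a scratch directory.

# resolve_profile CMD USER_DIR SYS_DIR -> profile that applies to CMD:
# user directory first, then system directory, else generic.profile
# (the fallback seen in the terminal output of post #14).
resolve_profile() {
    for dir in "$2" "$3"; do
        if [ -f "$dir/$1.profile" ]; then echo "$dir/$1.profile"; return 0; fi
    done
    echo "$3/generic.profile"
}

# derive_profile SRC DEST OLD NEW
# Copy SRC to DEST, rewriting noblacklist/whitelist lines whose path ends in OLD.
# Lines that merely contain OLD (a longer path) are left alone, and an
# existing DEST is never overwritten so hand edits are not lost.
derive_profile() {
    [ -f "$1" ] || { echo "missing source profile: $1" >&2; return 1; }
    [ ! -e "$2" ] || { echo "refusing to overwrite: $2" >&2; return 2; }
    mkdir -p "$(dirname "$2")"
    awk -v old="$3" -v new="$4" '
        ($1 == "noblacklist" || $1 == "whitelist") {
            n = index($0, old)
            if (n && substr($0, n + length(old)) == "")
                $0 = substr($0, 1, n - 1) new
        }
        { print }' "$1" > "$2"
}

# Scratch tree standing in for /etc/firejail and ~/.config/firejail.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
sys="$tmp/etc/firejail"
usr="$tmp/home/.config/firejail"
mkdir -p "$sys"
: > "$sys/generic.profile"
# Constructed stand-in for the stock chromium.profile.
cat > "$sys/chromium.profile" <<'EOF'
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
noblacklist ${HOME}/.config/chromium
whitelist ~/.config/chromium
whitelist ~/.config/chromium-flags.conf
whitelist ~/Downloads
EOF

before=$(resolve_profile google-chrome-stable "$usr" "$sys")
derive_profile "$sys/chromium.profile" "$usr/google-chrome-stable.profile" \
    .config/chromium .config/google-chrome
after=$(resolve_profile google-chrome-stable "$usr" "$sys")

echo "before: $before"
echo "after:  $after"
cat "$after"
```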




