abarbarian
Posted March 24, 2015 (edited)

This looks very interesting and has an Arch package in the AUR. I am typing this from a firejail firefox.

https://l3net.wordpr...jects/firejail/

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

https://l3net.wordpr...ozilla-firefox/

Seccomp is a mechanism to reduce the range of operations available to a given process, by blacklisting specific system calls. It was introduced in Linux kernel 3.5. The filter implemented in Firejail currently disables mounting/unmounting filesystems, loading/unloading kernel modules, system resets and tracing programs using ptrace system call. It also disables all SUID executables. The feature reduces the kernel attack surface.

https://l3net.wordpr...bilities-guide/

Traditional UNIX implementations distinguish between two categories of processes: privileged and unprivileged. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on effective user and group ids (UID/GID), and supplementary group list. With the introduction of capabilities in Linux kernel 2.2, this has changed. Capabilities (POSIX 1003.1e) are designed to split up the root privilege into a set of distinct privileges which can be independently enabled or disabled. These are used to restrict what a process running as root can do in the system.

For instance, it is possible to deny filesystem mount operations, deny kernel module loading, prevent packet spoofing by denying access to raw sockets, deny altering attributes in the file system. In this article I describe the Linux capabilities feature of Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, thus restricting what processes can do, and somehow reducing the attack surface of the kernel.

There are quite a few pages of stuff to read and some of the comments are worth a read as well. Of interest is the fact that you can run VLC without internet access (or similar program) and also isolate programs like the TorBrowser and Dropbox. I ran a quick comparison opening up FF with a page with video running and it does not seem to use up any more cpu or ram than a normal FF.

Edited March 24, 2015 by abarbarian
securitybreach
Posted March 24, 2015

Neat stuff, I'll have to check it out.
securitybreach
Posted March 24, 2015

This seemed familiar, so I looked around and it seems that Chromium/Chrome already does this but only for the browser.

https://www.reddit.c...firefox/ckwrii0
securitybreach
Posted March 24, 2015

"Of interest is the fact that you can run TorBrowser,Dropbox,VLC-without internet access and a host of other programs."

I am kind of confused by this statement..... VLC is a media player that doesn't need internet at all (unless you're trying to stream something) and TorBrowser/Dropbox cannot function without being online as both are located in the cloud. I use Tor-Browser all the time and the first thing it does is "Connecting to the Tor network". How could it function without connecting to nodes? Perhaps I am just confused as I just woke up.
abarbarian
Posted March 24, 2015 (Author)

You must have been in start up mode when you read the info. My writing was a little confusing I must admit, but I was too lazy to write the few extra words needed for clarity. "VLC-without internet access" should have been separated from the other two programs. For folks like me that do not do streaming or music collection data, ie: album covers etc, there is no need for a program like VLC to have internet access. So I guess stopping it from being able to go surfing would be a decent security feature if not totally necessary.

Here is a walk through on using DropBox with Firejail.

https://l3net.wordpress.com/2014/11/18/running-dropbox-in-firejail-sandbox/

To do a quick audit, log into the sandbox using firejail --join. Pass the process id of the sandbox (1549) as a parameter to --join option. This opens a regular bash session inside the sandbox. The session has the same restricted view of the system as dropbox process. The user home directory inside the sandbox has only dropbox files and configuration (ls -al). The process space (ps aux) is restricted to dropbox processes. Some system directories are empty, others are read-only. Seccomp and Linux capabilities filters restrict kernel's attack surface. All SUID binaries such as su and sudo are disabled inside the sandbox.

A link for creating your own Firejail program sandbox,

https://l3net.wordpress.com/projects/firejail/building-custom-profiles/

Building Custom Profiles

Several Firejail command line configuration options can be passed to the program using profile files. User-defined profiles are stored in ~/.config/firejail directory. Assuming app_name is the name of command you use to start the application, the steps for building a custom profile are as follows:

And a link for setting up a WordPress installation in a Firejail,

https://www.digitalocean.com/community/tutorials/how-to-use-firejail-to-set-up-a-wordpress-installation-in-a-jailed-environment

Introduction

When running a web server that is available to the public, striking a balance between making your content accessible and establishing a secure configuration can become difficult. There are many different areas that should be subject to careful scrutiny. One of these is process isolation and visibility. A project called firejail seeks to assist in this area by providing a lightweight security containerization mechanism that utilizes kernel namespacing to enforce separation policies. This makes the chroot environments extremely lightweight. In this guide, we will show you how to use firejail in order to isolate processes in their own chroot environment. To demonstrate this with a real example, we'll be setting up two chroot environments, one with an Nginx web server serving WordPress, and the other with a MySQL database that will handle the site data. These two instances will have their own filesystems and installations and will communicate through a bridged network device.

I like the way you can set up different ways to launch FF. The private browsing mode for banking seems like a very good idea even on a linux box.

Private mode reloaded

According to Mozilla's Jorge Villalobos:

Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.

He's talking specifically about extensions published on Mozilla's addon site. Addons run with full user privileges, and nothing could prevent them from accessing private data, or from sending keystrokes to a third party.

This is where Firejail private mode comes into play. It mounts an empty, temporary filesystem on top of your home directory, basically resetting your browser to factory defaults. No browser addons and no private user files are visible. Data in the temporary home directory is discarded when the browser is closed. Use this mode when you access your bank account, or for any other private business:

    $ firejail --private firefox

For regular everyday browsing, you can replace your home directory with a different one and keep all the modifications when the browsing session is ended. This is how you set it up:

    $ cd ~
    $ mkdir -p browser-home/Downloads
    $ firejail --private=~/browser-home firefox

In this new home you can install addons, extensions, whatever. When transferring files, you would need to copy them in ~/browser-home in order for your browser to see them.

I must say I am impressed with the documentation for this program. The developer seems to be right on top of taking notice in the comments sections and takes up and implements suggestions. The WordPress guide is one of the best I have read and I am guessing that even a barbarian could follow it and have a successful set up. All in all it seems a neat and easy way to implement some extra security with little or no overhead cost.
abarbarian
Posted March 24, 2015 (Author, edited)

Just tried

    $ firejail --private firefox

and a totally new browser appeared. No bookmarks, or any sign of my main profile, all brand spanking new. It worked just fine with my on-line banking. Do I really need it to protect my 12.5p savings? You bet I do, I'm a Tyke and no one is getting their hands on my loot.

Gave "$ firejail vlc" a try and it works just fine. I do not have pulse set up as I use alsa. On starting the program I got a warning that pulse had failed to start, however sound worked ok. Ran four videos and playback was the same as normal so no problems to report.

I was going to show the terminal output but it has disappeared... well, silly me, it had not disappeared, more sort of camouflaged itself into the border on me desktop. You start firejail in a terminal and it gives output showing what is going on. The terminal stays around for a while and then quietly disappears, keeps your desktop uncluttered at least.

VLC terminal output:

    $ firejail vlc
    Reading profile /etc/firejail/vlc.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Parent pid 1203, child pid 1204
    Interface        IP               Mask             Status
    lo               127.0.0.1        255.0.0.0        UP
    enp0s16          192.168.1.3      255.255.255.0    UP
    Child process initialized
    VLC media player 2.2.0 Weatherwax (revision 2.2.0-0-g1349ef2)
    [000000000218d458] pulse audio output error: PulseAudio server connection failure: Connection refused
    [0000000002082118] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
    [000000000217c918] core playlist: stopping playback
    [00007f8d98d15818] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.
    [00007f8d98d15818] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.
    [00007f8d98e3b098] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.

Edited March 25, 2015 by abarbarian
Capt.Crow
Posted March 24, 2015

Your 12.5 credit balance has just become a 2pound 50 deficit due to bank charges :hysterical:
abarbarian
Posted March 24, 2015 (Author)

"Your 12.5 credit balance has just become a 2pound 50 deficit due to bank charges :hysterical:"

I ain't paid a penny in bank charges in over thirty years.
abarbarian
Posted October 12, 2015 (Author, edited)

Caught up with "firejail" again. Here are some links to a three part run through with some examples of what firejail is and what you can do.

Firejail – A Security Sandbox for Mozilla Firefox, Part 1
Firejail – A Security Sandbox for Mozilla Firefox, Part 2
Firejail – A Security Sandbox for Mozilla Firefox, Part 3

The project page has an explanation on the GUI for firejail which is called "firetools",

Firejail project Firetools section, Firetools is the graphical user interface

The AUR packages for Arch can be found here,

https://aur.archlinu...ckages/firejail
https://aur.archlinu...ages/firetools/

Naturally there are packages for other flavours of linux.

I tried out firetools and it works, however it does not play properly with window maker and I do not have the time to sort it at the present. I did make it so that I could run transmission-qt firejailed by adding it to an icon in the dock. So now I can open a firejailed transmission-qt with one click.

Below is a screenshot showing some of the stuff I described above.

Edited October 12, 2015 by abarbarian
abarbarian
Posted October 13, 2015 (Author)

Breaking News.............wrong thread.
securitybreach
Posted October 13, 2015

"Breaking News.............wrong thread."

Yeah, sorry deleting.
abarbarian
Posted November 30, 2015 (Author)

I tried to use firejail on my Makulu Mate which is a Debian based os and ran into some glitches. I could not get firejail to run chrome at all to start with,

    ~$ firejail chrome

Seems that Makulu does not use chrome but "google-chrome-stable", but that did not work either,

    ~$ firejail google-chrome-stable
    Reading profile /etc/firejail/generic.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    ** Note: you can use --noprofile to disable generic.profile **
    Parent pid 16774, child pid 16775
    Warning: --protocol not supported on this platform
    Child process initialized
    [1:1:1130/132810:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
    parent is shutting down, bye...

nor did

    ~$ firejail --private google-chrome-stable
    Reading profile /etc/firejail/generic.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    ** Note: you can use --noprofile to disable generic.profile **
    Parent pid 16177, child pid 16178
    Warning: --protocol not supported on this platform
    Child process initialized
    [1:1:1130/132447:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
    parent is shutting down, bye...

This seems to keep the terminal active but at a dead end:

    ~$ firejail --private --noprofile google-chrome-stable
    Parent pid 16806, child pid 16807
    Child process initialized
    [35:35:1130/132824:ERROR:sandbox_linux.cc(345)] InitializeSandbox() called with multiple threads in process gpu-process
    [1:31:1130/132846:ERROR:channel.cc(300)] RawChannel read error (connection broken)

but this gets me a firejail chrome up and running:

    ~$ firejail --noprofile google-chrome-stable
    Parent pid 18253, child pid 18254
    Child process initialized
    [34:34:1130/133622:ERROR:sandbox_linux.cc(345)] InitializeSandbox() called with multiple threads in process gpu-process

With the above I get a running chrome. Not sure what the "error" is all about but chrome does run and work.

So if you are using firejail and are having problems getting stuff to work then it is worth checking that you have the right name for the program you are trying to start.
securitybreach
Posted November 30, 2015

That's because chrome (google-chrome-stable) is not one of the built-in profiles. The profiles are listed in /etc/firejail and you can copy any of them to ~/.config/firejail to customize. It looks like you will need to change both /etc/firejail/chromium-browser.profile and /etc/firejail/chromium.profile to reflect the changes. To do this, just copy both the files to ~/.config/firejail/ and rename them to chrome.profile and chrome-browser.profile if you like. You may need to create the directory.

In ~/.config/firejail/chromium-browser.profile, change this:

    include /etc/firejail/chromium.profile

to

    include ~/.config/firejail/chrome.profile

In ~/.config/firejail/chrome-browser.profile, change these two lines:

    noblacklist ${HOME}/.config/chromium

to

    noblacklist ${HOME}/.config/google-chrome

and

    whitelist ~/.config/chromium

to

    whitelist ~/.config/google-chrome

I have not attempted this but these are the resources I read through:

https://l3net.wordpr...rejail-profile/
https://wiki.archlin...ex.php/Firejail
https://l3net.wordpr...jail/firejail1/
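The procedure in the post above (copy the two chromium profiles into ~/.config/firejail, rewrite the include line and the .config paths) as an added shell example; it is not code from this thread or from the Firejail project. It generalises the post's single case: the stock profile name, the command name and the two config-directory names are parameters, it also rewrites any .cache path, and the derived profile is named after the exact command handed to firejail (the earlier point in the thread about getting the program name right), on the assumption that firejail looks for ~/.config/firejail/<command>.profile before /etc/firejail/<command>.profile. The profile text it works on is a constructed stand-in for /etc/firejail so the script runs without Firejail installed; the real directories are shown in the comment at the end.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Firejail project.
# Derives a user profile for one browser from the stock profile of another
# by rewriting the paths that refer to the browser's own config/cache dirs.
set -u

# derive_profile SRC_DIR DST_DIR SRC_APP SRC_CONF DST_CMD DST_CONF
#   SRC_DIR  directory with the stock profiles (normally /etc/firejail)
#   DST_DIR  user profile directory (normally ~/.config/firejail)
#   SRC_APP  stock profile base name, e.g. chromium
#   SRC_CONF config dir name used in the stock profile, e.g. chromium
#   DST_CMD  command you will give firejail, e.g. google-chrome-stable
#   DST_CONF config dir name of the target browser, e.g. google-chrome
derive_profile() {
    src_dir=$1 dst_dir=$2 src_app=$3 src_conf=$4 dst_cmd=$5 dst_conf=$6
    [ -f "$src_dir/$src_app.profile" ] || { echo "no $src_app.profile in $src_dir" >&2; return 1; }
    mkdir -p "$dst_dir"
    # Main profile: keep every rule, but point noblacklist/whitelist entries
    # at the target browser's config and cache directories.  Two patterns per
    # directory (end of line, or followed by a slash) so that a name such as
    # .config/chromium-flags.conf is left alone; plain POSIX sed, no \b.
    sed -e "s|\.config/$src_conf\$|.config/$dst_conf|" \
        -e "s|\.config/$src_conf/|.config/$dst_conf/|g" \
        -e "s|\.cache/$src_conf\$|.cache/$dst_conf|" \
        -e "s|\.cache/$src_conf/|.cache/$dst_conf/|g" \
        "$src_dir/$src_app.profile" > "$dst_dir/$dst_cmd.profile"
    # Wrapper profile (if the stock one has it): rewrite its include so it
    # pulls the derived profile from the user directory, not the stock one.
    if [ -f "$src_dir/$src_app-browser.profile" ]; then
        sed -e "s|^include .*$src_app\.profile\$|include $dst_dir/$dst_cmd.profile|" \
            "$src_dir/$src_app-browser.profile" > "$dst_dir/$dst_cmd-browser.profile"
    fi
}

# Constructed stand-in for /etc/firejail: a small subset of the kind of rules
# a chromium.profile carries, not the project's real file.
make_sample_profiles() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/chromium.profile" <<'EOF'
# Firejail profile for Chromium (constructed sample)
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.cache/chromium
include /etc/firejail/disable-common.inc
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/Downloads
caps.drop all
seccomp
EOF
    cat > "$dir/chromium-browser.profile" <<'EOF'
# Wrapper profile (constructed sample)
include /etc/firejail/chromium.profile
EOF
}

# Demo run against the constructed sample in a scratch directory.
work=$(mktemp -d)
make_sample_profiles "$work/etc"
derive_profile "$work/etc" "$work/user" chromium chromium google-chrome-stable google-chrome
echo "--- $work/user/google-chrome-stable.profile"
cat "$work/user/google-chrome-stable.profile"
echo "--- $work/user/google-chrome-stable-browser.profile"
cat "$work/user/google-chrome-stable-browser.profile"

# With the real directories the call would be:
#   derive_profile /etc/firejail ~/.config/firejail chromium chromium google-chrome-stable google-chrome
# after which "firejail google-chrome-stable" should pick up
# ~/.config/firejail/google-chrome-stable.profile instead of generic.profile.
```

Before trusting the derived profile, check it the way the Dropbox walkthrough earlier in the thread does: start the browser under it, then `firejail --join` the sandbox and confirm with `ls -al` that the home directory shows only the whitelisted google-chrome directories.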
abarbarian
Posted June 28, 2019 (Author, edited)

I revisited the Firejail site and found that they have moved to a new WordPress site. This new site contains more useful information on firejail and its use. This is just part of the excellent section on FireFox set up and use.

Firefox Sandboxing Guide

High security browser setup

Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is you trust the site, but you don't trust the addons and plugins installed in your browser. Use --private Firejail option to start with a factory default browser configuration, and an empty home directory. Also, you would need to take care of your DNS setting – current home routers are ridiculously insecure, and the easiest attack is to reconfigure DNS, and redirect the traffic to a fake bank website. Use --dns Firejail option to specify a DNS configuration for your sandbox:

    $ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox -no-remote

The two DNS servers above belong to Google, and at least one national security agency has access to logging information. Don't use them for anything else than banking. We also add -no-remote so we don't end up by mistake in an already running "entertainment" browser.

The above set up is the one that I use for banking. I created a three letter alias and run from a new terminal; banking done, I shut down the terminal.

Just make sure you take note of this,

Note: by default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process.

Here is a handy tip I found whilst reading through the site,

You can always check if your application was sandboxed by running "firejail --list" in a terminal. Or you can keep a terminal running "firejail --top" to track your sandboxes.

Monitoring sandboxes with "firejail --top"

Edited June 28, 2019 by abarbarian
securitybreach
Posted June 28, 2019

It's also in the normal Archlinux repos now.
abarbarian
Posted June 29, 2019 (Author)

"It's also in the normal Archlinux repos now."

That is neat as it was an AUR item. Arch has a pretty good wiki page for Firejail.

https://wiki.archlinux.org/index.php/Firejail
abarbarian
Posted July 21, 2019 (Author)

I was sure that I had started a thread about ZIM but it seems I have not. Just wanted to show how useful a program it is for forgetful folk like meself. I have created a Zim notebook called ArchWay that has an alphabetical menu running down the right hand side. So here is my ZIM entry for Firejail in my ArchWay notebook.

I find Zim to be a most useful program. I like the way it automatically creates links, saves on shutdown, the coloured highlighting, the way you can link to other relevant pages, image inclusion etc etc.
securitybreach
Posted July 21, 2019

Neat stuff. I've never used Zim but I may give it a shot.
sunrat
Posted July 21, 2019

I'm sure we had a thread about Zim before. Maybe the forum doesn't like searching for 3 letter words. I've used it for years and find it invaluable.
abarbarian
Posted July 21, 2019 (Author)

"I'm sure we had a thread about Zim before. Maybe the forum doesn't like searching for 3 letter words. I've used it for years and find it invaluable."

I remember you saying that you were a long time zim user sometime ago. Possibly zim got mention in a thread concerning something other than zim, as here.

I chanced across using zim as a web site creator in the wiki. Here is a rather neat and simple example,

http://vegetationmap4africa.org/Vegetation_map.html

here is the wiki page,

https://github.com/jaap-karssenberg/zim-wiki/wiki/Templates

I may have to investigate further.
securitybreach
Posted July 21, 2019

"remember you saying that you were a long time zim user sometime ago. Possibly zim got mention in a thread concerning something other than zim, as here."

Nah, you're thinking of zsh:

https://ohmyz.sh/
https://www.zsh.org/
sunrat
Posted July 21, 2019

Zim's own website was written in Zim. https://zim-wiki.org/
abarbarian
Posted July 22, 2019 (Author, edited)

"remember you saying that you were a long time zim user sometime ago. Possibly zim got mention in a thread concerning something other than zim, as here."

"Nah, you're thinking of zsh: https://ohmyz.sh/ https://www.zsh.org/"

Nope I ain't. I never ever think of zsh, fish maybe but never zsh. I definitely remember sunrat posting that he was a zim fan. Can not find where, as the site does not seem to want to find "zim" or "Zim" or "ZIM".

"Zim's own website was written in Zim. https://zim-wiki.org/"

Neat.

Edited July 22, 2019 by abarbarian
abarbarian
Posted August 23, 2020 (Author, edited)

Simple application sandboxing using AppArmor and Firejail

Security is one of the most important and overlooked aspects of modern computing. We tend to let the default security configurations do the work, or on Windows, we simply install some anti-virus and be done with it. However, applications are increasingly privileged and we find ourselves running programs that could represent a security vulnerability to our systems and, more importantly, to our information. Sandboxing allows us to limit what each application can see and what it can access, as well as what it can do in your system. Clearly not all applications need sandboxing, for example, your text editor probably isn't a security vulnerability. Regardless, applications like browsers are the source of many security vulnerabilities, even though they already do some sandboxing themselves. In this post, we will use a very simple sandboxing method using Firejail and AppArmor on Linux.

I particularly like the part of the article detailing Firejail use with a separate x server.

Edited August 23, 2020 by abarbarian