abarbarian
Posted March 24, 2015 (edited)

This looks very interesting and has an Arch package in the AUR. I am typing this from a firejail firefox.

https://l3net.wordpr...jects/firejail/

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

https://l3net.wordpr...ozilla-firefox/

Seccomp is a mechanism to reduce the range of operations available to a given process, by blacklisting specific system calls. It was introduced in Linux kernel 3.5. The filter implemented in Firejail currently disables mounting/unmounting filesystems, loading/unloading kernel modules, system resets and tracing programs using ptrace system call. It also disables all SUID executables. The feature reduces the kernel attack surface.

https://l3net.wordpr...bilities-guide/

Traditional UNIX implementations distinguish between two categories of processes: privileged and unprivileged. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on effective user and group ids (UID/GID), and supplementary group list. With the introduction of capabilities in Linux kernel 2.2, this has changed. Capabilities (POSIX 1003.1e) are designed to split up the root privilege into a set of distinct privileges which can be independently enabled or disabled. These are used to restrict what a process running as root can do in the system.

For instance, it is possible to deny filesystem mount operations, deny kernel module loading, prevent packet spoofing by denying access to raw sockets, deny altering attributes in the file system. In this article I describe the Linux capabilities feature of Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, thus restricting what processes can do, and somehow reducing the attack surface of the kernel.

There are quite a few pages of stuff to read and some of the comments are worth a read as well. Of interest is the fact that you can run VLC without internet access (or a similar program) and also isolate programs like the TorBrowser and Dropbox. I ran a quick comparison opening up FF with a page with video running and it does not seem to use up any more cpu or ram than a normal FF.

Edited March 24, 2015 by abarbarian
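The seccomp filter quoted above (mounting/unmounting, module loading/unloading, system reset and ptrace refused, everything else allowed) as an added C example; this is not firejail's own code, it assumes x86-64 syscall numbers, and it uses only the prctl(2) seccomp interface that unprivileged processes can reach:

```c
// Added example (not firejail's code): a seccomp-bpf filter of the kind the post
// quotes. Denied calls fail with EPERM; all other syscalls pass. Assumes x86-64.
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define ARCH_NR AUDIT_ARCH_X86_64   /* assumption: x86-64 syscall numbering */
#define DENY (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

static struct sock_filter prog[] = {
    /* Syscall numbers are per-ABI: kill anything not running the expected one. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Load the syscall number; a match jumps forward to the DENY return. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 5, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_init_module, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_delete_module, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_reboot, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define PROG_LEN (sizeof prog / sizeof prog[0])

/* Evaluator for the LD/JEQ/RET subset used above: lets the policy be checked
 * for a given (arch, nr) pair without loading it into the live process. */
static unsigned evaluate(unsigned arch, int nr) {
    unsigned a = 0;
    for (size_t pc = 0; pc < PROG_LEN; pc++) {
        switch (BPF_CLASS(prog[pc].code)) {
        case BPF_LD:  a = prog[pc].k == offsetof(struct seccomp_data, nr) ? (unsigned)nr : arch; break;
        case BPF_JMP: pc += (a == prog[pc].k) ? prog[pc].jt : prog[pc].jf; break;
        case BPF_RET: return prog[pc].k;
        }
    }
    return SECCOMP_RET_KILL;   /* fell off the end: treat as a broken filter */
}

/* Load the filter. PR_SET_NO_NEW_PRIVS lets an unprivileged process install it (and
 * is what stops SUID binaries regaining privilege); it is then irreversible and inherited. */
static int install_filter(void) {
    struct sock_fprog fp = { .len = (unsigned short)PROG_LEN, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
```

Call install_filter() before exec'ing the confined program; after that a ptrace(2) or mount(2) attempt from the process or any of its children returns -1 with errno EPERM.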