
Posted (edited)

This looks very interesting and has an Arch package in the AUR. I am typing this from a firejail firefox.

 

https://l3net.wordpr...jects/firejail/

 

 

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

 

https://l3net.wordpr...ozilla-firefox/

 

Seccomp is a mechanism to reduce the range of operations available to a given process, by blacklisting specific system calls. It was introduced in Linux kernel 3.5. The filter implemented in Firejail currently disables mounting/unmounting filesystems, loading/unloading kernel modules, system resets and tracing programs using ptrace system call. It also disables all SUID executables. The feature reduces the kernel attack surface.

 

https://l3net.wordpr...bilities-guide/

 

 

Traditional UNIX implementations distinguish between two categories of processes: privileged and unprivileged. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on effective user and group ids (UID/GID), and supplementary group list.

With the introduction of capabilities in Linux kernel 2.2, this has changed. Capabilities (POSIX 1003.1e) are designed to split up the root privilege into a set of distinct privileges which can be independently enabled or disabled. These are used to restrict what a process running as root can do in the system. For instance, it is possible to deny filesystem mount operations, deny kernel module loading, prevent packet spoofing by denying access to raw sockets, deny altering attributes in the file system.

In this article I describe the Linux capabilities feature of Firejail security sandbox. Firejail allows the user to start programs with a specified set of capabilities. The set is applied to all processes running inside the sandbox, thus restricting what processes can do, and somehow reducing the attack surface of the kernel.

 

There are quite a few pages of stuff to read and some of the comments are worth a read as well. Of interest is the fact that you can run VLC-without internet access (or similar program) and also isolate programs like the TorBrowser and Dropbox.

I ran a quick comparison opening up FF with a page with video running and it does not seem to use up any more cpu or ram than a normal FF.

 

:breakfast:

Edited by abarbarian
  • Like 4
securitybreach
Posted

Neat stuff, I'll have to check it out.

securitybreach
Posted

Of interest is the fact that you can run TorBrowser, Dropbox, VLC-without internet access and a host of other programs.

 

I am kind of confused by this statement..... VLC is a media player that doesn't need internet at all (unless you're trying to stream something) and TorBrowser/Dropbox cannot function without being online as both are located in the cloud.

 

I use Tor-Browser all the time and the first thing it does is "Connecting to the Tor network". How could it function without connecting to nodes? Perhaps I am just confused as I just woke up B)

Posted

You must have been in start up mode when you read the info. :shifty:

 

My writing was a little confusing, I must admit, but I was too lazy to write the few extra words needed for clarity.

 

"VLC-without internet access" should have been separated from the other two programs. For folks like me that do not do streaming or music collection data, ie: album covers etc, there is no need to have a program like VLC to have internet access. So I guess stopping it from being able to go surfing would be a decent security feature if not totally necessary.

 

Here is a walk through on using DropBox with Firejail.

 

https://l3net.wordpress.com/2014/11/18/running-dropbox-in-firejail-sandbox/

 

To do a quick audit, log into the sandbox using firejail --join. Pass the process id of the sandbox (1549) as a parameter to the --join option. This opens a regular bash session inside the sandbox. The session has the same restricted view of the system as the dropbox process.

The user home directory inside the sandbox has only dropbox files and configuration (ls -al). The process space (ps aux) is restricted to dropbox processes. Some system directories are empty, others are read-only. Seccomp and Linux capabilities filters restrict the kernel's attack surface. All SUID binaries such as su and sudo are disabled inside the sandbox.

 

A link for creating your own Firejail program sandbox,

 

https://l3net.wordpress.com/projects/firejail/building-custom-profiles/

 

 

Building Custom Profiles

 

 

Several Firejail command line configuration options can be passed to the program using profile files. User-defined profiles are stored in ~/.config/firejail directory. Assuming app_name is the name of command you use to start the application, the steps for building a custom profile are as follows:

 

 

And a link for setting up a WordPress installation in a Firejail,

 

https://www.digitalocean.com/community/tutorials/how-to-use-firejail-to-set-up-a-wordpress-installation-in-a-jailed-environment

 

 

 

Introduction

 

When running a web server that is available to the public, striking a balance between making your content accessible and establishing a secure configuration can become difficult. There are many different areas that should be subject to careful scrutiny. One of these is process isolation and visibility.

A project called firejail seeks to assist in this area by providing a lightweight security containerization mechanism that utilizes kernel namespacing to enforce separation policies. This makes the chroot environments extremely lightweight.

 

In this guide, we will show you how to use firejail in order to isolate processes in their own chroot environment. To demonstrate this with a real example, we'll be setting up two chroot environments, one with an Nginx web server serving WordPress, and the other with a MySQL database that will handle the site data. These two instances will have their own filesystems and installations and will communicate through a bridged network device.

 

 

I like the way you can set up different ways to launch FF. The private browsing mode for banking seems like a very good idea even on a linux box.

 

Private mode reloaded

 

According to Mozilla’s Jorge Villalobos:

Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.

He’s talking specifically about extensions published on Mozilla’s addon site. Addons run with full user privileges, and nothing could prevent them from accessing private data, or from sending keystrokes to a third party.

This is where Firejail private mode comes into play. It mounts an empty, temporary filesystem on top of your home directory, basically resetting your browser to factory defaults. No browser addons and no private user files are visible. Data in the temporary home directory is discarded when the browser is closed.

Use this mode when you access your bank account, or for any other private business:

$ firejail --private firefox

For regular everyday browsing, you can replace your home directory with a different one and keep all the modifications when the browsing session is ended. This is how you set it up:

$ cd ~

$ mkdir -p browser-home/Downloads

$ firejail --private=~/browser-home firefox

In this new home you can install addons, extensions, whatever. When transferring files, you would need to copy them in ~/browser-home in order for your browser to see them.

 

 

I must say I am impressed with the documentation for this program. The developer seems to be right on top of taking notice in the comments sections and takes up and implements suggestions.

The WordPress guide is one of the best I have read and I am guessing that even a barbarian could follow it and have a successful set up.

 

All in all it seems a neat and easy way to implement some extra security with little or no overhead cost.

 

:breakfast:

  • Like 1
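The quick audit described in the Dropbox write-up above (join the sandbox, then look at what the process can see and do) can be made repeatable. The script below is an added example, not code from the blog post or from the Firejail project: it reads the kernel's own record of a process in /proc/<pid>/status, so it works either from a shell opened with firejail --join or from outside the sandbox using the child pid that Firejail prints at startup. The sample status file it builds is constructed for the example; the field names are the kernel's, the values are not captured from a real Firejail sandbox.

```shell
#!/bin/sh
# Added example, not code from the blog post or the Firejail project: audit a
# process through /proc/<pid>/status. Works for the current shell (inside a
# "firejail --join <pid>" session) or for any pid you can read, such as the
# child pid Firejail prints at startup ("Parent pid 1203, child pid 1204").

# Resolve an argument to a status file: empty = current process, a number = pid,
# an absolute path = a saved or constructed status file.
status_file() {
    case "$1" in
        "") echo /proc/self/status ;;
        /*) echo "$1" ;;
        *)  echo "/proc/$1/status" ;;
    esac
}

# Seccomp: 0 = disabled, 1 = strict, 2 = filter (a seccomp-bpf program is loaded).
seccomp_mode() {
    awk '/^Seccomp:/ {print $2}' "$(status_file "$1")"
}

# NoNewPrivs: 1 means execve() can no longer raise privileges, so SUID binaries
# like su and sudo run with the caller's own uid.
no_new_privs() {
    awk '/^NoNewPrivs:/ {print $2}' "$(status_file "$1")"
}

# CapBnd: capability bounding set as a hex mask; all zeros means neither this
# process nor its descendants can ever gain a capability.
cap_bounding_set() {
    awk '/^CapBnd:/ {print $2}' "$(status_file "$1")"
}

# True when a seccomp filter is loaded and no_new_privs is set.
is_restricted() {
    [ "$(seccomp_mode "$1")" = "2" ] && [ "$(no_new_privs "$1")" = "1" ]
}

# True when the bounding set is present and all zeros (stripping the leading
# zeros leaves nothing). A missing field on an old kernel is not "dropped".
caps_all_dropped() {
    mask=$(cap_bounding_set "$1")
    [ -n "$mask" ] && [ -z "$(printf '%s' "$mask" | sed 's/^0*//')" ]
}

# One-line report for a pid, a status file, or the current process.
sandbox_summary() {
    restricted=no; caps=kept
    is_restricted "$1" && restricted=yes
    caps_all_dropped "$1" && caps=dropped
    printf 'seccomp=%s no_new_privs=%s cap_bnd=%s restricted=%s caps=%s\n' \
        "$(seccomp_mode "$1")" "$(no_new_privs "$1")" "$(cap_bounding_set "$1")" \
        "$restricted" "$caps"
}

# Constructed sample of a tightly restricted child (values chosen for this
# example, not captured from a real Firejail sandbox).
SAMPLE_STATUS=$(mktemp)
trap 'rm -f "$SAMPLE_STATUS"' EXIT
printf 'Name:\tfirefox\nPid:\t1204\nCapBnd:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$SAMPLE_STATUS"

sandbox_summary                   # the shell running this script, usually unrestricted
sandbox_summary "$SAMPLE_STATUS"  # the constructed sandbox child
```

Run sandbox_summary with no argument from a normal shell first to see the unrestricted baseline (seccomp=0, no_new_privs=0, a non-zero bounding set), then with the child pid of a sandbox. Seccomp 2 confirms a seccomp-bpf filter is loaded and NoNewPrivs 1 confirms that SUID binaries cannot hand out privilege, which is what the write-up above means by su and sudo being disabled; CapBnd only reads all zeros when the sandbox was started with every capability dropped, so a non-zero mask there is not by itself a problem, it tells you which capabilities the profile still allows.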
securitybreach
Posted

Awesome, thanks for the info man! :thumbup:

Posted (edited)

Just tried,

 

$ firejail --private firefox

 

and a totally new browser appeared. No bookmarks, or any sign of my main profile, all brand spanking new. It worked just fine with my on-line banking. Do I really need it to protect my 12.5p savings? You bet I do, I'm a Tyke and no one is getting their hands on my loot. :Laughing:

 

Gave "$ firejail vlc" a try and it works just fine.

I do not have pulse set up as I use alsa. On starting the program I got a warning that pulse had failed to start, however sound worked ok. Ran four videos and playback was the same as normal so no problems to report. I was going to show the terminal output but it has disappeared... well, silly me, it had not disappeared, more sort of camouflaged itself into the border on me desktop. You start firejail in a terminal and it gives output showing what is going on. The terminal stays around for a while and then quietly disappears, keeps your desktop uncluttered at least. :breakfast:

 

VLC terminal output,

 

$ firejail vlc
Reading profile /etc/firejail/vlc.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Parent pid 1203, child pid 1204
Interface		 IP				 Mask			 Status			
lo				 127.0.0.1		 255.0.0.0		 UP				
enp0s16			 192.168.1.3		 255.255.255.0	 UP				

Child process initialized
VLC media player 2.2.0 Weatherwax (revision 2.2.0-0-g1349ef2)
[000000000218d458] pulse audio output error: PulseAudio server connection failure: Connection refused
[0000000002082118] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[000000000217c918] core playlist: stopping playback
[00007f8d98d15818] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.
[00007f8d98d15818] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.
[00007f8d98e3b098] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 346.47 Thu Feb 19 18:12:33 PST 2015 for hardware decoding.

Edited by abarbarian
  • Like 1
Posted

Your 12.5 credit balance has just become a 2pound 50 deficit due to bank charges :hysterical: :hysterical: :hysterical:

Posted

Your 12.5 credit balance has just become a 2pound 50 deficit due to bank charges :hysterical: :hysterical: :hysterical:

 

I ain't paid a penny in bank charges in over thirty years. :whistling:

  • Like 1
  • 6 months later...
Posted (edited)

Caught up with "firejail" again. Here are some links to a three-part run through with some examples of what firejail is and what you can do.

 

Firejail – A Security Sandbox for Mozilla Firefox, Part 1

 

Firejail – A Security Sandbox for Mozilla Firefox, Part 2

 

Firejail – A Security Sandbox for Mozilla Firefox, Part 3

 

The project page has an explanation of the GUI for firejail, which is called "firetools",

 

Firejail project

 

Firetools section,

 

Firetools is the graphical user interface

 

The AUR packages for Arch can be found here,

 

https://aur.archlinu...ckages/firejail

 

https://aur.archlinu...ages/firetools/

 

Naturally there are packages for other flavours of linux.

 

I tried out firetools and it works, however it does not play properly with Window Maker and I do not have the time to sort it at the present. I did make it so that I could run transmission-qt firejailed by adding it to an icon in the dock. So now I can open a firejailed transmission-qt with one click.

Below is a screenshot showing some of the stuff I described above.

 

bhRhgHF.png

 

:breakfast:

Edited by abarbarian
  • Like 2
Posted

Prpjqea.jpg

 

Breaking News.............wrong thread. :whistling:

securitybreach
Posted

Breaking News.............wrong thread. :whistling:

 

Yeah, sorry deleting.

  • 1 month later...
Posted

I tried to use firejail on my Makulu Mate which is a Debian based os and ran into some glitches.

 

I could not get firejail to run chrome at all to start with,

 

~$ firejail chrome

 

Seems that Makulu does not use "chrome" but "google-chrome-stable", but that did not work either,

 

~$ firejail google-chrome-stable

Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 16774, child pid 16775
Warning: --protocol not supported on this platform
Child process initialized
[1:1:1130/132810:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.

parent is shutting down, bye...

 

nor did

 

~$ firejail --private google-chrome-stable

Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 16177, child pid 16178
Warning: --protocol not supported on this platform
Child process initialized
[1:1:1130/132447:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.

parent is shutting down, bye...

 

this seems to keep the terminal active but at a dead end

 


~$ firejail --private --noprofile google-chrome-stable

Parent pid 16806, child pid 16807
Child process initialized
[35:35:1130/132824:ERROR:sandbox_linux.cc(345)] InitializeSandbox() called with multiple threads in process gpu-process
[1:31:1130/132846:ERROR:channel.cc(300)] RawChannel read error (connection broken)

 

but this gets me a firejail chrome up and running

 

 


~$ firejail --noprofile google-chrome-stable

Parent pid 18253, child pid 18254
Child process initialized
[34:34:1130/133622:ERROR:sandbox_linux.cc(345)] InitializeSandbox() called with multiple threads in process gpu-process

 

With the above I get a running chrome. Not sure what the "error" is all about but chrome does run and work.

 

So if you are using firejail and are having problems getting stuff to work then it is worth checking that you have the right name for the program you are trying to start.

 

:breakfast:

securitybreach
Posted

That's because chrome (google-chrome-stable) is not one of the built in profiles. The profiles are listed in /etc/firejail and you can copy any of them to ~/.config/firejail to customize.

 

Zlrzgbi.png

 

It looks like you will need to change both /etc/firejail/chromium-browser.profile and /etc/firejail/chromium.profile to reflect the changes.

 

To do this, just copy both the files to ~/.config/firejail/ and rename them to chrome.profile and chrome-browser.profile if you like. You may need to create the directory.

 

In ~/.config/firejail/chromium-browser.profile, change this:

include /etc/firejail/chromium.profile

to

include ~/.config/firejail/chrome.profile

 

In ~/.config/firejail/chrome-browser.profile, change these two lines:

noblacklist ${HOME}/.config/chromium

to

noblacklist ${HOME}/.config/google-chrome

 

whitelist ~/.config/chromium

to

whitelist ~/.config/google-chrome

 

I have not attempted this but these are the resources I read through:

https://l3net.wordpr...rejail-profile/

https://wiki.archlin...ex.php/Firejail

https://l3net.wordpr...jail/firejail1/
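The profile recipe in the post above, carried out by a script, as an added example (not securitybreach's or the Firejail project's code): a shell function copies the two stock Chromium profiles into the user profile directory under the names the post suggests, points the include at the user copy, and rewrites the noblacklist/whitelist paths from chromium to google-chrome. It goes slightly beyond the post by also rewriting ~/.cache/chromium entries, which the stock profiles carry next to the ~/.config/chromium ones. The two "stock" profiles it processes here are constructed stand-ins written to a temporary directory so the script runs anywhere; for real use point src at /etc/firejail and dest at ~/.config/firejail.

```shell
#!/bin/sh
# Added example, not from the forum post or the Firejail project: derive Google
# Chrome Firejail profiles from the stock Chromium ones, following the post.
# Assumptions: src holds chromium.profile and chromium-browser.profile
# (normally /etc/firejail); dest is the user profile directory
# (normally ~/.config/firejail).

make_chrome_profiles() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"

    # chromium.profile -> chrome.profile: every noblacklist/whitelist path under
    # .config/chromium or .cache/chromium now points at the google-chrome
    # directories. Both the ${HOME}/... and ~/... spellings are covered.
    sed -e 's|\.config/chromium|.config/google-chrome|g' \
        -e 's|\.cache/chromium|.cache/google-chrome|g' \
        "$src/chromium.profile" > "$dest/chrome.profile"

    # chromium-browser.profile -> chrome-browser.profile: the include must point
    # at the user copy, otherwise the stock chromium.profile is pulled back in.
    sed -e 's|^include /etc/firejail/chromium\.profile$|include '"$dest"'/chrome.profile|' \
        "$src/chromium-browser.profile" > "$dest/chrome-browser.profile"
}

# Number of chromium path references left in a profile; 0 means the rewrite
# is complete (a "|| :" keeps grep's exit status 1 on zero matches harmless).
count_chromium_refs() {
    grep -c '/chromium' "$1" || :
}

# Constructed stand-ins for the stock profiles, reduced to the lines that matter.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/etc" "$WORK/user"
cat > "$WORK/etc/chromium.profile" <<'EOF'
# Firejail profile for chromium (constructed sample)
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.cache/chromium
include /etc/firejail/disable-common.inc
whitelist ~/.config/chromium
whitelist ~/.cache/chromium
EOF
cat > "$WORK/etc/chromium-browser.profile" <<'EOF'
# Firejail profile for chromium-browser (constructed sample)
include /etc/firejail/chromium.profile
EOF

make_chrome_profiles "$WORK/etc" "$WORK/user"

echo "== chrome.profile =="
cat "$WORK/user/chrome.profile"
echo "== chrome-browser.profile =="
cat "$WORK/user/chrome-browser.profile"
echo "chromium references left: $(count_chromium_refs "$WORK/user/chrome.profile")"
```

Firejail picks a profile by the command name (google-chrome-stable looks for google-chrome-stable.profile in ~/.config/firejail and then /etc/firejail, falling back to generic.profile as the Makulu output above shows), so a copy of chrome-browser.profile saved under that name is applied without any --profile option. Check the result with firejail --join and the /proc status checks: the point of the whitelist lines is that only the google-chrome directories should be visible in the sandboxed home.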

  • 3 years later...
Posted (edited)

I revisited the Firejail site and found that they have moved to a new WordPress site. This new site contains more useful information on firejail and its use. This is just part of the excellent section on Firefox set up and use.

 

Firefox Sandboxing Guide

 

 

 

High security browser setup

 

Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is you trust the site, but you don't trust the addons and plugins installed in your browser. Use the --private Firejail option to start with a factory default browser configuration, and an empty home directory.

Also, you would need to take care of your DNS setting – current home routers are ridiculously insecure, and the easiest attack is to reconfigure DNS, and redirect the traffic to a fake bank website. Use the --dns Firejail option to specify a DNS configuration for your sandbox:

$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox -no-remote

 

The two DNS servers above belong to Google, and at least one national security agency has access to logging information. Don’t use them for anything else than banking. We also add -no-remote so we don’t end up by mistake in an already running “entertainment” browser.

 

The above set up is the one that I use for banking. I created a three-letter alias and run it from a new terminal; banking done, I shut down the terminal. Just make sure you take note of this,

 

 

Note: by default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process:

 

Here is a handy tip I found whilst reading through the site,

 

You can always check if your application was sandboxed by running "firejail --list" in a terminal. Or you can keep a terminal running "firejail --top" to track your sandboxes.


Monitoring sandboxes with "firejail --top"

 

 

:breakfast:

Edited by abarbarian
  • Like 1
securitybreach
Posted

It's also in the normal Archlinux repos now.

  • Like 1
  • 4 weeks later...
Posted

I was sure that I had started a thread about ZIM but it seems I have not. Just wanted to show how useful a program it is for forgetful folk like meself. I have created a Zim notebook called ArchWay that has an alphabetical menu running down the right hand side. So here is my ZIM entry for Firejail in my ArchWay notebook.

 

yAFZYgD.png

 

BPp45xl.png

 

2PhvnbA.png

 

I find Zim to be a most useful program. I like the way it automatically creates links, saves on shutdown, the coloured highlighting, the way you can link to other relevant pages, image inclusion, etc.

 

:breakfast:

  • Like 2
securitybreach
Posted

Neat stuff. I've never used Zim but I may give it a shot.

  • Like 1
Posted

I'm sure we had a thread about Zim before. Maybe the forum doesn't like searching for 3 letter words.

 

I've used it for years and find it invaluable.

  • Like 1
securitybreach
Posted

Possibly, but I don't remember.

Posted

I'm sure we had a thread about Zim before. Maybe the forum doesn't like searching for 3 letter words.

 

I've used it for years and find it invaluable.

 

I remember you saying that you were a long time zim user some time ago. Possibly zim got a mention in a thread concerning something other than zim, as here.

 

I chanced across using zim as a web site creator in the wiki. Here is a rather neat and simple example,

 

http://vegetationmap4africa.org/Vegetation_map.html

 

here is the wiki page,

 

https://github.com/jaap-karssenberg/zim-wiki/wiki/Templates

 

I may have to investigate further. :breakfast:

securitybreach
Posted

remember you saying that you were a long time zim user sometime ago. Possibly zim got mention in a thread concerning something other than zim, as here.

 

Nah, you're thinking of zsh:

https://ohmyz.sh/

https://www.zsh.org/

Posted (edited)

remember you saying that you were a long time zim user sometime ago. Possibly zim got mention in a thread concerning something other than zim, as here.

 

Nah, you're thinking of zsh:

https://ohmyz.sh/

https://www.zsh.org/

 

Nope I ain't. I never ever think of zsh, fish maybe but never zsh.

 

I definitely remember sunrat posting that he was a zim fan. Cannot find where as the site does not seem to want to find "zim" or "Zim" or "ZIM".

 

Zim's own website was written in Zim. ;)

 

https://zim-wiki.org/

 

Neat. :breakfast:

Edited by abarbarian
  • Like 1
  • 1 year later...
Posted (edited)

Simple application sandboxing using AppArmor and Firejail


 

Quote

 

Security is one of the most important and overlooked aspects of modern computing. We tend to let the default security configurations do the work, or on Windows, we simply install some anti-virus and be done with it. However, applications are increasingly privileged and we find ourselves running programs that could represent a security vulnerability to our systems and, more importantly, to our information.

Sandboxing allows us to limit what each application can see and what it can access, as well as what it can do in your system. Clearly not all applications need sandboxing, for example, your text editor probably isn’t a security vulnerability. Regardless, applications like browsers are the source of many security vulnerabilities, even though they already do some sandboxing themselves.

In this post, we will use a very simple sandboxing method using Firejail and AppArmor on Linux.

 

 

 

I particularly like the part of the article detailing Firejail use with a separate x server. 😎

Edited by abarbarian
