Docu review done: Wed 31 Jul 2024 02:14:23 PM CEST
firejail
Description
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
Firejail allows the user to manage application security using security profiles. Each profile defines a set of permissions for a specific application or group of applications. The software includes security profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
Security Profiles
Several command line options can be passed to the program using profile files. Firejail chooses the profile file as follows:
- If a profile file is provided by the user with the --profile=FILE option, the profile FILE is loaded. If a profile name is given instead, it is searched for first in the ~/.config/firejail directory and, if not found there, in the /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), e.g. --profile=:PROFILE_NAME.
Example:
$ firejail --profile=/home/netblue/icecat.profile icecat
Reading profile /home/netblue/icecat.profile
[...]
$ firejail --profile=icecat icecat-wrapper.sh
Reading profile /etc/firejail/icecat.profile
[...]
- If a profile file with the same name as the application is present in the ~/.config/firejail directory or in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
$ firejail icecat
Command name #icecat#
Found icecat profile in /home/netblue/.config/firejail directory
Reading profile /home/netblue/.config/firejail/icecat.profile
[...]
- Otherwise the default.profile file is used if the sandbox is started by a regular user, or the server.profile file if the sandbox is started by root. Firejail looks for these files in the ~/.config/firejail directory, followed by the /etc/firejail directory. To disable default profile loading, use the --noprofile command option. Example:
$ firejail
Reading profile /etc/firejail/default.profile
Parent pid 8553, child pid 8554
Child process initialized
[...]
$ firejail --noprofile
Parent pid 8553, child pid 8554
Child process initialized
[...]
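The three lookup rules above, as an added example that is not code from the firejail project: a shell model of the profile search (so the precedence and the colon prefix can be tried against scratch directories) and a helper that installs a hardened per-application profile in ~/.config/firejail, where it overrides the distribution copy. FJ_USER_DIR and FJ_SYS_DIR are assumed override variables for this example only; real firejail always uses ~/.config/firejail and /etc/firejail. The profile directives are real firejail profile commands; the ${HOME}/work whitelist path is an assumption.

```sh
#!/bin/sh
# Added example, not part of firejail: model of the --profile lookup plus a
# helper that installs a hardened profile.  FJ_USER_DIR / FJ_SYS_DIR are
# assumed override variables so the lookup can be exercised against scratch
# directories; firejail itself has no such knobs.

user_dir() { printf '%s\n' "${FJ_USER_DIR:-$HOME/.config/firejail}"; }
sys_dir()  { printf '%s\n' "${FJ_SYS_DIR:-/etc/firejail}"; }

# Rule 1, --profile=ARG: a path that exists is used as-is, and that includes
# a bare file name in the current directory, which silently shadows a
# same-named profile.  Otherwise NAME.profile is searched in the user
# directory, then the system directory.  A leading ':' forces the search.
resolve_profile() {
    arg=$1
    case $arg in
        :*) name=${arg#:} ;;
        *)
            if [ -f "$arg" ]; then
                printf '%s\n' "$arg"
                return 0
            fi
            name=$arg ;;
    esac
    for dir in "$(user_dir)" "$(sys_dir)"; do
        if [ -f "$dir/$name.profile" ]; then
            printf '%s\n' "$dir/$name.profile"
            return 0
        fi
    done
    return 1
}

# Rules 2 and 3, no --profile given: look for a profile named after the
# command, then fall back to default.profile (regular user) or server.profile
# (root).  The uid is a parameter so the root branch can be tested unprivileged.
pick_profile() {
    app=$(basename "$1")
    uid=${2:-$(id -u)}
    if resolve_profile ":$app"; then
        return 0
    fi
    if [ "$uid" -eq 0 ]; then
        resolve_profile ":server"
    else
        resolve_profile ":default"
    fi
}

# Install a hardened profile for NAME in the user directory, where it beats
# the copy in /etc/firejail.  ${HOME} is expanded by firejail, not by the
# shell (hence the quoted heredoc); the work directory is an assumption.
write_profile() {
    dir=$(user_dir)
    mkdir -p "$dir"
    cat > "$dir/$1.profile" <<'EOF'
# added example profile: no network, no capabilities, seccomp, limited home
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
caps.drop all
net none
nonewprivs
noroot
seccomp
private-dev
private-tmp
whitelist ${HOME}/work
EOF
}

# Launch with a forced search so a stray file in $PWD cannot replace the
# profile (compare 'firejail --profile=NAME', which would pick it up).
launch_with_profile() {
    firejail --profile=":$1" "$2"
}

if [ "${1:-}" = "demo" ]; then
    write_profile icecat
    printf 'icecat would run under %s\n' "$(pick_profile icecat)"
    launch_with_profile icecat icecat
fi
```

The shadowing case is the one to remember: run from a directory that happens to contain a file named like the profile, and --profile=NAME loads that file instead of the sandbox profile you expect. Scripts that wrap firejail should therefore pass --profile=:NAME or an absolute path.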
Filesystem
Directory | Access inside the sandbox |
---|---|
/boot | blacklisted |
/bin | read-only |
/dev | read-only; a small subset of drivers is present, everything else has been removed |
/etc | read-only; /etc/passwd and /etc/group have been modified to reference only the current user; a subset of the files can be exposed with private-etc (for Firefox, uncomment the private-etc line in /etc/firejail/firefox-common.profile) |
/home | only the current user is visible |
/lib , /lib32 , /lib64 | read-only |
/proc , /sys | re-mounted to reflect the new PID namespace; only processes started inside the sandbox are visible |
/sbin | blacklisted |
/selinux | blacklisted |
/usr | read-only; /usr/sbin blacklisted |
/var | read-only; similar to the home directory, only a skeleton filesystem is available |
/tmp | only X11 directories are present |
Installation
$ sudo apt install firejail
Commands
Command | Description |
---|---|
firejail [options] application [args] | Runs the application in a sandbox |
--private | Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed. |
--private=directory | Use directory as the user home. Unlike --private, changes persist: the directory is bind-mounted from the real filesystem. |
--private-tmp | Mount an empty temporary filesystem on top of /tmp directory whitelisting X11 and PulseAudio sockets. |
--ipc-namespace | Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default for sandboxes started as root. |
--net=[NIC] | Enable a new network namespace and connect it to this ethernet interface using the standard Linux macvlan |
--net=none | Enable a new, unconnected network namespace. The only interface available in the new namespace is a new loopback interface (lo). Use this option to deny network access to programs that don’t really need network access. |
--netfilter | Enable a default firewall if a new network namespace is created inside the sandbox. This option has no effect for sandboxes using the system network namespace. |
--netfilter=filename | Enable the firewall specified by filename if a new network namespace is created inside the sandbox. This option has no effect for sandboxes using the system network namespace. |
--netstats | Monitor network namespace statistics, see MONITORING section for more details. |
--top | Monitor the most CPU-intensive sandboxes, see MONITORING section for more details. |
--trace[=filename] | Trace open, access and connect system calls. If filename is specified, log trace output to filename, otherwise log to console. |
--tree | Print a tree of all sandboxed processes, see MONITORING section for more details. |
--list | prints a list of all sandboxes. The format for each process entry is as follows: PID:USER:Sandbox Name:Command |
Network
Networkfilter Default
The default firewall is optimized for regular desktop applications. No incoming connections are accepted:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ping
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# drop STUN (WebRTC) requests
-A OUTPUT -p udp --dport 3478 -j DROP
-A OUTPUT -p udp --dport 3479 -j DROP
-A OUTPUT -p tcp --dport 3478 -j DROP
-A OUTPUT -p tcp --dport 3479 -j DROP
COMMIT
Networkfilter Specific
Please use the regular iptables-save/iptables-restore format for the filter file.
The following examples are available in the /etc/firejail directory.
webserver.net is a webserver firewall that allows access only to TCP ports 80 and 443.
Example:
$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 /etc/init.d/apache2 start
nolocal.net is a desktop client firewall that disables access to the local network.
Example:
$ firejail --netfilter=/etc/firejail/nolocal.net --net=eth0 firefox
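A complete custom filter in the iptables-save format requested above, as an added example (not one of the files shipped in /etc/firejail, whose contents this page does not show): egress limited to DNS and HTTPS, the local network blocked, plus a textual sanity check and the launch line. The output path, the interface name eth0 and the resolver 9.9.9.9 are assumptions carried over from the examples on this page.

```sh
#!/bin/sh
# Added example, not a filter shipped with firejail: egress-only firewall
# for a sandbox that needs nothing but DNS and HTTPS.

# Write the filter.  Rules are evaluated in order, so the RFC 1918 and
# link-local drops sit before the generic ACCEPT lines.
write_egress_filter() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# no local network: drop private and link-local destinations first
-A OUTPUT -d 10.0.0.0/8 -j DROP
-A OUTPUT -d 172.16.0.0/12 -j DROP
-A OUTPUT -d 192.168.0.0/16 -j DROP
-A OUTPUT -d 169.254.0.0/16 -j DROP
# only DNS and HTTPS may leave the sandbox
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Textual sanity check before handing the file to --netfilter.  It catches
# the usual mistakes (no *filter header, no COMMIT, an OUTPUT policy left at
# ACCEPT, a rule without a target); iptables-restore --test would be the
# authoritative check but needs root.
lint_filter() {
    file=$1
    grep -qx '\*filter' "$file" || { echo "missing *filter table" >&2; return 1; }
    grep -qx 'COMMIT' "$file"   || { echo "missing COMMIT" >&2; return 1; }
    grep -q '^:OUTPUT DROP' "$file" || { echo "OUTPUT policy is not DROP" >&2; return 1; }
    if grep '^-A' "$file" | grep -qv -- ' -j [A-Z]'; then
        echo "rule without -j target" >&2
        return 1
    fi
    return 0
}

# New network namespace on eth0 (macvlan) with the filter.  The resolver must
# be external: a DNS server on the LAN is caught by the RFC 1918 drops.
launch_egress_only() {
    firejail --net=eth0 --netfilter="$1" --dns=9.9.9.9 "$2"
}

if [ "${1:-}" = "demo" ]; then
    f=${TMPDIR:-/tmp}/egress.net
    write_egress_filter "$f" && lint_filter "$f" && launch_egress_only "$f" firefox
fi
```

The filter only applies when the sandbox gets its own network namespace (--net=eth0 here); with the host namespace --netfilter is silently ignored, as the Commands table notes.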
Network stats
--netstats shows per-sandbox receive and transmit rates for sandboxes running in their own network namespace:
$ firejail --netstats
PID User RX(KB/s) TX(KB/s) Command
1294 netblue 53.355 1.473 firejail --net=eth0 firefox
7383 netblue 9.045 0.112 firejail --net=eth0 transmission
Samples
Firefox
By default, a single Firefox process handles all browser windows. If Firefox is already running outside the sandbox, pass the -no-remote option; otherwise the sandboxed launch just opens a new tab or window in the existing, unsandboxed Firefox process.
$ firejail firefox -no-remote
To assign an IP address, Firejail ARP-scans the network and picks a random address not already in use. The address can also be set explicitly with --ip:
$ firejail --net=eth0 --ip=192.168.1.207 firefox
Note: Ubuntu runs a local DNS server in the host network namespace. The server is not visible inside the sandbox. Use the --dns option to configure an external DNS server:
$ firejail --net=eth0 --dns=9.9.9.9 firefox
By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing (the default filter shown above). It is a regular iptables filter. This is a setup example where no access to the local network is allowed:
$ firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
On top of that, you can even add a hosts file implementing an adblocker:
$ firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net --hosts-file=~/adblock firefox
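An added example (not from the page or from firejail) of building the ~/adblock file passed to --hosts-file above. Because --hosts-file replaces /etc/hosts inside the sandbox, the generated file starts with the localhost entries and only then sinks the listed names to 0.0.0.0; the domain list is constructed for the example and the output path is an argument.

```sh
#!/bin/sh
# Added example, not part of firejail: generate the hosts file used with
# --hosts-file.  The file becomes /etc/hosts inside the sandbox, so it must
# carry the localhost entries itself.

# Read a domain list on stdin (one per line, '#' comments allowed) and write
# /etc/hosts lines mapping each name to 0.0.0.0 (unroutable, so the browser
# fails fast instead of knocking on a local service at 127.0.0.1).  Names are
# trimmed, lower-cased and deduplicated; anything that is not a bare dotted
# hostname (URLs, lines that already carry an address, 'localhost') is
# dropped, so a malformed entry cannot smuggle in a mapping for a name you
# did not intend to block.
build_hosts_file() {
    out=$1
    {
        printf '127.0.0.1 localhost\n'
        printf '::1 localhost\n'
        grep -v '^[[:space:]]*#' \
          | tr 'A-Z' 'a-z' \
          | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
          | grep -E '^([a-z0-9-]+\.)+[a-z0-9-]+$' \
          | sort -u \
          | sed 's/^/0.0.0.0 /'
    } > "$out"
}

# Number of sinkholed names in a generated file (localhost lines excluded).
blocked_count() {
    grep -c '^0\.0\.0\.0 ' "$1"
}

# The launch line from the page, with the generated file in place of ~/adblock.
launch_firefox_adblock() {
    firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net \
        --hosts-file="$1" firefox -no-remote
}

if [ "${1:-}" = "demo" ]; then
    build_hosts_file "$HOME/adblock" < "${2:-domains.txt}"
    printf '%s names blocked\n' "$(blocked_count "$HOME/adblock")"
    launch_firefox_adblock "$HOME/adblock"
fi
```

Without the two localhost lines, anything in the sandbox that resolves "localhost" by name (local proxies, test servers) stops working; that is the one difference between this file and a plain blocklist.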
In this setup we use the /home/username/work directory for work, email and related Internet browsing. This is how we start it all up:
$ firejail --private=/home/username/work thunderbird &
$ firejail --private=/home/username/work firefox -no-remote &
Both Mozilla Thunderbird and Firefox think ~/work is the user home directory. The configuration is preserved when the sandbox is closed.