
#1 2016-03-06 20:22:32

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Safer browsing with Firejail

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

https://firejail.wordpress.com/

The program is now available in jessie-backports:
https://packages.debian.org/jessie-backports/firejail

Follow these instructions to add the jessie-backports repository:
https://backports.debian.org/Instructions/

Then install the package with:

sudo apt install firejail

To use Firejail, simply put the command before the program being launched, for example:

firejail iceweasel

Change the Openbox menu entries and/or keybinds as required wink

Unfortunately, it doesn't seem to work with `x-www-browser` so `iceweasel` (or whichever browser is being used) must be called directly.

Last edited by Head_on_a_Stick (2016-07-12 07:58:36)


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.

Forum Rules   •   How to report a problem   •   Software that rocks


#2 2016-03-17 21:17:01

redcollective
Member
From: The Wilds
Registered: 2015-09-29
Posts: 111

Re: Safer browsing with Firejail

firejail seems to add quite a bit of value while requiring only a modicum of technical ability to achieve some pretty sophisticated workflows for the average user (me!) - for example: running your browser in a temporary, discarded filesystem with configurable DNS resolution, just with command line options.

Perhaps an item for the bunsen security guide?
Any enthusiasm for an 'official' bunsen backport?

red


Knowledge Ferret


#3 2016-03-17 21:20:45

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Safer browsing with Firejail

redcollective wrote:

Any enthusiasm for an 'official' bunsen backport?

I would be very surprised if it doesn't make it into the official Debian jessie-backports pretty soon, it's just a C script so no weird dependencies to worry about.



#4 2016-03-17 22:26:10

Sector11
Tpyo Knig
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,151

Re: Safer browsing with Firejail

Any chance of explaining "in noob language" just what this is/does?  smile


BunsenLabs Forum Rules ---== I'm a Conky 1.9'er ==---
System:    Host: s12 Kernel: 3.16.0-4-amd64 x86_64 (64 bit gcc: 4.8.4)
Desktop: Openbox 3.5.2 dm: (startx) Distro: Debian GNU/Linux 8


#5 2016-03-17 22:45:47

redcollective
Member
From: The Wilds
Registered: 2015-09-29
Posts: 111

Re: Safer browsing with Firejail

I'll take a stab at that: Run your applications with a virtual fence around them so they can't access important parts of your real machine... but it does other stuff too.

A quick read: https://l3net.wordpress.com/2014/09/19/ … a-firefox/

red



#6 2016-03-17 23:19:34

Sector11
Tpyo Knig
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,151

Re: Safer browsing with Firejail

Hi redcollective

Like your one liner.  Fence is cool.  smile  I was reading the link you posted as well.  Good stuff.

So I tried it, first words out of my wife's mouth: "WHAT DID YOU CHANGE??" She noticed that our personal persona (~/.persona) wasn't working.  Easy to miss, it's black and all of a sudden things are white.  maybe if I copy them off to another partition.  smile

I like the "firejail --private " flag too!

@Head_on_a_Stick:  Thank you, for this and the .deb



#7 2016-03-18 06:07:10

ohnonot
...again
Registered: 2015-09-29
Posts: 3,197

Re: Safer browsing with Firejail

^ S11, i noticed something similar too, but i believe firejail can be set up to be able to access your usual themes. not that i succeeded with it.
i also couldn't find my downloaded files, but i didn't really bother to RTFM so far.

the way i understand it, it adds absolutely minimal overhead because it "just" utilizes options that are already present in a linux filesystem.


#8 2016-03-18 09:19:55

Snap
Member
Registered: 2015-10-02
Posts: 465

Re: Safer browsing with Firejail

There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.


#9 2016-03-18 11:56:51

Sector11
Tpyo Knig
From: 77345 ¡#
Registered: 2015-08-20
Posts: 5,151

Re: Safer browsing with Firejail

@ohnonot

I copied ~/.persona to /media/5/persona and I can use it there.  Since ~/ is jailed.  smile
Also I have Iceweasel set up to ask me for a location to download to, usually one of three or four directories on /media/5 depending on the file type: ISO, .deb, ttf, etc.

@Snap - SandBox looks nice too.  I'll play with firejail for a while though.



#10 2016-04-04 18:33:15

mtnspine
Member
Registered: 2015-10-02
Posts: 7

Re: Safer browsing with Firejail

Snap wrote:

There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.

Off topic, except that you mentioned IgnorantGuru.

His blog is a very interesting read.  Not updated super often, but definitely worth reading back.  Mostly updates on development of SpaceFM, but also some interesting bits (speculative) on corporate and government infiltration into the linux ecosystem, and a good one about what it was like being a security/privacy-aware *nixer during the first cryptowars.  I spent several hours reading the conversations in the comments.  Very interesting for the more paranoid/conspiracy aware types.

Edit:  /rant:
just got sucked back into his blog.  I'm a two year nOOb (just getting comfy) but one of the main reasons I came to linux was for security and privacy.  And while I find myself often lost in the details of this package vs that package and the flame wars that ensue, I am very much appreciative of IG's ability to step back and look at the whole ecosystem and the politics surrounding.  It's not worth arguing about how to hang the towels on the rack if the whole house is on fire.  You know what I mean? We need to talk more about things like how heartbleed was orchestrated and not an accident. I love to see that my software is under gpl, but it's not a silver bullet. we need to maintain a simple, well-reviewed code base that people can understand and don't require a team working for a for-profit company to maintain.  While my skills in coding and administration are well below par, I see a need for the community to do more for outreach and advocacy.  Not saying the community is poor, but that we need to do everything we can to keep our software in the hands of the community and out of the hands of corporate and nation state interests.
/end rant. Sorry this sh*t gets me worked up sometimes. Firejail looks cool.

Last edited by mtnspine (2016-04-04 19:25:15)


#11 2016-04-05 08:20:06

Snap
Member
Registered: 2015-10-02
Posts: 465

Re: Safer browsing with Firejail

^ This.


#12 2016-04-06 05:31:35

earlybird
ほやほや
Registered: 2015-12-16
Posts: 606

Re: Safer browsing with Firejail

Back to the topic: When using firejail on Firefox (or any other browser), be aware that any child process is being put into the same sandbox as Firefox.

Most importantly, that includes e.g. PDF readers launched by Firefox when selecting "Open with..." upon clicking on a link to a PDF document, making the PDF reader application possibly unusable: For example, okular wants to store bookmarks somewhere, read its configuration from someplace else, and perhaps you want to file the PDF document into your library folder which naturally again is someplace else.

So make sure to get the whitelists right, or include the firejail config for the PDF reader in the Firefox config file.

Just saying; I found that to get quite annoying when opening stuff in all other kinds of programs and having my workflow interrupted.


#13 2016-04-11 08:36:20

KrunchTime
Member
Registered: 2015-09-29
Posts: 857

Re: Safer browsing with Firejail

Good tip, madoromi.  Thank you for sharing.

I use firejail, but it doesn't work out-of-the-box with all browsers.  I haven't taken the time to figure out how to get it to work with all of my browsers...maybe someday.

@HoaS:  Any benefit to using a personal backport from Debian Testing/Unstable versus using the deb available from Sourceforge?

Last edited by KrunchTime (2016-04-11 08:38:53)


#14 2016-04-11 17:44:50

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Safer browsing with Firejail

KrunchTime wrote:

Any benefit to using a personal backport from Debian Testing/Unstable versus using the deb available from Sourceforge?

None whatsoever -- I didn't realise they had downloadable .debs on the site I linked in the OP  ops

My version is the current version but when that changes I will edit the OP and direct people to SourceForge instead.



#15 2016-05-06 20:22:18

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Safer browsing with Firejail

Snap wrote:

There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.

SpaceFM is one of the best file managers ever made in my eyes. It really enhances the workflow. Everything is logical and intuitive, easy to use, no bugs, just works without issues. The only thing I would change is that on the same partition pulling files to another folder means automatically "move", while on different partitions "copy". I'd prefer both the same (and maybe also a ".."-line in the active window). Just to know that Firejail is from the same developer makes me wanna try it.

Last edited by martix (2016-05-06 20:23:10)


#16 2016-05-09 19:20:43

Snap
Member
Registered: 2015-10-02
Posts: 465

Re: Safer browsing with Firejail

^ Agreed. SpaceFM (GTK2) and ranger are the only file managers I use after trying almost anything.

Back on topic. Interesting writing about firejail by IgnorantGuru himself.

https://igurublog.wordpress.com/2016/05/09/firejail/


#17 2016-07-12 07:59:52

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Safer browsing with Firejail

[BUMP!]

Bumping this thread to note that the firejail package is now available in the jessie-backports repository:

https://packages.debian.org/jessie-backports/firejail

OP updated with new instructions.

[/BUMP!]



#18 2016-12-17 22:48:17

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Safer browsing with Firejail

This is a great security tool. The other day I installed the add-on BetterPrivacy, which takes care of flash cookies. They are usually in the ~/.macromedia folder. When I closed the browser, the add-on popped up a message saying: There is no folder for flash configured, do you want to do it now? Sure, clicked ok and a window with the file tree opened. However there was no ~/.macromedia folder available. !!?? First I was wondering why, and suddenly I realized: Of course, Firejail!
Let's have also a bump for this useful thread...


#19 2016-12-18 02:05:09

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 4,677

Re: Safer browsing with Firejail

Thanks for the reminder HoaS. cool

...installed.

Is the default (no cli options) good enough for general use?


John
--------------------
( a boring Japan blog , Japan Links, idle twitterings  and GitStuff )
In case you forget, the rules.


#20 2016-12-18 02:10:00

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Safer browsing with Firejail

johnraff wrote:

Is the default (no cli options) good enough for general use?

Erm, I think so, @twoion knows much more about this stuff than me big_smile

I prefer Chrom{e,ium}'s SECCOMP sandbox for untrusted websites angel



#21 2016-12-18 02:17:46

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Safer browsing with Firejail

Also, anybody using the non-ESR version of Firefox can (force) enable their in-house Electrolysis (e10s) namespace containerisation solution:

https://wiki.mozilla.org/Electrolysis#Force_Enable



#22 2016-12-26 00:52:16

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Safer browsing with Firejail

In my BL system, I have placed an executable wrapper at ~/bin/x-www-browser to launch firefox with firejail automatically whenever x-www-browser is used:

#!/bin/sh
exec firejail firefox "$@"

For system-wide usage, place the script at /usr/local/bin/foxjail instead and add it to the Debian x-www-browser alternative:

sudo update-alternatives --install /usr/bin/x-www-browser x-www-browser /usr/local/bin/foxjail 250
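Pulling together earlybird's point in #12 (a helper such as a PDF reader opened from the browser inherits the browser's jail, so the directories it needs must be whitelisted) and the x-www-browser wrapper in #22, here is an added example wrapper. It is not the script from the post and not part of Firejail. It assumes Firefox as the browser, the real Firejail option `--whitelist=DIR`, and hypothetical environment variables FIREJAIL_BIN, BROWSER_BIN, FOXJAIL_WHITELIST and FOXJAIL_DRY_RUN for configuration and inspection.

```shell
#!/bin/sh
# Added example, not the post's own script: an x-www-browser wrapper that
# starts the browser under Firejail, whitelists the directories that child
# processes (e.g. a PDF reader launched from the browser) must reach, and
# refuses to fall back to an unsandboxed browser when firejail is missing.
#
# Hypothetical settings, override through the environment:
#   FIREJAIL_BIN       firejail binary (name or path)        default: firejail
#   BROWSER_BIN        browser started inside the jail        default: firefox
#   FOXJAIL_WHITELIST  colon-separated directories to whitelist, default: none
#   FOXJAIL_DRY_RUN    if set, print the argv instead of launching
FIREJAIL_BIN="${FIREJAIL_BIN:-firejail}"
BROWSER_BIN="${BROWSER_BIN:-firefox}"
FOXJAIL_WHITELIST="${FOXJAIL_WHITELIST:-}"

# True when the jail binary can actually be executed.
foxjail_available() {
    command -v "$FIREJAIL_BIN" >/dev/null 2>&1
}

# Assemble and run: firejail [--whitelist=DIR ...] browser [url ...]
foxjail_run() {
    if ! foxjail_available; then
        # A missing jail must not silently degrade to an unsandboxed browser.
        echo "foxjail: $FIREJAIL_BIN not found; refusing to start $BROWSER_BIN unsandboxed" >&2
        return 127
    fi
    set -- "$BROWSER_BIN" "$@"
    # Split FOXJAIL_WHITELIST on ':' only, so paths containing spaces survive.
    # Caveat: once any path under $HOME is whitelisted, Firejail hides the rest
    # of $HOME, so every directory the browser and its helpers need goes here.
    old_ifs=$IFS; IFS=:
    for dir in $FOXJAIL_WHITELIST; do
        [ -n "$dir" ] && set -- "--whitelist=$dir" "$@"
    done
    IFS=$old_ifs
    set -- "$FIREJAIL_BIN" "$@"
    if [ -n "$FOXJAIL_DRY_RUN" ]; then
        printf '%s\n' "$@"      # one argument per line, nothing launched
        return 0
    fi
    exec "$@"
}

# Launch only when installed under one of the wrapper names from the post;
# sourcing the file for inspection or testing defines the functions only.
case "${0##*/}" in
    foxjail|x-www-browser) foxjail_run "$@" ;;
esac
```

Install it as ~/bin/x-www-browser or as /usr/local/bin/foxjail registered with update-alternatives exactly as in the post, and set FOXJAIL_WHITELIST to something like "$HOME/Downloads:$HOME/Documents/pdf" so that the PDF reader spawned inside the jail can read and write where it needs to; running with FOXJAIL_DRY_RUN=1 shows the exact firejail command line before trusting it with the alternative.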


#23 2016-12-27 08:34:11

MsMattie
Member
Registered: 2015-09-29
Posts: 84

Re: Safer browsing with Firejail

Firejail will jail a number of software packages and as I looked through the list I noticed Skype. Why would anyone want to firejail skype? The only thing I can think of is if you had malicious code in Skype itself because it was from a bad source. Or, is it possible to get something bad just by talking on Skype in Linux?


...
Linux in the backwoods of the Rocky Mountains...


#24 2016-12-27 16:16:25

redcollective
Member
From: The Wilds
Registered: 2015-09-29
Posts: 111

Re: Safer browsing with Firejail

MsMattie wrote:

Or, is it possible to get something bad just by talking on Skype in Linux?

Here's what I believe: Any program in general, which takes input from a user, a network or a file, is exploitable. If someone actively wants to target you in particular, they can and will. If someone's just casting a wide net, you can help avoid being caught up in it by reducing (minimising but not eliminating) your "exploitability". Practise more deliberate and safe computer use (not installing from random sources for example), and safer browsing by utilising easy to use software like firejail.

Best wishes

Red



#25 2016-12-27 23:00:34

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759

Re: Safer browsing with Firejail

I would recommend running the Skype web client from a firejailed browser, preferably within a container running in a VM over a Xen hypervisor.

monkey

http://www.xkcd.com/1764/


