You are not logged in.
Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
https://firejail.wordpress.com/
The program is now available in jessie-backports:
https://packages.debian.org/jessie-backports/firejail
Follow these instructions to add the jessie-backports repository:
https://backports.debian.org/Instructions/
Then install the package with:
sudo apt install firejail
To use Firejail, simply put the command before the program being launched, for example:
firejail iceweasel
Change the Openbox menu entries and/or keybinds as required
Unfortunately, it doesn't seem to work with `x-www-browser` so `iceweasel` (or whichever browser is being used) must be called directly.
Last edited by Head_on_a_Stick (2016-07-12 07:58:36)
Offline
firejail seems to add quite a bit of value while requiring only a modicum of technical ability to achieve some pretty sophisticated workflows for the average user (me!) - for example: running your browser in a temporary, discarded filesystem with configurable DNS resolution, just with command line options.
Perhaps an item for the bunsen security guide?
Any enthusiasm for an 'official' bunsen backport?
red
Knowledge Ferret
Offline
Any enthusiasm for an 'official' bunsen backport?
I would be very surprised if it doesn't make it into the official Debian jessie-backports pretty soon, it's just a C script so no weird dependencies to worry about.
Offline
Any chance of explaining "in noob language" just what this is/does?
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
I'll take a stab at that: Run your applications with a virtual fence around them so they can't access important parts of your real machine... but it does other stuff too.
A quick read: https://l3net.wordpress.com/2014/09/19/ … a-firefox/
red
Knowledge Ferret
Offline
Hi redcollective
Like your one liner. Fence is cool. I was reading the link you posted as well. Good stuff.
So I tried it, first words out of my wife's mouth: "WHAT DID YOU CHANGE??" She noticed that our personal persona (~/.persona) wasn't working. Easy to miss, it's black and all of a sudden things are white. maube if I copy them off to another partition.
I like the "firejail --private " flag too!
@Head_on_a_Stick: Thank you, for this and the .deb
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
^ S11, i noticed something similar too, but i believe firejail can be set up to be able to access your usual themes. not that i succeeded with it.
i also couldn't find my downloaded files, but i didn't really bother to RTFM so far.
the way i understand it, it adds absolutely minimal overhead because it "just" utilizes options that are already present in a linux filesystem.
Offline
There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.
Offline
@ohnonot
I copied ~/.persona to /media/5/persona and I can use it there. Since ~/ is jailed.
Also I have Iceweasel set up to ask me for a location to download to, usually one of three or four directories in on /media/5 depending on the file type: ISO, .deb, ttf, etc.
@Snap - SandBox looks nice too. I'll play with firejail for a while though.
Debian 12 Beardog, SoxDog and still a Conky 1.9er
Offline
There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.
Off topic, except that you mentioned IgnorantGuru.
His blog is a very interesting read. Not updated super often, but definitely worth reading back. Mostly updates on development of SpaceFM, but also some interesting bits (speculative) on corporate and government infiltration into the linux ecosystem, and a good one about what it was like being security/privacy aware *nixer during the first cryptowars. I spent several hours reading the conversations in the comments. Very interesting for the more paranoid/conspiracy aware types.
Edit: /rant:
just got sucked back into his blog. I'm a two year nOOb (just getting comfy) but one of the main reasons I came to linux was for security and privacy. And while I find myself often lost in the details of this package vs that package and the flame wars that ensue, I am very much appreciative of IG's ability to step back and look at the whole ecosystem and the politics surrounding. It's not worth arguing about how to hang the towels on the rack if the whole house is on fire. You know what I mean? We need to talk more about things like how heartbleed was orchestrated and not an accident. I love to see that my software is under gpl, but it's not a silver bullet. we need to maintain simple well reviewed code base that people can understand and don't require a team working for a for profit company to maintain. While my skills in coding and administration are well below par, I see a need for the community to do more for outreach and advocacy. Not saying the community is poor, but that we need to do everything we can to keep our software in the hands of the community and out of the hands of corporate and nation state interests.
/end rant. Sorry this sh*t gets me worked up sometimes. Firejail looks cool.
Last edited by mtnspine (2016-04-04 19:25:15)
Offline
^ This.
Offline
Good tip, madoromi. Thank you for sharing.
I use firejail, but it doesn't work out-of-the-box with all browsers. I haven't taken the time to figure out how to get it to work with all of my browsers...maybe someday.
@HoaS: Any benefit to using a personal backport from Debian Testing/Unstable versus using the deb available from Sourceforge?
Last edited by KrunchTime (2016-04-11 08:38:53)
Offline
Any benefit to using a personal backport from Debian Testing/Unstable versus using the deb available from Sourceforge?
None whatsoever -- I didn't realise they had downloadable .debs on the site I linked in the OP :8
My version is the current version but when that changes I will edit the OP and direct people to SourceForge instead.
Offline
There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.
SpaceFM is one of the best file managers ever made in my eyes. It really enhances the workflow. Everything is logical and intuitive, easy to use, no bugs, just works without issues. The only thing I would change is that on the same partition pulling files to an other folder means automatically "move", while on different partitions "copy". I'd prefer both the same (and maybe also a ".."-line in the active window). Just to know that Firejail is from the same developer makes me wanna try it.
Last edited by martix (2016-05-06 20:23:10)
Offline
^ Agreed. SpaceFm (GTK2) and ranger are the only file managers I use after trying almost anything.
Back on topic. Interesting writing about firejail by IgnorantGuru himself.
Offline
[BUMP!]
Bumping this thread to note that the firejail package is now available in the jessie-backports repository:
https://packages.debian.org/jessie-backports/firejail
OP updated with new instructions.
[/BUMP!]
Offline
This is a great security tool. The other day I installed the add-on BetterPrivacy, which takes care of flash cookies. They are usually in the ~/.macromedia folder. When I closed the browser, the add-on popped up a message saying: There is no folder for flash configured, do you want to do it now? Sure, clicked ok and a window with the file tree opened. However there was no ~/.macromedia folder available. !!?? First I was wondering why, and suddenly I realized: Of course, Firejail!
Let's have also a bump for this useful thread...
Offline
Thanks for the reminder HoaS.
...installed.
Is the default (no cli options) good enough for general use?
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
Offline
Is the default (no cli options) good enough for general use?
Erm, I think so, @nobody knows much more about this stuff than me
I prefer Chrom{e,ium}'s SECCOMP sandbox for untrusted websites o:)
Offline
Also, anybody using the non-ESR version of Firefox can (force) enable their in-house Electrolysis (e10s) namespace containerisation solution:
Offline