
#1 2016-03-06 20:22:32

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Safer browsing with Firejail

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

https://firejail.wordpress.com/

The program is now available in jessie-backports:
https://packages.debian.org/jessie-backports/firejail

Follow these instructions to add the jessie-backports repository:
https://backports.debian.org/Instructions/

Then install the package with:

sudo apt install firejail

To use Firejail, simply put the command before the program being launched, for example:

firejail iceweasel

Change the Openbox menu entries and/or keybinds as required ;)

Unfortunately, it doesn't seem to work with `x-www-browser` so `iceweasel` (or whichever browser is being used) must be called directly.

Last edited by Head_on_a_Stick (2016-07-12 07:58:36)
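
Added example, not part of the original post and not Firejail's own code: a shell check of the two mechanisms named above (namespaces and seccomp-bpf) for a running process. It compares /proc/PID/ns against PID 1 and reads the Seccomp field of /proc/PID/status; PROC_ROOT, the function names and the sample tree are constructed for this sketch.

```shell
#!/bin/sh
# Added example: check what a sandbox actually changed for a running process.
# PROC_ROOT is an assumption of this sketch so it can point at a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the namespaces in which PID ($1) differs from PID 1 (the host view).
# Reading /proc/1/ns normally needs root.
private_namespaces() {
    out=""
    for ns in mnt pid net ipc uts user; do
        host=$(readlink "$PROC_ROOT/1/ns/$ns") || return 2
        proc=$(readlink "$PROC_ROOT/$1/ns/$ns") || return 2
        [ "$host" = "$proc" ] || out="$out $ns"
    done
    echo "${out# }"
}

# Seccomp field of /proc/PID/status: 0 = off, 1 = strict, 2 = BPF filter.
seccomp_mode() {
    mode=$(awk '/^Seccomp:/ { print $2 }' "$PROC_ROOT/$1/status") || return 2
    case "$mode" in
        0) echo disabled ;; 1) echo strict ;;
        2) echo filter ;;   *) echo unknown ;;
    esac
}

# Constructed sample tree (not real output): PID 1 is the host, PID 4242 a
# process with private mnt and pid namespaces and a seccomp filter.
make_sample_proc() {
    root=$(mktemp -d)
    for pid in 1 4242; do
        mkdir -p "$root/$pid/ns"
        for ns in mnt pid net ipc uts user; do
            id=4026531000
            case "$pid:$ns" in 4242:mnt|4242:pid) id=4026532999 ;; esac
            ln -s "$ns:[$id]" "$root/$pid/ns/$ns"
        done
    done
    printf 'Name:\tinit\nSeccomp:\t0\n' > "$root/1/status"
    printf 'Name:\ticeweasel\nSeccomp:\t2\n' > "$root/4242/status"
    echo "$root"
}

# Usage: sudo sh nscheck.sh PID
if [ $# -ge 1 ]; then
    echo "private namespaces: $(private_namespaces "$1")"
    echo "seccomp: $(seccomp_mode "$1")"
fi
```

Run it as root against the PID of a browser started through firejail and again against one started without it, then compare the two reports.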


#2 2016-03-17 21:17:01

redcollective
Member
From: The Wilds
Registered: 2015-09-29
Posts: 111

Re: Safer browsing with Firejail

firejail seems to add quite a bit of value while requiring only a modicum of technical ability to achieve some pretty sophisticated  workflows for the average user (me!) - for example: running your browser in a temporary, discarded filesystem with configurable DNS resolution, just with command line options.

Perhaps an item for the bunsen security guide?
Any enthusiasm for an 'official' bunsen backport?

red


Knowledge Ferret


#3 2016-03-17 21:20:45

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Safer browsing with Firejail

redcollective wrote:

Any enthusiasm for an 'official' bunsen backport?

I would be very surprised if it doesn't make it into the official Debian jessie-backports pretty soon, it's just a C script so no weird dependencies to worry about.


#4 2016-03-17 22:26:10

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: Safer browsing with Firejail

Any chance of explaining "in noob language" just what this is/does?  :)


Debian 12 Beardog, SoxDog and still a Conky 1.9er


#5 2016-03-17 22:45:47

redcollective
Member
From: The Wilds
Registered: 2015-09-29
Posts: 111

Re: Safer browsing with Firejail

I'll take a stab at that: Run your applications with a virtual fence around them so they can't access important parts of your real machine... but it does other stuff too.

A quick read: https://l3net.wordpress.com/2014/09/19/ … a-firefox/

red


Knowledge Ferret


#6 2016-03-17 23:19:34

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: Safer browsing with Firejail

Hi redcollective

Like your one liner.  Fence is cool.  :)  I was reading the link you posted as well.  Good stuff.

So I tried it, first words out of my wife's mouth: "WHAT DID YOU CHANGE??" She noticed that our personal persona (~/.persona) wasn't working.  Easy to miss, it's black and all of a sudden things are white.  Maybe if I copy them off to another partition.  :)

I like the "firejail --private " flag too!

@Head_on_a_Stick:  Thank you, for this and the .deb


Debian 12 Beardog, SoxDog and still a Conky 1.9er


#7 2016-03-18 06:07:10

ohnonot
...again
Registered: 2015-09-29
Posts: 5,592

Re: Safer browsing with Firejail

^ S11, i noticed something similar too, but i believe firejail can be set up to be able to access your usual themes. not that i succeeded with it.
i also couldn't find my downloaded files, but i didn't really bother to RTFM so far.

the way i understand it, it adds absolutely minimal overhead because it "just" utilizes options that are already present in a linux filesystem.


#8 2016-03-18 09:19:55

Snap
Member
Registered: 2015-10-02
Posts: 465

Re: Safer browsing with Firejail

There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.


#9 2016-03-18 11:56:51

Sector11
Mod Squid Tpyo Knig
From: Upstairs
Registered: 2015-08-20
Posts: 8,028

Re: Safer browsing with Firejail

@ohnonot

I copied ~/.persona to /media/5/persona and I can use it there.  Since ~/ is jailed.  :)
Also I have Iceweasel set up to ask me for a location to download to, usually one of three or four directories on /media/5 depending on the file type: ISO, .deb, ttf, etc.

@Snap - SandBox looks nice too.  I'll play with firejail for a while though.


Debian 12 Beardog, SoxDog and still a Conky 1.9er


#10 2016-04-04 18:33:15

mtnspine
Member
Registered: 2015-10-02
Posts: 7

Re: Safer browsing with Firejail

Snap wrote:

There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.

Off topic, except that you mentioned IgnorantGuru.

His blog is a very interesting read.  Not updated super often, but definitely worth reading back.  Mostly updates on development of SpaceFM, but also some interesting bits (speculative) on corporate and government infiltration into the linux ecosystem, and a good one about what it was like being security/privacy aware *nixer during the first cryptowars.  I spent several hours reading the conversations in the comments.  Very interesting for the more paranoid/conspiracy aware types.

Edit:  /rant:
just got sucked back into his blog.  I'm a two year nOOb (just getting comfy) but one of the main reasons I came to linux was for security and privacy.  And while I find myself often lost in the details of this package vs that package and the flame wars that ensue, I am very much appreciative of IG's ability to step back and look at the whole ecosystem and the politics surrounding.  It's not worth arguing about how to hang the towels on the rack if the whole house is on fire.  You know what I mean? We need to talk more about things like how heartbleed was orchestrated and not an accident. I love to see that my software is under gpl, but it's not a silver bullet. we need to maintain simple well reviewed code base that people can understand and don't require a team working for a for profit company to maintain.  While my skills in coding and administration  are well below par, I see a need for the community to do more for outreach and advocacy.  Not saying the community is poor, but that we need to do everything we can to keep our software in the hands of the community and out of the hands of corporate and nation state interests.   
/end rant. Sorry this sh*t gets me worked up sometimes. Firejail looks cool.

Last edited by mtnspine (2016-04-04 19:25:15)


#11 2016-04-05 08:20:06

Snap
Member
Registered: 2015-10-02
Posts: 465

Re: Safer browsing with Firejail

^ This.


#12 2016-04-11 08:36:20

KrunchTime
Member
Registered: 2015-09-29
Posts: 857

Re: Safer browsing with Firejail

Good tip, madoromi.  Thank you for sharing.

I use firejail, but it doesn't work out-of-the-box with all browsers.  I haven't taken the time to figure out how to get it to work with all of my browsers...maybe someday.

@HoaS:  Any benefit to using a personal backport from Debian Testing/Unstable versus using the deb available from Sourceforge?

Last edited by KrunchTime (2016-04-11 08:38:53)


#13 2016-04-11 17:44:50

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Safer browsing with Firejail

KrunchTime wrote:

Any benefit to using a personal backport from Debian Testing/Unstable versus using the deb available from Sourceforge?

None whatsoever -- I didn't realise they had downloadable .debs on the site I linked in the OP  :8

My version is the current version but when that changes I will edit the OP and direct people to SourceForge instead.


#14 2016-05-06 20:22:18

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Safer browsing with Firejail

Snap wrote:

There's a nice alternative: Sandfox by IgnorantGuru. The developer of the excellent SpaceFM file manager and its udevil companion. All his software is top notch.

SpaceFM is one of the best file managers ever made in my eyes. It really enhances the workflow. Everything is logical and intuitive, easy to use, no bugs, just works without issues. The only thing I would change is that on the same partition pulling files to another folder means automatically "move", while on different partitions "copy". I'd prefer both the same (and maybe also a ".."-line in the active window). Just to know that Firejail is from the same developer makes me wanna try it.

Last edited by martix (2016-05-06 20:23:10)


#15 2016-05-09 19:20:43

Snap
Member
Registered: 2015-10-02
Posts: 465

Re: Safer browsing with Firejail

^ Agreed. SpaceFm (GTK2) and ranger are the only file managers I use after trying almost anything.

Back on topic. Interesting writing about firejail by IgnorantGuru himself.

https://igurublog.wordpress.com/2016/05/09/firejail/


#16 2016-07-12 07:59:52

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Safer browsing with Firejail

[BUMP!]

Bumping this thread to note that the firejail package is now available in the jessie-backports repository:

https://packages.debian.org/jessie-backports/firejail

OP updated with new instructions.

[/BUMP!]


#17 2016-12-17 22:48:17

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Safer browsing with Firejail

This is a great security tool. The other day I installed the add-on BetterPrivacy, which takes care of flash cookies. They are usually in the ~/.macromedia folder. When I closed the browser, the add-on popped up a message saying: There is no folder for flash configured, do you want to do it now? Sure, clicked ok and a window with the file tree opened. However there was no ~/.macromedia folder available. !!?? First I was wondering why, and suddenly I realized: Of course, Firejail!
Let's have also a bump for this useful thread...


#18 2016-12-18 02:05:09

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 12,654
Website

Re: Safer browsing with Firejail

Thanks for the reminder HoaS. 8)

...installed.

Is the default (no cli options) good enough for general use?


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )

Introduction to the Bunsenlabs Boron Desktop


#19 2016-12-18 02:10:00

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Safer browsing with Firejail

johnraff wrote:

Is the default (no cli options) good enough for general use?

Erm, I think so, @nobody knows much more about this stuff than me :D

I prefer Chrom{e,ium}'s SECCOMP sandbox for untrusted websites o:)


#20 2016-12-18 02:17:46

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093
Website

Re: Safer browsing with Firejail

Also, anybody using the non-ESR version of Firefox can (force) enable their in-house Electrolysis (e10s) namespace containerisation solution:

https://wiki.mozilla.org/Electrolysis#Force_Enable
