In my BL system, I have placed an executable wrapper at ~/bin/x-www-browser to launch firefox with firejail automatically whenever x-www-browser is used:
#!/bin/sh
firejail firefox "$@"
For system-wide usage, place the script at /usr/local/bin/foxjail instead and add it to the Debian x-www-browser alternative:
sudo update-alternatives --install /usr/bin/x-www-browser x-www-browser /usr/local/bin/foxjail 250
Firejail will jail a number of software packages and as I looked through the list I noticed Skype. Why would anyone want to firejail skype? The only thing I can think of is if you had malicious code in Skype itself because it was from a bad source. Or, is it possible to get something bad just by talking on Skype in Linux?
...
Linux in the backwoods of the Rocky Mountains...
> Or, is it possible to get something bad just by talking on Skype in Linux?
Here's what I believe: Any program in general, which takes input from a user, a network or a file, is exploitable. If someone actively wants to target you in particular, they can and will. If someone's just casting a wide net, you can help avoid being caught up in it by reducing (minimising but not eliminating) your "exploitability". Practise more deliberate and safe computer use (not installing from random sources for example), and safer browsing by utilising easy to use software like firejail.
Best wishes
Red
Knowledge Ferret
I would recommend running the Skype web client from a firejailed browser, preferably within a container running in a VM over a Xen hypervisor.
8o
> I would recommend running the Skype web client from a firejailed browser, preferably within a container running in a VM over a Xen hypervisor.
> 8o
thanks for the laugh.
Red
Knowledge Ferret
> Firejail will jail a number of software packages and as I looked through the list I noticed Skype. Why would anyone want to firejail skype? The only thing I can think of is if you had malicious code in Skype itself because it was from a bad source. Or, is it possible to get something bad just by talking on Skype in Linux?
people really have to let go of the old "computer virus" concept.
surely this is still an issue (though i think it is much more concentrated on financial gain these days), but the common, everyday threat is that applications routinely have access to the internet, can sift your filesystem for exploitable data without you even noticing (it takes just 1s) and transmit it back to whoever "owns" the app/service (and you know who that is for skype).
firejail, if i understand it correctly, addresses both issues (malicious code & data mining) by presenting the app with a "jailed" environment, i.e. they never see your actual filesystem.
if you would start storing sensitive data inside the jail, at least the second point (data mining) would evtl. become moot, btw.
A question: does the "jail" persist after closing down the browser or whatever?
To put it another way, is it possible to use 'firejail firefox http://siteA.com' and 'firejail firefox http://siteB.com' without any risk of siteB having access to data left by siteA?
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
For what it's worth, here's a really long-running thread on
FireJail - Linux sandbox
Using the Openbox (3.5.2) session of Lubuntu 14.04 LTS but very interested in BL :)
> is it possible to use 'firejail firefox http://siteA.com' and 'firejail firefox http://siteB.com' without any risk of siteB having access to data left by siteA?
Yes, both instances would "see" different filesystem trees — check this by trying to upload something from the individual browser's file managers.
> Yes, both instances would "see" different filesystem trees
isn't this really the same as saying the data is destroyed after closing that instance of firejail?
and is that configurable (meaning, in some instances it might be desirable to "return to a previously used jail")?
just checking if i understand the mechanism correctly.
Ah, it seems you need to use the --private option:
--private
    Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed.

    Example:
    $ firejail --private firefox
I suppose that implies the data is not discarded otherwise?
EDIT Here:
https://firejail.wordpress.com/document … e/#private
"You can also use an existing directory as home directory for your sandbox, allowing you to have a persistent sandbox home."
Last edited by johnraff (2017-01-06 06:41:37)
...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), now on Bluesky, there's also some GitStuff )
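Added example, not part of the original posts: a sketch of the wrapper from the first post, extended to choose between the throwaway home (--private) and the persistent sandbox home described in the documentation quoted above (--private=DIR). JAIL_ROOT, FOXJAIL_HOME, jail_home_opt and the ~/.jails layout are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. JAIL_ROOT, FOXJAIL_HOME, jail_home_opt
# and the ~/.jails layout are hypothetical names chosen for illustration.
JAIL_ROOT=${JAIL_ROOT:-$HOME/.jails}

# Print the firejail home option for a jail name.
#   empty name -> --private       (temporary home, discarded when the sandbox closes)
#   valid name -> --private=DIR   (existing directory reused as a persistent home)
jail_home_opt() {
    name=${1-}
    if [ -z "$name" ]; then
        printf '%s\n' --private
        return 0
    fi
    # Allow only simple names so a jail can never point outside JAIL_ROOT
    # (no slashes, no "." or "..", no leading dash).
    case $name in
        .|..|-*|*[!A-Za-z0-9._-]*)
            echo "foxjail: invalid jail name: $name" >&2
            return 1 ;;
    esac
    dir=$JAIL_ROOT/$name
    # The quoted documentation speaks of an existing directory, so create it
    # first and keep it readable by the owner only.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    printf '%s\n' "--private=$dir"
}

# Launch firefox in the chosen jail, passing URLs through untouched.
foxjail() {
    opt=$(jail_home_opt "${FOXJAIL_HOME-}") || return 1
    exec firejail "$opt" firefox "$@"
}

# Run only when installed under the script name used in the first post.
case ${0##*/} in
    foxjail) foxjail "$@" ;;
esac
```

With this installed as foxjail, running FOXJAIL_HOME=siteA foxjail http://siteA.com reuses one home directory for siteA only, while leaving FOXJAIL_HOME unset gives a home that is discarded on exit.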
There is Firetools, which is basically a starter for firejailed applications. E.g. I had Midori installed and on Firetools there is the Midori icon available, so I can start the firejailed browser that way. Same with e.g. Firefox, Filezilla, VLC, etc. However: Firejail works with mpv, but its icon does not show up in Firetools (nor e.g. for Kate).