firejail / seccomp / More Options for Program Containment

New proof of concept TBB isolation profile this time using bubblewrap - a subset of Flatpak:

[tor-dev] More tor browser sandboxing fun.

Not really ready for use but shows progress in this area.

1 Like

FireFox sandbox lands in nightly. They are working on tightening it up some more:

KDE Flatpak progress:

https://community.kde.org/Flatpak
http://www.proli.net/2016/06/10/kde-on-flatpak-in-randa/

1 Like

As Yawning’s Tor Browser Firejail profile (script?) is no longer available at the link in the dev wiki, I suppose the standard Firejail FF profile is sufficient when starting Tor Browser in Whonix or Qubes-Whonix.

See discussion in “Hardening Qubes-Whonix” thread and suggested wiki entry over there for background & motivation. Basically I want to polish off the instructions so normal people can use it consistently.

Most of the primary security features seem to be enabled in the Firejail profile for Firefox already e.g. seccomp, caps.drop all etc:[1]

cat /etc/firejail/firefox.profile

Output:

# Firejail profile for Mozilla Firefox (Iceweasel in Debian)

noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog

whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki

# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass

#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1

include /etc/firejail/whitelist-common.inc

# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse

This profile is probably okay for Firefox-ESR in a straight Debian VM, but there might be further black-listing for stuff for Tor Browser in a Whonix VM.

I don’t understand that stuff about -X11 and -Xpra options (normal user here). It seems desirable because it prevents screenshots and keyloggers from accessing stuff in other displays outside of the container. Does this mean that nothing outside of the Firefox-ESR or Tor Browser VM can be snap-shotted or logged e.g. stuff running in parallel in another VM in Qubes?

@HulaHoop are you running a (working) Tor Browser Firejail profile that is heavily modified from the above in Whonix? If so, do you mind pasting it so I can reference it for other users to try?

[1] See https://firejail.wordpress.com/features-3/man-firejail/

Can firejail even be combined with bubblewrap sandboxed Tor Browser?

No haven’t looked into it since. Now that there is an officially supported solution you should use it instead. I don’t think there is much benefit from stacking two tools that do the same thing.

1 Like

Ok - thanks.

The problem is though:

  • bubblewrap is currently incompatible with any Qubes VM, meaning the alpha Tor sandbox doesn’t work in straight Debian VMs or Whonix VMs in Qubes-Whonix (see Patrick’s efforts); and
  • 32 bit binaries are no longer being built for the alpha Tor sandbox, which I thought meant that this will now be incompatible with 32-bit non-Qubes-Whonix.

Thus, Firejail is the only working solution for Qubes-Whonix & non-Qubes-Whonix currently. I don’t expect either of these problems will be solved anytime soon (bubblewrap & 64-bit non-Qubes-Whonix).

See here:

1 Like

I see. Well I know for non-Qubes Whonix the next release (14) will be 64bit. So this is done.

Made some edits, some things don’t play out es expected:
Dev/Firejail: Difference between revisions - Whonix

Documentation enhancements suggested by @torjunkie, currently discussed here:

This might be better for the Firejail instructions for Tor Browser i.e. how to properly incorporate the Firefox profile (haven’t tested it yet, but will soon):

https://blog.torproject.org/comment/reply/1235/219876

You can use Tor Browser with Seccomp via Firejail, like this:

$ cat /etc/firejail/tor-browser.profile
noblacklist ~/.tor-browser-en
include /etc/firejail/firefox-esr.profile
whitelist ~/.tor-browser-en

$ firejail --seccomp --profile=/etc/firejail/tor-browser.profile /usr/bin/tor-browser-en

1 Like

Flatpak sandboxed program support lands for KDE’s repo manager

1 Like

https://forums.whonix.org/t/looking-for-firejail-seccomp-maintainer-for-better-security/2211/5?u=patrick

The advantage of Firejail is it works with programs as is instead of needing them to be specially packaged for compatibility like Flatpak would. It would be very interesting to know more from the parrotOS devs about their implementation and approach to sandboxing their system by default. I see room for collaboration/use of their work for our benefit too.

1 Like

Asked the folks at parrotos about what they do which may help.

1 Like

Some great feedback from the ParrotOS dev. Its very doable with their technique. [0] @Patrick see if you have any further questions you would like to ask.

[0] They enable it automatically for all available programs and re-aply symlinks in event of package updates. Also the home folder is whitelisted for saving files the users wants persistent. I asked about the code and whether its deb packaged.

1 Like

i tried by default to run firejail and it WORKED without adding anything:

run inside whonix:

firejail torbrowser

if you installed tbb from torbrowser-downloader developed by micah lee

firejail torbrowser-laucher

and it will run magically with seccom without adding anything

By automatic we mean out of the box. We don’t want people to type firejail X to take advantage of its security but rather the process is completely transparent to the user.

2 Likes

Hi @nurmagoz

Yes I know it works, but it defaults to a “default profile” in that mode (which is not very restrictive).

We really need something to auto-select the Tor Browser profile for improved usability and stricter containment if Firejail is used.

1 Like

packaged for Debian and includes custom code
https://dev.parrotsec.org/parrot/firejail

1 Like

Problem is, it is these profiles is mixed up with all the C code provided by firejail. A full fork of firejail. That would be good if it was taken by firejail developers like this and merged upstream at firejail.

Just the parts they changed (added profiles; Debian maintainer scripts) in a separate package would a lot a lot better to avoid adding C code and compilation to Whonix source code. Otherwise I’d need to verify firejail by firejail upstream vs firejail from that package matches; and compile.

OK I suggested it.

1 Like