firejail / seccomp / More Options for Program Containment

torjunkie · December 30, 2016, 10:08am

As Yawning’s Tor Browser Firejail profile (script?) is no longer available at the link in the dev wiki, I suppose the standard Firejail FF profile is sufficient when starting Tor Browser in Whonix or Qubes-Whonix.

See discussion in “Hardening Qubes-Whonix” thread and suggested wiki entry over there for background & motivation. Basically I want to polish off the instructions so normal people can use it consistently.

Most of the primary security features seem to be enabled in the Firejail profile for Firefox already e.g. seccomp, caps.drop all etc:[1]

cat /etc/firejail/firefox.profile

Output:

# Firejail profile for Mozilla Firefox (Iceweasel in Debian)

noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog

whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki

# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass

#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1

include /etc/firejail/whitelist-common.inc

# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse

This profile is probably okay for Firefox-ESR in a straight Debian VM, but there might be further black-listing for stuff for Tor Browser in a Whonix VM.

I don’t understand that stuff about -X11 and -Xpra options (normal user here). It seems desirable because it prevents screenshots and keyloggers from accessing stuff in other displays outside of the container. Does this mean that nothing outside of the Firefox-ESR or Tor Browser VM can be snap-shotted or logged e.g. stuff running in parallel in another VM in Qubes?

@HulaHoop are you running a (working) Tor Browser Firejail profile that is heavily modified from the above in Whonix? If so, do you mind pasting it so I can reference it for other users to try?

[1] See https://firejail.wordpress.com/features-3/man-firejail/

Patrick · December 30, 2016, 12:33pm

Can firejail even be combined with bubblewrap sandboxed Tor Browser?

HulaHoop · December 30, 2016, 5:06pm

No haven’t looked into it since. Now that there is an officially supported solution you should use it instead. I don’t think there is much benefit from stacking two tools that do the same thing.

torjunkie · December 31, 2016, 7:11am

Ok - thanks.

The problem is though:

bubblewrap is currently incompatible with any Qubes VM, meaning the alpha Tor sandbox doesn’t work in straight Debian VMs or Whonix VMs in Qubes-Whonix (see Patrick’s efforts); and
32 bit binaries are no longer being built for the alpha Tor sandbox, which I thought meant that this will now be incompatible with 32-bit non-Qubes-Whonix.

Thus, Firejail is the only working solution for Qubes-Whonix & non-Qubes-Whonix currently. I don’t expect either of these problems will be solved anytime soon (bubblewrap & 64-bit non-Qubes-Whonix).

See here:

HulaHoop · December 31, 2016, 4:40pm

I see. Well I know for non-Qubes Whonix the next release (14) will be 64bit. So this is done.

Patrick · January 7, 2017, 5:55pm

Made some edits, some things don’t play out es expected:
https://www.whonix.org/w/index.php?title=Dev%2FFirejail&type=revision&diff=27605&oldid=23916

Documentation enhancements suggested by @torjunkie, currently discussed here:

torjunkie · January 24, 2017, 3:25pm

This might be better for the Firejail instructions for Tor Browser i.e. how to properly incorporate the Firefox profile (haven’t tested it yet, but will soon):

https://blog.torproject.org/comment/reply/1235/219876

You can use Tor Browser with Seccomp via Firejail, like this:

$ cat /etc/firejail/tor-browser.profile
noblacklist ~/.tor-browser-en
include /etc/firejail/firefox-esr.profile
whitelist ~/.tor-browser-en

$ firejail --seccomp --profile=/etc/firejail/tor-browser.profile /usr/bin/tor-browser-en

HulaHoop · January 15, 2018, 4:25am

https://www.phoronix.com/scan.php?page=news_item&px=KDE-Discover-Flatpak-Production

Flatpak sandboxed program support lands for KDE’s repo manager

Patrick · June 23, 2018, 5:21am

HulaHoop · June 23, 2018, 4:56pm

The advantage of Firejail is it works with programs as is instead of needing them to be specially packaged for compatibility like Flatpak would. It would be very interesting to know more from the parrotOS devs about their implementation and approach to sandboxing their system by default. I see room for collaboration/use of their work for our benefit too.

HulaHoop · June 24, 2018, 3:21am

Asked the folks at parrotos about what they do which may help.

HulaHoop · June 24, 2018, 4:44pm

Some great feedback from the ParrotOS dev. Its very doable with their technique. [0] @Patrick see if you have any further questions you would like to ask.

[0] They enable it automatically for all available programs and re-aply symlinks in event of package updates. Also the home folder is whitelisted for saving files the users wants persistent. I asked about the code and whether its deb packaged.

TNT_BOM_BOM · June 24, 2018, 7:24pm

i tried by default to run firejail and it WORKED without adding anything:

run inside whonix:

firejail torbrowser

if you installed tbb from torbrowser-downloader developed by micah lee

firejail torbrowser-laucher

and it will run magically with seccom without adding anything

HulaHoop · June 24, 2018, 8:49pm

By automatic we mean out of the box. We don’t want people to type firejail X to take advantage of its security but rather the process is completely transparent to the user.

torjunkie · June 25, 2018, 1:38am

Hi TNT_Bom_Bom

Yes I know it works, but it defaults to a “default profile” in that mode (which is not very restrictive).

We really need something to auto-select the Tor Browser profile for improved usability and stricter containment if Firejail is used.

HulaHoop · April 14, 2019, 4:04pm

packaged for Debian and includes custom code
https://dev.parrotsec.org/parrot/firejail

Patrick · June 28, 2018, 12:45am

Problem is, it is these profiles is mixed up with all the C code provided by firejail. A full fork of firejail. That would be good if it was taken by firejail developers like this and merged upstream at firejail.

Just the parts they changed (added profiles; Debian maintainer scripts) in a separate package would a lot a lot better to avoid adding C code and compilation to Whonix source code. Otherwise I’d need to verify firejail by firejail upstream vs firejail from that package matches; and compile.

HulaHoop · June 28, 2018, 3:05am

OK I suggested it.

HulaHoop · September 1, 2018, 12:39pm

Algernon · November 30, 2018, 9:52pm

Could we add firejail to the default packages being installed so it would maybe also get some more testing? The version from backports looks close to the upstream version. Also the specific profile for the torbrowser seems to work, not just the default profile.