[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

firejail / seccomp / More Options for Program Containment

The advantage of Firejail is it works with programs as is instead of needing them to be specially packaged for compatibility like Flatpak would. It would be very interesting to know more from the parrotOS devs about their implementation and approach to sandboxing their system by default. I see room for collaboration/use of their work for our benefit too.

1 Like

Asked the folks at parrotos about what they do which may help.

1 Like

Some great feedback from the ParrotOS dev. Its very doable with their technique. [0] @Patrick see if you have any further questions you would like to ask.

[0] They enable it automatically for all available programs and re-aply symlinks in event of package updates. Also the home folder is whitelisted for saving files the users wants persistent. I asked about the code and whether its deb packaged.

1 Like

i tried by default to run firejail and it WORKED without adding anything:

run inside whonix:

firejail torbrowser

if you installed tbb from torbrowser-downloader developed by micah lee

firejail torbrowser-laucher

and it will run magically with seccom without adding anything

By automatic we mean out of the box. We don’t want people to type firejail X to take advantage of its security but rather the process is completely transparent to the user.

2 Likes

Hi TNT_Bom_Bom

Yes I know it works, but it defaults to a “default profile” in that mode (which is not very restrictive).

We really need something to auto-select the Tor Browser profile for improved usability and stricter containment if Firejail is used.

1 Like

packaged for Debian and includes custom code
https://dev.parrotsec.org/parrot/firejail

1 Like

Problem is, it is these profiles is mixed up with all the C code provided by firejail. A full fork of firejail. That would be good if it was taken by firejail developers like this and merged upstream at firejail.

Just the parts they changed (added profiles; Debian maintainer scripts) in a separate package would a lot a lot better to avoid adding C code and compilation to Whonix source code. Otherwise I’d need to verify firejail by firejail upstream vs firejail from that package matches; and compile.

OK I suggested it.

1 Like
3 Likes

Could we add firejail to the default packages being installed so it would maybe also get some more testing? The version from backports looks close to the upstream version. Also the specific profile for the torbrowser seems to work, not just the default profile.

2 Likes

i already asked for that

https://phabricator.whonix.org/T869

continue discussion here

https://phabricator.whonix.org/T804

1 Like

Tickets are a bit “disorganized” since now firejail is suggested as standalone without T804. Be that as it may…

The suggestion is to add https://packages.debian.org/stretch/firejail to some Whonix meta package? Which one? Please send a pull request. Can you please test that installing firejail alone doesn’t add any regression? Does it activate by default?

I don’t think we can guarantee zero regressions, but anecdotally I have yet to find a program that doesn’t work with firejail.

From the ParrotOS thread, it appears that what happens is Firejail has a script which can automatically compare installed system binaries and reinstall symlinks as packages are reinstalled. Parrot runs this script (which I haven’t seen but haven’t really dug for yet) every time a package is installed via a post-installation step. This itself could be dangerous as perhaps a user is unaware that firejail is not reinstalled in front of a package reinstall, or perhaps they install a package that is not protected by default firejail profiles and also not ParrotOS firejail profiles and expect it to be automatically applied. User education will always solve problems where technology is lacking. We should make the user aware that firejail is in play on the system regardless of how seamless we can make the integration as they may want to review firejail and the available integrated profiles for themselves.

That all said, I am still learning and still educating myself on firejail and the current state of Whonix development itself. If I could send a pull request that would implement firejail as a default package on a meta package, and then create a post-install hook to implement firejail profile reinstallation, and then implement specific and tight firejail profiles, that would still not alleviate all of the potential problems. Again, user education is key, and I’ve noticed this mentioned a couple of times in the Whonix wiki and could not agree more.

That’s just my $.02 on the matter, for what that’s worth right now. Still learning.

2 Likes

Looks like what we were interested in this firejail issue was implemented.

2 Likes

When I run firejail --debug --seccomp torbrowser

I get this error

ERROR: Failed to start Tor Browser!

Failed to run:

systemctl --no-pager --no-block status tb-updater-first-boot.service.

systemctl output:

Failed to connect to bus: Permission denied

To see this for yourself, you could try:
Start Menu -> Applications -> System -> Terminal
Then run:
systemctl --no-pager --no-block status tb-updater-first-boot.service

Installing /run/firejail/mnt/seccomp.protocol seccomp filter
[ERROR] [torbrowser] Failed to start Tor Browser!

Failed to run:
systemctl --no-pager --no-block status tb-updater-first-boot.service.

systemctl output:

Failed to connect to bus: Permission denied

To see this for yourself, you could try: Start Menu -> Applications -> System -> Terminal
Then run:
systemctl --no-pager --no-block status tb-updater-first-boot.service
Sandbox monitor: waitpid 6 retval 6 status 1024

I use Tor Browser 8.0.6.

@0brand is it a bug for all people ? or just for me ?

Unfortunately everyone.

1 Like

Please experiment with this in Whonix 15.

sudo apt-get install firejail-profiles

(Whonix VirtualBox 15.0.0.0.7 - Debian buster based - Testers Wanted!)

Let me know if this breaks anything.
(Related to https://phabricator.whonix.org/T869#18198)

2 Likes

using this command:

firejail --debug --seccomp torbrowser

it is working!

1 Like