[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

firejail / seccomp / More Options for Program Containment


#41

Worth checking out… Quote: Tails report for January, 2016

Change to systemd as init system and use it to:

  • Sandbox many services using Linux namespaces and make them harder to exploit.

systemd SystemCallFilter= containment option seccomp hardening
https://phabricator.whonix.org/T362


#42

Is this a firejail bug or a feature request for a non-standard way we do things?

EDIT: seems symbolis took care of it :slight_smile:


#43

I think both mechanisms compliment each other - systemd for services and Firejail for Desktop programs.


#44

I meant checking out any containments they configured for “many services”. Perhaps we can re-use their work.


#45

I think this means they are going to make use of it later but nothing has been done with it yet. They just switched to it recently.

My searches of their git logs hasn’t turned up anything useful:

https://git-tails.immerda.ch/tails/tree/


#46

https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/lib/systemd/system but does not look like something portable.


#47

The Tor Project firejail start-tor-browser bug report:
strange Tor control auth cookie default path
https://lists.torproject.org/pipermail/tor-dev/2016-July/011226.html

The bug report got a wontfix, but at least now these variables are configurable by environment variables. Reference:
https://lists.torproject.org/pipermail/tor-dev/2016-July/011227.html


#48

Process sandboxing coming to FF sometime this year. Its not as robust as the syscall whitelisting Firejail can do but its a good move and stackable with other protection.

https://blog.mozilla.org/futurereleases/2016/08/02/whats-next-for-multi-process-firefox/


#49

New proof of concept TBB isolation profile this time using bubblewrap - a subset of Flatpak:

https://lists.torproject.org/pipermail/tor-dev/2016-September/011444.html

Not really ready for use but shows progress in this area.


#50

FireFox sandbox lands in nightly. They are working on tightening it up some more:

KDE Flatpak progress:

https://community.kde.org/Flatpak


#51

As Yawning’s Tor Browser Firejail profile (script?) is no longer available at the link in the dev wiki, I suppose the standard Firejail FF profile is sufficient when starting Tor Browser in Whonix or Qubes-Whonix.

See discussion in “Hardening Qubes-Whonix” thread and suggested wiki entry over there for background & motivation. Basically I want to polish off the instructions so normal people can use it consistently.

Most of the primary security features seem to be enabled in the Firejail profile for Firefox already e.g. seccomp, caps.drop all etc:[1]

cat /etc/firejail/firefox.profile

Output:

# Firejail profile for Mozilla Firefox (Iceweasel in Debian)

noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog

whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki

# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass

#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1

include /etc/firejail/whitelist-common.inc

# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse

This profile is probably okay for Firefox-ESR in a straight Debian VM, but there might be further black-listing for stuff for Tor Browser in a Whonix VM.

I don’t understand that stuff about -X11 and -Xpra options (normal user here). It seems desirable because it prevents screenshots and keyloggers from accessing stuff in other displays outside of the container. Does this mean that nothing outside of the Firefox-ESR or Tor Browser VM can be snap-shotted or logged e.g. stuff running in parallel in another VM in Qubes?

@HulaHoop are you running a (working) Tor Browser Firejail profile that is heavily modified from the above in Whonix? If so, do you mind pasting it so I can reference it for other users to try?

[1] See https://firejail.wordpress.com/features-3/man-firejail/


#52

Can firejail even be combined with bubblewrap sandboxed Tor Browser?


#53

No haven’t looked into it since. Now that there is an officially supported solution you should use it instead. I don’t think there is much benefit from stacking two tools that do the same thing.


#54

Ok - thanks.

The problem is though:

  • bubblewrap is currently incompatible with any Qubes VM, meaning the alpha Tor sandbox doesn’t work in straight Debian VMs or Whonix VMs in Qubes-Whonix (see Patrick’s efforts); and
  • 32 bit binaries are no longer being built for the alpha Tor sandbox, which I thought meant that this will now be incompatible with 32-bit non-Qubes-Whonix.

Thus, Firejail is the only working solution for Qubes-Whonix & non-Qubes-Whonix currently. I don’t expect either of these problems will be solved anytime soon (bubblewrap & 64-bit non-Qubes-Whonix).

See here:


#55

I see. Well I know for non-Qubes Whonix the next release (14) will be 64bit. So this is done.


#56

Made some edits, some things don’t play out es expected:
https://www.whonix.org/w/index.php?title=Dev%2FFirejail&type=revision&diff=27605&oldid=23916

Documentation enhancements suggested by @torjunkie, currently discussed here:


#57

This might be better for the Firejail instructions for Tor Browser i.e. how to properly incorporate the Firefox profile (haven’t tested it yet, but will soon):

https://blog.torproject.org/comment/reply/1235/219876

You can use Tor Browser with Seccomp via Firejail, like this:

$ cat /etc/firejail/tor-browser.profile
noblacklist ~/.tor-browser-en
include /etc/firejail/firefox-esr.profile
whitelist ~/.tor-browser-en

$ firejail --seccomp --profile=/etc/firejail/tor-browser.profile /usr/bin/tor-browser-en


#58

https://www.phoronix.com/scan.php?page=news_item&px=KDE-Discover-Flatpak-Production

Flatpak sandboxed program support lands for KDE’s repo manager


#59

#60

The advantage of Firejail is it works with programs as is instead of needing them to be specially packaged for compatibility like Flatpak would. It would be very interesting to know more from the parrotOS devs about their implementation and approach to sandboxing their system by default. I see room for collaboration/use of their work for our benefit too.