Tor Browser Hardening (hardened malloc, firejail, apparmor) vs Web Fingerprint

summary

  • I am not fully convinced that firejail is bad.
  • Decided to no longer install firejail by default in Whonix anyhow.

firejail security

Can’t rely too much on Daniel Micay as a security expert because he’s (often justifiably…) critical of “everything”… Could as well give up and go home following that sentiment. Reference: Daniel Micay Quotes

Firejail developers might be biased towards firejail.

Bubblewrap developers might be biased towards bubblewrap.

Under the bias thesis, both candidates aren’t ideal expert opinions here on judging the security of each tool vs each other. Their input is valued nonetheless.

Tried to wrap my head around this issue. Made some notes here:
Dev/Firejail - Kicksecure

Trying to come up with essential questions.

Please keep expert opinions pro/contra firejail / bubblewrap / apparmor / etc. coming.


installation by default

Whonix doesn’t enable any firejail / bubblewrap profiles for anything by default yet. All such profiles are opt-in.

Whonix comes with some apparmor profiles by default. Those for its own software and those profiles maintained by Debian. Other profiles are opt-in.

Decided to no longer install firejail by default due to

  • the controversy,
  • higher attack surface without other advantage by default (no profiles enabled by default).

Currently Whonix has by default a higher attack surface (due to firejail being installed by default) but no security advantages (not making use of any firejail profiles by default).

Firejail was only decided to be installed by default for better usability, to make writing firejail profiles easier. This could be undone since we did not get any new profiles anyhow.

At the moment, the major attack surface realistically is the browser, Tor Browser. If hypothetically upstream, The Tor Project, maintained a firejail profile, then I would think that the security advantages outweigh the security disadvantages of it, until in-the-wild attacks prove otherwise. That would be a reason to keep firejail installed by default.

SecBrowser depends on firejail and uses it by default. But SecBrowser isn’t Whonix. For SecBrowser I’ll keep firejail enabled by default until I am convinced that it does more harm than good against realistic attacks (what happened previously in-the-wild).


future reconsideration for re-installation of firejail

  • If anyone maintains firejail profiles in Whonix for software not developed by Whonix, those wouldn’t be installed by default - same as for apparmor profiles.
  • If anyone maintains firejail profiles in Whonix for software developed by Whonix, re-installation of firejail by default would be reconsidered.
  • If anyone maintains firejail profiles in Debian, re-installation of firejail by default would be reconsidered.