robotchaos
Long time nixers
Just wanted to see what you guys think of firejail. Anyone tried it?

https://firejail.wordpress.com/

I started playing with it yesterday and I have to say, I am certainly impressed. The default profile when loading `firejail st` protects most of the stuff I was concerned about. I used st to load a shell as an example to see what I could access. It denies access to /boot, /sbin, sudo (explicitly), .password-store, .gnupg and .ssh, sets ~/bin to read-only, and most of your config files get set to read-only as well. Like I said, running a shell in this firejail was only a test. I actually only run firefox, ssh (client), nodejs, nginx, surf, libreoffice, pidgin, and evolution in a firejail.

I was looking for something to protect my sensitive files from internet-facing applications, such as surf and firefox. So if something happened, it couldn't run away with my data. firejail seems to fit this bill rather nicely.

In fact, with the --private=dir switch, you can run the program in its own private home directory if you wanted to go that far.
venam
Administrators
I mentioned it in the podcast about Browsers.

Quote:
* paranoid:
web sites I know to be evil, or just I think probably can be malicious,
or just I want to be reasonably sure it's hard for them to trace me
and my identity.

https://firejail.wordpress.com/
https://www.nexlab.net/2016/08/06/deskto...nd-theory/

He builds a sandboxed web browser using firejail:

The paranoid version runs in a jail, with a different user with different
permissions.
It will not have access to sound, mic or cam at all. It will access the network
only through tor, and it will run in a separate networking namespace.
Also, it will NOT share the clipboard with the X11 session, as it will run
in a completely separate session using xpra.
It also passes through a proxy or tor.
It saves all downloads to a temporary file system to make them more volatile.
Sagitarius also mentioned it in the "help secure your OS" thread: https://nixers.net/showthread.php?tid=17...8#pid14658

So overall we didn't have any in depth talk about it yet.
It would be fruitful if you could log/note whatever you learn along the way and share it.
robotchaos
Long time nixers
Quick update: been loving what I can do with firejail so far. Can disable all networking except loopback. It doesn't seem possible to keep it from accessing lo. But for things I know and should not have net, you can remove it from its stack. You can also restrict which binaries a program then has access to. For example, pidgin by default only has access to one binary, the pidgin binary. Clicking on a link results in an error of 'unable to find xdg-open'.

Modifying profiles to suit your needs is easy enough. I then modified the pidgin profile to allow for xdg-open but it doesn't seem to open it in the running firefox instance that is also currently in its own firejail. So I see there is an option to name the namespace the firejail is running as, and that option I believe will give pidgin access to open links in that firefox. More to follow.
robotchaos
Long time nixers
Learned something new: using the option --net=none also creates a new loopback interface for that program. So it can't even use the loopback to get to the real machine. Quick note, pretty cool. I use this option to prevent programs from accessing the network if they aren't supposed to. Paranoid enough to make sure they are unable to.
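The checks robotchaos describes doing by hand in the posts above (probing what a shell inside the jail can still reach, confirming that `--net=none` leaves only a fresh loopback, and editing a program's profile so pidgin can see xdg-open) can be scripted. The POSIX shell script below is an added example; it is not code from anyone in this thread or from the firejail project, and firejail does not need to be installed to run it, since it only writes a profile file and inspects what the calling process can see. The directive names (`include`, `blacklist`, `read-only`, `caps.drop`, `seccomp`, `noroot`, `nonewprivs`, `private-tmp`, `private-dev`, `private-bin`, `net none`) are firejail's own profile syntax, and firejail reads `~/.config/firejail/NAME.profile` in preference to `/etc/firejail/NAME.profile`; the `/etc/firejail/*.inc` include paths, the particular set of hardening lines, and the assumption that `xdg-open` is the xdg-utils shell script (which is why `sh` is listed alongside it in `private-bin`) are this example's choices, not something the thread states.

```shell
#!/bin/sh
# Added example (not from this thread's posters or from firejail): helpers for
# the checks done by hand in the posts above. Nothing here requires firejail to
# be installed; run the probes once on the host and once inside "firejail st".

# write_profile DIR NAME BINS [nonet]
# Writes DIR/NAME.profile. Firejail looks in ~/.config/firejail/NAME.profile
# before /etc/firejail/NAME.profile, so DIR is normally "$HOME/.config/firejail".
# Directive names are firejail profile syntax; the include paths are where
# firejail installs its shared blacklists (assumption: check /etc/firejail).
# "nonet" adds "net none", i.e. a private network namespace with only a new lo.
write_profile() {
    dir="$1"; name="$2"; bins="$3"; netline=""
    if [ "${4:-}" = nonet ]; then netline="net none"; fi
    mkdir -p "$dir"
    cat > "$dir/$name.profile" <<EOF
# $name: local override of the distribution profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# secrets the thread wanted kept away from internet-facing programs
blacklist \${HOME}/.ssh
blacklist \${HOME}/.gnupg
blacklist \${HOME}/.password-store
read-only \${HOME}/bin
caps.drop all
seccomp
noroot
nonewprivs
private-tmp
private-dev
# only these binaries exist in the jail's /bin; a script needs its interpreter
# too, which is why "pidgin,sh,xdg-open" rather than just "pidgin,xdg-open"
# (assumption: xdg-open is the xdg-utils shell script)
private-bin $bins
$netline
EOF
}

# profile_has FILE DIRECTIVE: exit 0 if FILE contains DIRECTIVE as a whole line.
profile_has() { grep -qxF -- "$2" "$1"; }

# probe_paths PATH...
# Prints "denied", "ro" or "rw" for each path as seen by the current process
# (a blacklisted path reads as denied, a read-only mount as ro) and returns
# the number of paths that were readable at all, so 0 means everything denied.
probe_paths() {
    open=0
    for p in "$@"; do
        if ! [ -r "$p" ]; then
            echo "denied $p"
        elif [ -w "$p" ]; then
            echo "rw     $p"; open=$((open + 1))
        else
            echo "ro     $p"; open=$((open + 1))
        fi
    done
    return "$open"
}

# net_is_isolated [SYSFS_NET_DIR]
# Exit 0 if the only interface visible is lo, which is what "firejail
# --net=none" leaves; prints any other interface and exits 1 otherwise.
# Assumes /sys reflects the sandbox's network namespace; if it does not on
# your firejail version, compare against "ip -o link" instead.
net_is_isolated() {
    dir="${1:-/sys/class/net}"
    rc=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue          # empty dir: glob stays literal
        iface=${entry##*/}
        [ "$iface" = lo ] && continue
        echo "interface visible: $iface"
        rc=1
    done
    return "$rc"
}

# Usage: sh firejail-check.sh demo   (once on the host, once inside the jail)
if [ "${1:-}" = demo ]; then
    probe_paths /boot /sbin "$HOME/.ssh" "$HOME/.gnupg" \
        "$HOME/.password-store" "$HOME/bin" || true
    if net_is_isolated; then echo "network: only lo visible"; fi
    # write the pidgin override the post above describes, with xdg-open allowed
    write_profile "$HOME/.config/firejail" pidgin pidgin,sh,xdg-open
fi
```

Running the `demo` path from a normal shell and then from a shell started with `firejail st` shows the difference the first post describes: `/boot`, `/sbin` and the dot-directories flip from readable to denied, `~/bin` from rw to ro, and under `--net=none` the interface check reports only lo. The written profile is picked up automatically the next time `firejail pidgin` is started because the user directory takes precedence over `/etc/firejail`; whether xdg-open can then actually hand the URL to a firefox running in another sandbox is a separate question the thread leaves open.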
josuah
Long time nixers
I am glad to discover ways to make the use of the browser more secure. Thank you both for sharing.
oldnix
Registered
Put some time in on firejail recently, see http://unix.stackexchange.com/questions/...vpn-client

Currently typing this in a firefox firejail sandbox with network isolation (--net=...) and a private chroot dir, Xpra viewer.

I'd be happier with Xephyr - would have to configure a window manager for window resizing to work; also, though, Xephyr has no clipboard code built in (Xpra can be configured to copy the clipboard in and out). Running firejail without disabling the X11 abstract Unix socket (which would enable the native X11 clipboard) defeats the object. I could do with finding a solution to this; an optional viewer would be useful.

Apart from Xpra and Xephyr, are there any other remote viewers out there?