MEPIS 12/MX 14 Community Repo: The Firejail Thread

News about updates on package status for CR packages compiled for MEPIS 12.0

#1 Post by Stevo » Thu Aug 04, 2016 3:21 pm

We now have Firejail 9.40-3 in the test repository. Usage is as simple as

    firejail <program>

It's a security sandboxing program that includes built-in profiles for many popular programs. This release includes changes:

added --nice option
added --x11 option
added --x11=xpra option
added --x11=xephyr option
added --cpu.print option
added filetransfer options --ls and --get
added --writable-etc and --writable-var options
added --read-only option
added mkdir, ipc-namespace, and nosound profile commands
added net, ip, defaultgw, ip6, mac, mtu and iprange profile commands
--version also prints compile options
--output option also redirects stderr
added compile-time option to restrict --net= to root only
run time config support, man firejail-config
added firecfg utility
AppArmor fixes
default seccomp filter update
disable STUN/WebRTC in default netfilter configuration
new profiles: lxterminal, Epiphany, cherrytree, Polari, Vivaldi, Atril
new profiles: qutebrowser, SlimJet, Battle for Wesnoth, Hedgewars
new profiles: qTox, OpenSSH client, OpenBox, Dillo, cmus, dnsmasq
new profiles: PaleMoon, Icedove, abrowser, 0ad, netsurf, Warzone2100
new profiles: okular, gwenview, Google-Play-Music-Desktop-Player
new profiles: Aweather, Stellarium, gpredict, quiterss, cyberfox
new profiles: generic Ubuntu snap application profile, xplayer
new profiles: xreader, xviewer, mcabber, Psi+, Corebird, Konversation
new profiles: Brave
generic.profile renamed default.profile
build rpm packages using “make rpms”

#2 Post by linexer2016 » Sat Dec 17, 2016 2:55 am

Hello Stevo,
With the recent published proof of concept vulnerability, it turned my mind to how to create a sandboxed browser. Firejail was indicated however, having set the Debian Backports and downloaded and installed firejail, I am finding it somewhat unintuitive as to whether it actually is sandboxing my firefox session. You see, the issue I have is I seem to have to:
1. in a terminal type firejail firefox
1.1 if firefox is not already running nothing appears to happen so
2. start firefox and then command line firejail firefox opens another window of firefox (but there's no real indication that the second window is in fact "firejailed")
2.1 I know I can at the command line type firejail --tree and that should show if firefox is indeed protected - it does not.
3. If I run say audacious with the firejail command it reports that it is protected via the firejail --tree call.

So, it seems to me that firefox has some issues working with firejail if I understand the published functionality of firejail correctly. I mean, Audacious appears to work as per the label but as I have mentioned, I just can't seem to get the same confirmation from firefox.

Any suggestions would be very much appreciated and indeed if there are any suggestions from anyone regarding sandboxing programs generally.
Perhaps that vulnerability that was published just the other day has been addressed or will be addressed shortly but a sandbox type program unfortunately seems to be becoming nearly as important in linux as it has always been in windows.

#3 Post by Stevo » Sat Dec 17, 2016 1:56 pm

First, if you installed from jessie-backports, I'm going to guess you have either MX 15 or 16, and you're posting in the wrong thread.

I've sent new 0.9.44 versions of firejail and firetools to the MX 15/16 test repository; please use the test repo tool in MX-Tools to upgrade to those versions and test those. When I launched Firefox from the Firetools GUI, it reports the browser as running in a sandbox.

#4 Post by skidoo » Sat Dec 17, 2016 3:22 pm

"somewhat unintuitive as to whether it actually is sandboxing my firefox session."

I agree, it's both unintuitive AND is unreliable, in the sense that sandboxing is not forced-by-default.
Suppose you're running whatever program and click its toolbar Help--}About link.
Whoops, surprise! The program provides no local helpdocs ~~ your click invokes "xdg-open hxxp://somesite.url/blablah"
and, more surprise: that program hasn't been updated in recent years. Domain at the intended link has expired and was re-registered by perp serving drive-by injections...

So, my suggestion is to mv / rename the browser's executable file (/usr/bin/firefox, /usr/bin/firefox-esr, /usr/bin/whatever)
and replace with a same-named bash script which invokes "firejail firefox".

note: the above is a "suggestion" not a "recommendation". I'm currently only using firejail for its "nonet" wrapper capability.
Separately, I do use, and recommend, the following to preclude accidentally launching a sudo-permissioned browser instance:

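    # run as root: remove any existing root Firefox profile directory
    rm -rf /root/.mozilla
    # ln -s takes TARGET then LINK_NAME: make /root/.mozilla point at /dev/null
    ln -s /dev/null /root/.mozilla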

#5 Post by linexer2016 » Sun Dec 18, 2016 12:21 am

Stevo, thanks, I didn't realise you had to post a query about a program such as this in any specific MX14-16 thread so I will try your recommendation regarding the installer from the correct (test) repository.
skidoo, and thank you too, however, your post raises a couple more questions .... 1. you say sandboxing is not forced-by-default - surely sandboxing should be forced whenever one invokes firejail firefox for if sandboxing doesn't then exist how do you in fact force it? 2. are you saying that your suggestion re mv / rename etc is an extra layer of protection and one that improves the firejail functionality? and your use and recommendation to preclude accidental launch of a sudo browser is also in the same vein? It would appear from what Stevo said though, that if one can successfully install from the test repository both firejail and firetools that really should be all that's needed going by his comment that "... When I launched Firefox from the Firetools GUI, it reports the browser as running in a sandbox...".

#6 Post by Gordon Cooper » Sun Dec 18, 2016 12:38 am

At my age, I think of a sandbox as either something for the children to play in, or a carefully built and impressed mould for the casting of metals. What does this device achieve in IT?
Homebrew64 bit Intel duo core 2 GB RAM, 120 GB Kingston SSD, Seagate1TB.
Primary OS : MX-17.1 64bit. Also MX17, Kubuntu14.04 & Puppy 6.3.
Dell9010, MX-17.1, Win7

#7 Post by linexer2016 » Sun Dec 18, 2016 1:02 am

Gordon, firejail which like all "sandboxes" in a computer context, is intended to isolate say your browser so that anything you do or interact with in that browser session can't cause system wide damage. My interest in firejail came from my experience with an excellent program called sandboxie in windows. I was/am hoping that firejail affords similar functionality and my interest was sharpened by the recently published important vulnerability that although is at this stage apparently only a "proof of concept" chances are that it might become a real danger going forward. It is a real pity that the long run linux secure system seems now to be getting challenges from such malware that has equally long been an issue in windows.

Stevo, I might say that originally I did install firejail from the MX test repository via the inbuilt tool "MX Test Repo Installer" and before your post, I had uninstalled the program because I couldn't get it to work properly. Following your post, I reinstalled from that same repository and via the same tool not only firejail (as I had done the first time) but this time, also firetools. Now, the same phenomena continues to occur .... 1. if I launch firetools and double click on firefox, nothing appears to happen, however, if I right click on the firefox icon, I see what is likely a similar output to the command line firejail --tree command and that is that firefox is sandboxed. Why then firefox the program doesn't run I have no idea. 2. if I try to launch firefox from the command line via firejail firefox, again the screen output doesn't inform this writer what might be happening but the firefox program still fails to launch and should I at the desktop click on firefox separately, I get an error message that firefox is already running and to close that instance or restart the system. 3. as I mentioned in my original post, audacious runs as per the label both via the firetools program and the command line. So, it remains that for me at least, firefox just doesn't seem to want to play in that virtual sandbox with firejail.

#8 Post by skidoo » Sun Dec 18, 2016 3:37 am

With win+sandboxie, regardless of the path a given program has been installed to (not necessarily installed to a path under sandboxie) you can right-click its launcher icon and choose "run sandboxed". Firejail doesn't have that same degree of integration. Unless you use commandline, or use a firetools icon to launch a program, the program won't be sandboxed.

If you double-click an html file in filebrowser, or (per my example in previous post) click an About--}Help link in the toolbar of some program, in such instances you don't have any opportunity to specify "run sandboxed"...and, unless you've set up a diversion (renamed the browser executable and substituted a wrapper script at the expected path) the browser gets launched UNsandboxed.
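
The diversion described in posts #4 and #8 (rename the browser executable, leave a same-named wrapper script at the expected path), as an added example that is not code from the thread. The function name `install_wrapper`, the `.real` suffix, the marker string and the `/etc/firejail` profile directory are assumptions; the wrapper calls the renamed binary directly rather than `firejail firefox`, so it cannot resolve back to itself.

```bash
#!/bin/bash
# Added example, not code from the thread.
# Assumptions: firejail is on PATH and its profiles live in /etc/firejail.
MARKER='firejail-wrapper'   # constructed tag used to recognise our own script

# install_wrapper BIN [PROFILE_DIR]
# Renames BIN to BIN.real and leaves a same-named script at BIN that starts
# the real binary under firejail. Safe to re-run, e.g. after a package
# upgrade has put a fresh, unwrapped binary back at BIN.
install_wrapper() {
    local bin="$1" profile_dir="${2:-/etc/firejail}" name
    name=$(basename "$bin")
    [ -x "$bin" ] || { echo "no executable at $bin" >&2; return 1; }
    # Already our wrapper: nothing to do.
    if grep -q "$MARKER" "$bin" 2>/dev/null; then return 0; fi
    mv -f "$bin" "$bin.real" || return 1
    # firejail selects its profile from the program name, which no longer
    # matches after the rename, so the profile is passed explicitly.
    cat > "$bin" <<EOF
#!/bin/sh
# $MARKER: generated, do not edit
exec firejail "--profile=$profile_dir/$name.profile" "$bin.real" "\$@"
EOF
    chmod 755 "$bin"
}

# Usage (as root): install_wrapper /usr/bin/firefox
```

On Debian-based systems `dpkg-divert --local --rename` is the packaging-aware way to keep an upgrade from overwriting the wrapper.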

#9 Post by linexer2016 » Sun Dec 18, 2016 5:57 am

skidoo ... I am not as concerned about clicking a link in an about field of any given program as I am in trying to get firejail to actually play with firefox and as I've found, thunderbird. It seems to have some issues (at least on my system) of not seeing the existing browser or mail client for when I run firejail firefox (or Tbird) from the command line, neither program launches let alone is sandboxed at all. Yet, as I've previously described, audacious has no issues at all from either the command line or the firetools icon. I think I might have to forgo sandboxing for the time being as this thread appears to have reached its end as far as any other contributions. Hopefully the developers and administrators etc will be working quick time to patch that vulnerability that was aired a few days ago.

#10 Post by Stevo » Sun Dec 18, 2016 4:02 pm

I tested both "firejail firefox" and the firetools launcher with the latest version of both from the test repo on a fresh install of MX 16, and they both worked. Are you running MX 16, MX 15, or what?

The version in testing was backported for Debian Sid, and seems to be the release that fixes the security holes, too:

    Version 0.9.44.2, Sunday, December 4, 2016

    security: overwrite /etc/resolv.conf found by Martin Carpenter
    security: TOCTOU exploit for --get and --put found by Daniel Hodson
    security: invalid environment exploit found by Martin Carpenter
    security: several security enhancements
    bugfix: crashing VLC by pressing Ctrl-O
    bugfix: use user configured icons in KDE
    bugfix: mkdir and mkfile are not applied to private directories
    bugfix: cannot open files on Deluge running under KDE
    bugfix: --private=dir where dir is the user home directory
    bugfix: cannot start Vivaldi browser
    bugfix: cannot start mupdf
    bugfix: ssh profile problems
    bugfix: --quiet
    bugfix: quiet in git profile
    bugfix: memory corruption

Anyway, I'll ask that they be moved to main, since they fix vulnerabilities.
