Enhancement hardened internet sandbox needed #4339
Comments
I've implemented something similar with a combination of SELinux policies, NFTables firewall rules and NetLabel configuration. The unprivileged user I don't know how to implement this with Firejail, but it would surely be a great addition. If the user's shell would be firejailed and no way to escape firejailing, maybe everything could be run with `network=none`, except for the explicitly allowed applications? In your proxy setup, the address of the proxy or crypto key to access it could be disclosed in a file, which would not be accessible by unprivileged applications and only the explicitly allowed applications could be allowed access via Firejail config?
I'm experimenting with additional user creation and grepping id. I plant userid here: `iptables -A OUTPUT -m owner --uid-owner 1000 -j REJECT` But my problem is, I cannot start firejail with different user and Firefox. `sudo su -m internetaccessuser -c "firejail --debug firefox"` won't start - even when internetaccessuser is in the sudoers group. ... Maybe netblue can help
Do you get any error? Does firefox start w/o firejail? Do you can start
Woow, thanks for the reply. I can start Firefox with firejail with my default user and root. I will test this tomorrow. I'm using x11 and Firefox will be x11 sandboxed with the latest xpra from xpra's own repository.
firejail curl inside user shell works fine
EDIT by @rusty-snake: code-block
Here when I try to start
firefox.profile works everything with success with default user:
EDIT by @rusty-snake: code-block
I did `xhost +local:internet` and then `sudo -u internet -H firejail --debug firefox`; this does the magic trick, now all works very well... Please update documents and changelog for this fix.
I want to start a squid proxy on my host machine inside firejail with a hardened config.
What I want next is to allow internet access only from the "firejail squid ip address containerjail"; everything outside of the firejail squid jail container should not have internet access, for both ingress and egress.
I know it's possible with iptables on the host side, but how do I tell iptables to allow internet only from the firejail container and NOTHING ELSE?
I want to connect with my browser to the internet over the squid proxy or another proxy, and want to start it like this:
firejail --proxy="idofsquidjail/or ip" --x11=xpra firefox
After that, every application that I want, run with the command above (--proxy ....), should have internet access, but all other apps should not have access.
Benefits:
everything on the host side cannot access the internet
kernel modules haven't any internet access - big attack surface solved
whole /usr/bin hasn't any internet access - big attack surface solved
every binary not started with the firejail --proxy command, or proxychains functions in combination with firejail, cannot have access to the internet, because the binary doesn't know how to route traffic out ....
only the admin knows the way out, starting firejail smart and tidy :-)
Thanks and
Best Regards
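
One way to express the "only the proxy account gets out, nothing else" policy asked about above, as an added example that is not part of the original issue or the Firejail project. It builds on the `--uid-owner` match already used in the thread and assumes the proxy or browser runs as a dedicated account (such as the `internet` user from the thread) without its own network namespace; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Firejail code. Assumes the sandboxed proxy/browser runs
# as a dedicated account and shares the host network namespace.

# Print a filter table (iptables-restore format) in which only the given
# numeric uid may open new outbound connections.
egress_ruleset() {
    case $1 in
        ''|*[!0-9]*) echo "egress_ruleset: numeric uid required" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner $1 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Read iptables-save output on stdin. Succeeds only if the OUTPUT policy is
# DROP and every OUTPUT ACCEPT rule is loopback, reply traffic, or that uid.
audit_egress() {
    awk -v uid="$1" '
        /^:OUTPUT DROP/ { policy_ok = 1 }
        /^-A OUTPUT / && / -j ACCEPT$/ {
            if ($0 == "-A OUTPUT -o lo -j ACCEPT") next
            if ($0 ~ /--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$/) next
            if (index($0, "--uid-owner " uid " ")) next
            print "unexpected egress rule: " $0
            bad = 1
        }
        END { exit !(policy_ok && !bad) }
    '
}
```

Load the output as root with `egress_ruleset "$(id -u internet)" | iptables-restore` and again through `ip6tables-restore`, otherwise IPv6 stays open. A local caching resolver that runs under another uid is blocked by these rules as well, so the allowed account has to resolve names itself or the resolver's uid needs its own rule.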