Skip to content

netblue30/firejail

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Firejail

Build Status

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.

The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.

Firejail Firefox Demo

Project webpage: https://firejail.wordpress.com/

Download and Installation: https://firejail.wordpress.com/download-2/

Features: https://firejail.wordpress.com/features-3/

Documentation: https://firejail.wordpress.com/documentation-2/

FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/

Travis-CI status: https://travis-ci.org/netblue30/firejail

Compile and install

$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure && make && sudo make install-strip

On Debian/Ubuntu you will need to install git and a compiler:

$ sudo apt-get install git build-essential

Running the sandbox

To start the sandbox, prefix your command with “firejail”:

$ firejail firefox            # starting Mozilla Firefox
$ firejail transmission-gtk   # starting Transmission BitTorrent
$ firejail vlc                # starting VideoLAN Client
$ sudo firejail /etc/init.d/nginx start

Run "firejail --list" in a terminal to list all active sandboxes. Example:

$ firejail --list
1617:netblue:/usr/bin/firejail /usr/bin/firefox-esr
7719:netblue:/usr/bin/firejail /usr/bin/transmission-qt
7779:netblue:/usr/bin/firejail /usr/bin/galculator
7874:netblue:/usr/bin/firejail /usr/bin/vlc --started-from-file file:https:///home/netblue/firejail-whitelist.mp4
7916:netblue:firejail --list

Desktop integration

Integrate your sandbox into your desktop by running the following two commands:

$ firecfg --fix-sound
$ sudo firecfg

The first command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. The second command integrates Firejail into your desktop. You would need to logout and login back to apply PulseAudio changes.

Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. The integration applies to any program supported by default by Firejail. There are about 250 default applications in current Firejail version, and the number goes up with every new release. We keep the application list in /usr/lib/firejail/firecfg.config file.

Security profiles

Most Firejail command line options can be passed to the sandbox using profile files. You can find the profiles for all supported applications in /etc/firejail directory.

If you keep additional Firejail security profiles in a public repository, please give us a link:

Use this issue to request new profiles: #1139


Current development version: 0.9.53

Spectre mitigation

If your gcc compiler version supports it, -mindirect-branch=thunk is inserted into EXTRA_CFLAGS during software configuration. The patch was introduced in gcc version 8, and it was backported to gcc 7. You'll also find it on older versions, for example on Debian stable running on gcc 6.3.0. This is how you check it:

$ ./configure --prefix=/usr
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... ranlib
checking for Spectre mitigation support in gcc compiler... yes
[...]
Configuration options:
   prefix: /usr
   sysconfdir: /etc
   seccomp: -DHAVE_SECCOMP
   <linux/seccomp.h>: -DHAVE_SECCOMP_H
   apparmor:
   global config: -DHAVE_GLOBALCFG
   chroot: -DHAVE_CHROOT
   bind: -DHAVE_BIND
   network: -DHAVE_NETWORK
   user namespace: -DHAVE_USERNS
   X11 sandboxing support: -DHAVE_X11
   whitelisting: -DHAVE_WHITELIST
   private home support: -DHAVE_PRIVATE_HOME
   file transfer support: -DHAVE_FILE_TRANSFER
   overlayfs support: -DHAVE_OVERLAYFS
   git install support:
   busybox workaround: no
   Spectre compiler patch: yes
   EXTRA_LDFLAGS:
   EXTRA_CFLAGS:  -mindirect-branch=thunk
   fatal warnings:
   Gcov instrumentation:
   Install contrib scripts: yes

This feature is also supported for LLVM/clang compiler

New command line options

       --nodbus
              Disable D-Bus access. Only the regular UNIX socket is handled by
              this command. To disable the abstract socket you would  need  to
              request  a  new  network  namespace using --net command. Another
              option is to remove unix from --protocol set.

              Example:
              $ firejail --nodbus --net=none

AppImage development

Support for private-bin, private-lib and shell none has been disabled while running AppImage archives. This allows us to use our regular profile files for appimages. We don't have a way to extract the name of the executable, so the profile will have to be passed on the command line. Example:

$ firejail --profile=/etc/firejail/kdenlive.profile --appimage --apparmor ~/bin/Kdenlive-17.12.0d-x86_64.AppImage

Also, we have full AppArmor support for AppImages:


$ firejail --apparmor --appimage ~/bin/Kdenlive-17.12.0d-x86_64.AppImage

Seccomp development

Replaced the our seccomp disassembler with a real disassembler lifted from libseccomp (GPLv2, Paul Moore, Red Hat). The code is in src/fsec-print directory.

$ firejail --seccomp.print=browser
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
 0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
 0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
 000a: 15 3e 00 00000137   jeq process_vm_writev 0049 (false 000b)
 000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
 000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
 000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
 000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
 000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
 0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
 0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
 0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
 0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
 0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
 0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
 0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
 0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
 0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
 0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
 001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
 001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
 001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
 001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
 001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
 001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
 0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
 0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
 0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
 0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
 0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
 0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
 0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
 0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
 0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
 0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
 002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
 002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
 002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
 002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
 002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
 002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
 0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
 0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
 0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
 0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
 0034: 15 14 00 00000130   jeq open_by_handle_at 0049 (false 0035)
 0035: 15 13 00 0000012f   jeq name_to_handle_at 0049 (false 0036)
 0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
 0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
 0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
 0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
 003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
 003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
 003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
 003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
 003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
 003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
 0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
 0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
 0042: 15 06 00 000000d8   jeq remap_file_pages 0049 (false 0043)
 0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
 0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
 0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
 0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
 0047: 15 01 00 00000136   jeq process_vm_readv 0049 (false 0048)
 0048: 06 00 00 7fff0000   ret ALLOW
 0049: 06 00 01 00000000   ret KILL

We are also introducing a seccomp optimizer, to be run directly on seccomp machine code filters produced by Firejail. The code is in src/fsec-optimize. Currently only the default seccomp filters built at compile time are run trough the optimizer. It will be extended and applied at run time on all filters.

AppArmor development

AppArmor features are supported on overlayfs and chroot sandboxes.

We are in the process of streamlining our AppArmor profile. The restrictions for /proc, /sys and /run/user directories were moved out of the profile into firejail executable. We are also adding a "apparmor yes/no" flag in /etc/firejail/firejail.config file allows the user to enable/disable apparmor functionality globally. By default the flag is enabled.

AppArmor deployment: we are starting apparmor by default for the following programs:

  • web browsers: firefox (firefox-common.profile), chromium (chromium-common.profile)
  • torrent clients: transmission-qt, transmission-gtk, qbittorrent
  • media players: vlc, mpv, audacious, kodi, smplayer
  • media editing: kdenlive, audacity, handbrake, inkscape, gimp, krita, openshot
  • archive managers: ark, engrampa, file-roller
  • etc.: digikam, libreoffice, okular, gwenview, galculator, kcalc

Checking apparmor status:

$ firejail --apparmor.print=browser
2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
  AppArmor: firejail-default enforce

$ firemon --apparmor
2072:netblue:firejail --chroot=/chroot/sid --net=eth0
  AppArmor: unconfined
2146:netblue:/usr/bin/firejail /usr/bin/firefox-esr
  AppArmor: firejail-default enforce
4835:netblue:/usr/bin/firejail /usr/bin/vlc
  AppArmor: firejail-default enforce

Browser profile unification

All Chromium and Firefox browsers have been unified to instead extend chromium-common.profile and firefox-common.profile respectively. This allows for reduced maintenance and ease of adding new browsers. NOTE: All users of Firefox-based browsers who use addons and plugins that read/write from ${HOME} will need to uncomment the includes for firefox-common-addons.inc in firefox-common.profile.

New profiles

Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary, pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, thunderbird-beta, ncdu