Firejail

From PeerFreedom Wiki

The goal of this tutorial is to fully sandbox any program on Debian: the application should be fully chrooted and running in a separate X server.

Prerequisites

You should enable the backports repository and make sure that AppArmor is enabled.

Installation

# apt-get -t buster-backports install firejail firejail-profiles xserver-xephyr firetools openbox debootstrap
# apparmor_parser -r /etc/apparmor.d/firejail-default


Using for one application

This just runs an application as your own user, but with some isolation (namespaces, seccomp, dropped capabilities and other methods).

No extra disk space, no extra memory. The process runs as your user.

Whether X is isolated probably depends on the X method used.

The filesystem view is more or less isolated (depending also on the firejail profile settings).

Quite easy and transparent (apart from bugs in profiles), but not very secure: this is the minimal protection.

Install

As the given user on the host, run sudo firecfg once (you might need to add that host user, e.g. john, to visudo and to /etc/firejail/firejail.users).

After that, applications resolve to /usr/local, e.g.

$ which mumble
/usr/local/bin/mumble

$ file /usr/local/bin/mumble
/usr/local/bin/mumble: symbolic link to /usr/bin/firejail

So it captures the bash commands through $PATH, and should also capture desktop shortcuts and the like: it runs that app through firejail, applying the profile protections from /etc/firejail/APPNAME.profile.

Use

Just start application like

mumble

and it will use the above mechanism to start in firejail. You can still run

/usr/bin/mumble

to run the application normally, without firejail.
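The firecfg mechanism described above is easy to verify and easy to get wrong silently: a command that is not a symlink to the firejail binary runs with no sandbox at all. The following shell functions are an added example (not from this wiki page or from the firejail project) that report, for a given command name, whether it resolves to a firejail wrapper and which profile would apply, and list every entry in the wrapper directory that is not wrapped. The directory and binary paths are parameters so the check can be pointed at a test tree; the defaults /usr/local/bin, /usr/bin/firejail and /etc/firejail are the locations used on the page.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of firejail itself.
# Checks how a command name resolves after `firecfg`.
#
# Usage: wrapper_status NAME [BIN_DIR] [FIREJAIL_BIN] [PROFILE_DIR]
# Prints one of:
#   wrapped:<profile path>  symlink to firejail and an app profile exists
#   wrapped:default         symlink to firejail, no app-specific profile
#   unwrapped               a real program, runs WITHOUT firejail
#   broken                  dangling symlink (firejail binary removed?)
#   missing                 no such command in BIN_DIR
wrapper_status() {
    ws_name=$1
    ws_bin_dir=${2:-/usr/local/bin}
    ws_firejail=${3:-/usr/bin/firejail}
    ws_profile_dir=${4:-/etc/firejail}
    ws_link="$ws_bin_dir/$ws_name"

    if [ -L "$ws_link" ] && [ ! -e "$ws_link" ]; then
        echo broken
        return 3
    fi
    if [ ! -e "$ws_link" ]; then
        echo missing
        return 1
    fi
    # readlink -f resolves the whole chain, so a link to a link still counts.
    if [ -L "$ws_link" ] && \
       [ "$(readlink -f "$ws_link")" = "$(readlink -f "$ws_firejail")" ]; then
        if [ -f "$ws_profile_dir/$ws_name.profile" ]; then
            echo "wrapped:$ws_profile_dir/$ws_name.profile"
        else
            echo "wrapped:default"
        fi
        return 0
    fi
    echo unwrapped
    return 2
}

# Usage: list_unwrapped [BIN_DIR] [FIREJAIL_BIN]
# Prints the names in BIN_DIR that are NOT firejail wrappers, i.e. the
# programs that would start without any profile when typed at the shell.
list_unwrapped() {
    lu_bin_dir=${1:-/usr/local/bin}
    lu_firejail=${2:-/usr/bin/firejail}
    for lu_f in "$lu_bin_dir"/*; do
        [ -e "$lu_f" ] || [ -L "$lu_f" ] || continue
        lu_name=$(basename "$lu_f")
        if [ "$(wrapper_status "$lu_name" "$lu_bin_dir" "$lu_firejail" /nonexistent)" = unwrapped ]; then
            echo "$lu_name"
        fi
    done
}
```

On a real host, `wrapper_status mumble` should print `wrapped:/etc/firejail/mumble.profile` after `sudo firecfg`; anything `list_unwrapped` prints is a program in /usr/local/bin that bypasses the sandbox, which is worth knowing before assuming "everything is firejailed".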

Using as chroot

Stronger protection is to run a desktop (or application) in firejail in its own chroot.

The result is similar to a very lightweight "virtual machine" with one user (it uses a separate /, so e.g. 10-20 GB of filesystem, which can be shared on normal host filesystems; it seems to use no extra RAM).

It has a separate file system and does not see any files of the host.

Downsides: not sure how to update the applications in such a "system" (crontab/unattended-upgrades not working?)

Preparing chroot dirs

# mkdir /chroot1
# mkdir /chroot2
# mkdir /chroot3
# mkdir /foo/bar
etc.

# debootstrap --arch=amd64 buster /chroot1
# debootstrap --arch=amd64 buster /chroot2
# debootstrap --arch=amd64 buster /chroot3
# debootstrap --arch=amd64 buster /foo/bar
etc.

# firejail --noprofile --chroot=/chroot1
# adduser <your_user_name_here>
# apt-get update
# apt-get install openbox <application1_you_wish_to_run_in_chroot1> <application2> ...
# exit

# firejail --noprofile --chroot=/chroot2
# adduser <your_user_name_here>
# apt-get install openbox <application1_you_wish_to_run_in_chroot2> <application2> ...
# exit

and so on

See ConfigLinux

Running example application

To run a chroot as a firejail container, as the normal host user (in X), run:

$ firejail --x11=xephyr --apparmor --chroot=/chroot1 openbox

Better example:

HOME=/home/blacksmith /usr/bin/firejail --allow-debuggers --x11=xephyr --xephyr-screen=3200x1800 --apparmor --chroot=/blacksmith.jails/jail-blacksmith-devel/ awesome

This example also uses /usr/bin/firejail explicitly, to avoid firejailing firejail itself (for some reason it was not working at first when run as a user who is configured to automatically use firejail for programs).

That will start an entire window manager like openbox (awesomewm is also nice), from which you can run more programs.

To start another program inside the running jail's X display, first find its DISPLAY with firemon:

$ firemon --x11
7299:<username>::firejail --apparmor --chroot=/chroot1 openbox
  DISPLAY :756

$ DISPLAY=:756 firejail --apparmor --chroot=/chroot1 firefox
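The two commands above (read the DISPLAY off `firemon --x11`, then pass it to a second firejail call with the same --chroot) can be scripted. Here is an added example (not from this wiki page or from the firejail project) that parses firemon output in the format quoted above and launches a program into the matching jail's display. The output format (a `pid:user::command` line followed by an indented `DISPLAY :n` line) is assumed from the page's quoted output; `run_in_jail_display` uses /usr/bin/firejail explicitly, as the page recommends, so a firecfg-wrapped firejail is not sandboxed twice.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of firejail itself.

# Usage: display_for_chroot CHROOT_DIR < firemon_output
# Prints the DISPLAY (e.g. ":756") of the first sandbox whose command line
# contains --chroot=CHROOT_DIR; returns 1 if no such sandbox is listed.
# Assumed input format (as quoted on the page):
#   <pid>:<user>::<command line>
#     DISPLAY :<n>
display_for_chroot() {
    dfc_want=$1
    awk -v want="--chroot=$dfc_want" '
        # A process line starts with a pid; remember whether it is our jail.
        # A space is appended so --chroot=/chroot1 does not match /chroot10.
        /^[0-9]+:/ { in_jail = (index($0 " ", want " ") > 0); next }
        # The indented DISPLAY line belongs to the process line above it.
        in_jail && $1 == "DISPLAY" { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Usage: run_in_jail_display CHROOT_DIR PROGRAM [ARGS...]
# Queries firemon on the host and starts PROGRAM in the same chroot, on the
# Xephyr display that the already running jail opened.
run_in_jail_display() {
    rjd_jail=$1
    shift
    rjd_disp=$(firemon --x11 | display_for_chroot "$rjd_jail") || {
        echo "no running firejail sandbox with --chroot=$rjd_jail" >&2
        return 1
    }
    DISPLAY=$rjd_disp /usr/bin/firejail --apparmor --chroot="$rjd_jail" "$@"
}
```

With the page's example jail running, `run_in_jail_display /chroot1 firefox` is equivalent to the manual `DISPLAY=:756 firejail --apparmor --chroot=/chroot1 firefox`; if no sandbox for that chroot is listed, nothing is started.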

FAQ

DBUS and run

Q: Problems with /run/user/: it does not exist inside the chroot, e.g.:

awesome: a_dbus_connect:611: Could not connect to D-Bus session bus: Failed to connect to socket /run/user/1001/bus: No such file or directory
awesome: a_dbus_connect:611: Could not connect to D-Bus system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory

A1: If you run firejail with a chroot, as in firejail --chroot=... awesome (see the chapter on using as chroot), then start that firejail using /usr/bin/firejail.

A2: Otherwise, some applications will have problems using D-Bus (especially applications inside the chroot); creating the directory /run/user/ or /run/user/1001 (with your user's UID instead of 1001) sometimes seems to resolve the problems.

Using VPN

Q: Use the host's VPN connection, and block the host's other networks, inside firejail.

A: Currently you can NOT simply use the VPN of your host (if you wish to use only the VPN, to isolate networking). The option firejail ... --net=openvpn would do it, BUT it cannot work (it does not work on tun devices).

Problem:
- https://github.com/netblue30/firejail/issues/59
- https://github.com/netblue30/firejail/issues/1600#issuecomment-335847527
- https://github.com/netblue30/firejail/issues/2032

There might be a workaround: https://firejail.wordpress.com/documentation-2/basic-usage/#routed

Another option would be to allow only --net=eth0 (or whatever the main network device of the host is) and log in to the VPN again as another VPN client from inside the firejail.

Misc

Q: I get an error when I try to run apt-get update:

W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

A: The permissions of the chroot directory were changed. Restore them.

Q: How to change the resolution of Xephyr?

A: xephyr-screen WidthxHeight can be set in /etc/firejail/firejail.config on the host, where Width and Height are in pixels, based on your screen resolution.

Q: Error in bash etc.: "I have no name!"

A: This user (UID) does not exist in the jailed system; you forgot to run adduser/addgroup (log out and do it).
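Three of the FAQ entries above (apt's "couldn't be accessed by user '_apt'", D-Bus's "Failed to connect to socket /run/user/<uid>/bus" and bash's "I have no name!") come down to state of the chroot directory that can be checked before starting the jail. The function below is an added example (not from this wiki page or from the firejail project) that performs those checks on a chroot prepared as described in "Preparing chroot dirs". The expectations it encodes are assumptions drawn from the FAQ answers: the chroot root must be readable and traversable by others (mode ending in 5 or 7), the host user must exist in the chroot's /etc/passwd with the same UID, and /run/user/<uid> should exist inside the chroot.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of firejail itself.
#
# Usage: jail_preflight CHROOT_DIR USERNAME UID
# Prints one line per finding and returns 0 only if all checks pass.
jail_preflight() {
    jp_jail=$1
    jp_user=$2
    jp_uid=$3
    jp_rc=0

    if [ ! -d "$jp_jail" ]; then
        echo "FAIL: $jp_jail is not a directory"
        return 1
    fi

    # 1. apt's _apt user runs unprivileged inside the chroot and needs to
    #    traverse the chroot root; a root directory with e.g. mode 700
    #    produces the "Download is performed unsandboxed" warning.
    jp_mode=$(stat -c '%a' "$jp_jail")
    case "$jp_mode" in
        *[57]) ;;
        *) echo "FAIL: $jp_jail has mode $jp_mode; others need r-x (e.g. 755)"
           jp_rc=1 ;;
    esac

    # 2. The host user must exist in the jail with the same UID (the
    #    adduser step); otherwise the shell prompt shows "I have no name!".
    if ! grep -q "^$jp_user:[^:]*:$jp_uid:" "$jp_jail/etc/passwd" 2>/dev/null; then
        echo "FAIL: $jp_user (uid $jp_uid) not in $jp_jail/etc/passwd; run adduser inside the jail"
        jp_rc=1
    fi

    # 3. The D-Bus session bus socket lives under /run/user/<uid>; the FAQ
    #    notes that creating this directory resolves the connection errors.
    if [ ! -d "$jp_jail/run/user/$jp_uid" ]; then
        echo "FAIL: $jp_jail/run/user/$jp_uid missing; D-Bus session bus will fail"
        jp_rc=1
    fi

    if [ "$jp_rc" -eq 0 ]; then
        echo "OK: $jp_jail looks ready for $jp_user"
    fi
    return "$jp_rc"
}
```

Run it on the host as `jail_preflight /chroot1 john 1001` before `firejail --chroot=/chroot1 ...`; a FAIL line points at the FAQ entry to apply. The /run/user check is conservative: the page reports that creating the directory "seems to resolve" the D-Bus errors, so a missing directory is flagged rather than treated as fatal in itself.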


Q: I get

Openbox-Message: A window manager is already running on screen 0
Parent is shutting down, bye...

possibly also mentioning xpra, e.g.:

...
2019-11-19 15:10:08,744 xpra is ready.
2019-11-19 15:10:08,750 15.6GB of system memory
*** Attaching to xpra display ... ***
...

A: It is important to use --x11=xephyr (as shown in firejail --help); above it was trying to use Xpra instead of Xephyr.

Application specific

Mumble on Debian Buster

start

If your Mumble does not work correctly, edit /etc/firejail/mumble.profile and comment out the line below (this removes the profile's ban on memory that is both writable and executable, so it weakens the sandbox; only do it if Mumble actually fails without it):

memory-deny-write-execute

result:

#memory-deny-write-execute

Loading server config

It does not remember Server settings (but does load other settings).

See also