In part 2 of this series, we look at some new browser sandboxing developments in the Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of the Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target.

Default profiles

Default profiles are stored in /etc/firejail; each one describes the sandboxing environment for a specific application. In the latest versions of Firejail, the default profile is applied automatically unless the user requests a different one. Start the application as firejail appname. Examples:

$ firejail firefox
$ firejail chromium
$ firejail midori
$ firejail opera

The sandbox consists of a mount namespace built on top of the current filesystem, with most directories mounted read-only, several system directories replaced by empty ones, and a manicured home directory. Linux capabilities filters and seccomp-bpf filters are also enabled. You can always check the current profile by running the sandbox with the --debug option:

$ firejail --debug firefox
Reading /etc/firejail/firefox.profile
Reading /etc/firejail/disable-mgmt.inc
Reading /etc/firejail/disable-secret.inc
Command name #firefox#
Using the local network stack
Parent pid 18770, child pid 18771
Initializing child process
PID namespace installed
Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
Mounting tmpfs on /run/lock on behalf of /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
[...]
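The "Reading ..." lines show that a profile is assembled from several files. As an added example (not code from the Firejail project), the POSIX shell script below follows the include lines of a profile and lists every file that contributes to the effective policy, plus the directives that remain once comments and includes are stripped, without starting the sandbox. It assumes the directive form `include PATH`, resolves a relative PATH against the directory of the including file, and the sample profile tree it builds is constructed content, not the real /etc/firejail files.

```shell
#!/bin/sh
# Added example, not code from the Firejail project: follow the "include" lines
# of a profile to list every file that contributes to an app's sandbox policy,
# the same files that `firejail --debug` reports as "Reading ...".
# Assumption: an include line reads "include PATH"; a relative PATH is resolved
# against the directory of the including file.

# resolve_profile FILE [DEPTH] -> prints FILE and, recursively, every included file.
# Only positional parameters are used; they are per-call in sh, so recursion
# cannot clobber the caller's state.
resolve_profile() {
    if [ "${2:-0}" -gt 16 ]; then
        echo "error: include depth exceeded at $1" >&2; return 1
    fi
    if [ ! -r "$1" ]; then
        echo "error: cannot read $1" >&2; return 1
    fi
    echo "$1"
    grep '^[[:space:]]*include[[:space:]]' "$1" |
    sed 's/^[[:space:]]*include[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r inc; do
        case $inc in
            /*) target=$inc ;;                    # absolute, as in shipped profiles
            *)  target=$(dirname "$1")/$inc ;;    # relative to the including file
        esac
        resolve_profile "$target" $(( ${2:-0} + 1 )) || exit 1   # exit ends the loop subshell
    done
}

# effective_directives FILE -> every non-blank, non-comment, non-include line
# across all resolved files: the directives that actually apply.
effective_directives() {
    resolve_profile "$1" | while IFS= read -r f; do
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*include[[:space:]]' | grep -v '^[[:space:]]*$'
    done
}

# make_sample_profiles DIR -> a constructed profile tree shaped like the --debug
# output above (sample content, not the real /etc/firejail files).
make_sample_profiles() {
    mkdir -p "$1"
    printf '%s\n' '# constructed sample profile' "include $1/disable-mgmt.inc" \
        'include disable-secret.inc' 'caps.drop all' 'seccomp' > "$1/firefox.profile"
    printf '%s\n' 'blacklist /sbin' 'blacklist /usr/sbin' > "$1/disable-mgmt.inc"
    printf '%s\n' '# constructed' 'blacklist ~/.ssh' 'blacklist ~/.gnupg' > "$1/disable-secret.inc"
}

# Usage: sh profile-tree.sh /etc/firejail/firefox.profile
[ $# -eq 0 ] || { resolve_profile "$1" && effective_directives "$1"; }
```

Run it against a real profile to compare the file list with what --debug prints; a missing or unreadable include file, or an include loop, is reported on stderr and makes the script exit non-zero.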

Private mode reloaded

According to Mozilla’s Jorge Villalobos:

Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites.

He’s talking specifically about extensions published on Mozilla’s addon site. Addons run with full user privileges, and nothing could prevent them from accessing private data, or from sending keystrokes to a third party.

This is where Firejail's private mode comes into play. It mounts an empty, temporary filesystem on top of your home directory, basically resetting your browser to factory defaults. No browser addons and no private user files are visible. Data written to the temporary home directory is discarded when the browser is closed.

Use this mode when you access your bank account, or for any other private business:

$ firejail --private firefox

For regular everyday browsing, you can replace your home directory with a different one and keep all the modifications after the browsing session ends. This is how you set it up:

$ cd ~
$ mkdir -p browser-home/Downloads
$ firejail --private=~/browser-home firefox

In this new home you can install addons, extensions, whatever. When transferring files, you need to copy them into ~/browser-home for your browser to see them.

Opera support

Some time ago the Opera browser internals were switched to a fork of Google Chromium. The SUID sandbox, Linux namespaces and seccomp-bpf filters from Chromium survived the port. This puts Opera's security technology at parity with Chromium.

Recent versions of Firejail install a default Opera security profile in /etc/firejail. It is the same profile used for Chromium. Run it as firejail opera, or use the private mode as described above. It has full audio/video support.

Conclusion

Firejail is easy to use and has a very low memory footprint. It configures a number of security features in the Linux kernel and then gets out of the way: it does not interact with the process running in the sandbox, there are no daemons running and no open socket connections. For more information visit the project web page.
