IgnorantGuru's Blog

Linux software, news, and tips

Firejail: A New Lightweight Browser And Application Sandbox

A new security/containment tool for browsers and other graphical/network applications called Firejail is available for Linux.

From the Firejail Homepage:

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.

So this appears to use newer kernel features and is not dependent on systemd.

I haven’t yet used or examined this project in detail, so this is not a review or recommendation. Mostly I’m just letting you know the project exists, but it does look well-documented and organized, a good first sign. Also, contrary to some comments on the sites, I am not a developer of Firejail or associated with the project.

Similar to my Sandfox bash script, which is still running strong years later, the Firejail C program limits access to the filesystem, yet it also does much more than Sandfox by making use of Linux namespaces. For the casual user, this tool may provide some nice enhancements to browser use, limiting the system access of the browser process and its children.

What I and others like about approaches like this is that unlike SELinux or systemd-based methods, this method does not create a huge central point of failure (if executed well). This seems like a nice KISS (Keep It Simple, Stupid) approach.

Even if it’s not perfect, I think using a tool like Firejail will improve security for most users, limiting applications and their plugins. This is becoming especially true as new browser technologies endorse web binary executables, etc.

While I haven’t reviewed this project for security, here are a few questions and points I would keep in mind during such a review:

This is a SUID program, which means its command line interface must be bullet-proof. It must allow only a limited set of actions in a limited way, and reject all bad input, including the environment it inherits, which is just as attacker-controlled as the arguments. Even sloppy parsing of characters in the command line can become a root exploit, so argument handling is the first area of code to review in any SUID program. Yet if done well, SUID programs can be secure and effective solutions, contrary to much rumor on the subject.

Also, does it drop privileges immediately and run most of its code unprivileged? Again, this is vital in solid SUID designs. Only the final actions that require root should have it, which limits the exposure of complex code to errors and oversights. The drop also has to be permanent (real, effective and saved IDs all changed) and its result checked, since the setuid family of calls can fail and leave the program running as root without noticing.
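The two SUID points above, as an added example written for this post (not Firejail's code): a helper that drops to the invoking user for good and refuses to continue unless it can confirm the drop, wrapped in the skeleton of a hypothetical SUID wrapper whose privileged setup step is left as a comment.

```c
/* Added example: "drop privileges early, permanently, and verify it" for a
 * SUID program. Written for this post; not Firejail's source. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid for good: real, effective and saved IDs all
 * change, so the program cannot later seteuid() back to root. Returns 0 on
 * success, -1 (errno set) if any step fails or the drop cannot be confirmed. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t gr, ge, gs;

    /* Supplementary groups can only be cleared by a privileged process; an
     * unprivileged caller has nothing root-owned to shed here. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Groups first: once the uid is gone, changing gids is no longer allowed. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Never trust the calls alone: confirm every ID actually changed. */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid) {
        errno = EPERM;
        return -1;
    }
    if (getresgid(&gr, &ge, &gs) != 0 || gr != gid || ge != gid || gs != gid) {
        errno = EPERM;
        return -1;
    }
    /* If we moved away from root, the way back must be closed. */
    if (uid != 0 && seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* The shape of a SUID main(): validate the untrusted input, do the one
 * privileged thing, drop, then run the bulk of the code unprivileged.
 * The <program> argument is only a placeholder for this illustration. */
int main(int argc, char **argv)
{
    uid_t caller = getuid();     /* the invoking user, not root */
    gid_t caller_gid = getgid();

    if (argc != 2) {
        fprintf(stderr, "usage: %s <program>\n", argv[0]);
        return 2;
    }
    /* ... privileged setup (e.g. namespace creation) would go here ... */

    if (drop_privileges_permanently(caller, caller_gid) != 0) {
        perror("drop_privileges_permanently");
        return 1;   /* abort: continuing as root is the worst option */
    }
    printf("running %s as uid %u\n", argv[1], (unsigned)geteuid());
    return 0;
}
```

The ordering is deliberate: gids before uid, and the verification after both, because a program that has already given up root cannot fix a failed group change. Using setresuid rather than seteuid is the difference between a permanent drop and one a later bug can undo.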

It’s also important to keep in mind that this project is still maturing, which is a learning process for the developers as well. Thus it is possible to find loopholes and exploits, such as this issue raised regarding ptrace whitelisting and seccomp. The good news is that even with tailored exploits possibly available, most generic malicious code is not going to be fine-tuned to break out, so it will be stopped. Consider it an enhancement at least, especially if the SUID handling is done well.

Firejail is already available in Debian Testing and for other distros, with its sources on GitHub. There is a related forum discussion here. I see LWN.net also featured an article on it earlier this year.

May 9, 2016 - Posted by | News

7 Comments

  1. Can it isolate any application or just the bundled browser?

    Comment by worldhate | May 10, 2016

    • “Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc.”

      Also looks like it can even limit bandwidth to the sandbox. They have a Firetools graphical management tool there as well.

      Comment by IgnorantGuru | May 10, 2016

  2. FYI here’s an ongoing 471-post-long forum discussion of firejail
    http://www.wilderssecurity.com/threads/firejail-linux-sandbox.369309/

    Comment by stewie | May 10, 2016

  3. Very interesting! I may have to try it out some time. Have they crafted a ‘test website’ that people can use to test if their browser is properly protected via the sandbox?

    Comment by zlg | May 15, 2016

  4. So interesting! Any connection with Firefox/Mozilla? The name is similar, haha.

    Comment by Cătălin Bogdan Cucu | May 16, 2016

    • IIRC, the firejail dev was initially motivated to sandbox the web browser application. Later, he expanded coverage toward sandboxing various other applications.

      Comment by stewie | May 17, 2016

  5. It’s actually a good and simple program that adds some security; I have been using it for some time now. I was finally able to limit my Tor Browser access without breaking parts of it (AppArmor used to break sound and some downloads). Have yet to try their GUI.
    Do you plan on making a proper audit/review and post it? That would be awesome! :D

    Comment by GNUser | June 14, 2016

