Put the fun back into computing. Use Linux, BSD. The Firejail security sandbox. Sandboxing is a term which describes isolating programs from each other (or from specific system resources) by limiting their scope or access to parts of the operating system.
23 Comments » Installed iceweasel/gnash under Raspbian. It works…though for the site I’m going to (KDFC live stream) it’s pretty ragged. Flash Player is a cross-platform browser plug-in that delivers breakthrough Web experiences to over 98% of Internet users. Method 1. If you run Etch you will want to.
DistroWatch Weekly A weekly opinion column and a summary of events from the distribution world. Issues with Adobe Flash Player in Chromium only? Here is how to fix this issue in Ubuntu 14.04. Sudo apt-get install gnash sudo apt-get install browser-plugin-gnash. Finding firefox for the Raspberry Pi can trip up alot of new users. In this tutorial I demonstrate how to install Firefox on your Raspberry Pi device. As mentioned in an earlier article, I planned to replace the computer tied to the front TV in the lobby, as it is a waste of resources. We are replacing it with the.
20 things to do after installing Kali Linux 1.x. I’ve compiled a small list of things that I always perform after installing a fresh copy of Kali Linux in this post. Adobe Flash Player is a multimedia plugin used to play video, games, streaming, and interactivity to Web pages. This how-to describes how to install the Adobe Flash.
Debian GNU/Linux 6.0.6 alsa-utils 1.0.23-3 Iceweasel 18.0-1~bpo60+1 pkg-mozilla-archive-keyring 1.1~bpo60+1 iceweasel-l10n-ja 1:18.0-1~bpo60+1 flashplugin-nonfree 1:2.8.2.
There are many forms sandboxing can take, from virtual machines to Docker containers. Other mechanisms we can use to isolate processes from resources include SELinux, App. Armor and control groups. These tools are lightweight and powerful, but they can be quite tricky to set up, especially for inexperienced users.
SELinux in particular uses a cryptic syntax which people find difficult to master. Luckily, for those of us who want lightweight, powerful security that is easy to use there is Firejail.
The Firejail project describes its software as follows. Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp- bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or App.
Armor environment, and it is integrated with Linux control groups. Firejail allows us to quickly and easily prevent a process from accessing certain files or directories, disable a process's ability to gain access to the root account, block or limit networking access and set up temporary file systems for an application to use which will later be discarded. We will get to Firejail's long list of powerful features in a moment. First, we need to actually download and install Firejail. The Firejail software is available in the repositories of Debian, Ubuntu and their derivative distributions.
The Firejail project also maintains packages and installation instructions for a variety of Linux distributions, including Fedora, Cent. OS, open. SUSE, Gentoo and Arch Linux.
Apart from the Firejail command line software, the project also maintains a desktop application which can be used to sandbox some popular applications with a base level of security. I will come back to the desktop application later, first I would like to start with the command line program. Before getting into my hands- on experiences with Firejail, I want to acknowledge Firejail has excellent documentation. The Firejail manual page clearly explains what Firejail does, covers the available options and provides a lot of practical examples we can try.
It is not often I encounter a piece of software with such clear documentation and it really gave me a good first impression of Firejail. Typically, when we want to run an application inside a Firejail sandbox, we can simply run the firejail command and pass it the name of the program we want to run. For example, we can launch Firefox using. The above command sets up a sandbox and launches Firefox.
The web browser will have limited access to our file system and only be able to save files in a few locations, such as our Downloads directory. This means that if a website hijacks our web browser, it will only be able to save files to designated places, like Downloads, but will not be able to over- write files in our Documents folder, protecting us from threats like randsomware. When we run Firejail, the sandboxing software looks at the name of the application we want to run in the sandbox - - Firefox in the above example. Firejail then looks through a list of known profiles which are stored in the /etc/firejail/ directory. When a matching profile is found, that profile's rules are loaded and enforced. Firejail ships with a default set of profiles for around 5.
Chrome, Firefox, Opera, Thunderbird, the VLC media player, XChat, Filezilla and Transmission. If we try to run an application inside a sandbox and Firejail has no existing profile for the application, a generic profile will be used.
The generic profile blocks access to most sensitive files, including common virtual machine locations. Much of our home directory becomes read- only as do important configuration files. Access to the root user account is also blocked to prevent programs run with a generic profile from causing too much trouble on our operating system. The profiles Firejail uses are written in a clear syntax with one rule on each line of the file. This makes it quite straight forward to modify existing rules or to create new ones. For instance, to block access to the /etc/ directory we could use the line.
To grant read- only access to our personal collection of programs, stored in the bin directory of our home, we can use the rule. HOME}/bin. To make sure our sandboxed program will always have access to our Downloads directory so it can save files, we can use the instruction.
DOWNLOADS}. What I like about this fairly simple style of syntax is that it tends to be easier to read than App. Armor's profile files.
Plus, it is much more clear what Firejail's instructions are doing when we compare them against SELinux's often cryptic rules. Firejail does not just allow or block access to specific files and directories, the sandboxing software provides a number of other useful features. One of the options I explored was limiting upload and download bandwidth.
Many programs include this feature built in, but bandwidth is usually a set- and- forget setting, meaning we cannot change it later. Firejail allows us to dynamically adjust bandwidth usage. This means we could start downloading a file at full speed, then limit its bandwidth with Firejail later, perhaps to allow us to stream a video. Then we can resume the download at full speed later on.
The Firejail software allows us to turn off some features. For example, we can disable sound using the "- -nosound" command line parameter. Let's say we want to run a game with the sound disabled, we can use Firejail like this.
Another feature of Firejail I liked was the ability to disable access to the root account. Firejail can block access to the root user's account, preventing many types of local exploits. Access to networking features that require root access (like the ping command) is then unavailable. Sandboxes also disable access to tools used to become root, such as sudo and the su command. Yet another aspect of Firejail I like is if we run the sandbox without any application specified, Firejail runs a command line shell in its sandbox. This allows us to run most command line programs is a very clean environment (there are just two processes visible to the sandboxed shell: Firejail and the shell itself). With access to most commands and features, but with access to root blocked and other users' processes rendered invisible, this gives us a relatively safe environment in which to experiment.
Though, by default, we can still delete many of our own files, so care should still be taken.). We can use Firejail to open a command line shell that runs in a sandbox we have already opened. This means we can manipulate the process we are running in the sandbox via the command line shell after the sandbox has been created. This can be accomplished by listing the sandboxes we are currently running and then running Firejail with the "- -join" flag.
For example. firejail vlc & firejail - -list. In the above example, we launch a sandbox with the VLC multimedia player.
The next command lists all running sandboxes with their identification numbers in the first field. We can then open a shell in the existing sandbox using the "firejail - -join" command. When we are done exploring the sandbox, typing "exit" returns us to the normal, non- sandboxed environment while VLC continues to run in its sandbox. One last feature of Firejail that I enjoyed was the ability to create a file system over top of the existing file system. This basically gives us an empty file system in which to work. Any files we create or destroy are temporary as the sandboxed file system is destroyed when our application is closed.
This is a useful feature to have when we are dealing with a potentially destructive program or we need to set up a very specific test environment. The only downside I found to this feature is it requires relatively modern kernels, the system needs to be running Linux 3. Firetools 0. 9. 3.
Running Firefox in a sandbox(full image size: 3. B, resolution: 1. Most of the powerful features of Firejail are accessible through its command line program, but the project does offer a desktop front- end that will provide the necessary features most people will want.
The desktop sandbox launcher is called Firetools. The Firetools program displays a red launch bar on our desktop with a list of popular program icons. Double- clicking on a program's icon launches the selected application in a sandbox. Right- clicking on an icon gives us the option of changing the parameters the application runs with.
There is an empty section of the Firetools launcher and right- clicking on it gives us the chance to add a new program to the launch bar. Right- clicking on the launcher and selecting "Tools" brings up an information screen where we can see a list of running applications and resource statistics. Clicking a button labelled "Join" opens a terminal window inside the selected sandbox. This is about the extent to which we can use Firetools, but it is what I think most people will find useful.
People who want to run Firefox or Thunderbird without digging down to the command line will benefit from this point- n- click interface that requires no configuration on their part. Firetools 0. 9. 3. Monitoring a sandbox(full image size: 3. B, resolution: 1. I am far from the first person to review Firejail and I peeked at some of the comments other people have made about the Firejail software. I was a bit disappointed to see many have a lukewarm opinion of the sandboxing software. Not because it lacks features or fails to produce the desired results: everyone seems to agree Firejail works as advertised.