Closed. osevan closed this 3 years ago.
I've implemented something similar with a combination of SELinux policies, NFTables firewall rules and NetLabel configuration. The unprivileged user `user_u:user_r:user_t:s0` isn't allowed to use the network, but for example `user_u:user_r:mozilla_t:s0` can connect to TCP ports 80 and 443, and `user_u:user_r:ssh_t:s0` can connect to TCP port 22. This may not be airtight considering the various methods by which processes could influence others, but it's something.

I don't know how to implement this with Firejail, but it would surely be a great addition. If the user's shell were firejailed, with no way to escape the firejail, maybe everything could be run with `network=none`, except for the explicitly allowed applications? In your proxy setup, the address of the proxy or the crypto key to access it could be disclosed in a file which would not be accessible by unprivileged applications, and only the explicitly allowed applications could be allowed access via the Firejail config?
I'm experimenting with additional user creation and grepping id.

I plan the user IDs here: ID 1001 for the user with internet access:

```
# ACCEPT: iptables has no ALLOW target
iptables -A OUTPUT -m owner --uid-owner 1001 -j ACCEPT
```

ID 0 for root and the other IDs that I want to block:

```
iptables -A OUTPUT -m owner --uid-owner 0 -j REJECT
iptables -A OUTPUT -m owner --uid-owner 1000 -j REJECT
```

But my problem is, I cannot start firejail with a different user and Firefox.
`sudo su -m internetaccessuser -c "firejail --debug firefox"` won't start, even when internetaccessuser is in the sudoers group. ...
Maybe netblue can help
> But my problem is, I cannot start firejail with a different user and Firefox. `sudo su -m internetaccessuser -c "firejail --debug firefox"` won't start, even when internetaccessuser is in the sudoers group. ...

Do you get any error? Does Firefox start w/o firejail? Can you start `firejail curl` or so? If you have a `/etc/firejail/firejail.users`, is internetaccessuser in it? Do you use X11 or Wayland?
Wow, thanks for the reply.
I can start Firefox with firejail with my default user and root.
I did not know about the firejail.users file.
I will test this tomorrow.
I'm using X11, and Firefox will be X11-sandboxed with the latest xpra from xpra's own repository.
`firejail curl` inside the user shell works fine:
```
$ whoami
internet
$ firejail --version
firejail version 0.9.65
Compile time support:
- Always force nonewprivs support is disabled
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled
$ firejail curl gogole.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
```
EDIT by @rusty-snake: code-block
Here is what happens when I try to start `firejail --debug firefox`:
EDIT by @rusty-snake: code-block and details-summary
firefox.profile; everything works successfully with the default user:
```
# Firejail profile for firefox
# Description: Safe and easy web browser from Mozilla
# This file is overwritten after every install/update
# Persistent local customizations
include firefox.local
# Persistent global definitions
include globals.local
# NOTE: sandboxing web browsers is as important as it is complex. Users might be
# interested in creating custom profiles depending on use case (e.g. one for
# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
# info. Here are a few links to get you going.
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
#firefox nightly using
#noblacklist /home/ra/compile/firefox/mozilla-unified/
#ignore noexec ${HOME}
#whitelist /home/ra/compile/firefox/mozilla-unified/
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla
# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
whitelist /usr/share/doc
whitelist /usr/share/firefox
whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
whitelist /usr/share/gtk-doc/html
whitelist /usr/share/mozilla
whitelist /usr/share/webext
include whitelist-usr-share-common.inc
# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-esr,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
# Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too.
#private-etc firefox
dbus-user filter
dbus-user.own org.mozilla.Firefox.*
dbus-user.own org.mozilla.firefox.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
# Add the next line to your firefox.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your firefox.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your firefox.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next two lines to your firefox.local to allow screen sharing under wayland.
#whitelist ${RUNUSER}/pipewire-0
#dbus-user.talk org.freedesktop.portal.*
# Add the next line to your firefox.local if screen sharing sharing still does not work
# with the above lines (might depend on the portal implementation).
#ignore noroot
ignore dbus-user none
# Redirect
include firefox-common.profile
apparmor
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
nogroups
seccomp
#seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,swi$
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
#tracelog
# experimental features
private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,$
private-dev
#private-bin firefox-esr
private-tmp
private-cache
private-lib /usr/lib/firefox-esr/libmozgtk.so,/usr/lib/firefox-esr/libxul.so
noexec ${HOME}
noexec /tmp
noexec ${DOWNLOADS}
#memory-deny-write-execute
```
EDIT by @rusty-snake: code-block
I did `xhost +local:internet` and then `sudo -u internet -H firejail --debug firefox`.
This does the magic trick; now everything works very well...
Please update the documentation and changelog for this fix.
I want to start a Squid proxy inside firejail with a hardened config on my host machine.
What I want next is allowing internet access only from the "firejail squid ip address containerjail"; everything outside of the firejail squid jail container should not have internet access, for both ingress and egress.
I know it's possible with iptables on the host side, but how do I tell iptables to allow internet only from the firejail container and NOTHING ELSE?
I want to connect with my browser to the internet over the Squid proxy or another proxy, and I want to start it like this one:

```
firejail --proxy="idofsquidjail/or ip" --x11=xpra firefox
```

After that, every application that I want should run with the command above (`--proxy...`) and have internet access, but all other apps should not have access.

Benefits:
- everything on the host side cannot access the internet
- kernel modules don't have any internet access: big attack surface solved
- the whole of /usr/bin doesn't have any internet access: big attack surface solved
- every binary not started with the `firejail --proxy` command, or with proxychains functions in combination with firejail, cannot have access to the internet, because the binary doesn't know how to route traffic out...
- only the admin knows the way out and starts firejail smart and tidy :-)

Thanks and
Best Regards
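As an added example (not code from this issue or from the Firejail project), the script below generates the host-side iptables-restore text for both ideas in the thread: the per-uid egress rules from the earlier post (with ACCEPT in place of ALLOW, which is not an iptables target, and a default-deny OUTPUT policy instead of rejecting uids one by one) and the "only the squid jail may reach the internet" policy from the last post. The jail setup it assumes (a `firejail --net=<bridge>` sandbox owning one address on that bridge) and the function names are assumptions, not a tested configuration.

```shell
#!/bin/sh
# Added example, not code from the issue. Emits iptables-restore text for the
# per-uid egress policy: ACCEPT (there is no ALLOW target), loopback stays
# open, and the OUTPUT policy is DROP so every uid that is not listed is
# denied by default instead of being REJECTed one at a time.
# Usage: owner_egress_rules 1001 | sudo iptables-restore -n
# (review the output first; it replaces the filter table rules).

is_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
        *) return 0 ;;
    esac
}

owner_egress_rules() {
    [ "$#" -ge 1 ] || { echo "usage: owner_egress_rules <uid>..." >&2; return 1; }
    for uid in "$@"; do
        is_uid "$uid" || { echo "not a numeric uid: $uid" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' '-A OUTPUT -o lo -j ACCEPT'
    # The owner match only sees locally generated packets in OUTPUT; first
    # match wins, so the allowed uids are listed before the catch-all REJECT.
    for uid in "$@"; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    # REJECT gives a blocked process an immediate error instead of a timeout;
    # the DROP policy still covers packets that carry no socket owner.
    printf '%s\n' '-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited' COMMIT
}

# Host-side rules for the squid-jail idea. Assumed setup (not from the issue):
# the jail runs in its own network namespace via "firejail --net=<bridge>" and
# owns JAIL_IP on that bridge; only that address is forwarded and NATed, so
# everything else on the host can only reach the internet through the proxy.
jail_forward_rules() {
    jail_ip=$1
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]' \
        "-A FORWARD -s $jail_ip -j ACCEPT" \
        "-A FORWARD -d $jail_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        COMMIT '*nat' "-A POSTROUTING -s $jail_ip -j MASQUERADE" COMMIT
}

# Stand-alone use: ./egress.sh 1001 [more uids] prints the owner ruleset.
if [ "$#" -gt 0 ]; then owner_egress_rules "$@"; fi
```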