netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Firejail does not work with OrbitalApps portable applications #527

Closed igor2x closed 8 years ago

igor2x commented 8 years ago

Hi, OrbitalApps are designed to work on Ubuntu 16.04 Desktop 64-bit. Other Linux distributions are not tested and may not work.

  1. On Ubuntu 16.04 Desktop 64-bit I installed firejail from official repository.
  2. Display firejail version: firejail --version Output is: firejail version 0.9.38
  3. From OrbitalApps web page: https://www.orbital-apps.com/ download ISO file. Direct link currently is: https://www.orbital-apps.com/files/orb-launcher/orb-launcher_0.1.047.iso
  4. Save ISO file on your computer.
  5. Right click on ISO file and select Open With | Disk Image Mounter.
  6. Click on Run button and supply root password to mount image.
  7. That's it about installing program. Now download one of the applications from: https://www.orbital-apps.com/blog/2016/portable-apps-for-ubuntu-16-04 I have downloaded VLC Media Player from: https://www.orbital-apps.com/download/portable_apps_linux/vlc/ with direct download link: https://www.orbital-apps.com/download/portable_apps_linux/vlc/1463608756/vlc_2.2.2_portable_64bits.orb
  8. Right click on the .orb file and select Open With ORB Launcher. VLC Media Player should be started. OK, close it down.
  9. Open Terminal and type in: orb vlc_2.2.2_portable_64bits.orb And the application outputs the following info and the application starts up successfully.
Starting ORB Launcher 0.1.047...
Homepage: www.orbital-apps.com

ORB Launcher: file_path: /home/igor/Downloads/vlc_2.2.2_portable_64bits.orb
ORB Launcher: OK, file exists...
ORB Launcher: OK, file is readable...
ORB Launcher: Architecture set to: x86_64
ORB_SPECIFICATION_VERSION=0.0.2
ORB_TOTAL_SIZE_BYTES=39370752
ORB_CREATION_TIMESTAMP_UNIX=1463608756
ORB_IS_PORTABLE_APP=true
ORB_METADATA_END=
ORB Launcher: ORB_TOTAL_SIZE_BYTES: 39370752
ORB Launcher: ORB_CREATION_TIMESTAMP_UNIX: 1463608756
ORB Launcher: OK, file size is correct
ALWAYS_CHECK_WHITELIST=false
ALWAYS_WARN_ABOUT_UNTRUSTED_FILES=false
ORB Launcher: Skipping the whitelist_check
ORB Launcher: Using the normal home at ( /home/igor )
ORB Launcher: Will not check if file is trusted or not, based on configuration.
ORB Launcher: mount_dir_iso = /tmp/tmp.H7xhvppV3T
ORB Launcher: Trying to mount file with fuseiso...
ORB Launcher: fuseiso pid: 26065
ORB Launcher: mount_dir_squashfs = /tmp/tmp.EDZ5qUTVfG
ORB Launcher: Trying to mount app.squashfs with squashfuse...
ORB Launcher: squashfuse pid: 26073
ORB Launcher: Starting autorun.sh from app.squashfs from vlc_2.2.2_portable_64bits.orb
ORB Portable App Starter: script dir: /tmp/tmp.EDZ5qUTVfG
Running vlc (without arguments) ...
VLC media player 2.2.2 Weatherwax (revision 2.2.2-0-g6259d80)
[00007ff9b7f99088] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
pci id for fd 25: 80ee:beef, driver (null)
libGL error: core dri or dri2 extension not found
libGL error: failed to load driver: vboxvideo

Note: Above are some errors, probably because I run it using VirtualBox. But the VLC Media Player application starts up and is working fine.

  1. Close down VLC Media Player.
  2. Now start the same program by prefixing firejail: firejail orb vlc_2.2.2_portable_64bits.orb The info below is output but VLC Media Player never starts up.
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 26409, child pid 26410

Child process initialized
Starting ORB Launcher 0.1.047...
Homepage: www.orbital-apps.com

ORB Launcher: file_path: /home/igor/Downloads/vlc_2.2.2_portable_64bits.orb
ORB Launcher: OK, file exists...
ORB Launcher: OK, file is readable...
ORB Launcher: Architecture set to: x86_64
ORB_SPECIFICATION_VERSION=0.0.2
ORB_TOTAL_SIZE_BYTES=39370752
ORB_CREATION_TIMESTAMP_UNIX=1463608756
ORB_IS_PORTABLE_APP=true
ORB_METADATA_END=
ORB Launcher: ORB_TOTAL_SIZE_BYTES: 39370752
ORB Launcher: ORB_CREATION_TIMESTAMP_UNIX: 1463608756
ORB Launcher: OK, file size is correct
ALWAYS_CHECK_WHITELIST=false
ALWAYS_WARN_ABOUT_UNTRUSTED_FILES=false
ORB Launcher: Skipping the whitelist_check
ORB Launcher: Using the normal home at ( /home/igor )
ORB Launcher: Will not check if file is trusted or not, based on configuration.
ORB Launcher: mount_dir_iso = /tmp/tmp.b8XYWbrq65
ORB Launcher: Trying to mount file with fuseiso...
/usr/bin/orb: line 450:  6777 Bad system call         $fuseiso_binary "$file_path" "$mount_dir_iso" -o allow_root,ro,nosuid
ORB Launcher: There was a problem mounting the file with fuseiso
ORB Launcher: Running vlc_2.2.2_portable_64bits.orb directly...
ORB Launcher: OK, ORB file is marked as executable...
ORB Launcher: ORB file was not recognized neither as a bash nor sh script, it is not possible to run it.
ORB Launcher: Exiting without running the file...
ORB Launcher: Un-mounting mount_dir_iso with fusermount ( /tmp/tmp.b8XYWbrq65 )
ORB Launcher has finished and will now exit.

parent is shutting down, bye...

It looks to me that some special firejail profile should be created for OrbitalApps portable applications. Regards

netblue30 commented 8 years ago

The program is crashed by seccomp. They try to do a mount syscall. If you disable seccomp in the profile file, then you would also need to disable capabilities in order to give the program administrative rights, because they also run SUID binaries to mount the ISO filesystem. The bad part comes when you start running the programs in the ISO filesystem. There can be anything in there, and they have admin rights.

I would stay away from this type of application; they are the modern equivalent of clicking on email attachments.

igor2x commented 8 years ago

Thanks a lot for looking into this problem and providing your precious opinion. I just saw an article on the web about portable applications. I love the idea of PortableApps.com portable applications on Windows, you know, running an application from a USB key without installation, where no superuser is required to run applications and all of the config files are saved on the USB key, an excellent idea for portability. But as it looks, with OrbitalApps portable applications on Ubuntu 16.04 the idea is the same, but the implementation is pretty much very different.

If I understand you correctly, in the case of OrbitalApps portable applications it is not a case of slightly adjusting one of the Firejail profiles to disable insignificant security features in Firejail, but a critical component has to be disabled (allowing superuser access). In this case it is very difficult or impossible to jail such an application. There is no real point in jailing an application that has superuser access anyway. Using this kind of portable application, it is in no way possible to have portability and security at the same time. A user concerned about security, like me, should not use OrbitalApps portable applications, because it is impossible to secure them properly by jailing them.

You can close this problem request with some status of it not being possible to securely fix the problem, and so the problem report is irrelevant to Firejail.

Thanks a million for your precious opinion.

pcx862 commented 8 years ago

Hi, I'm the lead developer of ORB Applications and would like to clear some misconceptions:

  1. By design, our "ORB Launcher" never runs as root
  2. By design, we never use SUID
  3. By design, our apps don't run as root
  4. By design, the sudo password is always expired, so the ISO contents can never take advantage of the sudo password in the cache

In addition, not just the ORB/ISO itself is cryptographically signed, but the contents are also signed (a file with all the SHA512 hashes is PGP-signed).

We believe we have a robust multi-layered security model, as can be seen here: https://www.orbital-apps.com/security

Having clarified that, we are very interested in making our apps compatible with firejail, and even further, we plan to integrate firejail and enable sandboxing by default.

Regarding this specific issue, it seems if (non-root) FUSE operations (mount) can be sandboxed with seccomp, everything else should work perfectly. Are non-root FUSE operations blocked by design? Is there a way to "whitelist" FUSE operations but leave everything else enabled?

Thanks in advance for a possible solution, Peter M

netblue30 commented 8 years ago

Sorry if I went overboard in my previous comment.

FUSE ends up calling a SUID binary (/bin/fusermount) to mount the filesystem. In order to run it, you would need the CAP_SYS_ADMIN capability enabled (man 7 capabilities). All capabilities are disabled by the sandbox. You would also need to disable seccomp. seccomp uses an obscure kernel feature, no_new_privs (https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt), for its own protection. This also disables SUID binaries.

The way it could work: in your starter program, after FUSE mounting, start the application in the sandbox. Instead of "vlc" you would need to start "/usr/bin/firejail vlc". If the user doesn't have firejail installed, you just start "vlc" as usual. Or you can open a dialog window and ask the user, but basically it should work.
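The split suggested above, as an added sketch that is not ORB Launcher's or firejail's own code: the FUSE mounts (which go through the SUID fusermount and the mount syscall that seccomp kills with "Bad system call") run outside the sandbox, and only the application is started under firejail when it is installed. It assumes fuseiso, squashfuse and fusermount are on PATH at run time; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helpers), not code from the ORB or firejail projects.

# Returns 0 when this process already has no_new_privs set (firejail's seccomp
# sets it), i.e. SUID helpers such as /bin/fusermount will not elevate and the
# FUSE mount is doomed before it is even tried. Linux >= 4.10 exposes this as
# a "NoNewPrivs: 0|1" line in /proc/self/status.
under_no_new_privs() {
    awk 'BEGIN { rc = 1 } /^NoNewPrivs:/ { rc = ($2 == 1) ? 0 : 1 } END { exit rc }' \
        /proc/self/status 2>/dev/null
}

# Path of firejail, or empty when it is not installed (then the app is started
# unsandboxed, as the comment above suggests).
find_firejail() {
    command -v firejail 2>/dev/null || true
}

# Print the command line that starts the app.
#   $1 firejail path ("" = none), $2 app entry point inside the mounted squashfs
app_command() {
    if [ -n "$1" ]; then
        printf '%s %s\n' "$1" "$2"
    else
        printf '%s\n' "$2"
    fi
}

# Launcher flow: mount outside the sandbox, sandbox only the application.
launch_orb() {
    orb="$1"
    if under_no_new_privs; then
        echo "error: already inside a no_new_privs sandbox; run 'orb' unsandboxed" >&2
        return 1
    fi
    iso_dir=$(mktemp -d) || return 1
    sq_dir=$(mktemp -d) || return 1
    # Same mount options the launcher log above shows for fuseiso.
    fuseiso "$orb" "$iso_dir" -o allow_root,ro,nosuid || return 1
    squashfuse "$iso_dir/app.squashfs" "$sq_dir" || { fusermount -u "$iso_dir"; return 1; }
    # Only this step runs with seccomp and dropped capabilities.
    set -- $(app_command "$(find_firejail)" "$sq_dir/autorun.sh")
    "$@"
    rc=$?
    fusermount -u "$sq_dir"
    fusermount -u "$iso_dir"
    return $rc
}
```

Mounts made before firejail starts are inherited by the sandbox's mount namespace, so the app inside the jail still sees the squashfs directory.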