Closed igor2x closed 8 years ago
The program is crashed by seccomp. They try to do a mount syscall. If you disable seccomp in the profile file, then you would also need to disable capabilities in order to give the program administrative rights, because they also run SUID binaries to mount the ISO filesystem. The bad part comes when you start running the programs in the ISO filesystem. There can be anything in there, and they have admin rights.
I would stay away from this type of application; they are the modern equivalent of clicking on email attachments.
Thanks a lot for looking into this problem and providing your precious opinion. I just saw an article on the web about portable applications. I love the idea of PortableApps.com portable applications on Windows, you know, running an application from a USB key without installation, where no superuser is required to run applications and all of the config files are saved on the USB key; an excellent idea for portability. But it looks like OrbitalApps portable applications on Ubuntu 16.04 share the same idea, while the implementation is very different.
If I understand you correctly, in the case of an OrbitalApps portable application it is not a case of slightly adjusting one of the Firejail profiles to disable insignificant security features in Firejail; a critical component has to be disabled (allowing superuser access). In this case it is very difficult or impossible to jail such an application. There is no real point in jailing an application that has superuser access anyway. Using this kind of portable application, it is in no way possible to have portability and security at the same time. A user concerned about security, like me, should not use OrbitalApps portable applications, because it is impossible to secure them properly by jailing them.
You can close this problem report with some status of it not being possible to securely fix the problem, and so the problem report is irrelevant to Firejail.
Thanks a million for your precious opinion.
Hi, I'm the lead developer of ORB Applications and would like to clear up some misconceptions:
By design, our "ORB Launcher" never runs as root.
By design, we never use SUID.
By design, our apps don't run as root.
By design, the sudo password is always expired, so the ISO contents can never take advantage of the sudo password in the cache.
In addition, not just the ORB/ISO itself is cryptographically signed, but the contents are also signed (a file with all the SHA512 hashes is PGP-signed).
We believe we have a robust multi-layered security model, as can be seen here: https://www.orbital-apps.com/security
Having clarified that, we are very interested in making our apps compatible with firejail, and even further, we plan to integrate firejail and enable sandboxing by default.
Regarding this specific issue, it seems if (non-root) FUSE operations (mount) can be sandboxed with seccomp, everything else should work perfectly. Are non-root FUSE operations blocked by design? Is there a way to "whitelist" FUSE operations but leave everything else enabled?
Thanks in advance for a possible solution, Peter M
Sorry if I went overboard in my previous comment.
FUSE ends up calling a SUID binary (/bin/fusermount) to mount the filesystem. In order to run it, you would need the CAP_SYS_ADMIN capability enabled (man 7 capabilities). All capabilities are disabled by the sandbox. You would also need to disable seccomp. seccomp uses an obscure kernel feature, no_new_privs https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt , for its own protection. This also disables SUID binaries.
The way it could work: in your starter program, after FUSE mounting, start the application in the sandbox. Instead of "vlc" you would need to start "/usr/bin/firejail vlc". If the user doesn't have firejail installed, you just start "vlc" as usual. Or you can open a dialog window and ask the user, but basically it should work.
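The launcher flow suggested above, as an added example written here and not ORB's or Firejail's own code: the FUSE mount happens outside the sandbox, and only the application itself is started under firejail when it is installed. The mount point, the app name, the ORB_MNT/ORB_APP variables and the mount_orb step are assumptions.

```shell
#!/bin/sh
# Added example (not ORB's or Firejail's code): mount outside the sandbox,
# then start only the app under firejail. Mounting from inside the sandbox
# cannot work: all capabilities (CAP_SYS_ADMIN included) are dropped and
# no_new_privs stops SUID fusermount from gaining privileges.

# is_fuse_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 if MOUNTPOINT appears as a fuse filesystem in MOUNTS_FILE
# (default /proc/mounts). MOUNTS_FILE is a parameter so the check can be
# exercised against a constructed file.
is_fuse_mounted() {
    awk -v mp="$1" '$2 == mp && $3 ~ /^fuse/ { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# build_app_cmd APP FIREJAIL_BIN
# Prints the command to exec. FIREJAIL_BIN is the firejail path (normally
# "$(command -v firejail)") or empty when it is not installed, in which case
# the app runs unsandboxed, as the comment above suggests.
build_app_cmd() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2 $1"
    else
        printf '%s\n' "$1"
    fi
}

# no_new_privs_set: returns 0 when this process already has no_new_privs,
# i.e. SUID binaries such as fusermount would not gain privileges from here.
# Useful to confirm, from inside a firejail shell, why mounting fails there.
no_new_privs_set() {
    grep -q '^NoNewPrivs:[[:space:]]*1' /proc/self/status
}

# Launcher flow; mount point and app name are assumptions (placeholders).
main() {
    mnt="${ORB_MNT:-/tmp/orb-vlc}"
    app="${ORB_APP:-vlc}"
    # The mount must already have been done here, before any sandbox, by
    # the unprivileged FUSE helper; mount_orb stands for ORB's own step.
    if ! is_fuse_mounted "$mnt"; then
        echo "mount_orb \"$mnt\" must run first (outside firejail)" >&2
        return 1
    fi
    exec $(build_app_cmd "$app" "$(command -v firejail || true)")
}
```

To use it as a script, append `main "$@"`; the functions are left uncalled so they can be sourced and checked on their own.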
Hi, OrbitalApps are designed to work on Ubuntu 16.04 Desktop 64-bit. Other Linux distributions are not tested and may not work.
firejail --version
Output is: firejail version 0.9.38
orb vlc_2.2.2_portable_64bits.orb
The application outputs the following info and the application starts up successfully. Note: above there are some errors, probably because I run it using VirtualBox. But the VLC Media Player application starts up and works fine.
firejail orb vlc_2.2.2_portable_64bits.orb
The info below is output, but VLC Media Player never starts up. It looks to me like some special firejail profile should be created for OrbitalApps portable applications. Regards