Firejail, a SUID security sandbox program (Linux)

lgillis
Posts: 137
Joined: Mon May 09, 2022 8:40 am

Firejail, a SUID security sandbox program (Linux)

Post by lgillis

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Homepage: https://firejail.wordpress.com

By untrusted, I mean any program that is potentially capable of deleting or modifying all data under $HOME. In other words, any installed program.

Firejail already includes some profiles for common programs, including one for the i2prouter. Profiles can be derived from these for the programs we are using here (java*, qbittorrent …).
lgillis
Posts: 137
Joined: Mon May 09, 2022 8:40 am

Re: Firejail, a SUID security sandbox program (Linux)

Post by lgillis

Code:

### $HOME/.config/firejail/biglybt.profile
### A rudimentary Firejail profile for BiglyBT,
### a BitTorrent client written in Java.
### The focus is on the withdrawal of
### global read and write permissions.

# BiglyBT is installed in the directory:
whitelist /opt/biglybt

# Requires write permissions in the user configuration directory:
noblacklist ${HOME}/.biglybt/
noblacklist ${HOME}/.swt/
noblacklist ${HOME}/.java/
mkdir ${HOME}/.biglybt
mkdir ${HOME}/.swt
mkdir ${HOME}/.java
whitelist ${HOME}/.biglybt/
whitelist ${HOME}/.swt/
whitelist ${HOME}/.java/

# The directory where all downloads are stored:
whitelist /your/personalized/download/directory

# Enable the desktop theme and basic settings:
include whitelist-common.inc

# No access to the following directories:
blacklist /media
blacklist /mnt
blacklist /srv
blacklist /private
blacklist /moreprivate

# blacklist /etc (mandatory)

# Allow Java:
include allow-java.inc

# Prohibit everything that is not needed:
include disable-common.inc
# include disable-exec.inc  (prevents the use of BBT's SWT GUI)
# Not yet tested:
# include disable-devel.inc
# include disable-interpreters.inc
# include disable-proc.inc
# include disable-programs.inc
# include disable-shell.inc
# include disable-write-mnt.inc
# include disable-X11.inc
# include disable-xdg.inc

# Disable /mnt, /media, /run/mount and /run/media access:
disable-mnt

The call for this example would be:

Code:

firejail --profile=$HOME/.config/firejail/biglybt.profile /opt/biglybt/biglybt

or as a desktop file:

Code:

[Desktop Entry]
Comment=
Exec=firejail /opt/biglybt/biglybt %U
GenericName=BitTorrent Client
Icon=/opt/biglybt/biglybt.png
Keywords=file transfer;P2P
MimeType=x-scheme-handler/magnet;application/x-bittorrent;application/x-biglybt;x-scheme-handler/biglybt;
Name=BiglyBT local
NoDisplay=false
Path=
StartupNotify=true
StartupWMClass=BiglyBT
Terminal=false
TerminalOptions=
Type=Application
X-KDE-SubstituteUID=false
X-KDE-Username=

Firejail should find the profile even without the explicit entry.
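Firejail evaluates a profile top to bottom, so the `noblacklist` lines in the profile above only work because they appear before `include disable-common.inc`. The following lint, added here as an example and not part of the post or of Firejail, checks that ordering and flags the placeholder download path; the embedded profile is a constructed, reduced copy of the one above with one fault injected (a `noblacklist` placed after the include) so the check has something to find.

```python
"""Lint a Firejail profile for the ordering rules a whitelist-based profile
depends on. Firejail reads a profile top to bottom, so a `noblacklist` that
appears after `include disable-*.inc` arrives too late: the blacklist is
already in place. Placeholder paths (/your/...) are flagged as well."""
import re

# Constructed sample: a reduced copy of the BiglyBT profile above with one
# fault injected (noblacklist after include disable-common.inc).
SAMPLE_PROFILE = """\
whitelist /opt/biglybt
noblacklist ${HOME}/.biglybt/
mkdir ${HOME}/.biglybt
whitelist ${HOME}/.biglybt/
whitelist /your/personalized/download/directory
include whitelist-common.inc
blacklist /media
include allow-java.inc
include disable-common.inc
noblacklist ${HOME}/.java/
disable-mnt
"""

PATH_CMDS = {"whitelist", "noblacklist", "blacklist", "mkdir", "mkfile"}

def lint_profile(text):
    """Return a list of (line_no, message) findings for one profile text."""
    findings = []
    first_disable = None  # line number of the first include disable-*.inc
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directive
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "include" and re.fullmatch(r"disable-.*\.inc", arg):
            first_disable = first_disable or no
        if cmd == "noblacklist" and first_disable:
            findings.append((no, "noblacklist after include disable-*.inc "
                                 f"on line {first_disable}: has no effect"))
        if cmd in PATH_CMDS and not arg.startswith(("/", "${")):
            findings.append((no, f"{cmd} path is not absolute: {arg}"))
        if cmd in PATH_CMDS and arg.startswith("/your/"):
            findings.append((no, f"placeholder path left in profile: {arg}"))
    return findings
```

Run it against your own profile text before the first launch; a clean profile returns an empty list.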