3. New version of Firejail sandbox released after external security audit

New version of Firejail sandbox released after external security audit

If you configure Firejail to allow the program to access that file, and filesystem permissions allow the program to write to that file, it can write to that file. Firejail is not a malware scanner.

As I think of it, Firejail does two things for you:

  • It makes it much harder for programs to do damage to your operating system. Unpatched bugs in your operating system can potentially be exploited from programs to escalate privileges to root (at which point they own your operating system), something that is especially a risk with Internet connected programs that run untrusted remote code (e.g., web browsers, feed readers, and so on).
  • It makes it much harder for programs to access files it has no business with in your home directory. This cuts into how much damage the program can do to files of other programs, or what files it could abscond with.

For example the default Firejail profile for Firefox runs a sandbox in which the root user doesn't exist, only /tmp and /home (selected subdirectories only) are writable, the system calls that can be used are limited, all privileges are dropped, directories that have system commands are made unavailable, key system commands are made unavailable from your entire path, key system configuration files are made unavailable, and development commands (e.g., compilers, linkers, debuggers) are made unavailable. All this cuts into the toolbox malware would use to own your operating system.

In addition to that, the default Firejail profile for Firefox severely restricts what files and directories in your home directory Firefox can access. Common directories used by GUI programs are accessible, as are your Downloads directory and any directories Firefox or common add-ons for Firefox would use (configuration, cache, etc.). Where it doesn't need write access the access is made read-only. Everything else is inaccessible (not even visible); your terminal history, ssh keys, gpg keys, system keyrings, files specific to other web browsers, your Documents directory, and so on are all inaccessible.

Most default profiles are very similar to that. You can see the default profiles in /etc/firejail.

/r/linux Thread Parent Link - l3net.wordpress.com
Previous
Next

Recently removed from /r/linux

Comepress - I built a tool to automatically convert all the PNG/JPG files in your web project into Next-Gen WebP format. Reduce image bundle size by 80% with Comepress, faster site loading for users and smaller project size for devs! RISC-V only takes 12 years to achieve the milestone of 10 billion cores, 5 years faster than ARM. 2025 = Year of the Linux desktop? None of my computers supports Windows 11. How are we preparing for the 2025 Tsunami of new Linux users? What has gone wrong with Linux culture? Linux in my Job Laptop 2 months since I switched from gnome to i3 from gnome Entire file ownership and permission system is nothing more than a hurdle for regular users Saw this and thought of the linux community Linux Timeline v20.10 a new age-based cli password manager Anyone in US using open source EHR software? RMS addresses the free software community SDL (very reluctantly) moving from mercurial to github Microsoft repo installed on all Raspberry Pi’s Chef cofounder on CentOS: It's time to open source everything

More Random Comments

[Fabrizio Romano] Gareth Southgate: “These tournaments take a lot out of you and I need a bit of time to reflect. I think that's the right thing to do”. “It needs a bit of time to make sure everybody makes the right decision”, he added on his future. title paste ho rha h "I Want You To Show Me Your Panties With a Disgusted Face" Season 3 Announced Daily Slow Chat [WP] In a world of superheroes and villains, both are seen as a 9-5 jobs. It’s your first day as a villain. What's a women's thing men should absolutely start doing? It should be known that Ned and Vaemond are NOT the same. They wanted to expose bastards but Ned was doing to support the true heir, and Vaemond was doing it for his own empowerment. Viserys set the rule of inheritance regardless of gender, so even though Luc is a bastard, that means Baela is heir. My husband(22M) cheated on me(24F) the first couple of months we were married Markets in 'panic mode' as gas prices fall: expert Did you start a team sport as a beginner adult? As somebody who has suffered with agoraphobia for 30+ years, I’m so happy he was able to do this. Getting married soon. Advice if a divorce happens in the future? (Uk) It's snowing. It is so cold but when I put the heating on yesterday, it went to £7 on the smart meter. Die Umsturzpläne der Reichsbürger wurden veröffentlicht No way this is a bot… it keeps learning