mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #2248] Question: Firejail vs using AppArmor only? What are some of the advantages #1506
Originally created by @thebunnyrules on GitHub (Nov 6, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2248
Hi, I'm just starting with Firejail. It seems like a really interesting tool and I'm trying to understand it a little more. Not sure if this is the appropriate place to ask but I didn't know where else to post my question.
I'm currently using an AppArmor enforce mode profile that I've heavily modded and tweaked to limit Firefox's access to my system resources, home directory, documents and configuration files...
I was just wondering what additional security features does Firejail offer over running AppArmor alone? What is a SUID sandbox?
@topimiettinen commented on GitHub (Nov 6, 2018):
Firejail uses private mount namespaces to achieve similar access controls compared to AppArmor, and capability restrictions are also similar. In addition to those, Firejail can set up system call filtering with seccomp and restrict networking. Then AppArmor can restrict mapping of files to memory, which Firejail is not able to do.
Executing SUID programs elevates the user's privileges temporarily. This is used in Firejail to, for example, set up mounts, which is not allowed normally.
@Vincent43 commented on GitHub (Nov 7, 2018):
In general you may use AppArmor OR firejail, but not both at the same time for the same app, as this will lead only to trouble. If you have already set a tight AppArmor profile then you may stick with it. I assume you know that the AppArmor features available vary across kernel versions and distros.
@topimiettinen commented on GitHub (Nov 7, 2018):
@Vincent43 what trouble would you see? There's surely overlap, but they can also complement each other. For example, you could use AppArmor for path based access control, but then Firejail for seccomp and capabilities. I'm using TOMOYO, Yama and Firejail without problems.
@Vincent43 commented on GitHub (Nov 8, 2018):
You would need to add more privileges in AppArmor than are needed without firejail to make it work. You would need to use fewer firejail features, otherwise it would be broken with AppArmor. As a result they will cancel each other out rather than complement each other. We had multiple reports about broken apps when AppArmor and firejail are used at the same time.
Keep in mind that AppArmor is mandatory when enabled while firejail can be easily circumvented (intentionally or not).
@topimiettinen commented on GitHub (Nov 8, 2018):
I see, maybe the paths of the private mounts used by Firejail do not match what AppArmor expects? Anyway, it should be possible to use Firejail for seccomp and network control, those will not conflict with AppArmor.
@thebunnyrules commented on GitHub (Nov 8, 2018):
I did notice that some things in the AppArmor profile were ignored when I ran firejail. Files that I specifically denied access to reading with my AA-enforce enabled can be accessed while running the same app on firejail. So, I don't think they're complementary.
@Vincent43 What do you mean when you say that firejail can be easily circumvented? Can you be more specific with some examples?
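A way to check which of the layers discussed in this thread the kernel has actually applied to a running process, added here as an example (it is not from the thread participants or the Firejail project). It reads the `Seccomp`, `NoNewPrivs` and `CapEff` fields of `/proc/<pid>/status` and the AppArmor label in `/proc/<pid>/attr/current`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Report the confinement the kernel has applied to one process.

# confinement_report STATUS_FILE ATTR_FILE
# Prints: seccomp=<mode> nnp=<0|1> caps=<none|some> apparmor=<label>
confinement_report() {
    status_file=$1
    attr_file=$2
    seccomp=$(awk '$1 == "Seccomp:" {print $2}' "$status_file")
    nnp=$(awk '$1 == "NoNewPrivs:" {print $2}' "$status_file")
    capeff=$(awk '$1 == "CapEff:" {print $2}' "$status_file")

    case $seccomp in
        0) seccomp=off ;;
        1) seccomp=strict ;;
        2) seccomp=filter ;;      # a syscall filter is installed
        *) seccomp=unknown ;;
    esac

    # CapEff is a hex bitmask; all zeros means no effective capabilities.
    case $capeff in
        '')     caps=unknown ;;
        *[!0]*) caps=some ;;
        *)      caps=none ;;
    esac

    # attr/current holds "unconfined" or "<profile> (<mode>)".
    if [ -r "$attr_file" ]; then
        label=$(tr -d '\000' < "$attr_file")
    else
        label=unavailable
    fi
    printf 'seccomp=%s nnp=%s caps=%s apparmor=%s\n' \
        "$seccomp" "${nnp:-unknown}" "$caps" "$label"
}

# Constructed sample: seccomp filter on, no capabilities, no AppArmor profile.
sample_report() {
    dir=$(mktemp -d)
    printf 'Name:\tfirefox\nCapEff:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$dir/status"
    printf 'unconfined\n' > "$dir/current"
    confinement_report "$dir/status" "$dir/current"
    rm -rf "$dir"
}

# With a PID argument, inspect that process; otherwise show the sample.
if [ -n "${1:-}" ]; then
    confinement_report "/proc/$1/status" "/proc/$1/attr/current"
else
    sample_report
fi
```

Running it against the same application's PID once when started directly and once when started through firejail gives two lines to compare, which shows whether the AppArmor profile is still attached in the second case.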
@SkewedZeppelin commented on GitHub (Nov 8, 2018):
As a user you can simply directly run a known vulnerable application and compromise the computer.
As a malicious program you can abuse DBus or the X server and take control of the computer from there, after which you would use another vulnerable program to elevate privs.
OT: welcome back @topimiettinen
@thebunnyrules commented on GitHub (Nov 8, 2018):
@SkewedZeppelin, thanks for that. I'll have to get more educated about DBus vulnerabilities because I really don't know anything about them. Do you have any recommendations for a starting point or should I just google it?
With regards to the user issue, I'm the only user, so that would be a moot point for my setup.
With regards to apps using X exploits, I'm on Wayland and running Wayland apps (even my FF is Wayland), so X server issues aren't an issue for me. Unless AA has features that mitigate such vulnerabilities that I'm not aware of, I imagine that Xorg kb and screen cap snooping in other Xorg GUI apps also exist under AppArmor. Firejail's X users can also use --x11=xpra, which tells the app to use an xpra layer instead of Xorg. xpra is basically X without any of the kb/screen sharing features (so no keylogging or screen capping). So, as far as I can tell, Firejail is actually superior to AA in this department.
@chiraag-nataraj commented on GitHub (May 20, 2019):
I'm going to go ahead and close this as the discussion seems to have died out ;)