github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #311] Protecting data files, not on /home, from ransomware coming through browser #217

New issue
Closed
opened 2026-05-05 05:20:34 -06:00 by gitea-mirror · 5 comments
gitea-mirror commented 2026-05-05 05:20:34 -06:00
Owner
Copy link

Originally created by @RonCam on GitHub (Feb 21, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/311

Is it possible to create a firefox profile that will block ransomware from encrypting data on volumes other that those in the operating system's own files? In my case, I have a quite a few files going back many years, in my old \Data directory on a NTFS volume, dating back to before I moved to GNU/Linux. I access this as needed from the Linux partitions. Still, I don't want to risk having it encrypted by malware.

? Is there any way of shielding this with a Firejail 'overlay' -- or, is the only answer to copy all of data from NTFS volumes to the ext4 /home partition?

This solution would create a problem if I were to boot into the Microsoft operating system, and then find needed data to be inaccessible.

I'm assuming the ransomware would be able to take advantage of Linux's compatibility with MS's filesystems, and cause potential damage by reaching out from the ext4 filesystem, making some sort of protection necessary? Or, might this not be the case?

Originally created by @RonCam on GitHub (Feb 21, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/311 Is it possible to create a firefox profile that will block ransomware from encrypting data on volumes other that those in the operating system's own files? In my case, I have a quite a few files going back many years, in my old \Data directory on a NTFS volume, dating back to before I moved to GNU/Linux. I access this as needed from the Linux partitions. Still, I don't want to risk having it encrypted by malware. **?** Is there any way of shielding this with a Firejail 'overlay' -- or, is the only answer to copy all of data from NTFS volumes to the ext4 /home partition? This solution would create a problem if I were to boot into the Microsoft operating system, and then find needed data to be inaccessible. I'm assuming the ransomware would be able to take advantage of Linux's compatibility with MS's filesystems, and cause potential damage by reaching out from the ext4 filesystem, making some sort of protection necessary? Or, might this not be the case?
gitea-mirror 2026-05-05 05:20:34 -06:00
gitea-mirror commented 2026-05-05 05:20:38 -06:00
Author
Owner
Copy link

@genodeftest commented on GitHub (Feb 21, 2016):

If you are running firefox within firejail, it should not be able to access ~/Desktop (just try to open any file there with Ctrl+O or Ctrl+S). In case this ransomware would be started from firefox, firejail will protect you from direct attacks. Although I should note that firejail might not be mature enough to protect you from indirect attacks through installing itself somewhere from firefox where it will be invoked later.
Firejail cannot protect you from anything running inside Windows. It also will not block anything from being accessible to Windows, since it works with a temporary overlay filesystem that is not created on disk but just inside the linux kernel.
I doubt any malware inside Windows would be getting active on Linux. I haven't seen any cross-platform malware on both Windows and Linux and I don't think this exists.

If you don't have your data below /home, just add your blacklisted folder into firejail config files.

I didn't get your "issue" here. If your answer is solved, please close this issue report.

<!-- gh-comment-id:186777158 --> @genodeftest commented on GitHub (Feb 21, 2016): If you are running firefox within firejail, it should not be able to access ~/Desktop (just try to open any file there with Ctrl+O or Ctrl+S). In case this ransomware would be started from firefox, firejail will protect you from direct attacks. Although I should note that firejail might not be mature enough to protect you from indirect attacks through installing itself somewhere from firefox where it will be invoked later. Firejail cannot protect you from anything running inside Windows. It also will not block anything from being accessible to Windows, since it works with a temporary overlay filesystem that is not created on disk but just inside the linux kernel. I doubt any malware inside Windows would be getting active on Linux. I haven't seen any cross-platform malware on both Windows and Linux and I don't think this exists. If you don't have your data below /home, just add your blacklisted folder into firejail config files. I didn't get your "issue" here. If your answer is solved, please close this issue report.
gitea-mirror commented 2026-05-05 05:20:41 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Feb 21, 2016):

Not a problem, we make all system directories read-only.

<!-- gh-comment-id:186820503 --> @netblue30 commented on GitHub (Feb 21, 2016): Not a problem, we make all system directories read-only.
gitea-mirror commented 2026-05-05 05:20:43 -06:00
Author
Owner
Copy link

@RonCam commented on GitHub (Feb 23, 2016):

@genodeftest wrote:

If you don't have your data below /home, just add your blacklisted folder into firejail config files.

Sorry I wasn't clear, but thanks for letting me know -- it might help if I explain I'm running a triple-boot with two MS OS's plus LinuxMint. There's a separate /data partition that I'd rather not have encrypted by ransomware.

The /data partition began years ago, has been carried forward from one OS version to another, and so it is in the NTFS format. I was hoping to retain access to /data from all operating systems, for as long as possible.

When you said, 'just to make that [my /data partiton] as a blacklisted folder in the Firejail config files' -- do you mean that would still be possible, even though it's not ext4? If that's a 'yes' -- then that solves the problem. 😄

@genodeftest wrote:

I haven't seen any cross-platform malware on both Windows and Linux and I don't think this exists.

This is the news item that motivated me to 'get moving' on sandboxing the Mint installation.

@netblue30 wrote:

Not a problem, we make all system directories read-only.

Actually, for this kind of ransomware, I'm more concerned about data files than about system files. I think this kind of malware leaves the system files alone?

Is there any way of protecting the Windows NTFS data files from cross-platform ransomware (reference to above link) running in Mint's (or Firefox's) java installation? I'm pretty sure any data files in Mint's ext-filesystem would be safe, however.

If genodeftest answers 'yes' -- just put these NTFS partitions and directories into the Firejail config files -- then -- problem is solved.

Thanks for your patience -- I'm very new to Firejail -- and my thinking was, could it possibly protect volumes having two different file systems, that happen to reside on the same computer? This would be great, but I thought if it can be done, some special configuration might be required.

@genodeftest wrote:

Firejail cannot protect you from anything running inside Windows.

No problem there. I've been running Sandboxie ever since Windows 2000 Pro. Even there, I realize that ransomware could still run, but anything it encrypts would be in the sandbox, and therefore these files would disappear, as soon as the sandbox is 'dumped'. And I'm pretty sure anything running inside Windows couldn't/wouldn't affect any ext-filesystem volumes -- well, Windows can't even see them. 😏

<!-- gh-comment-id:187465306 --> @RonCam commented on GitHub (Feb 23, 2016): @genodeftest wrote: > If you don't have your data below /home, just add your blacklisted folder into firejail config files. Sorry I wasn't clear, but thanks for letting me know -- it might help if I explain I'm running a triple-boot with two MS OS's plus LinuxMint. There's a separate /data partition that I'd rather not have encrypted by ransomware. The /data partition began years ago, has been carried forward from one OS version to another, and so it is in the NTFS format. I was hoping to retain access to /data from all operating systems, for as long as possible. When you said, 'just to make that [my /data partiton] as a blacklisted folder in the Firejail config files' -- do you mean that would still be possible, even though it's not ext4? If that's a 'yes' -- then that solves the problem. :smile: @genodeftest wrote: > I haven't seen any cross-platform malware on both Windows and Linux and I don't think this exists. [This is the news item that motivated me to 'get moving' on sandboxing the Mint installation.](http://thehackernews.com/2016/01/javascript-ransomware-malware.html) @netblue30 wrote: > Not a problem, we make all system directories read-only. Actually, for this kind of ransomware, I'm more concerned about data files than about system files. I think this kind of malware leaves the system files alone? Is there any way of protecting the Windows NTFS data files from cross-platform ransomware (reference to above link) running in Mint's (or Firefox's) java installation? I'm pretty sure any data files in Mint's ext-filesystem would be safe, however. If _genodeftest_ answers 'yes' -- just put these NTFS partitions and directories into the Firejail config files -- then -- problem is solved. Thanks for your patience -- I'm very new to Firejail -- and my thinking was, could it possibly protect volumes having two different file systems, that happen to reside on the same computer? This would be great, but I thought if it can be done, some special configuration might be required. @genodeftest wrote: > Firejail cannot protect you from anything running inside Windows. No problem there. I've been running Sandboxie ever since Windows 2000 Pro. Even there, I realize that ransomware could still run, but anything it encrypts would be in the sandbox, and therefore these files would disappear, as soon as the sandbox is 'dumped'. And I'm pretty sure anything running inside Windows couldn't/wouldn't affect any ext-filesystem volumes -- well, Windows can't even see them. :smirk:
gitea-mirror commented 2026-05-05 05:20:47 -06:00
Author
Owner
Copy link

@genodeftest commented on GitHub (Feb 23, 2016):

LinuxMint? I wouldn't use that any more after they have seen 2 major security breaches in just one week and don't seem to care about security at all… Just my 2 cents.

What firejail does is putting a virtual filesystem on top of all filesystems. In this virtual filesystem any file/directory can have different permissions that outside. This is independent of what "real" filesystem you are using on the physical layer. So that's a "yes". This is what netblue ment:
@RonCam wrote:

@netblue30 wrote:

Not a problem, we make all system directories read-only.
Actually, for this kind of ransomware, I'm more concerned about data files than about system files. I think this kind of malware leaves the system files alone?

/data is considered a system directory, because it is not below /home.

If you are running Java (don't confuse it with JavaScript!) within your browser, you probably already lost. This is so broken and insecure you really never should do that.

@RonCam wrote:

Is there any way of protecting the Windows NTFS data files from cross-platform ransomware (reference to above link) running in Mint's (or Firefox's) java installation? I'm pretty sure any data files in Mint's ext-filesystem would be safe, however.

I am not sure I get what you want to say here. You can protect the NTFS partition e.g. with firejail. You can also change permissions, e.g. to make it visible only to some users or to remove the write flag. Look up man 8 mount for details.
"safe" for Mint's ext-filesystem is relative. Complete safety doesn't exist. You should ask yourself what you want to protect yourself from.

my thinking was, could it possibly protect volumes having two different file systems, that happen to reside on the same computer?
See above: What do you want to protect these volumes from?

And I'm pretty sure anything running inside Windows couldn't/wouldn't affect any ext-filesystem volumes -- well, Windows can't even see them.
That depends on the type of malware you are running into. There are also bootkits/rootkits which install in a special part of your harddisk (MBR on older computers) so they will be loaded before your OS is starting. There's no real help for that.
And as a Windows admin you could also damage the ext filesystem. That's pretty rare and unlikely that you catch malware doing this though.

<!-- gh-comment-id:187763296 --> @genodeftest commented on GitHub (Feb 23, 2016): LinuxMint? I wouldn't use that any more after they have seen 2 major security breaches in just one week and don't seem to care about security at all… Just my 2 cents. What firejail does is putting a virtual filesystem on top of all filesystems. In this virtual filesystem any file/directory can have different permissions that outside. This is independent of what "real" filesystem you are using on the physical layer. So that's a "yes". This is what netblue ment: @RonCam wrote: > @netblue30 wrote: > > > Not a problem, we make all system directories read-only. > > Actually, for this kind of ransomware, I'm more concerned about data files than about system files. I think this kind of malware leaves the system files alone? `/data` is considered a system directory, because it is not below `/home`. If you are running Java (don't confuse it with JavaScript!) within your browser, you probably already lost. This is so broken and insecure you really never should do that. @RonCam wrote: > Is there any way of protecting the Windows NTFS data files from cross-platform ransomware (reference to above link) running in Mint's (or Firefox's) java installation? I'm pretty sure any data files in Mint's ext-filesystem would be safe, however. I am not sure I get what you want to say here. You can protect the NTFS partition e.g. with firejail. You can also change permissions, e.g. to make it visible only to some users or to remove the write flag. Look up `man 8 mount` for details. "safe" for Mint's ext-filesystem is relative. Complete safety doesn't exist. You should ask yourself what you want to protect yourself from. > my thinking was, could it possibly protect volumes having two different file systems, that happen to reside on the same computer? > See above: What do you want to protect these volumes from? > > And I'm pretty sure anything running inside Windows couldn't/wouldn't affect any ext-filesystem volumes -- well, Windows can't even see them. > That depends on the type of malware you are running into. There are also bootkits/rootkits which install in a special part of your harddisk (MBR on older computers) so they will be loaded before your OS is starting. There's no real help for that. > And as a Windows admin you could also damage the ext filesystem. That's pretty rare and unlikely that you catch malware doing this though.
gitea-mirror commented 2026-05-05 05:20:51 -06:00
Author
Owner
Copy link

@RonCam commented on GitHub (Feb 23, 2016):

@genodeftest wrote, and 'hit the nail on the head', with that response: 👍

What firejail does is putting a virtual filesystem on top of all filesystems. In this virtual filesystem any file/directory can have different permissions that outside. This is independent of what "real" filesystem you are using on the physical layer. So that's a "yes". ... [emphasis added]

That's fine. Now I know Firejail's design permits doing what I had hoped it would do. Now I just have to get down to studying the documentation to make sure I do it right. Thanks for pointing me in the right direction, so I know to where to look.

As to what level of protection I'm hoping to obtain -- I honestly couldn't give an adequate answer at my level of knowledge, of all probable and reasonable threats to avoid, except to say I'll be very happy to have the same level of protection as has been provided to my Microsoft operating systems for over ten years, by Sandboxie. And, it sounds as if Firejail can do that.

The question of absolute security used to come up from time to time on the Sandboxie forum -- and on Wilders, as well -- and even the Sandboxie developer would always say that absolute security isn't possible. And, I'm comfortable with that. All I can say is, I ran a good anti-virus along with Sandboxie, and in ten years of use, the the anti-virus/malware utility (AVG, for most of the time) never found anything, at least, not after the sandbox dumped.

With Firejail plus GNU/Linux's inherently better protection against intrusion (IMO only -- feel free to comment if that's not so!) I'll be getting what I need. Thanks again for the mini-tutorial on Firejail's capabilities, for all who come across this thread. The question is fully answered.

As a side note on the Linux Mint issue, the best source of information is now their Blog, until the forum servers once again come online. For about one day, .iso download attempts for one of its versions were being redirected to a rogue site which provided an .iso which wouldn't pass an MD5 test, or at least, it wouldn't have passed for anyone who took the trouble to do it. By the way, downloads for all versions just became available, so apparently something was done to block the redirects. I run KDE, so I would not have been affected, in any event -- only 64-bit Cinnamon users are being advised to delete any downloads made during the published time-frame.

Congratulations to the Firejail team -- the GNU/Linux community is fortunate to have you! 👏

<!-- gh-comment-id:187944407 --> @RonCam commented on GitHub (Feb 23, 2016): @genodeftest wrote, and 'hit the nail on the head', with that response: :+1: > What firejail does is putting a virtual filesystem on top of **all filesystems**. In this virtual filesystem any file/directory can have different permissions that outside. This is independent of what "real" filesystem you are using on the physical layer. **So that's a "yes"**. ... [emphasis added] That's fine. Now I know _Firejail's_ design permits doing what I had hoped it would do. Now I just have to get down to studying the documentation to make sure I do it right. Thanks for pointing me in the right direction, so I know to where to look. As to what level of protection I'm hoping to obtain -- I honestly couldn't give an adequate answer at my level of knowledge, of all probable and reasonable threats to avoid, except to say I'll be very happy to have the same level of protection as has been provided to my Microsoft operating systems for over ten years, by _Sandboxie_. And, it sounds as if _Firejail_ can do that. The question of absolute security used to come up from time to time on the _Sandboxie_ forum -- and on _Wilders_, as well -- and even the Sandboxie developer would always say that absolute security isn't possible. And, I'm comfortable with that. All I can say is, I ran a good anti-virus along with _Sandboxie_, and in ten years of use, the the anti-virus/malware utility (AVG, for most of the time) never found anything, at least, not after the sandbox dumped. With _Firejail_ plus GNU/Linux's inherently better protection against intrusion (IMO only -- feel free to comment if that's not so!) I'll be getting what I need. Thanks again for the mini-tutorial on _Firejail's_ capabilities, for all who come across this thread. The question is fully answered. As a side note on the Linux Mint issue, [the best source of information is now their Blog](http://blog.linuxmint.com/?p=2994), until the forum servers once again come online. For about one day, .iso download attempts for one of its versions were being redirected to a rogue site which provided an .iso which wouldn't pass an MD5 test, or at least, it wouldn't have passed for anyone who took the trouble to do it. By the way, downloads for all versions just became available, so apparently something was done to block the redirects. I run KDE, so I would not have been affected, in any event -- only 64-bit Cinnamon users are being advised to delete any downloads made during the published time-frame. Congratulations to the _Firejail_ team -- the GNU/Linux community is fortunate to have you! :clap:
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#217
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?