github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1352] What is a security purpose of fairjail? #930

New issue
Closed
opened 2026-05-05 07:10:33 -06:00 by gitea-mirror · 10 comments
gitea-mirror commented 2026-05-05 07:10:33 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Jun 27, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1352

Hello, can someone please explain me the purpose of firejail in terms of security?
I was seeking an application to sandbox the environment and found that firejail meets my criteria to try it.

Now, if the main purpose of a sandboxing application is to sandbox everything by default (e.g. act as a blocking but transparent 'firewall' between a real filesystem and the application), why firejail acts exactly vice-versa?

I see that if I have mounted USB storage in /media or a writable directory somewhere whithin the /usr or /var, a fairjail'ed application will be able to write a file to these directories by default. The written files will remain in these folders even after I close the application that did write these files, even using --private option.

Let's now imagine a 0-day privilege escalation or just a local execution vulnerability in that application (e.g. firefox or chrome). An exploit simply gets root and installs some persistent files, or in other case, reads private data from the mounted media.

There is a similar and very related unanswered issue on https://github.com/netblue30/firejail/issues/354, which is important and can't be ignored.

Originally created by @ghost on GitHub (Jun 27, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1352 Hello, can someone please explain me the purpose of firejail in terms of security? I was seeking an application to sandbox the environment and found that firejail meets my criteria to try it. Now, if the main purpose of a sandboxing application is to sandbox everything by default (e.g. act as a blocking but transparent 'firewall' between a real filesystem and the application), why firejail acts exactly vice-versa? I see that if I have mounted USB storage in /media or a writable directory somewhere whithin the /usr or /var, a fairjail'ed application will be able to write a file to these directories by default. The written files will remain in these folders even after I close the application that did write these files, even using --private option. Let's now imagine a 0-day privilege escalation or just a local execution vulnerability in that application (e.g. firefox or chrome). An exploit simply gets root and installs some persistent files, or in other case, reads private data from the mounted media. There is a similar and very related unanswered issue on https://github.com/netblue30/firejail/issues/354, which is important and can't be ignored.
gitea-mirror 2026-05-05 07:10:33 -06:00
gitea-mirror commented 2026-05-05 07:10:36 -06:00
Author
Owner
Copy link

@Ferroin commented on GitHub (Jun 27, 2017):

Firejail can operate either in whitelisting mode, which is much harder to set up but does what it sounds like you want. Most profiles don't use whitelisting mode because it's much harder to get things to actually work and application updates are more likely to break with whitelisting than blacklisting.

As far as I know, firejail is actually one of the only sandboxing options on Linux that allows for whitelisting without being a full container system.

As far as the specific example you give, I can't really comment, I usually end up using firejail as an extra layer of protection inside a chroot, so that isn't anything I have specific experience with.

As far as #354, it was mostly answered, and the approximate suggestion there of building a custom chroot and running inside that is probably going to be what you need to do to achieve what you want regardless of what sandboxing tool you use unless you decide to use full-blown containers.

<!-- gh-comment-id:311334572 --> @Ferroin commented on GitHub (Jun 27, 2017): Firejail can operate either in whitelisting mode, which is much harder to set up but does what it sounds like you want. Most profiles don't use whitelisting mode because it's much harder to get things to actually work and application updates are more likely to break with whitelisting than blacklisting. As far as I know, firejail is actually one of the only sandboxing options on Linux that allows for whitelisting without being a full container system. As far as the specific example you give, I can't really comment, I usually end up using firejail as an extra layer of protection inside a chroot, so that isn't anything I have specific experience with. As far as #354, it was mostly answered, and the approximate suggestion there of building a custom chroot and running inside that is probably going to be what you need to do to achieve what you want regardless of what sandboxing tool you use unless you decide to use full-blown containers.
gitea-mirror commented 2026-05-05 07:10:38 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jun 27, 2017):

Hello, can someone please explain me the purpose of firejail in terms of security?

To prevent bugs such as this one: https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/

Now, if the main purpose of a sandboxing application is to sandbox everything by default ...

No, we don't sandbox everything by default, We sandbox only for problems we know about, such as passwords and encryption keys in standard places in the file system. Example: ssh keys in /home/user/.ssh directory.

I have mounted USB storage in /media or a writable directory somewhere whithin the /usr or /var

/media is not a standard place, the user is allowed to have anything in /media. However, you can use firejail to blacklist this directory. By default we don't blacklist it.

With or without a sandbox, writable user directories under /usr or /var are a very bad idea. The user should not be allowed to write in these directories. The only places the user is allowed to write are /home/user and /tmp. Beyond that, you break the UNIX/Linux filesystem hierarchy.

<!-- gh-comment-id:311337506 --> @netblue30 commented on GitHub (Jun 27, 2017): > Hello, can someone please explain me the purpose of firejail in terms of security? To prevent bugs such as this one: https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/ > Now, if the main purpose of a sandboxing application is to sandbox everything by default ... No, we don't sandbox everything by default, We sandbox only for problems we know about, such as passwords and encryption keys in standard places in the file system. Example: ssh keys in /home/user/.ssh directory. > I have mounted USB storage in /media or a writable directory somewhere whithin the /usr or /var /media is not a standard place, the user is allowed to have anything in /media. However, you can use firejail to blacklist this directory. By default we don't blacklist it. With or without a sandbox, writable user directories under /usr or /var are a very bad idea. The user should not be allowed to write in these directories. The only places the user is allowed to write are /home/user and /tmp. Beyond that, you break the UNIX/Linux filesystem hierarchy.
gitea-mirror commented 2026-05-05 07:10:41 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jun 27, 2017):

Let's now imagine a 0-day privilege escalation or just a local execution vulnerability in that application (e.g. firefox or chrome). An exploit simply gets root and installs some persistent files, or in other case, reads private data from the mounted media.

Firejail would prevent the application from getting root (at least for most applications - check the profiles; a noroot directive means the root user doesn't even exist in the jailed application's namespace). Reading private data from /media is more serious, which is why I usually end up blacklisting it myself. Then again, I ended up building a bunch of restrictive profiles - you may find them useful (https://github.com/chiraag-nataraj/firejail-profiles).

@netblue30, what is the argument for not blacklisting /media by default? As you say, the user is allowed to have anything in media, so it could very well be a sensitive location.

<!-- gh-comment-id:311361751 --> @chiraag-nataraj commented on GitHub (Jun 27, 2017): > Let's now imagine a 0-day privilege escalation or just a local execution vulnerability in that application (e.g. firefox or chrome). An exploit simply gets root and installs some persistent files, or in other case, reads private data from the mounted media. Firejail would prevent the application from getting root (at least for most applications - check the profiles; a `noroot` directive means the root user doesn't even exist in the jailed application's namespace). Reading private data from /media _is_ more serious, which is why I usually end up blacklisting it myself. Then again, I ended up building a bunch of restrictive profiles - you may find them useful (https://github.com/chiraag-nataraj/firejail-profiles). @netblue30, what is the argument for not blacklisting /media by default? As you say, the user is allowed to have anything in media, so it could very well be a sensitive location.
gitea-mirror commented 2026-05-05 07:10:41 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Jun 27, 2017):

/media is not a standard place, the user is allowed to have anything in /media. However, you can use firejail to blacklist this directory. By default we don't blacklist it.

Reading private data from /media is more serious, which is why I usually end up blacklisting it myself.

I still do hope for #1231

<!-- gh-comment-id:311371551 --> @SkewedZeppelin commented on GitHub (Jun 27, 2017): > /media is not a standard place, the user is allowed to have anything in /media. However, you can use firejail to blacklist this directory. By default we don't blacklist it. > Reading private data from /media is more serious, which is why I usually end up blacklisting it myself. I still do hope for #1231
gitea-mirror commented 2026-05-05 07:10:42 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jun 27, 2017):

True. For now, though, you can blacklist /mnt or whitelist /mnt/X if you need to access specific folders inside /mnt (analogous stuff for /media).

<!-- gh-comment-id:311376239 --> @chiraag-nataraj commented on GitHub (Jun 27, 2017): True. For now, though, you can `blacklist /mnt` or `whitelist /mnt/X` if you need to access specific folders inside /mnt (analogous stuff for /media).
gitea-mirror commented 2026-05-05 07:10:44 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Jun 27, 2017):

@chiraag-nataraj oh heh I don't even care much about the whitelist part. Just a simple per-profile disable-mnt as described in firejail.config is more then enough. The whitelist part would just allow users to harden profiles even further.

Disable /mnt, /media, /run/mount and /run/media access. By default access
to these directories is enabled.
disable-mnt no

Edit: the commit referenced in #1231 would allow hardening many profiles without any breakage, which would be a big win.

<!-- gh-comment-id:311377757 --> @SkewedZeppelin commented on GitHub (Jun 27, 2017): @chiraag-nataraj oh heh I don't even care much about the whitelist part. Just a simple per-profile disable-mnt as described in firejail.config is more then enough. The whitelist part would just allow users to harden profiles even further. > Disable /mnt, /media, /run/mount and /run/media access. By default access > to these directories is enabled. > disable-mnt no Edit: the commit referenced in #1231 would allow hardening many profiles without *any* breakage, which would be a big win.
gitea-mirror commented 2026-05-05 07:10:45 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jun 28, 2017):

OK, I'll bring in a per-profile disable-mnt. I'm not sure what applications will use it.

<!-- gh-comment-id:311710363 --> @netblue30 commented on GitHub (Jun 28, 2017): OK, I'll bring in a per-profile disable-mnt. I'm not sure what applications will use it.
gitea-mirror commented 2026-05-05 07:10:46 -06:00
Author
Owner
Copy link

@Ferroin commented on GitHub (Jun 29, 2017):

Actually, I could see that being useful as a default for quite a few things. Most of the server software for example could have that added without breaking (nginx for example should never need to access removable media).

<!-- gh-comment-id:311938065 --> @Ferroin commented on GitHub (Jun 29, 2017): Actually, I could see that being useful as a default for quite a few things. Most of the server software for example could have that added without breaking (nginx for example should never need to access removable media).
gitea-mirror commented 2026-05-05 07:10:47 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jul 5, 2017):

All set, disable-mnt support is in.

<!-- gh-comment-id:313084709 --> @netblue30 commented on GitHub (Jul 5, 2017): All set, disable-mnt support is in.
gitea-mirror commented 2026-05-05 07:10:48 -06:00
Author
Owner
Copy link

@g3ngr33n commented on GitHub (Mar 22, 2018):

Firejail using the default profil are mainly focused compatibility, making the sandbox work with most of the distribution Linux, without breaking any function of the target application, it's add a layer of security and will make any exploit harder to success.

That being said, when looking to harden as much a possible, you should not run the default profile but instead, taking a look of the manual (man firejail) and write your own configuration, with all the options that can reduce the capabilities / access as much as possible, depending on your need, your configuration....

For example, I'm using the following profile for firefox

https://paste.ee/p/1pIR8

Now this doesn't fit for everybody, and doing such profile as default isn't a good idea as it broke feature of firefox (sound for video online...) and will certainely not work on most of the Linux distribution, but it offer more security and this fit for my need.

Firejail is a no brainer when you are looking to harden or add an extra layer of security, but it's not a magic tool.

<!-- gh-comment-id:375292272 --> @g3ngr33n commented on GitHub (Mar 22, 2018): Firejail using the default profil are mainly focused compatibility, making the sandbox work with most of the distribution Linux, without breaking any function of the target application, it's add a layer of security and will make any exploit harder to success. That being said, when looking to harden as much a possible, you should not run the default profile but instead, taking a look of the manual (man firejail) and write your own configuration, with all the options that can reduce the capabilities / access as much as possible, depending on your need, your configuration.... For example, I'm using the following profile for firefox https://paste.ee/p/1pIR8 Now this doesn't fit for everybody, and doing such profile as default isn't a good idea as it broke feature of firefox (sound for video online...) and will certainely not work on most of the Linux distribution, but it offer more security and this fit for my need. Firejail is a no brainer when you are looking to harden or add an extra layer of security, but it's not a magic tool.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#930
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?