Firejail Implementation Details


#1

Hi! Whonix dev here. You may heard of our distro a Tor centric anonymity OS for VMs (whonix.org). I’m excited to see other projects working in the same direction and am looking at potential areas of collaboration.

I’ve been looking at sandboxing solutions like Firejail for a long time now but we haven’t adopted it yet because of potential difficulties in automating it by default and making it easily usable for novices.

Its great to see the progress you guys have made and the number of profiles you’ve created. Also the fact you are contributing back to upstream. Some questions:

*Do you enable firejail to automatically sandbox applications? If so how?

*How do you handle symlink preservation across package updates?

*How easy is it to transfer files a user wants to keep out of the container?

*Is there a problem with having a profile for an application that is yet to be installed?

Thanks.


What application using for sandbox?
(Lorenzo "Palinuro" Faletra) #2

hello, we love to have you here. let me try to answer your questions

first of all we don’t contribute to upstream yet because we just customize some profiles to properly work on parrot, i don’t personally have the timento check if my fixes work outside the parrot environment, so i’m not confident at sending them back to upstream, but i hope to do more in the near future.

  1. yes, firejail is enabled by default for all the applications it is compatible with

  2. firejail has a nice script that automatically compares the available profiles with the system binaries and creates the missing symlinks. all we did was to add this script as a post installation step in the package manager, and the script is called every time packages change

  3. it’s just automatic
    the system is bind-mounted readonly, some paths are excluded while other ones in the home directory are mounted with read-write permissions.
    all you have to do is to read amd write files as usual, amd they will be automatically saved outside the sandbox if the operation is permitted.

  4. absolutely not, just write the profiles (or patch the upstream ones), call the firecfg tool to update the symlinks un /usr/local/bin/ and have fun with firejail. you can have all the profiles you want, even for applications not yet installed.

feel free to ping me if you need further help implementing it in your distro, as i would love to help you.

palinuro at parrotsec dot org


#3

Thanks for the warm welcome and reply. I look forward to collaborate beyond this too.

Can you please direct me to your firejail scripts? Are they packaged as debs?

Also please feel free to check our repos [0] for anything Tor related as we have a lot to offer. We are also working on I2P support too and integrating it with Tor Browser.

[0] github.com/Whonix/Whonix


(Patrick Schleizer) #4

[0] github.com/Whonix


#5

@palinuro do you turn on x11 isolation by default? What xserver abstraction package do you prefer? xpra or xephyr?


(Lorenzo "Palinuro" Faletra) #6

hello

link to upstream

link to debian salsa

link to parrot revision

both debian and parrot maintain the debianized source package by following the dep14 standard (https://dep-team.pages.debian.net/deps/dep14/) with git-buildpackage (gbp)

if you want i can help you customizing the firejail profiles and maintaining them for you


(Patrick Schleizer) #7

Thanks for warm welcome indeed! :slight_smile:

Many (wherever doable) packages from http://github.com/Whonix are created with reusablity by other distributions in mind and also often tested on Debian during development. Let me know if any changes for any packages would be required so you could use the package in the parrot distribution.

Our Tor Browser location by tb-updater is /home/user/.tb/tor-browser. Could you please cover that storage path in the Tor Browser profile?


#8

Can you please split your firejail package so that all your innovations are in a separate package? That way it will be easier for us to pull these changes since we depend on the upstream packages in Debian stable for easier maintenance and reproducibility (in the near future).


(Lorenzo "Palinuro" Faletra) #9

sorry for the late answer

i am working to split the firejail package and provide the firejail-profiles package separately

i’m also going to host it in a way that makes easier for other projects to import it

stay tuned :slight_smile: