LWN: Comments on "Sandboxing with Firejail"

Sandboxing with Firejail

Cyberax — Tue, 26 Jan 2016 02:24:00 +0000

You can try instructions here: http://askubuntu.com/questions/371687/how-to-carry-audio-...

I've tried it in the past to stream audio from my laptop, but the quality was not very good over the WiFi.

Sandboxing with Firejail

drag — Mon, 25 Jan 2016 19:32:38 +0000

With something like skype... if it supports pusleaudio then configure pulseaudio to listen on a TCP socket, give skype the necessary ~/.pulse/ configuration file and cookie to connect to that socket. Run it in a Xvnc server since X11 networking is so problematic.

Should work even if it's ugly.

Sandboxing with Firejail

raven667 — Sat, 23 Jan 2016 01:19:32 +0000

> Which doesn't work with programs not explicitly written for this kind of model.

Well sure, there is no such thing as a free lunch, you need to modify applications to support sandboxing in a user friendly way. The alternative is to bind mount the ~/Download directory in the sandbox but that is substantially more access.

Sandboxing with Firejail

lsl — Fri, 22 Jan 2016 23:42:20 +0000

Which doesn't work with programs not explicitly written for this kind of model. Which makes it kinda useless for most of the things you'd want to contain. See "such a bastard as skype" above.

If open(2) doesn't work for opening a file, real-world utility is going to be limited.

Sandboxing with Firejail

raven667 — Fri, 22 Jan 2016 14:16:21 +0000

The standard way to fix this is to allow am IPC socket inside the sandbox that has access control and only allows a file:open widget outside the sandbox, with file transfer over IPC between security contexts.

Sandboxing with Firejail

andrey.utkin — Fri, 22 Jan 2016 13:23:02 +0000

What about sandboxing such a bastard as skype? It needs audio & video input and output, it needs to upload and download your files when you wish so. Still, I'd wish to guard my .ssh, .gnupg, .thunderbird, .firefox etc. from it.

Currently I am achieving this by running it in separate user account.

Related projects

rwmj — Fri, 22 Jan 2016 13:04:34 +0000

And libvirt-sandbox (http://sandbox.libvirt.org/quickstart/) which gives you a choice of sandboxing in either a container or a full virtual machine.

Sandboxing with Firejail

federico3 — Wed, 20 Jan 2016 16:42:50 +0000

Firejail is really underrated. It can also create persistent overlay filesystems, limit bandwidth, trace system calls.

Related projects

sam.thursfield — Wed, 20 Jan 2016 12:30:49 +0000

Looks like an interesting project and with quite some momentum!

Some related tools:

* libsandbox <https://github.com/openjudge/sandbox> (sandboxing library written in Python)
* linux-user-chroot <https://git.gnome.org/browse/linux-user-chroot> (minimal sandboxing tool written in C, intended for use by build systems)
* Warden <https://github.com/cloudfoundry/warden> (sandboxing program used by CloudFoundry/BOSH, written in Ruby)
* xdg-app <https://github.com/alexlarsson/xdg-app> (desktop-app-specific sandboxing)

I wrote a pretty minimal and incomplete Python library for wrapping different sandboxing mechanisms called Sandboxlib, which currently only wraps linux-user-chroot or the chroot() syscall, but it would be interesting to add support for Firejail. Sandboxlib is here: <https://github.com/CodethinkLabs/sandboxlib>

Sandboxing with Firejail

nix — Tue, 19 Jan 2016 15:43:42 +0000

Thankfully, it looks like the user namespace stuff is extremely optional: all it does is stops someone elevating to root quite as easily. That means this is still usable if you consider user namespaces to be problematic security-wise on account of multiple horrible holes since introduction and disable them :)

This does look *really* useful.

Sandboxing with Firejail

flussence — Thu, 14 Jan 2016 19:46:23 +0000

This is great news; I've been wanting a program like this for *ages*! Having to configure an entire LXC environment always felt like massive overkill for a server with under a dozen services.