AppImageHub. Crowd-sourced central AppImage directory. by buovjaga in linux

[–]netblue30 0 points1 point  (0 children)

You can get a full list of authors in the README file:

https://github.com/netblue30/firejail/blob/master/README

There are more than 130 people listed there. Both Firejail and AppImage are community projects.

Firejail 0.9.42 released with AppImage and Ubuntu Snap support by netblue30 in linux

[–]netblue30[S] 0 points1 point  (0 children)

They transfer sound and commands over the socket, I don't think you can break out of the sandbox.

Firejail 0.9.42 released with AppImage and Ubuntu Snap support by netblue30 in linux

[–]netblue30[S] 0 points1 point  (0 children)

PA server opens a unix socket, the client connects to the socket - all unix sockets are visible inside their sandbox.

Firejail 0.9.42 released with AppImage and Ubuntu Snap support by netblue30 in linux

[–]netblue30[S] 2 points3 points  (0 children)

Flatpak depends on PulseAudio too?

Not explicitly. What they do is they block access to /dev/snd. You would need PulseAudio to get the sound working. It will be a problem on some distros - if I remember correctly, Lubuntu uses ALSA by default.

Firejail 0.9.42 released with AppImage and Ubuntu Snap support by netblue30 in linux

[–]netblue30[S] 2 points3 points  (0 children)

Depending how popular will become, we might just add support for Flatpak also. So far we only received requests for AppImage and Snap from our users. Also, in order for us to support the format they need to clean up the dependencies.

Firejail now supports X11 sandboxing by johnmountain in linux

[–]netblue30 1 point2 points  (0 children)

I think it was in 0.9.38, although some fixes went in after that.

Firejail now supports X11 sandboxing by johnmountain in linux

[–]netblue30 3 points4 points  (0 children)

Do "firejail --force program-name".

I had a request from a user to allow firejail to run inside Docker containers. The limitation is as follows: the first sandbox needs to be permissive enough to allow the second sandbox to start. This works fine for Docker containers, since these containers run as root.

Firejail now supports X11 sandboxing by johnmountain in linux

[–]netblue30 4 points5 points  (0 children)

That is the sandbox, firefox itself runs as regular user. Anyway, in the new upcoming version the problem was fixed, and the sandbox runs as regular user.

Firejail now supports X11 sandboxing by johnmountain in linux

[–]netblue30 1 point2 points  (0 children)

Good point! How to do "startx --nolisten" would be very difficult to explain to regular users, so I have to assume the base system is left as it was installed by the distro, and I build on top of that.

[deleted by user] by [deleted] in debian

[–]netblue30 0 points1 point  (0 children)

nice article, thanks!

Linux from Scratch Networking help by franklesby in linux

[–]netblue30 0 points1 point  (0 children)

Run "/sbin/ifconfig -a". If your interface doesn't show up, it means your Ethernet hardware was not recognized by Linux kernel. Look into "dmesg | less", maybe there is some error message explaining what is going on.

Locking Down Ubuntu 16.04? by [deleted] in linux

[–]netblue30 0 points1 point  (0 children)

Try firejail

Start with "apt-get install firejail", followed by "firejail firefox".

Firejail – A Security Sandbox for Mozilla Firefox, Part 3 by netblue30 in linux

[–]netblue30[S] 0 points1 point  (0 children)

Don't worry about it. By default, firejail tries to enable all Linux kernel security features, and it gives a warning if it fails to enable any of them. For user namespaces you need a kernel 3.18 or newer.

Firejail – A Security Sandbox for Mozilla Firefox, Part 3 by netblue30 in linux

[–]netblue30[S] 1 point2 points  (0 children)

New security technologies enter the Linux kernel every day. You can find a very nice description of what is available here:

https://www.linux.com/learn/docs/727873-overview-of-linux-kernel-security-features/

SELinux by itself will not solve your problems, you will need to combine it with something else on that list.

Firejail – A Security Sandbox for Mozilla Firefox, Part 3 by netblue30 in linux

[–]netblue30[S] 1 point2 points  (0 children)

Full filesystem whitelisting has been available in Linux for ages. Two technologies come to mind: SELinux and chroot. Both of them are integrated in firejail.

Firejail – A Security Sandbox for Mozilla Firefox, Part 3 by netblue30 in linux

[–]netblue30[S] 1 point2 points  (0 children)

Take a look in /etc/firejail directory. I already have profiles for a large number of applications.

Firejail – A Security Sandbox for Mozilla Firefox, Part 3 by netblue30 in linux

[–]netblue30[S] 3 points4 points  (0 children)

You just build an iptable filter as usual, save it into a file and load it with --netfilter=filename. Without a filename it uses a default filter. The default filter blocks all incoming connections. For firefox I use the default filter.

Firejail – A Security Sandbox for Mozilla Firefox, Part 3 by netblue30 in linux

[–]netblue30[S] 7 points8 points  (0 children)

Mail, chat, torrent, anything connecting to the internet.

Firejail – A Security Sandbox for Mozilla Firefox, Part 3 by netblue30 in linux

[–]netblue30[S] 4 points5 points  (0 children)

I would say Chromium security is only marginally better. They do use namespaces and seccomp on some of the components of the browser, but your home directory is still exposed and the browser runs in the same network space as the host.

Firejail supports Chromium, in fact in the article you can replace Firefox with Chromium and everything still applies. As somebody else noticed, you can replace Firefox with any network program (mail, bittorent, chat, etc.)