Firejail: Difference between revisions

From ArchWiki
(→Firetools: add == Creating custom profiles ==)
(→Firetools: add == Firejail with Xephyr ==)
Revision as of 11:46, 27 January 2021


Firejail is an easy-to-use SUID sandbox program that reduces security risk by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It can be used on its own, or combined with other kernel hardening systems such as Grsecurity to raise security further. Firejail is suitable for browsers, desktop applications, and daemons/servers.

Installation

Install the firejail or firejail-git (AUR) package. A GUI application for use with Firejail, firetools, is also available.

Note: For information about user_namespaces(7) support in Arch Linux kernels, see Security#Sandboxing applications. Firejail can use it even if it is disabled.
Warning: While upstream is gradually adopting whitelists (cf. /etc/firejail/firefox.profile), most of the supplied profiles still rely heavily on blacklists. This means that anything not explicitly forbidden by the profile will be accessible to the application. For example, if you have btrfs snapshots available in /mnt/btrfs, a jailed program may be forbidden from accessing $HOME/.ssh, but would still be able to access /mnt/btrfs/@some-snapshot/$HOME/.ssh. Make sure to audit your profiles, see #Testing profiles.

Apparmor integration

Since 0.9.60-1, firejail has supported more direct integration with Apparmor through a generic Apparmor profile. During installation, the profile firejail-default is placed in the /etc/apparmor.d directory and needs to be loaded into the kernel by running the following command as root:

# apparmor_parser -r /etc/apparmor.d/firejail-default

To quote the manual:

The installed profile is supplemental for main firejail functions and among other things does the following:
  • Disable ptrace. With ptrace it is possible to inspect and hijack running programs. Usually this is needed only for debugging.
  • Whitelist write access to several files under /run, /proc and /sys.
  • Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Those paths are available as read-only. Running programs and scripts from user home or other directories writable by the user is not allowed.
  • Prevent using non-standard network sockets. Only unix, inet, inet6, netlink, raw and packet are allowed.
  • Deny access to known sensitive paths like .snapshots.

Local customizations of the Apparmor profile are supported by editing the file /etc/apparmor.d/local/firejail-local.

Configuration

Firejail uses a profile for each application it runs. The default profiles live in /etc/firejail/application.profile. To modify a default profile, or to create a custom profile for an application that has no default, place new rules or a copy of the default profile in ~/.config/firejail.

Paths containing spaces

When referencing, whitelisting or blacklisting a directory in a custom profile, use the absolute path as in this example (e.g. palemoon (AUR)): /home/user/.moonchild productions

Usage

To run an application under firejail with seccomp (e.g. okular), run:

$ firejail --seccomp okular

Private mode

Firejail also has a one-time private mode. In private mode the home directory is not mounted in the chroot, so the application runs without leaving any trace on disk. For example, to run okular in private mode, run:

$ firejail --seccomp --private okular

Using Firejail by default

To run an application under Firejail by default, create a symbolic link to /usr/bin/firejail as follows:

$ ln -s /usr/bin/firejail /usr/local/bin/okular

Alternatively, if you launch applications from the console or from .desktop files, you can create a launcher for each application in /usr/local/bin. For example, for okular, create the following file and make it executable:

/usr/local/bin/okular
#!/bin/sh
# Wrapper: run the real binary inside firejail with seccomp, passing all arguments through
exec firejail --seccomp /usr/bin/okular "$@"

Desktop files

Some applications do not use the standard paths. For such applications, copy the /usr/share/applications/*.desktop launcher to ~/.local/share/applications/ and add firejail (and seccomp) to the Exec line to run them under firejail.

Daemons

For daemons, override the daemon's systemd unit file so that it invokes firejail. See systemd#Editing provided unit files.

Notes

Some applications do not work well with Firejail or need special configuration. If a particular application cannot use all the directories it needs because they are blacklisted, edit the profile to enable the non-standard directories the application must access. Wine is one such case: Wine usually does not work when seccomp is enabled.

Other settings exist as well; because firejail development moves quickly, consult the firejail man page for details.

Creating custom profiles

Whitelists and Blacklists

Blacklists are permissive:

  • Permit everything not explicitly forbidden: blacklist <location/file>
  • Permit file or location in any later blacklist: noblacklist <location/file>

Whitelists are restrictive:

  • Forbid everything not explicitly permitted: whitelist <location/file>
  • Forbid file or location in any later whitelist: nowhitelist <location/file>

Profile writing

The basic process is:

  1. Copy the default profile (which uses blacklists) to your work folder and give it a unique name
  2. Change the line include /etc/firejail/default.local to include /etc/firejail/ProfileName.local
  3. Gradually comment/uncomment the various options while checking at each stage that the application runs inside the new sandbox
  4. Desirable options not available in the copied default profile can be found by consulting the manual
  5. Build a whitelist of permitted locations. For portability, it may be advisable to place at least some of this list in a .local file
  6. Test the profile for security holes, see #Testing profiles
  7. Once satisfied, copy your new profile to either /etc/firejail/ or ~/.config/firejail/

You may find the following to be useful:

  1. firejail --debug $OtherOptions $PathToProfile $Program > $PathToOutputFile gives a detailed breakdown of the sandbox
  2. firejail --debug-caps gives a list of caps supported by the current Firejail software build. This is useful when building a caps whitelist.
  3. firejail --help for a full list of --debug options
  4. firemon PID monitors the running process. See firemon --help for details
  5. checksec may also be useful in testing which standard security features are being used
Note:
  • The idea is to be as restrictive as possible, while still maintaining usability. This may involve sacrificing potentially dangerous functionality and a change in cavalier work habits.
  • By default, seccomp filters work on a blacklist (which can be found in the manual). It is possible to use seccomp.keep to build a custom whitelist of filters for an application. [1].
  • The list of possible options for a firejail profile is extensive, and users should consult the firejail-profile(5) man page.

Persistent local customisation

The standard profile layout now includes the capability to make persistent local customisations through the inclusion of .local files. Basically, each officially supported profile contains the lines include /etc/firejail/ProgramName.local and include /etc/firejail/globals.local. Since the order of precedence is determined by which is read first, this makes for a very powerful way of making local customisations. For example, with reference to this firejail question, to globally enable Apparmor and disable Internet connectivity, one could simply create/edit /etc/firejail/globals.local to include the lines

# enable Apparmor and disable Internet globally
net none
apparmor

Then, to allow, for example, "curl" to connect to the internet, yet still maintain its Apparmor confinement, one would create/edit /etc/firejail/curl.local to include the lines:

# enable internet for curl
ignore net

Since curl.local is read before globals.local, ignore net overrides net none, and, as a bonus, the above changes would be persistent across future updates.
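To see which directives survive the include order described above, here is an added shell helper (not part of Firejail and not its parser) that reads PROGRAM.local and then globals.local from a directory and drops every later line cancelled by an ignore directive; it assumes ignore matches lines by prefix on the command name, which is how ignore net cancels net none in the example:

```shell
#!/bin/sh
# Added helper, not part of Firejail: shows which .local directives survive when
# a profile includes PROGRAM.local first and globals.local second.
# Assumption: "ignore X" drops every later line that starts with X (prefix match).

# effective_local_directives DIR PROGRAM
#   Prints, one per line, the directives from DIR/PROGRAM.local and
#   DIR/globals.local that are not cancelled by an earlier "ignore" line.
effective_local_directives() {
    dir=$1
    prog=$2
    ignores=""
    # Read order matters: the program-specific file is included first.
    for f in "$dir/$prog.local" "$dir/globals.local"; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*) continue ;;                                   # blank or comment
                'ignore '*) ignores="$ignores ${line#ignore }"; continue ;;
            esac
            skip=0
            for ig in $ignores; do
                case "$line" in "$ig"*) skip=1 ;; esac
            done
            if [ "$skip" -eq 0 ]; then
                printf '%s\n' "$line"
            fi
        done < "$f"
    done
}

# Worked example from the text, built in a temporary directory (constructed files).
demo() {
    d=$(mktemp -d)
    printf '# enable Apparmor and disable Internet globally\nnet none\napparmor\n' > "$d/globals.local"
    printf '# enable internet for curl\nignore net\n' > "$d/curl.local"
    echo "curl:"; effective_local_directives "$d" curl            # only "apparmor" survives
    echo "wget (no wget.local):"; effective_local_directives "$d" wget   # "net none" and "apparmor"
    rm -rf "$d"
}

demo
```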

Testing profiles

Firejail's built in audit feature allows the user to find gaps in a security profile by replacing the program to be sandboxed with a test program. By default, firejail uses the faudit program distributed with Firejail. (Note: A custom test program supplied by the user can also be used.) Examples:

  1. Run the default audit program: $ firejail --audit transmission-gtk
  2. Run a custom audit program: $ firejail --audit=~/sandbox-test transmission-gtk

In the examples above, the sandbox configures the transmission-gtk profile and starts the test program. The real program, transmission-gtk, will not be started.

Note: The audit feature is not implemented for --x11 commands.
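A custom audit program of the kind --audit=~/sandbox-test accepts, written here as an added example (this is not Firejail's faudit): Firejail starts it inside the sandbox in place of the real program, and it reports which of an assumed list of sensitive paths remain reachable, the blacklist gap the warning at the top of this page describes.

```shell
#!/bin/sh
# Hypothetical custom audit program (not Firejail's faudit) for
#   firejail --audit=/path/to/sandbox-test PROGRAM
# Firejail starts this script inside PROGRAM's sandbox instead of PROGRAM, so
# every check below sees exactly what the sandboxed program would see.

# Paths a blacklist-based profile may leave exposed (assumed list; extend it
# with your own mount points, e.g. a btrfs snapshot directory under /mnt).
SENSITIVE_PATHS="${HOME:-/root}/.ssh ${HOME:-/root}/.gnupg /mnt /etc/shadow /run/user/$(id -u)/keyring"

# probe_path PATH: prints "PATH<TAB>flags" where flags are r (readable),
# w (writable), x (directory can be entered), or "blocked" when none apply.
# Returns 0 when the path is reachable in any way, 1 when it is blocked.
probe_path() {
    p=$1
    flags=""
    if [ -r "$p" ]; then flags="${flags}r"; fi
    if [ -w "$p" ]; then flags="${flags}w"; fi
    if [ -d "$p" ] && [ -x "$p" ]; then flags="${flags}x"; fi
    if [ -z "$flags" ]; then
        printf '%s\tblocked\n' "$p"
        return 1
    fi
    printf '%s\t%s\n' "$p" "$flags"
    return 0
}

# count_reachable PATH...: echoes how many of the given paths are reachable.
count_reachable() {
    n=0
    for p in "$@"; do
        if probe_path "$p" >/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Report for the sandboxed program. Word splitting of SENSITIVE_PATHS is
# intended (the assumed paths contain no spaces).
for p in $SENSITIVE_PATHS; do probe_path "$p" || true; done
echo "reachable: $(count_reachable $SENSITIVE_PATHS) of $(echo $SENSITIVE_PATHS | wc -w) sensitive paths"
```

Any path reported with flags rather than blocked is a candidate for a blacklist or whitelist line in the profile being tested.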

Firejail with Xephyr

Xephyr will allow you to sandbox Xorg. If you want to be able to resize windows, install a window manager such as Openbox.

The Xephyr screen size can be set with xephyr-screen WidthxHeight in /etc/firejail/firejail.config, where Width and Height are in pixels and based on your screen resolution.

To open the sandbox:

$ firejail --x11 --net=device openbox

device is your active network interface. Then right click and select your applications to run.

Note: If you use Unbound, dnsmasq, Pdnsd or any other local cache as your resolver on 127.0.0.1, for example, leave --net=device out of the command, as your network should then work automatically.

A great guide can be found on the Firejail Wordpress.

According to the guide:

The sandbox replaces the regular X11 server with Xpra or Xephyr server. This prevents X11 keyboard loggers and screenshot utilities from accessing the main X11 server.

Note that the statement:

The only way to disable the abstract socket @/tmp/.X11-unix/X0 is by using a network namespace. If for any reasons you cannot use a network namespace, the abstract socket will still be visible inside the sandbox. Hackers can attach keylogger and screenshot programs to this socket.

is incorrect: xserverrc can be edited to pass -nolisten local, which disables the abstract sockets of X11 and helps isolate it.
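An added check (not from the guide or the wiki) to confirm whether -nolisten local took effect on the running X server: it parses ss -xl output from iproute2 for abstract X11 sockets, which live in the network namespace rather than the filesystem and so cannot be hidden by a profile blacklist; the sample output embedded below is constructed.

```shell
#!/bin/sh
# Added check, not from the wiki page: list X11 abstract sockets ("@" prefix)
# that are still listening. They live in the network namespace, not the
# filesystem, so only a network namespace (--net) or "-nolisten local" on the
# X server removes them from a sandbox's view.

# abstract_x11_sockets: reads `ss -xl` style output on stdin and prints the
# abstract X11 socket names found, one per line. Exit status 0 if any found.
abstract_x11_sockets() {
    awk '$1 == "u_str" && $2 == "LISTEN" && $5 ~ /^@\/tmp\/\.X11-unix\/X/ { print $5; found = 1 }
         END { exit found ? 0 : 1 }'
}

# check_live: run against the real socket table (requires iproute2 `ss`).
check_live() {
    command -v ss >/dev/null 2>&1 || { echo "ss (iproute2) not found"; return 2; }
    if socks=$(ss -xl | abstract_x11_sockets); then
        printf 'abstract X11 socket(s) visible to any sandbox started without --net:\n%s\n' "$socks"
        return 1
    fi
    echo "no abstract X11 sockets listening (-nolisten local in effect, or no X server)"
}

# Constructed sample of `ss -xl` output: a default Xorg (no -nolisten local)
# listening on both the abstract and the filesystem socket, plus an unrelated bus.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port     Peer Address:Port
u_str LISTEN 0      128    @/tmp/.X11-unix/X0 20520        * 0
u_str LISTEN 0      128    /tmp/.X11-unix/X0 20521         * 0
u_str LISTEN 0      4096   /run/user/1000/bus 19876        * 0'

# Demonstration on the constructed sample: prints @/tmp/.X11-unix/X0
printf '%s\n' "$SAMPLE_SS_OUTPUT" | abstract_x11_sockets || true
```

Run check_live on the host before and after changing xserverrc to confirm the abstract socket is gone while the filesystem socket /tmp/.X11-unix/X0 remains.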

Sandboxing a browser

Openbox can be configured to start a certain browser at startup. program.profile is the respective profile contained in /etc/firejail, and --startup "command" is the command line used to start the program. For example, to start Chromium in the sandbox:

$ firejail --x11 --profile=/etc/firejail/chromium.profile openbox --startup "chromium"

Firetools

A GUI application for using Firejail is available: firetools.

Troubleshooting

PulseAudio

There is a known issue where PulseAudio does not work well with Firejail. A temporary workaround:

mkdir -p ~/.config/pulse
cp /etc/pulse/client.conf ~/.config/pulse/
echo "enable-shm = no" >> ~/.config/pulse/client.conf

See also