Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. –netblue30
For our third Hackathon (codename PB) at Hackers.mu, we tackled Firejail, a very flexible sandboxing program for Linux. Different profiles were made and committed. For my part, I made two profiles: one for Deluge, a BitTorrent client, and one for Gzip, a compressing and decompressing tool. Two versions of each profile were made: one for public use, the other for private use by me on my machine.
Deluge is a high-risk program: it connects to a large number of peers and moves large amounts of data, and packets can be crafted or swapped in transit, leading to data being compromised. An exploit was recently discovered and patched; the exploit can be found here. It allowed context-dependent attackers to cause a denial of service (stack exhaustion and crash) via a crafted bencoded message. The Firejail profile below limits how far an attacker can get into your system if the app is ever compromised.
The profile limits the system calls available to the app by means of the seccomp.keep option, allowing only the calls a stock, untampered version of the app needs in order to function. Several directories the app does not need have been blacklisted, meaning they are no longer accessible to it. The private option was used to give the app a temporary home directory in which its files are stored while it is running. Furthermore, when the app is closed, every change it made to the system is discarded, downloaded files included, so downloads have to be moved out of the sandbox before the app is closed. Doing so, and checking syslog, lets us find out whether a downloaded file has malicious intent or is doing things that were not intended.
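As an added illustration (not the profile from this post or the Firejail project's own), the script below derives a seccomp.keep allow-list from an strace log of a trusted Deluge run and wraps it in a profile that also uses blacklist and private; the strace lines are constructed sample input and the sandbox path is an assumption for the example.

```shell
#!/bin/sh
# Added example: build a Firejail "seccomp.keep" allow-list from observed
# system calls and emit a Deluge profile around it. Not the post's profile.
# CONSTRUCTED strace -f sample (not a real capture of Deluge).
STRACE_SAMPLE='12345 execve("/usr/bin/deluge", ["deluge"], 0x7ffd) = 0
12345 brk(NULL)                         = 0x55d0
12345 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
12345 read(3, "\177ELF"..., 832)         = 832
12346 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
12346 connect(7, {sa_family=AF_INET}, 16) = 0
12346 read(7, "d1:ad2:id20:"..., 1024)   = 1024
12345 +++ exited with 0 +++'

# Extract syscall names from "strace -f" output: drop the pid column, keep the
# identifier before "(", skip signal/exit annotations, then dedupe and join.
# The list only covers behaviour exercised during the trace, so every feature
# of the app must be used while tracing or the filter will kill it later.
syscalls_from_strace() {
    printf '%s\n' "$1" |
        sed -n 's/^[0-9]* *\([a-z_][a-z0-9_]*\)(.*/\1/p' |
        sort -u | paste -s -d ',' -
}

# Compose the profile text. ${HOME}/deluge-sandbox is the throw-away home the
# post describes (path assumed here); Firejail expands ${HOME} itself, so the
# heredoc escapes it while $1 (the allow-list) is expanded by the shell.
build_profile() {
    cat <<EOF
# Deluge profile (example)
include /etc/firejail/disable-common.inc
blacklist /mnt
blacklist /media
caps.drop all
noroot
nonewprivs
protocol unix,inet,inet6
private \${HOME}/deluge-sandbox
private-tmp
private-dev
seccomp.keep $1
EOF
}

# Stand-alone run: print the generated profile.
build_profile "$(syscalls_from_strace "$STRACE_SAMPLE")"
```

Seccomp violations under the resulting profile show up in syslog, which is the check the post relies on before moving downloads out of the sandbox.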
Gzip, the second app tackled, is used to decompress files. Those files can be as dangerous as running commands without the user's knowledge, meaning they can do great harm to the user's system. Many vulnerabilities have also been discovered by the community (see Gzip vulnerabilities), and you can guess how many more have not been discovered yet. By using the profile below, we can mitigate the severity of the damage an attacker can cause, using the several functions of Firejail.
Firejail, being a really flexible program, would be a great topic for research. Expect something concerning it in the future.