Hard to do "secure by default" profiles

[jjakob]

As someone who just started using firejail I had quite a few problems. The biggest issue I have is there is no "secure by default" mode, where the profile could start with zero permissions and gradually add to them. By zero permissions I mean something like a container or VM, where the only mounted filesystems are tmpfs, all required files to run are made from scratch (not copied from the host which could expose the host's identity in the sandbox, which is how it currently works for a lot of files in /etc: passwd, resolv.conf,...), there is no network, the host's username and environment are not copied in, and so on.

1. filesystem
   Regarding blacklist specifically, I found that blacklist /* breaks everything, because blacklist seems to be processed as the last step when building the filesystem, so even any mounts and directories created by firejail itself (for example private-etc, private-bin, private-lib,...) are blacklisted and return "permission denied" inside the sandbox. I could not figure out how to "unblacklist" only specific directories after a blacklist /* - I tried noblacklist, whitelist, did not work, so I had to create a long list of blacklist directives that specifically excluded things like: /tmp, /dev, /bin, /sbin, /usr/lib, /usr/lib64, /lib, /lib64, /home, /proc. This is made worse by the fact that blacklist only supports basic globbing and so you cannot exclude just one directory from the glob /usr/*: I wanted to not blacklist /usr/share or /usr/lib, so I had to separately blacklist these: /usr/[a-k]* /usr/[m-r]* /usr/s[br]* /usr/[t-z]*. Maybe I am completely misunderstanding how blacklist, whitelist, noblacklist, ignore blacklist work, but I could not figure out any other way. And in order to make a file accessible, not blacklisting is not enough, it also has to be whitelisted? Not blacklisting it and not whitelisting it does not make it accessible if I understand correctly?

2. private-lib
   If you specify a path to a lib file, firejail will put the file directly into /lib, it will not recreate the original path components (for example: private-lib my/libexample.so will put it in /lib/libexample.so even though it was in /lib/my/example.so.). This breaks some programs that are hardcoded to search in a particular path. If you specify a directory, the directory is recreated with all its contents, for example private-lib my. This works around the previous problem but then you can't select just one lib file inside a directory because it will copy all of them.
   In combination with private-bin it does not find all libraries binaries depend on. In my case it did not find libstdc++.so.6 and libgcc_s.so.1, which I found a lot of issues here saying the same thing. Seems like a bug. (it also did not find libatomic.so or libGL.so)

3. private-bin
   It does not work on /usr/libexec. For example /usr/libexec/webkit2gtk-4.1 which contains binaries for webkit-gtk. So you have to whitelist the path manually. This means private-lib will not automatically find the libraries those binaries depend on so you have to add them by hand to private-lib. Ideally it would also work on and create /usr/libexec inside the sandbox (preserve the full path as it is on the host, in case something expects a hardcoded path to those binaries) and allow private-lib to find libraries those binaries depend on.

4. rmenv, env
   There's no way to clear all environment from the host, for example just rmenv could clear all host environment.
   env could then work like this: env HOME would copy HOME from the host into the sandbox. (no need for fixed assignment).
   I worked around this by copying env and sh executables into the sandbox and executing a shell script like so: sh -c 'env -i HOME="$HOME" USER="$USER" DISPLAY="$DISPLAY" command' which is ugly. env -i unsets all environment except that set by its arguments, but only for the executed command passed as arguments. I have not found a simple way to unset all env variables for the entire shell script (shell unset does not have a "unset all" mode).

5. add a random username function
   Currently the host's username is copied into the sandbox. This is identifying information, it should be possible to have a feature that randomizes the username, or even better uses a very common username, for example 'ubuntu'. It would also need to work with private in order to change the home directory name, and set environment variables accordingly.

In general I think it is better to always write default behavior to be as secure as possible, even if it makes creating custom profiles more tedious because every single thing must be specifically allowed - that is much better than having a default to allow and having to disallow access to a list. I don't think it would be such a problem to hinder functionality or ease of use. Ease of use and security are roughly inversely proportionate to one another.

[rusty-snake]

2. private-lib was never really on a 1.0 level. Actually it was always in an experimental stage and never left it because it did not saw relevant development after the initial implementation. See private-lib + python is broken #3236 for example.

---

4. rmenv, env

Open a feature request for it (and then open a PR with the implementation 😉 ).

For scripting, something like that should be possible:

#!/bin/bash
if [[ $ENVCLEARED != true ]]; then
    exec env -i ENVCLEARED=true HOME="$HOME" USER="$USER" DISPLAY="$DISPLAY" /bin/bash "$@"
fi

[jjakob]

2. Python and interpreted languages are another thing. Each one is a special case that would require special handling. The problem with it not adding gcc libs is not related to that. I don't know why it does not add them, they are C libraries, which are shown in the output of ldd for the binaries I copy in with private-bin.

---

4. will create a feature request

[rusty-snake]

2. Don't know if you looked at it but the problem is not specific to python/interpreters.

[rusty-snake]

I found that blacklist /* breaks everything

Yes. Why do you want to blacklist everything?

I could not figure out how to "unblacklist" only specific directories after a blacklist /*

You can not. Once blacklisted it is blacklisted forever. However you can exclude paths from being blacklisted like

noblacklist /mnt/hdd01
blacklist /mnt/*

/tmp, /dev, /bin, /sbin, /usr/lib, /usr/lib64, /lib, /lib64, /home, /proc

So how long is the list of blacklisted stuff?

This is made worse by the fact that blacklist only supports basic globbing and so you cannot exclude just one directory from the glob /usr/*:

But you can strip it after the glob, see above.

Maybe I am completely misunderstanding how blacklist, whitelist, noblacklist, ignore blacklist work, but I could not figure out any other way

You don't completely misunderstand it but it is way to complex and unintuitive for new users.

And in order to make a file accessible, not blacklisting is not enough, it also has to be whitelisted? Not blacklisting it and not whitelisting it does not make it accessible if I understand correctly?

Depends (see also #3041).

Think of black and whitelising as two independent things. There is no code in firejail that links them together, only the kernel does it if you apply both to the same paths, like x + 1 and x / 2 do not know each other but if you do x + 1 / 2 you get a result influenced by both.

How blacklisting does work. When a file is accessible from the blacklisting PoV.

flowchart LR
    A{Next Command} -->|noblacklist| B
    B(Push the path to the list of paths that should not be blacklisted.) --> A
    A -->|blacklist| C
    C(Expand globbing) --> D
    D{Does this path match any entry in the noblacklist-list?} -->|Yes| A
    D -->|No| E(blacklist it now) --> A

Loading

This means a file is accessible from the blacklisting PoV if

• neither the file itself nor any parent directory are blacklisted
• or this blacklist is skipped because of a matching noblacklist

  • Note: The noblacklist must exactly match the blacklist.

    # ~/Pictures is blacklisted
    noblacklist ${HOME}/Pictures/Trains
    blacklist ${HOME}/Pictures
    
    # ~/Pictures/Trains is *not* blacklisted
    noblacklist ${HOME}/Pictures/Trains
    blacklist ${HOME}/Pictures/Trains
    
    # ~/Pictures/Trains is blacklisted
    noblacklist ${HOME}/Pictures
    blacklist ${HOME}/Pictures/Trains
    
    # ~/Pictures/Trains is *not* blacklisted
    noblacklist ${HOME}/Pictures/Trains
    blacklist ${HOME}/Pictures/*
    

  • Note: A noblacklist only affects later blacklist

    # ~/Pictures is *not* blacklisted
    noblacklist ${HOME}/Pictures
    blacklist ${HOME}/Pictures
    
    # ~/Pictures *is* blacklisted
    blacklist ${HOME}/Pictures
    noblacklist ${HOME}/Pictures
    

• or if the file was created after the sandbox was started

How whitelisting does work. When a file is accessible from the whitelisting PoV.

First of, whitelisting is opt-in.

whitelist has something called top-directory. The following top-directories are defined: /* (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and /usr/*.

So a file is accessible from the whitelisting PoV if

• there isn't any whitelist for it's top-directory
• there is a whitelist for it's top-directory and there is a whitelist for the file itself or one of it parent directories within the top-directory

# ~/Pictures/Trains is accessible (from whitelisting PoV).
# _Nothing_

# ~/Pictures/Trains is accessible (from whitelisting PoV).
whitelist /mnt/hdd01

# ~/Pictures/Trains is accessible (from whitelisting PoV).
whitelist ${HOME}/Downloads
whitelist ${HOME}/Pictures/Trains

# ~/Pictures/Trains is accessible (from whitelisting PoV).
whitelist ${HOME}/Downloads
whitelist ${HOME}/Pictures

# ~/Pictures/Trains is *not* accessible (from whitelisting PoV). Actually it is invisible.
whitelist ${HOME}/Downloads

# ~/Pictures/Trains is accessible (from whitelisting PoV). It only contains `Engines`
whitelist ${HOME}/Downloads
whitelist ${HOME}/Pictures/Trains/Engines

[jjakob]

Thanks for this explanation, I think I understand it much better now.
A couple more questions regarding whitelist:

1. If a whitelist top-level directory is not referenced by any whitelist command, it is whitelisted by default?
2. If it's then referenced in a whitelist command, only the paths defined by the whitelist command are whitelisted for that particular top-level directory, no longer the entire top-level directory?
3. How does whitelist interact with "private" command? For example, if "private" is used with "whitelist $HOME/file", is file bind-mounted into the temporary home mount? Does "private" effectively disable the default HOME whitelist if no explicit whitelist for HOME is configured? (it would have to, in order to work like described?)

[jjakob]

I tried this

noblacklist /usr/share/icons
noblacklist /usr/share/mime
noblacklist /usr/share/mime-info
noblacklist /usr/share/fonts
noblacklist /usr/libexec/webkit2gtk-4.1
noblacklist /usr/share/ca-certificates
blacklist /usr/*

but it did not work. Still blacklisted entire /usr.
Then this:

noblacklist /usr/share/icons
noblacklist /usr/share/mime
noblacklist /usr/share/mime-info
noblacklist /usr/share/fonts
noblacklist /usr/libexec/webkit2gtk-4.1
noblacklist /usr/share/ca-certificates
blacklist /usr/share/*
noblacklist /usr/share
blacklist /usr/libexec/*
noblacklist /usr/libexec
blacklist /usr/*

Does work, but the problem is /usr/ still contains all the directories even if they should not be blacklisted (are not in noblacklist). Same in /usr/libexec and /usr/share. /usr/share is the biggest problem here really as it has the biggest number of directories used by applications and gives a lot of information on what applications the host system has installed. They are not accessible ("permission denied" within the sandbox) but still, that's not good. I don't want them to even be present.

[rusty-snake]

If a whitelist top-level directory is not referenced by any whitelist command, it is whitelisted by default?

Depends on how you understand "whitelisted by default". Whitelisting is opt-in, so if there isn't any whitelist for this top-dir, whitelisting is not enabled for this top-dir (i.e. everything is allowed from whitelist PoV).

If it's then referenced in a whitelist command, only the paths defined by the whitelist command are whitelisted for that particular top-level directory, no longer the entire top-level directory?

Correct.
_{Caution on correct/agreeing understanding of terms.}

How does whitelist interact with "private" command? For example, if "private" is used with "whitelist $HOME/file", is file bind-mounted into the temporary home mount? Does "private" effectively disable the default HOME whitelist if no explicit whitelist for HOME is configured? (it would have to, in order to work like described?)

private really means private. whitelist is going to be ignored (effectively).

There is no default whitelist. whitelisting is opt-in.

I tried this [] but it did not work.

Because "the noblacklist must exactly match the blacklist."

Does work, but the problem is /usr/ still contains all the directories even if they should not be blacklisted (are not in noblacklist). Same in /usr/libexec and /usr/share. /usr/share is the biggest problem here really as it has the biggest number of directories used by applications and gives a lot of information on what applications the host system has installed. They are not accessible ("permission denied" within the sandbox) but still, that's not good. I don't want them to even be present.

You do not want blacklist. You want whitelist.

• blacklist makes files inaccessible.
  • Technically it's mount --bind file_of_same_type_with_perms_000 target
  • It's the same as InaccessiblePaths= in systemd.
• whitelist, is more complex
  • It hides paths that are not whitelisted
  • Technically it's (simplified)

    mount tmpfs $new_usr_share
    mkdir $new_usr_share/icons
    mount --bind /usr/share/icons $new_usr_share/icons
    mkdir $new_usr_share/fonts
    mount --bind /usr/share/fonts $new_usr_share/fonts
    $new_usr_share -> /usr/share
    

  • This comes with some restrictions.

[jjakob]

I replaced it with

whitelist-ro /usr/share/icons
whitelist-ro /usr/share/mime
whitelist-ro /usr/share/mime-info
whitelist-ro /usr/share/fonts
whitelist-ro /usr/share/ca-certificates
whitelist-ro /usr/libexec/webkit2gtk-4.1

but still the entire /usr is copied and accessible with all subdirectories. It's not even as good as the blacklist I had before which at least disallowed access to the paths I did not want.

[rusty-snake]

Remember:

The following top-directories are defined: /* (except /proc and /sys), /sys/module, /run/user/$UID, $HOME and /usr/*.

The top-directory is unfortunately implicit.

For everything that is not a top-dir (or where whitelisting can not be used for other reasons), you have to got with blacklist /foo/bar/*. Everything else, that's inside a top-dir, you can use whitelist.

Edit: Also you should see that the situation in /usr/share and /usr/libexec is better now.

[rusty-snake]

By zero permissions I mean something like a container or VM, where the only mounted filesystems are tmpfs, all required files to run are made from scratch (not copied from the host which could expose the host's identity in the sandbox, which is how it currently works for a lot of files in /etc: passwd, resolv.conf,...), there is no network, the host's username and environment are not copied in, and so on.

If you want that, is firejail the right tool for you?

Firejail has a chroot command that can be the base for this.

[jjakob]

Do you know of a tool to create a throwaway chroot for each application run, preferably created with the same method that private-bin and private-lib do from the host system? I know I could have template based chroots, or have preinstalled rootfs images of various OS. But managing and updating those would be much harder than firejail. It's the reason I like firejail, because it can create a rootfs from scratch, copying the required files from the host. Maybe you know of some other tool that can do it?

[rusty-snake]

flatpak?

Where/How should the programs be installed?

For bubblejail IDK how much rootfs is shared by default.

crablock isn't ready yet ☹️

[rusty-snake]

In general I think it is better to always write default behavior to be as secure as possible, even if it makes creating custom profiles more tedious because every single thing must be specifically allowed - that is much better than having a default to allow and having to disallow access to a list. I don't think it would be such a problem to hinder functionality or ease of use.

The problem is compatibility. What when you get a new kind for permission, like restrict-namespaces in 0.9.72 or noprinters in 0.9.68. Profiles need a marker to what base-profile version they are written (like targetSdk in the Android world).

Ease of use and security are roughly inversely proportionate to one another.

Agree and Disagree. From a technical PoV you are absolutely right (in 90% of the cases). However if it is to tricky (see above) you will end up with no security because

• it is too complicated to setup and you give up
• it is too unfriendly during use, you can not do your work and drop it
• it is too complicated to setup and you make something wrong (that is the point a lot of people how switch from firejail to plain bubblewrap get)

therefore you sometimes have to go with less security than technical possible so you get more security in the end.