Someone please create a FIREJAIL equivalent for FreeBSD ..... Lack of a sandbox tool is the only reason I moved back to Linux

john_rambo

Active Member

Reaction score: 9
Messages: 178

Hi,
I tried FreeBSD some months back. I am paranoid about security. I asked here how to configure PF and I got help almost instantly. Everything was going fine except running Firefox inside a sandbox. I tried very hard to run Firefox inside a Jail but unfortunately I didn't succeed. So I had no choice but to move back to Linux.

If running Firefox or other network facing apps like Pidgin, Thunderbird, etc inside a sandbox is unnecessary or overkill is entirely a different topic. Personally I won't run at least Firefox outside of a sandbox.

So it is my request to the FreeBSD devs and community please make a firejail equivalent for FreeBSD.

Under Linux if you want to run Firefox inside firejail all you need to do is $firejail firefox. That's it.

https://firejail.wordpress.com/
 

drhowarddrfine

Son of Beastie

Reaction score: 2,508
Messages: 4,457

I have submitted my request in that thread. Let's hope for the best.

Posting there will gain you nothing. This is a user's forum, not a feature request forum that developers regularly visit.

In addition, I don't know what firejail is but is this a tool for a tool for a tool? Or is it almost the same as what we already have and Linux has it so we have to? In that case, no.
 

tgl

Active Member

Reaction score: 41
Messages: 114

Firejail had serious vulnerabilities in the past, ending up to increase the surface attack rather than reducing it. I don't believe the situation has been improved so far, since other technologies came out after.
 

kpedersen

Son of Beastie

Reaction score: 2,250
Messages: 3,080

I run all web browsers in a jail. I thought this was common practice.

OP: I highly recommend following this: https://docs.freebsd.org/en/books/handbook/jails/

Take your time to learn how to do it right. If you are happy to sacrifice some security for convenience, you can also just use a chroot (this is useful for OpenBSD, Linux and other operating systems lacking a real Jails system).
 

Zare

Well-Known Member

Reaction score: 73
Messages: 425

...and if you're up for simple web experience you might use minimalistic browser, whose attack sufrace is next to none, as a native process.

Hi,
I tried FreeBSD some months back. I am paranoid about security. I asked here how to configure PF and I got help almost instantly. Everything was going fine except running Firefox inside a sandbox. I tried very hard to run Firefox inside a Jail but unfortunately I didn't succeed. So I had no choice but to move back to Linux.

If running Firefox or other network facing apps like Pidgin, Thunderbird, etc inside a sandbox is unnecessary or overkill is entirely a different topic. Personally I won't run at least Firefox outside of a sandbox.

So it is my request to the FreeBSD devs and community please make a firejail equivalent for FreeBSD.

Under Linux if you want to run Firefox inside firejail all you need to do is $firejail firefox. That's it.

https://firejail.wordpress.com/

Are you aware you can run those programs from different user accounts?

You're paranoid about security but you would use an application (on Linux) that has a history of exploits as your security driver and helper?

If you don't know much in-depth about OS security but you would like to have best possible protection with least effort just follow the basics - firewall for network security, users/groups segmentation for files and programs.

If you know but don't know how to prevent certain attack vector on FreeBSD do write what your use case is about and I'll be glad to help

In case of #1 - FreeBSD already provides some groups that allow user to achieve certain capability.

For instance if you
- make a non wheel account - firefox_user
- add it to the video group
- remove r/x permissions from $HOME dir of your main account
- use xhost to add permission for another account to connect to your session
- set $DISPLAY env in context of firefox user and run firefox from that shell

The browser runs natively but the user account it runs under can't reach your files.
Technically, a normal user application will write to users home and /tmp, and it will read from /usr/local/, /dev/, procfs...
So you can use permissions to hide entire system-wide configuration and enable 'limited' users of this kind only to see what's going on in their home or default packages path.

While you can't just apply sandbox and you need to know what kind of resources application consumes, I'm pretty much certain that a user-local installation of firefox would only require r/w access of $HOME and /tmp with read access to devfs and procfs.

Any exploitation of firefox would result in a shell of limited user account. Whether it can be exploited further via privilege escalation is not to be concerned with in this particular layer of security.

Granted, sandboxes with browsers make things automatic and the browser itself sets security features of a certain loaded page but I prefer the OS generic approach.
 

Alain De Vos

Son of Beastie

Reaction score: 875
Messages: 2,832

My 5-cent,if you want to be safe use openbsd. I seriously doubt firejail on linux is safer.
Or if you trust mozilla foundation ,just use firefox on freebsd.
 
  • Like
Reactions: tgl

ct85711

Active Member

Reaction score: 77
Messages: 107

Two other options you can securely run firefox; is first install it inside a chroot environment. It isn't too secure (better than firejail will ever be), but you have to poke holes to give access to outside the set folder. Like mentioned above, jail will be more secure. Even more above jails, would be running firefox within a complete VM environment. It would be significantly more resource intensive; but every interaction to the system/hardware is emulated. Another bonus putting firefox in a full vm, allows you to share/move the image to other systems/OS and also give you an option that you can rollback any/all changes whenever you want without affecting the base system.
 

Alain De Vos

Son of Beastie

Reaction score: 875
Messages: 2,832

When not doing ssh-forwarding because it will fail, the other option is running a vnc-server in a jail or a nested x-server.
 

Zare

Well-Known Member

Reaction score: 73
Messages: 425

I wanted to say this with first sentence of my previous post; if you can use a browser over VNC or X11, you most certainly do not require "modern web features", what's the point of security isolation of a modern browser then? User in that scenario can try to utilize a number of minimal browsers from ports that shouldn't have any of the capabilities, any of the "millions of lines of code" that are bound to be exploitable.

I ran FF over wired LAN over X11. It was slow and it would simply stop to work. Usage over "corporate intranet" and those kind of sites, hardly the modern web demand. Over VNC it runs fine but with a significant lag. It would be unusable for multimedia, either protocol.
 

kpedersen

Son of Beastie

Reaction score: 2,250
Messages: 3,080

I wanted to say this with first sentence of my previous post; if you can use a browser over VNC or X11, you most certainly do not require "modern web features"
Annoyingly web developers tend to overconsume features. You can barely load google (or these forums!) without a "modern" browser.

Plus, even something as terrible as Facebook runs fine over VNC and X11/ssh (especially over localhost).

X11 can also be run directly via a UNIX socket (with direct access to the /dev/* if you are willing to sacrifice some security for WebGL features).
 

Alain De Vos

Son of Beastie

Reaction score: 875
Messages: 2,832

I like websites you can visit with lynx, elinks, links. I think javascript is a pain.
 

drhowarddrfine

Son of Beastie

Reaction score: 2,508
Messages: 4,457

grahamperrin No. How did you come up with that?

The original post says it's making a request to the devs and the community. This community, in general, is not composed of those who do such work. Requests for software has other places for such things. Here it will most likely fall on deaf ears.
 
Top