Someone please create a FIREJAIL equivalent for FreeBSD ..... Lack of a sandbox tool is the only reason I moved back to Linux

Hi,
I tried FreeBSD some months back. I am paranoid about security. I asked here how to configure PF and I got help almost instantly. Everything was going fine except running Firefox inside a sandbox. I tried very hard to run Firefox inside a Jail but unfortunately I didn't succeed. So I had no choice but to move back to Linux.

Whether running Firefox or other network-facing apps like Pidgin, Thunderbird, etc. inside a sandbox is unnecessary or overkill is an entirely different topic. Personally, I won't run at least Firefox outside of a sandbox.

So it is my request to the FreeBSD devs and community please make a firejail equivalent for FreeBSD.

Under Linux, if you want to run Firefox inside firejail, all you need to do is: $ firejail firefox. That's it.

https://firejail.wordpress.com/
If you're paranoid about security, you really probably shouldn't be using Linux unless it's Qubes. I've read that OpenBSD is renowned for having out-of-the-box default hardening applied, along with patching many of the gaping security holes in X11. So if you're looking for a "just works" solution, OpenBSD or Qubes are about as hardcore as you can get. ... That is, if you're serious about being paranoid.

FreeBSD is more like a highly versatile template that you can do anything with. It can be hardened, jailed, VM'd, etc. I imagine it can be hardened as much as OpenBSD if you really took the time and knew what you were doing.

As others have said, just follow the guide for jailing Firefox. I run my entire system as a set of jails for literally every activity I do. The host is just a jail coordinator. Also, it is better to share the .X11-unix socket rather than use ssh X11 forwarding. There's no reason to encrypt the stream; it just eats resources and can cause display issues.
 
This whole thread is rather embarrassing (as usual with this topic).

1. OpenBSD doesn't even approach Qubes in terms of isolation: Qubes runs everything in a separate virtual machine with appropriate access controls, while OpenBSD does nothing of the sort. Remember that Xorg doesn't limit keyboard/screen/clipboard access in any way, not to mention potential attacks on the X server itself.

2. OpenBSD's pledge/unveil works roughly at the same level as Linux's seccomp-bpf and stuff, so they should offer a similar level of protection against browser exploits. FreeBSD lags behind both — Firefox and Chromium sandboxes are simply disabled there.

3. Firejail is unlikely to offer any additional protection over the built-in browser sandbox: it's written by people of inferior skill (in comparison to the browser developers; whatever you think about Google, Chrome devs are definitely smarter people), based on the same kernel primitives and has no insight into internal browser things. Also keep in mind that the main point of browser sandboxing is protecting your sensitive site data from other malicious or compromised sites — nothing that an external sandbox can fix.

4. Running a browser in a FreeBSD jail does actually make some sense, considering the lack of built-in sandboxing there; however, this is very difficult to do properly: you'll have to fully isolate it from the host's Xorg and you'll also have to maintain multiple separate jails for work/entertainment/banking activities. I think it's fair to say people like that don't exist. Sorry.
 
grahamperrin Nothing I ever said had anything to do with "the Foundation's call" and I don't even know what you're talking about, because I did not respond to anything beyond the OP's initial post.

This sounds too much like a reddit thread back-and-forth, and I loathe anything reddit. You're not following anything I said and it seems you make things up as you go along, so I'm not responding anymore.
 
Perhaps, the below might be of interest to someone. Running a service in a jail is so easy.
Code:
  /usr/sbin/jail /jails/www www 10.10.10.36 /lighttpd -f conf/lighttpd.co
... and although this jail has a lot of content files in it, the actual UNIX userland is only what is required to run 'lighttpd'
  # find /jails/www/usr | wc -
  4
So it's an extremely lightweight environment with very little attack surface
You can also share a lightweight environment with multiple commands - here are two other jail commands

  /usr/sbin/jail /jails/dns ns1 10.10.10.30 /nsd/nsd -c /nsd/nsd.co
  /usr/sbin/jail /jails/dns dns 10.10.10.37 /unbound/unbound -c /unbound/unbound.con
... see how both jailings of 'nsd' and 'unbound' point to the same '/jails/dns' userland? Once again, that userland is very, very compact:
  # find /jails/dns/|wc -
  9
... so, 97 files total to run both name servers.
Source: HackerNews(Item id=29649066)

Other members might have some more examples.
 
however this is very difficult to do properly: you'll have to fully isolate it from the host's Xorg and you'll also have to maintain multiple separate jails for work/entertainment/banking activities.
I tend to use a few different solutions for jails, depending on what I am doing:

1) Host Xorg. Nothing special (easiest)
2) Xephyr. Fairly decent isolation but lose out on accelerated graphics
3) Run Xorg in the jail itself. A pain to keep switching but by nature prevents "cross X11 communication" (Which I see as a feature as well as a potential security hazard)
4) VNC. Better isolation but lose out on accelerated graphics, tends to be slowest until you go on complex websites.

I probably trust them all more than a raw Chrome (including on Linux). Mainly because Chrome might have its own clever sandboxing, but it still has raw access to Xorg on the host (which I want but don't want at the same time. Hopefully X12 will add some "per client-program connection" security here when it comes).
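One way to set up the per-activity browser jails discussed above (a shared .X11-unix socket as in option 1, or a Xephyr display as in option 2), as an added example that is not code from any poster in the thread: a POSIX sh script that emits a jail.conf(5) stanza for a named jail and launches Firefox inside it. The /jails/<name> layout, the per-jail /var/run/x11-<name> socket directory, the unprivileged "browser" user inside the jail, the display number and the IP addresses are all assumptions made for illustration. In "xephyr" mode the script moves the Xephyr socket into a directory that holds nothing else and nullfs-mounts only that directory into the jail, so the browser cannot reach the host's :0 socket (and with it every host client's keyboard and clipboard traffic, the concern raised earlier in the thread).

```shell
#!/bin/sh
# Added example; not from the thread. Per-activity Firefox jail on FreeBSD:
# emits a jail.conf(5) stanza and launches the browser in the jail, either on
# the host display (shared /tmp/.X11-unix) or inside a Xephyr window whose
# socket is the only X socket the jail can see.
# Assumptions (illustrative, not from the thread): jail userlands live in
# /jails/<name> with firefox installed and an unprivileged user "browser";
# the host's X sockets are in /tmp/.X11-unix.
set -eu

JAIL_ROOT=${JAIL_ROOT:-/jails}
X11_DIR=/tmp/.X11-unix

# Host-side directory that holds only the X socket this jail may use.
jail_x11_dir() { printf '/var/run/x11-%s\n' "$1"; }

# jail_conf_stanza NAME IP [host|xephyr]
# "host"  : nullfs-mount the host's whole socket dir; the browser can then
#           talk to :0 like any other host client.
# "xephyr": mount the per-jail dir instead, so only the Xephyr display is
#           reachable from inside the jail. This is the default.
jail_conf_stanza() {
    name=$1; ip=$2; mode=${3:-xephyr}
    if [ "$mode" = host ]; then src=$X11_DIR; else src=$(jail_x11_dir "$name"); fi
    cat <<EOF
$name {
    path = "$JAIL_ROOT/$name";
    host.hostname = "$name.local";
    ip4.addr = "$ip";
    persist;
    exec.clean;
    mount.devfs;
    # stock jail devfs ruleset: no raw disk or memory devices
    devfs_ruleset = 4;
    allow.raw_sockets = 0;
    allow.sysvipc = 0;
    enforce_statfs = 2;
    # rw because connect(2) on a unix socket needs write access to the node
    mount += "$src \$path$X11_DIR nullfs rw 0 0";
}
EOF
}

# start_xephyr NAME NUM: nested X server on :NUM, its socket moved into the
# per-jail directory. A bound unix socket keeps working after rename(2).
start_xephyr() {
    name=$1; num=$2; dir=$(jail_x11_dir "$name")
    mkdir -p "$dir"
    # -ac: who may connect is bounded by who can reach the socket file
    Xephyr ":$num" -ac -screen 1280x800 -title "$name" &
    i=0
    while [ ! -S "$X11_DIR/X$num" ] && [ "$i" -lt 50 ]; do
        sleep 0.1; i=$((i + 1))
    done
    mv "$X11_DIR/X$num" "$dir/X$num"
}

# run_firefox NAME NUM: run as the unprivileged jail user on display :NUM
run_firefox() {
    jexec -U browser "$1" env DISPLAY=":$2" firefox --no-remote
}

case "${1:-}" in
    conf) jail_conf_stanza "$2" "$3" "${4:-xephyr}" ;;
    run)  start_xephyr "$2" "$3"; jail -c "$2"; run_firefox "$2" "$3" ;;
esac
```

Usage: `./ffjail.sh conf ffbank 10.10.10.40 >> /etc/jail.conf` once per activity (a second stanza with a different name, IP and display for "ffwork", and so on), then `./ffjail.sh run ffbank 1` to start the Xephyr window, create the jail and launch Firefox in it. Pass `host` as the fourth argument to `conf` for the shared-host-display variant; that is the easy option from the list above, and it gives the jailed browser the same view of the host's X server as any unjailed client.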
 
This whole thread is rather embarrassing (as usual with this topic).

1. OpenBSD doesn't even approach Qubes in terms of isolation: Qubes runs everything in a separate virtual machine with appropriate access controls, while OpenBSD does nothing of the sort. Remember that Xorg doesn't limit keyboard/screen/clipboard access in any way, not to mention potential attacks on the X server itself.

2. OpenBSD's pledge/unveil works roughly at the same level as Linux's seccomp-bpf and stuff, so they should offer a similar level of protection against browser exploits. FreeBSD lags behind both — Firefox and Chromium sandboxes are simply disabled there.

3. Firejail is unlikely to offer any additional protection over the built-in browser sandbox: it's written by people of inferior skill (in comparison to the browser developers; whatever you think about Google, Chrome devs are definitely smarter people), based on the same kernel primitives and has no insight into internal browser things. Also keep in mind that the main point of browser sandboxing is protecting your sensitive site data from other malicious or compromised sites — nothing that an external sandbox can fix.

4. Running a browser in a FreeBSD jail does actually make some sense, considering the lack of built-in sandboxing there; however, this is very difficult to do properly: you'll have to fully isolate it from the host's Xorg and you'll also have to maintain multiple separate jails for work/entertainment/banking activities. I think it's fair to say people like that don't exist. Sorry.
I wasn't trying to say that OpenBSD and Qubes were similar in terms of isolation. Just that I'd read that they tried to patch up some of the X11 security holes. In the light reading I've done on this one, except for Qubes, I would overall trust OpenBSD security over almost any Linux distro (again, except for Qubes, which I do run on a laptop).
 