I noticed that about a lot of people who lack ability.
Hello all,
There is a thread on the freebsd-hackers@freebsd.org mailing list seeking project ideas. If you have ideas about projects that the Foundation could support, please leave your feedback.
--
Joe (with Foundation hat on)
I have submitted my request in that thread. Let's hope for the best.
Posting there will gain you nothing. …
I prefer to think that the Foundation will decide.
If you're paranoid about security, you really probably shouldn't be using Linux unless it's Qubes. I've read that OpenBSD is renowned for having out-of-the-box default hardening applied, along with patching many of the gaping security holes in X11. So if you're looking for a "just works" solution, OpenBSD or Qubes are about as hardcore as you can get. ... That is, if you're serious about being paranoid.
Hi,
I tried FreeBSD some months back. I am paranoid about security. I asked here how to configure PF and I got help almost instantly. Everything was going fine except running Firefox inside a sandbox. I tried very hard to run Firefox inside a Jail but unfortunately I didn't succeed. So I had no choice but to move back to Linux.
Whether running Firefox or other network-facing apps like Pidgin, Thunderbird, etc. inside a sandbox is unnecessary or overkill is entirely a different topic. Personally I won't run at least Firefox outside of a sandbox.
So it is my request to the FreeBSD devs and community: please make a firejail equivalent for FreeBSD.
Under Linux, if you want to run Firefox inside firejail, all you need to do is $ firejail firefox. That's it.
https://firejail.wordpress.com/
These forums are not "the Foundation".
not following
/usr/sbin/jail /jails/www www 10.10.10.36 /lighttpd -f conf/lighttpd.co
... and although this jail has a lot of content files in it, the actual UNIX userland is only what is required to run 'lighttpd'
# find /jails/www/usr | wc -
4
So it's an extremely lightweight environment with very little attack surface
You can also share a lightweight environment with multiple commands - here are two other jail commands
/usr/sbin/jail /jails/dns ns1 10.10.10.30 /nsd/nsd -c /nsd/nsd.co
/usr/sbin/jail /jails/dns dns 10.10.10.37 /unbound/unbound -c /unbound/unbound.con
... see how both jailings of 'nsd' and 'unbound' point to the same '/jails/dns' userland ? Once again, that userland is very, very compact
# find /jails/dns/|wc -
9
... so, 97 files total to run both name servers.
Source: HackerNews(Item id=29649066)
Someone please create a FIREJAIL equivalent for FreeBSD
I tend to use a few different solutions for jails, depending on what I am doing:
however this is very difficult to do properly: you'll have to fully isolate it from the host's Xorg and you'll also have to maintain multiple separate jails for work/entertainment/banking activities.
OK, sorry to spam then.
I wasn't trying to say that OpenBSD and Qubes were similar in terms of isolation. Just that I'd read that they tried to patch up some of the X11 security holes. In the light reading I've done on this one, except for Qubes, I would overall trust OpenBSD security over almost any Linux distro (again, except for Qubes, which I do run on a laptop).
This whole thread is rather embarrassing (as usual with this topic).
1. OpenBSD doesn't even approach Qubes in terms of isolation: Qubes runs everything in a separate virtual machine with appropriate access controls, while OpenBSD does nothing of the sort. Remember that Xorg doesn't limit keyboard/screen/clipboard access in any way, not to mention potential attacks on the X server itself.
2. OpenBSD's pledge/unveil works roughly at the same level as Linux's seccomp-bpf and stuff, so they should offer a similar level of protection against browser exploits. FreeBSD lags behind both — Firefox and Chromium sandboxes are simply disabled there.
3. Firejail is unlikely to offer any additional protection over the built-in browser sandbox: it's written by people of inferior skill (in comparison to the browser developers; whatever you think about Google, Chrome devs are definitely smarter people), based on the same kernel primitives and has no insight into internal browser things. Also keep in mind that the main point of browser sandboxing is protecting your sensitive site data from other malicious or compromised sites — nothing that an external sandbox can fix.
4. Running a browser in a FreeBSD jail does actually make some sense, considering the lack of built-in sandboxing there, however this is very difficult to do properly: you'll have to fully isolate it from the host's Xorg and you'll also have to maintain multiple separate jails for work/entertainment/banking activities. I think it's fair to say people like that don't exist. Sorry.