Channel: l3net – a layer 3 networking blog

Firejail 0.9.28 Release Announcement


We are happy to announce the release of Firejail version 0.9.28 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release contains significant improvements, and a large number of enhancements and bug fixes.

Most of the new features in this release are network namespace features. A network namespace is essentially a new TCP/IP stack. It is created and attached to the sandbox with the --net command line option. The stack is fully isolated from the host stack: it has its own routing table, its own netfilter firewall, and its own set of interfaces. Regular Ethernet or bridge interfaces can be supplied as parameters to the --net option.

In the examples to follow we will use the main Ethernet interface, eth0. Sandboxes created this way appear to be on the same network as the host computer.

--iprange

This option defines a range of IP addresses for an interface in a new network namespace. An address is picked at random from the given range and checked with ARP before it is assigned. Example:

$ firejail --net=eth0 --iprange=192.168.1.200,192.168.1.220
Parent pid 3917, child pid 3918

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-3917        da:f7:62:5a:a7:07  192.168.1.214    255.255.255.0    UP    
Default gateway 192.168.1.1

Child process initialized
[...]
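A small check a sandbox operator can run against the startup table shown above, to confirm the address handed out by --iprange really falls inside the requested range. This is an added example, not Firejail's own code; the interface name (eth0) and the sample table are taken from the announcement, and the helper names are hypothetical.

```shell
# Added example, not part of Firejail: verify that the address a sandbox
# received from --iprange falls inside the requested range, by parsing the
# interface table Firejail prints at startup.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
# Runs in a subshell so the IFS change stays local.
ip2int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        # reject empty, non-numeric and leading-zero octets, and values > 255
        case $o in ''|*[!0-9]*|0?*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Extract the IP column of the "<iface>-<pid>" row from Firejail's table.
sandbox_ip() {
    printf '%s\n' "$1" | awk -v pfx="$2-" 'index($1, pfx) == 1 { print $3; exit }'
}

# Return 0 when address $1 lies within $2..$3 (inclusive), 1 otherwise.
ip_in_range() {
    a=$(ip2int "$1") || return 1
    lo=$(ip2int "$2") || return 1
    hi=$(ip2int "$3") || return 1
    [ "$lo" -le "$a" ] && [ "$a" -le "$hi" ]
}

# Constructed sample: the startup table from the --iprange example above.
SAMPLE='Parent pid 3917, child pid 3918

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP
eth0-3917        da:f7:62:5a:a7:07  192.168.1.214    255.255.255.0    UP
Default gateway 192.168.1.1'

got=$(sandbox_ip "$SAMPLE" eth0)
if ip_in_range "$got" 192.168.1.200 192.168.1.220; then
    echo "sandbox address $got is inside the requested range"
else
    echo "sandbox address $got is OUTSIDE the requested range" >&2
fi
```

In practice the table would be captured from the real firejail invocation instead of the constructed SAMPLE string.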

--mac

This option configures a MAC address for an interface in a new network namespace. Example:

$ firejail --net=eth0 --mac=00:11:22:33:44:55
Parent pid 3968, child pid 3969

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-3968        00:11:22:33:44:55  192.168.1.49     255.255.255.0    UP    
Default gateway 192.168.1.1

Child process initialized
[...]

If the --mac option is not used, the kernel assigns a random MAC address to the interface. Use this option when you intend to start a DHCP client inside the sandbox.

--scan

When an Ethernet interface is used, the kernel attaches a macvlan device to it, and the macvlan and the underlying Ethernet driver cannot communicate with each other. As a result, regular tools such as arp-scan or nmap fail to discover sandboxes running on the same host. The --scan option works around this by performing an ARP scan of the network from inside the sandbox. Example:

$ firejail --net=eth0 --scan
Parent pid 3118, child pid 3119

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-3118        02:a5:54:d2:6c:03  192.168.1.153    255.255.255.0    UP    
   Network scan:
   e0:3f:49:7a:14:09	192.168.1.60
   7a:c6:9a:32:58:3f	192.168.1.154
   00:0f:db:c5:4f:f2	192.168.1.1
   a4:ba:db:a9:f4:1c	192.168.1.51
   2e:3f:43:d9:2d:5d	192.168.1.201
Default gateway 192.168.1.1

Child process initialized
[...]

Network traffic shaping

Network bandwidth is an expensive resource shared among all sandboxes running on a system. Traffic shaping allows the user to improve overall network performance by controlling the amount of data that flows into and out of each sandbox.

Firejail implements a simple rate-limiting shaper based on the Linux tc command. The shaper works at sandbox level and can be used to control sandboxes configured with a new network namespace.

This is a small example of limiting the bandwidth of a Mozilla Firefox browser running in a Firejail sandbox. We start the browser and attach a new network namespace to the sandbox:

$ firejail --net=eth0 --name=browser firefox &

The name of the sandbox is browser. The following command configures an 80 KB/s maximum receive rate and a 20 KB/s maximum transmit rate on interface eth0:

$ firejail --bandwidth=browser set eth0 80 20

To adjust the bandwidth, issue this command as many times as necessary. To remove the bandwidth limits, the command is:

$ firejail --bandwidth=browser clear eth0

Security profile features

  • New default applications supported in this release: GNU Icecat, FileZilla, Pidgin, XChat, Empathy, DeaDBeeF.
  • Blacklisting Opera and Chrome/Chromium directories in all profile files.
  • Enable a no-root user namespace in all profile files when the running kernel permits it (kernel version 3.10 or newer).
  • Added an /etc/firejail/disable-common.inc file to hold common directory blacklists. The file is included in all profiles. If you need to disable a specific directory in your $HOME, add a line such as “blacklist ${HOME}/dirname” to this file.

Debian

Thanks to Reiner Herrmann, Firejail has been included in Debian. If you are running Stretch or Sid, install Firejail with “sudo apt-get install firejail”.

Platform support

Firejail is supported on platforms such as Intel, MIPS, and PowerPC. The new release also solves a number of problems for ARM. If you have access to a Raspberry Pi board, please give it a try and let us know, thanks!

About

For more information please visit the project page.
