Firejail 0.9.60 Application Isolation Release

The Firejail 0.9.60 release is available. Firejail is a system for the isolated execution of graphical, console and server applications. Using Firejail minimizes the risk of compromising the main system when running untrusted or potentially vulnerable programs. The program is written in C, distributed under the GPLv2 and can run on any Linux distribution with kernel 3.0 or newer. Ready-made Firejail packages are available in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.

For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf). Once started, the program and all its child processes use separate views of kernel resources such as the network stack, process table and mount points. Applications that depend on each other can be combined into one shared sandbox. If desired, Firejail can also be used to run Docker, LXC and OpenVZ containers.

Unlike container isolation, Firejail is extremely simple to configure and does not require preparing a system image: the contents of the container are assembled on the fly from the current file system and discarded when the application exits. Flexible tools are provided for setting file system access rules: you can define which files and directories are allowed or denied, mount temporary file systems (tmpfs) for data, restrict access to files or directories to read-only, and combine directories via bind mounts and overlayfs.

For a large number of popular applications, including Firefox, Chromium, VLC and Transmission, ready-made profiles with system call restrictions are provided. To execute a program in isolation mode, it is enough to pass the application name as an argument to the firejail utility, for example "firejail firefox" or "sudo firejail /etc/init.d/nginx start".
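As an added illustration (not one of the profiles shipped with Firejail), the following profile combines the file system rules described above with the kernel-level restrictions, including the "private-cwd" and "nodbus" options introduced in this release. The viewer program, the ~/Untrusted directory and the ~/.config/untrusted-viewer path are assumed names chosen for the example:

```conf
# untrusted-viewer.profile
# Added example, not one of Firejail's shipped profiles.
# Assumed usage: firejail --profile=~/.config/firejail/untrusted-viewer.profile <viewer>
# ~/Untrusted and ~/.config/untrusted-viewer are illustrative names.

# Start from the denylists Firejail ships (sensitive dotfiles, dev tools, ...)
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc

# File system: only these two paths remain visible under $HOME; the rest of the
# home directory is replaced by an empty tmpfs for the lifetime of the sandbox.
whitelist ${HOME}/Untrusted
whitelist ${HOME}/.config/untrusted-viewer
# Directives apply in order: make the config visible first, then pin it read-only.
read-only ${HOME}/.config/untrusted-viewer
# Fresh, private tmpfs on /tmp and a minimal /dev.
private-tmp
private-dev
# New in 0.9.60: start in the jail's home instead of the caller's real cwd.
private-cwd

# Kernel attack surface
caps.drop all
seccomp
nonewprivs
noroot
# From 0.9.60 this also rejects memfd_create(), so an anonymous memfd can no
# longer be used as a writable-then-executable backing file.
memory-deny-write-execute

# Network and IPC
net none
# New in 0.9.60: no access to the session or system D-Bus sockets.
nodbus
```

Run it as `firejail --profile=~/.config/firejail/untrusted-viewer.profile <viewer> ~/Untrusted/file.pdf`; `firejail --list` and `firejail --tree` show the running sandboxes so the restrictions can be inspected afterwards.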

In the new release:

  • Fixed a vulnerability that allowed a malicious process to bypass the system call restriction mechanism. The seccomp filters were copied into the /run/firejail/mnt directory, which was writable from inside the sandbox. A malicious process running in the sandbox could modify these files, causing new processes started in the same sandbox to run without the system call filter applied;
  • The memory-deny-write-execute filter now also blocks the "memfd_create" system call (an anonymous memfd can be mapped writable, filled with code, and then mapped executable, which sidestepped the W^X restriction);
  • Added a new "private-cwd" option that sets the working directory inside the jail to the home directory instead of the caller's current directory;
  • Added a "--nodbus" option to block D-Bus sockets;
  • Restored support for CentOS 6;
  • Discontinued support for packaging in the Flatpak and Snap formats; it was pointed out that these package systems should use their own sandboxing toolkits;
  • Added isolation profiles for 87 more programs, including mypaint, nano, xfce4-mixer, gnome-keyring, redshift, font-manager, gconf-editor, gsettings, freeciv, lincity-ng, openttd, torcs, tremulous, warsow, freemind, kid3, freecol, opencity, utox, freeoffice-planmaker, freeoffice-presentations, freeoffice-textmaker, inkview, meteo-qt, ktouch, yelp and cantata.
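Because the seccomp bypass fixed in this release hinged on filter files that the sandbox itself could write, a quick sanity check after upgrading is to confirm, from inside a jail, that the calling process really has a seccomp filter installed and that nothing under /run/firejail/mnt is writable. The following POSIX shell script is an added example, not Firejail project code. It assumes the /run/firejail/mnt path named in the release note, and that a "Seccomp:" value of 2 in /proc/self/status means a BPF filter is active (standard kernel semantics, but the check itself is this editor's):

```shell
#!/bin/sh
# firejail-check.sh  (added example, not part of Firejail)
# Run *inside* a sandbox:  firejail --seccomp sh ./firejail-check.sh
# Assumptions: filter files live under /run/firejail/mnt (path from the
# advisory); the kernel reports "Seccomp:\t2" in /proc/<pid>/status when a
# seccomp-bpf filter is installed on the process.

# Extract the Seccomp field from /proc/<pid>/status text passed as $1.
# Prints 0 (disabled), 1 (strict), 2 (filter) or -1 when the field is absent
# (kernel built without CONFIG_SECCOMP, or older than 3.8).
parse_seccomp_mode() {
    printf '%s\n' "$1" | awk -F':' '
        $1 == "Seccomp" { gsub(/[ \t]/, "", $2); print $2; found = 1 }
        END { if (!found) print "-1" }'
}

# Seccomp mode of the shell running this script.
own_seccomp_mode() {
    parse_seccomp_mode "$(cat /proc/self/status)"
}

# Print every path (two levels deep) under $1 that the current user can write.
# Returns 0 when nothing is writable or the directory does not exist, 1 otherwise.
writable_paths_under() {
    dir=$1
    rc=0
    [ -d "$dir" ] || return 0        # not running in a sandbox, or a different layout
    for p in "$dir" "$dir"/* "$dir"/*/*; do
        [ -e "$p" ] || continue
        if [ -w "$p" ]; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

main() {
    mode=$(own_seccomp_mode)
    case $mode in
        2) echo "ok: seccomp filter active on this process (mode 2)" ;;
        0) echo "WARN: no seccomp filter on this process" ;;
        *) echo "WARN: unexpected Seccomp value '$mode'" ;;
    esac
    if out=$(writable_paths_under /run/firejail/mnt); then
        echo "ok: nothing under /run/firejail/mnt is writable"
    else
        echo "WARN: writable paths under /run/firejail/mnt (filters could be tampered with):"
        echo "$out"
    fi
}

main "$@"
```

Outside a sandbox the second check is a no-op (the directory does not exist), so run the script through `firejail --seccomp` to get a meaningful result; a "WARN" on a 0.9.60 install indicates the upgrade did not take effect or a custom profile disabled the filter.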

Source: opennet.ru
