Question: Firejail vs using Apparmor only? What are some of the advantages #2248
Comments
Firejail uses private mount namespaces to achieve similar access controls compared to Apparmor, and capability restrictions are also similar. In addition to those, Firejail can set up system call filtering with seccomp and restrict networking. Then Apparmor can restrict mapping of files to memory, which Firejail is not able to do. Executing SUID programs elevates the user's privileges temporarily. This is used in Firejail to, for example, set up mounts, which is not allowed normally.
In general you may use AppArmor OR firejail but not both at the same time for the same app, as this will only lead to trouble. If you have set a tight AppArmor profile already then you may stick with it. I assume you know that the features available in AppArmor vary across kernel versions and distros.
@Vincent43 what trouble would you see? There's surely overlap, but they can also complement each other. For example, you could use AppArmor for path based access control, but then Firejail for seccomp and capabilities. I'm using TOMOYO, Yama and Firejail without problems.
You would need to add more privileges in AppArmor than is needed without firejail to make it work. You would need to use fewer firejail features, otherwise it would be broken with AppArmor. As a result they will cancel each other out rather than complement. We had multiple reports about broken apps when AppArmor and firejail are used at the same time. Keep in mind that AppArmor is mandatory when enabled while firejail can be easily circumvented (intentionally or not).
I see, maybe the paths of the private mounts used by Firejail do not match what AppArmor expects? Anyway, it should be possible to use Firejail for seccomp and network control, those will not conflict with AppArmor.
I did notice that some things in my AppArmor profile were ignored when I ran firejail. Files that I specifically denied read access to with my AA-enforce enabled can be accessed while running the same app on firejail. So, I don't think they're complementary. @Vincent43 What do you mean when you say that firejail can be easily circumvented? Can you be more specific with some examples?
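The thread above disagrees about whether Firejail's seccomp, capability and network restrictions and an AppArmor profile actually apply together. The most direct way to settle that for a given app is to look at what the kernel reports from inside the sandbox. The following script is an added example and is not part of this issue or of the Firejail project; it reads the `Seccomp` and `CapBnd` fields from `/proc/self/status` and the LSM confinement label from `/proc/self/attr/current`, so running it plainly and then under `firejail --seccomp --caps.drop=all --net=none` shows which restrictions are in force and whether the AppArmor label survived. The two `SAMPLE_*` strings are constructed stand-ins for real status output so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not Firejail project code): report the restrictions the
# kernel shows for the current process. Compare a plain run with
#   firejail --seccomp --caps.drop=all --net=none sh sandbox_check.sh --self

# field_from_status NAME TEXT: print the value of field "NAME:" from
# /proc/<pid>/status-style text (fields are "Name:<tab>value").
field_from_status() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# seccomp_mode TEXT: 0 = disabled, 1 = strict, 2 = BPF filter (what
# firejail --seccomp installs).
seccomp_mode() {
    field_from_status Seccomp "$1"
}

# caps_dropped_all TEXT: 1 if the capability bounding set is empty
# (the effect of caps.drop all), otherwise 0.
caps_dropped_all() {
    bnd=$(field_from_status CapBnd "$1")
    case "$bnd" in
        0000000000000000) echo 1 ;;
        *) echo 0 ;;
    esac
}

# lsm_label: the AppArmor (or other LSM) confinement label of this process,
# e.g. "unconfined" or "/usr/bin/firefox (enforce)".
lsm_label() {
    cat /proc/self/attr/current 2>/dev/null || echo unavailable
}

# report_self: print all three values for the running process.
report_self() {
    status=$(cat /proc/self/status)
    echo "seccomp mode : $(seccomp_mode "$status")"
    echo "caps dropped : $(caps_dropped_all "$status")"
    echo "lsm label    : $(lsm_label)"
}

# Constructed sample: what a process inside a firejail --seccomp
# --caps.drop=all sandbox typically shows (values assumed for illustration).
SAMPLE_SANDBOXED='Name: sh
Seccomp: 2
CapBnd: 0000000000000000'

# Constructed sample: an unsandboxed process with the default full bounding set.
SAMPLE_PLAIN='Name: sh
Seccomp: 0
CapBnd: 000001ffffffffff'

if [ "${1:-}" = "--self" ]; then
    report_self
fi
```

If the `lsm label` line reads `unconfined` inside the sandbox while the same binary shows your Firefox profile in enforce mode outside it, the AppArmor profile is not being applied to the sandboxed process, which matches the observation above that denied files became readable under firejail; if the label is kept but reads from `~/.firejail`-style private mounts are what fail, the two mechanisms are both active and the path mismatch is the thing to fix in the profile.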
As a user you can simply directly run a known vulnerable application and compromise the computer. As a malicious program you can abuse DBus or the X server and take control of the computer from there, then use another vulnerable program to elevate privs. OT: welcome back @topimiettinen
@SkewedZeppelin, thanks for that. I'll have to get more educated about DBus vulnerabilities because I really don't know anything about them. Do you have any recommendations for a starting point or should I just google it? With regards to the user issue, I'm the only user, so that would be a moot point for my setup. With regards to apps using X exploits, I'm on Wayland and running Wayland apps (even my FF is Wayland), so X server issues aren't an issue for me. Unless AA has features that mitigate such vulnerabilities that I'm not aware of, I imagine that Xorg keyboard and screen capture snooping in other Xorg GUI apps also exists under AppArmor. Firejail's X users can also use --x11=xpra which tells the app to use an xpra layer instead of Xorg. xpra is basically X without any of the keyboard/screen sharing features (so no keylogging or screen capping). So, as far as I can tell, Firejail is actually superior to AA in this department.
I'm going to go ahead and close this as the discussion seems to have died out ;)
Hi, I'm just starting with Firejail. It seems like a really interesting tool and I'm trying to understand it a little more. Not sure if this is the appropriate place to ask but I didn't know where else to post my question.
I'm currently using an AppArmor enforce mode profile that I've heavily modded and tweaked to limit Firefox's access to my system resources, home directory, documents and configuration files...
I was just wondering what additional security features firejail offers over running Apparmor alone? What is a SUID sandbox?