#Firejail
LibreOffice confined by Firejail ignores all keystrokes #keyboard #libreoffice #firejail
LibreOffice ignoring all keystrokes #keyboard #libreoffice #firejail
***LAST EDITED*** 2/9/23
#AUR
#AboutConfig
#AnnaMadrigal
#Arch
#ArchInstall
#ArchLinux
#Archie
#Archies
#Atheism
#AusPol
#Beatles
#Biodiversity
#BirdMakeup
#CSLewis
#ChangeTheSystem
#ClimateChange
#ClimateCrisis
#DarwinAwards
#Debian
#Distrobox
#DoctorWho
#DouglasAdams
#DrHelenMagnus
#EnidBlyton
#FOSS
#FamousFive
#Fascism
#FediTips
#Fedia
#Fedora
#Firefish
#FirefishBugs
#Firefox
#FirefoxBeta
#FirefoxNightly
#Firejail
#Friendica
#FriendicaHelp
#fsckALLreligion
#FsckChristoFascists
#FsckRWNJs
#FsckThePatriarchy
#FuckAroundAndFindOut
#Gaia
#GilmoreGirls
#GlitchSoc
#GlitchSocial
#GnuCash
#Grammar
#Greens
#HHGTTG
#HumanRights
#JRRTolkien
#KDE
#KDEPlasma
#KMyMoney
#Kbin
#Kinoite
#LauraTingle
#Lesbian
#LibreOffice
#Linux
#LinuxWomen
#Logic
#MichaelWestMedia
#MicroOS
#Misanthropy
#Misdirection
#Misogyny
#MontyPython
#MontyPythonsFlyingCircus
#MostlyHarmless
#MrsMadrigal
#Narnia
#NationStates
#Nihilism
#openSUSE
#Overshoot
#Penguinistas
#Plasma
#PostOp
#ProgIndies
#PulseBrowser
#RWNJs
#RedFireAnts
#RenewableEnergy
#RightToProtest
#RippingYarns
#searX
#Semantics
#Sidebery
#SlowMode
#StateCapture
#SteamEngine
#SteamLocomotive
#SteamLocomotives
#TheDoctor
#TheLordOfTheRings
#TheSpanishInquisition
#TreeStyleTab
#Tumbleweed
#UserJS
#VM
#VPN
#VerticalTabs
#Vivaldi
#VivaldiBrowser
#VivaldiSnapshot
#VivaldiStable
#Wayland
#WeAreSelfishCruelBastards
#WeAreTotallyFscked
#Whimsy
#Whovians
#WindowRules
#Xfce
#YellowCrazyAnts
@tag-AUR@relay.fedi.buzz
@tag-arch
@tag-ArchLinux@relay.fedi.buzz
@tag-Distrobox@relay.fedi.buzz
@tag-FriendicaHelp@relay.fedi.buzz
@tag-fsckALLreligion@relay.fedi.buzz
@tag-FsckChristoFascists@relay.fedi.buzz
@tag-FsckRWNJs@relay.fedi.buzz
@tag-FsckThePatriarchy@relay.fedi.buzz
@tag-hhgttg
@tag-KMyMoney@relay.fedi.buzz
@tag-LinuxWomen@relay.fedi.buzz
@tag-MontyPython@relay.fedi.buzz
@tag-MostlyHarmless@relay.fedi.buzz
@tag-Penguinistas@relay.fedi.buzz
@tag-PostOp@relay.fedi.buzz
@tag-WeAreSelfishCruelBastards@relay.fedi.buzz
@tag-WeAreTotallyFscked@relay.fedi.buzz
@tag-Whimsy@relay.fedi.buzz
So today I discovered a tool called #FireJail. You can use it to launch on-the-fly "jails", sort of like chroot jails, but faster and easier to set up. There are a variety of options, but the most likely ones I'll probably take advantage of are --noroot and --private=somedir . It even hides the existence of other home directories. So for example you could do:
firejail --name=somejail --private=/pathtoworkingdir --noroot ./exefilename
So... Apparently, #FireJail breaks if I put the user's home directory inside /run/user/[uid]/home
@TiffyBelle @flaminghohners T/y. That was an interesting read, & ostensibly disturbing. Ostensibly.
My geeky-user-but-NO-expert familiarity with #Firefox [#Nightly, specifically] & chromium-based browsers [on my (#Linux only) pc's that's #VivaldiSnapshot & #Chromium] extends to matters of features, functions & privacy. Security, in the context of that paper & its links, is way beyond my knowledge, so it'd be silly of me to attempt any technical disparagement of that paper.
I shall note, though, that browser development is a pretty fast-paced project, such that i do wonder about the contemporary validity of any paper written several years ago. The paper was last edited March 19th, 2022, so clearly not too bad. However, & IMO most unfortunately, ALL its purportedly supportive links to external references are VERY old, ranging from newest of 2020, to oldest of 2011, with a perceived median around 2016.
For instance, the linked paper's linked paper "Exploiting and Protecting Dynamic Code Generation", says on p10, within "A. Setup", that
>The operating system is the 64-bit Ubuntu 13.04 with kernel 3.8.0-35-generic
That version was released in early 2013.
I suspect this potential "technological aging" makes many or maybe most of the underlying claims rather dubious today, unless & until a contemporary reappraisal by technically competent peeps were done, based on current #Firefox code, not on how it used to be many years ago. Maybe the conclusion would not change? Maybe it would? 🤷♀️
Other Thoughts, fwiw.
Even with a generous assumption that all claims in that paper remain technically valid today [tbc], for many browser users in countries / jurisdictions not overtly fascist & dictatorial, who as individuals are unlikely to be targeted by state-actors, i respectively opine that the larger more probable safety hazard to them might come from #privacy, not #security, breaches. To that extent, i note these:
- #uBlockOrigin is more powerful in Firefox than in chromium browsers, due to the latter having no support for CNAME-uncloaking
- Google is actively striving, via its Mv3 replacement for Mv2, & its egregious FLoC / Topics crap, to further weaken uBO & all other #adblockers. Otoh, Mozilla intends indefinite Firefox support for Mv2, albeit also with added Mv3 compatibility.
- #AddOns / #Extensions like #uBO are far more than "only" adblockers. By running in "hard mode" for instance, & liberally creating a suite of global & per-site dynamic filters, AND having #Javascript globally disabled but allowed by the user on favoured sites, great privacy protection is afforded. Google's plans are to actively weaken this user privacy in Chromium.
- sadly, silly insecure-by-design MS Windows remains the world's dominant OS. Yet for those alert to the Windows hazards & willing to make a change, #Linux provides vastly more security & privacy by design.
- As well, both dominant #Linux #DesktopEnvironments & at least one #WindowManager, now provide stable everyday #Wayland capability instead of the ancient insecure #X11 / #Xorg #DisplayServer, thus eliminating one classic security vulnerability mentioned in the paper/s.
- Linux users can avail themselves of even more privacy by #sandboxing their apps. There's several choices; i use #Firejail. Therefore browsers [& all other relevant apps] cannot access any of the user's private data beyond the sandbox's bounds.
DNS: Warum ist ein DNScrypt-Proxy sinnvoll?
So ist man sicherer im Netz unterwegs.
I just learned about bubblejail, a replacement for #FireJail which uses bwrap. It is currently not packaged for #Gentoo, but making an ebuild should be straightforward.
Has anyone around here heard of it or used it, and is it worth to go through the effort? I would like various programs I use to be better sandboxed, and this seems like on of the easier tools to get a good foundation going.
@fbievan @brandont @omglinux
...
I use mitigating controls like #firejail where appropriate to avoid losses due to the un-auditable nature of the software.
To just blithely install non-FOSS software without taking any considerations of the risks is kinda silly, TBH. To supply said software without the slightest warning is negligent.
@thunderbird @JohnDal #Mutt can be configured to call a /sandboxed/ gui browser. The sandbox can be #firejail with the --net=none option. So mutt could send feed the attached images to the browser but force the browser to run offline. This would give you a way to see all the definitively harmless images while nixing all fetched images to ensure no tracking image exploits you.
@fiveEyedBeast @mepi0011 @kde Ha, you fixed it! 😉 You had many of us rather confused... & scrambling to see if there was a new kid on the block. 😜
Fwiw, I began using #KMyMoney 12 years ago [i had to check that just now, coz IMO it feels even longer]. Initially i tried #GNUcash, but rapidly tired of its absence of good user-configurable reports [& several other things]. #KMM isn't perfect ofc, but overall it's still pretty wonderful.
I explicitly do not use any online bank reconciliation, in fact, via #Firejail i specifically block KMM from having any internet access at all. Ergo, i do all my account reconciliations manually each month. For my use-case, KMM is a boon.
Firetools ist eine grafische Benutzeroberfläche (Qt5) für die Linux-Sandbox Firejail. 👇
Yep i concur. I pointed it out per my earlier post, not to imply i thought it was "sufficient", but instead merely that it is "something" in case any users hadn't noticed it there yet.
Personally [as a geek enduser NOT a Dev], i remain wedded to "classic" pkgs from "std" repos + when needed, the AUR [btw😜]. I *want* to control ALL my apps with my desktop theming, AND constrain them with #Firejail [of which I'm a big fan]. My current schema provides this. Otoh, FPs = meh, to me.
@ainmosni Excellent use-case, thx. Clearly, one's needed apps will play a big part in the decision here i suppose [i eschew all those you mentioned, yet i do still take your point].
Re sandboxing, i use #Firejail for all my interwebz-facing apps [to restrict their access to my $HOME files], & for all my sensitive apps that might try calling home to mother but which functionality i block in FJ by giving them no net access.
Just did a small batch of #ArchLinux updates, a couple of days after the bigger last lot that included lovely #KDEPlasma 5.27.0, logged out & toggled to tty2, used #needrestart to restart the various services sans-reboot, toggled back to #SDDM & logged back in, then before relaunching my #FirefoxNightly, #Goodvibes & #Thunderbird [all in #Firejail ofc] i took a moment to gaze contemplatively at my #Wayland desktop, & reflected for the umpteenth time; how GREAT is #FOSS!! 🎉
Updated a instruction 📔 in the #NixOS wiki on how to tunnel sandboxed applications through the #Tor network using #Firejail 🔥 https://nixos.wiki/wiki/Firejail#Torify_application_traffic ⚙️ Switched from iptables to nftables :)
Nice! I don't use an IDE with plugins on my Linux machine today, but I'll keep that in mind! Hadn't thought of it for GUI before. Does it forward X11?
Alternatively, might use #firejail to limit directories directly (which uses similar Linux APIs as Docker, without overhead of separate image/kernel, PID 1, and mounts). Not very different from how macOS sandboxes most of their Mac App Store apps these days, which also run with an alternate view of disk.
@electrona I use all of them with diffrent profiles. My basic setup includes all of those three - firefox, brave and vivaldi, jailed by #firejail with #seccomp #apparmor and awesome #GrapheneOS hardened malloc library: https://github.com/GrapheneOS/hardened_malloc .
Die aktuelle Version von #KeePassXC arbeitet nicht mehr mit dem aktuellen #FireFox zusammen, wenn er unter #firejail läuft. Die Lösung findet sich hier:
Now On Peertube:
(Tor friendly)
#Peertube #Video #privacy #sandboxing #Firejail #flatpak #flatseal #Tor #anonymity #anonymous
https://tube.tchncs.de/w/3KtNGjBPtETqSL42mP5BVa
:tor: Tor Browser User Deanonymization Example: careful downloading files + Easy GUI Sandboxing Solutions Featuring Firetools, Flatpaks + Flatseal
(post now public)
#Blog #sandboxing #Firejail #Flatpak #Flatseal #TorBrowser #Anonymity #privacy
https://www.buymeacoffee.com/politictech/deanonymization-example-solution-isolation-for-security-privacy-members-early-release-a-thank
A little #PSA for #firejail users: Yesterday I found out by accident that if your firejailed application is running and you're starting a #VPN (Wireguard through NetworkManager for me) your DNS does NOT automatically get updated, which causes the whole DNS traffic to leak to your standard DNS instead of using the one of your VPN. I could reproduce that with #Firefox and #Element / firejail 0.9.70-4. You can also check file:///etc/resolv.conf in Firefox to verify.
@tech есть ли для #firejail какой-нибудь UI подобный тому что есть в #android / #ios для раздачи прав в момент их использования? Чтобы не создавать несколько профилей, а в рантайме когда нужно ответить да | нет | только на время запуска. by @AmWwaDSKjmwzf3DgKoLwhCo2RmWoVF2KViPrKXDbygRNW55sqLTcNNTkPEUMPgSi
"Hey, Get The App!" -- But Should You?
#Android #iPhone #Blog #Apps #smartphone #ultrasonic #Tracking #Surveillance #Infosec #Cybersecurity #sandbox #firejail #bubblewrap #Linux
https://www.buymeacoffee.com/politictech/hey-get-the-app-but-should-you
Trustworthy translation tools:
❌ #GoogleTranslate (#PRISM corp)
❌ #YandexTranslate (tech giant)
❌ #DeepL (shares sensitive queries w/tech giant & goes to great lengths to mislead users about it)
❌ #LibreTranslate.com (shares sensitive text w/tech giant; no privacy policy; solicits trust using buzz phrases like “libre”, “free & open”)
🤷 translate.fedilab.app (no privacy policy but no evidence of mishandling data either)
✅ #ArgosTranslate running locally on your own PC inside #Firejail
Jetzt online: Sind AppArmor & Firejail wirklich die Lösung? - Wie Linux zur Festung machen?
Bei der Ausführung kann man auf eine #Sandbox wie #firejail setzen. Diese begrenzt den Zugriff auf das Dateisystem, Netzwerk, usw.. Firejail bringt bereits Profile für eine Vielzahl von Anwendungen mit.
# apt install firejail-profiles
$ firejail --private -blacklist=/media <program>
Quellen
https://unix.stackexchange.com/a/603297
https://firejail.wordpress.com/documentation-2/basic-usage/#basic-usage
I blogged again - on restricting the #zoom client permissions on debian using #firejail -- allowing usage of the latest deb packages provided by zoom. Hopefully limiting the impact of security issues in the client...
https://streibelt.de/blog/2021/11/25/jailing-the-zoom-client/
@markush Noch ein paar Hinweise für #Spotify und #Discord, die ja nicht gerade datenschutzfreundlich und deren Apps nicht quelloffen sind:
1) Du könntest die Programme via #Firejail in einer Sandbox laufen lassen (sofern du nicht die #Flatpak-Versionen verwendest): https://firejail.wordpress.com
2) Du könntest den Webapp Manager von #LinuxMint nutzen, um die Webclients der Dienste zu nutzen: https://github.com/linuxmint/webapp-manager
3) Du könntest den freien Client für Spotify namens #Spot nutzen: https://github.com/xou816/spot
"Firejail is a community project. We are not affiliated with any company, and we don’t have any commercial goals. Our focus is the Linux desktop. Home users and Linux beginners are our target market. The software is built by a large international team of volunteers on GitHub. Expert or regular Linux user, you are welcome to join us!"
"Firetunnel allows the user to connect multiple Firejail sandboxes on a virtualized Ethernet network. Applications include virtual private networks (VPN), overlay networks, peer-to-peer applications. Currently the project is in beta-testing phase, you can find out more on our development page."
Howto: Use Firejail to enhance Privacy on Linux (Pinephone/Pinetab shown but any Linux machine can benefit from these Firejail tips). Partly meant to be a sequel for my previous videos: Tor Browser on the Pinephone & as Firejail Part II.
#HumanRights #Privacy #Tor #Linux #Pinephone #Pinetab #safety #Firejail #Sandbox
https://youtu.be/bXRa9aYWcIY
#antiS (privacy-enhanced live #slackware OS) has been released to 2021.02-rc !
Quite big updates:
- Tencent #QQ (yes the notorious yet popular #spyware and IM tool around #Chinese communities) is experimentally added. It runs under #firejail which should well restrict its behaviors. 😂
- Other bloated applications (those installed in binary form) are also started under firejail #sandbox. #Linux
Privacy Cookbook - Chapter 6.9 - PC security - Firejail sandboxing
The beauty of the Privacy Cookbook is that I can jump around between different chapters & sections and provide updates and insights on new products and developments almost in real time.
https://dt.gl/privacy-cookbook-chapter-6-9-firejail/
#linux #firejail #security
#Firejail is a namespace sandboxer.
Firejail is a program that confines processes into lightweight #Linux namespace sandboxes. Namespaces in Linux can be used to limit what resources (filesystems, networks, USB, etc.) a process has access to. Firejail supports many programs by default, and can be configured to support others or to use special options with configuration files.
Website 🔗️: https://firejail.wordpress.com/
apt 📦️: firejail
I thought Firejail was proprietary. Turns out it's free code under the GPLv2:
https://github.com/netblue30/firejail/blob/master/COPYING
Could there be more than one program called #Firejail that does the same thing?
Me 10 minutes ago:
"What the hell? Why can't I access my local #rust docs anymore? They're a local html file and I see it right there! But Firefox won't recognize `file://` URLs—how could *that* possibly break??
Me last Sunday:
*installs #firejail and sets it up to auto-run for all apps it knows about*
Me right now:
*face-palm* "yes, that is exactly what a sandbox is
… Now, where's the 'pause' button on this thing?
#Secbrowser automatically makes use of #Firejail (in testers repository, coming soon to stable repository) and works with #Hardened_Malloc (if it's manually installed and SecBrowser has been started with ›secbrowser‹ from the command line).
https://www.whonix.org/wiki/Hardened_Malloc
https://www.whonix.org/wiki/Whonix-Workstation_Security#Firejail
#browser #security #privacy #end_of_clearnet_browser_discussion
This should be the end of the endless browser discussion: Running #SecBrowser (firejailed?) in Debian 10 Buster now – and other OS soon.
SecBrowser ist Tor Browser without Tor.
#security #privacy #browser #Qubes #Firejail #Debian #Whonix
Whonix' guides are, by the way, *always* a good security read.
https://www.whonix.org/wiki/SecBrowser
https://www.whonix.org/wiki/Kicksecure
https://firejail.wordpress.com/
@kuketzblog bei mir kommt #Thunderbird immer noch ins #Firejail . Bringt keine funktionalen Einschränkungen mit sich und hinterlässt ein gutes Gefühl, wenn der Donnervogel nicht auf alle privaten Dokumente zugreifen kann.