Simplify the safeguarding of programs with Firetools

The console program Firejail starts processes in their own "sandboxes." These jails limit access to the rest of the system. If, for example, an attacker takes over your web browser via a security loophole, the attacker is trapped in the sandbox and cannot cause any further damage. However, rather inconveniently, you need to manage this useful tool on the command line using numerous parameters [1].

Thus, the Firejail developers have created Firetools – a graphical user interface for Firejail. It is based on the Qt4 framework, which KDE 4, among other software, also uses. Despite the pretty high version number (0.9.26.1), development of Firetools only started in the spring of 2015. The young tool's functionality is therefore still pretty simple, but the core functions are up and running. A simple double-click, for example, will launch an application in a sandbox. Statistics also allow the program to be monitored.

Installation

You will find binary packages for Debian, Ubuntu, Linux Mint, Fedora, openSUSE, CentOS 7, and RHEL on the Firejail website [2]. Although 32-bit versions are available for Debian, Ubuntu, and Mint, a 64-bit system is needed for the packages for the other distributions. Users of Arch Linux will find Firejail in the AUR [3], and the SlackBuilds directory supplies the packages for Slackware [4]. In any case, you can install the downloaded package using your distribution's package manager.

You will need to compile Firejail manually if no package is available for your distribution. To do so, first install a C compiler, Make, and the kernel headers via the package manager. Then, unpack the source archive downloaded from the Firejail website, switch to the directory just created, and install Firejail with the classic triple jump shown below. On top of Firejail and Qt4 (usually in the libqt4 package), Firetools requires the terminal program Xterm, which most distributions provide.

$ ./configure && make && sudo make install

Depending on your distribution, after the installation, you will find Firetools in either the start menu or in Ubuntu via the dashboard. The tool appears there as Firejail Tools. If in doubt, press Alt+F2 (or open a terminal) and start the program by typing firetools.

Behind Bars

Double-clicking one of the icons in Firetools' red main window (Figure 1) will start the corresponding program in a sandbox. Double-clicking the globe, for example, will open the Firefox web browser in a secured environment. Alternatively, you can right-click an icon and select Run from the context menu. Xterm is hidden behind the terminal icon, not the terminal emulation offered by the desktop environment used.

Figure 1: Clicking the respective icon is enough to start the program with Firejail in a secure sandbox.

To move the red window, place the mouse pointer on it. Then, hold the left mouse button and drag the window to the desired position. Clicking the small white bar in the top right corner will minimize the window.

There is then only one icon left in Ubuntu at the top right in the panel. To display the window again, click the icon and select Restore.

The red main window can currently manage a maximum of 12 applications. To add your own program, right-click an empty space and select Edit. Now specify the name of the program in the window from Figure 2 and a description that will appear later in the tool tip. In Command, define the Firejail command that Firetools will use to lock the application in a sandbox. For a simple sandbox, you can just type firejail followed by the name of the application. You can increase security by enabling two of the kernel's additional security mechanisms using the corresponding parameters. The following example locks LibreOffice in this way:

$ firejail --seccomp --caps.drop=all libreoffice

Figure 2: Specify the Firejail command in the settings of the respective entry. In this example, Firetools would start the document viewer.

Be careful: Firetools only executes the command stored here, exactly as written. It does not check that the application actually runs in a sandbox. If you only type firefox in the box, Firetools will start the browser outside of a jail. You can change the details later by right-clicking the corresponding program in the red main window and then selecting Edit. To remove a program from the window, select Delete from the context menu. However, this only works with programs you added; icons that are already there can't be deleted, they can only be edited via Edit.

There are more shortcomings: It is not possible to incorporate your own icons, for example. The programs you add only appear with text. The current version of Firetools (0.9.26.1) also forgets all settings as soon as you close the window by right-clicking and selecting Quit. This applies to both edited and new entries.

Useful Toolbox

If you click Firetools in the Firetools window or select the Tools item from the context menu, a window appears that lists all the sandboxes currently running with some relevant additional information. In Figure 3, Firefox is running under the process ID 19090, is taking up 0.20 percent of the processor time, and is hogging 268,296 kibibytes of main memory. The program was started by Firetools using the firejail firefox command (Command) and is not currently sending any data (TX(KB/sec)) or receiving any (RX(KB/sec)). Firetools continuously updates the data; however, in the test, the RX/TX counter didn't work and was constantly at 0.

Figure 3: The Firetools process analysis shows all the programs launched with Firetools. A terminal and Firefox are each running in a separate sandbox.

You will receive detailed information by clicking a process ID (Figure 4). The display shows the processor load and the memory usage in the last few minutes for each process in two curves. Unusual fluctuations may indicate attack attempts or a process running out of control. To kill the process, click Shutdown. The Process Tree indicates which sub-processes the locked application has started. These processes run in the same sandbox. You can open a shell in this same sandbox via Join. This is useful for analyzing the processes in the sandbox and ending them in a controlled manner.

Figure 4: The statistics provide information about resource requirements for the monitored process.

The analysis window contains the items Seccomp and Capabilities. If the hexadecimal number behind Capabilities is not composed entirely of zeros, the process is allowed to access one or more system functions. To determine the specific functions, click the hexadecimal number (Figure 5). If Seccomp is set to enabled, the system prohibits the process from executing certain security-critical actions. This includes not being allowed to start programs with root privileges (SUID).

Figure 5: After clicking Capabilities, Firetools also displays all system functions prohibited by Firejail.

If you click enabled, you will get a list of all prohibited system functions and actions (Figure 6). To specifically prohibit or allow one of the functions, you need to give Firejail the corresponding parameter, which a previous article already covered in detail [1]. Firetools itself does not provide any options for this at the moment.

Figure 6: The Seccomp filter prohibits the process from mounting filesystems, among other things.
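
The seccomp state and the capability masks can also be checked from a terminal, because the kernel reports them in /proc/<pid>/status. The following script is an added example, not part of Firetools or Firejail: it decodes the Seccomp field and the CapEff and CapBnd masks into names. The function names and the sample values are constructed for illustration; which capability set Firetools displays is not stated in this article.

```sh
#!/bin/sh
# Added example: decode the Seccomp and capability fields of /proc/<pid>/status.
# Capability names by bit number (0-40), as defined in linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# field NAME TEXT -> value of the "NAME:" line in status text
field() { printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2 }'; }

# decode_caps HEXMASK -> names of the capabilities set in the mask, or "none"
decode_caps() {
    case "$1" in ''|*[!0-9a-fA-F]*) echo invalid; return 0 ;; esac
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        [ $(( (mask >> bit) & 1 )) -eq 1 ] && out="$out $name"
        bit=$((bit + 1))
    done
    # Bits beyond the table were added by a kernel newer than this list.
    [ $((mask >> bit)) -ne 0 ] && out="$out unknown"
    out=${out#" "}
    echo "${out:-none}"
}

# seccomp_mode N -> meaning of the Seccomp field value
seccomp_mode() {
    case "$1" in 0) echo disabled ;; 1) echo strict ;; 2) echo filter ;; *) echo unknown ;; esac
}

# audit_status: read status text on stdin, print a one-line summary
audit_status() {
    text=$(cat)
    echo "seccomp=$(seccomp_mode "$(field Seccomp "$text")")" \
         "effective=[$(decode_caps "$(field CapEff "$text")")]" \
         "bounding=[$(decode_caps "$(field CapBnd "$text")")]"
}

# Constructed sample: values assumed for a sandbox with seccomp on and all capabilities dropped.
SAMPLE='Name: libreoffice
CapEff: 0000000000000000
CapBnd: 0000000000000000
Seccomp: 2'

# With a PID argument, inspect that process; otherwise show the sample.
if [ $# -gt 0 ]; then audit_status < "/proc/$1/status"
else printf '%s\n' "$SAMPLE" | audit_status; fi
```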

You can open the DNS settings that currently apply on the system via the DNS entry; clicking Home returns you to the overview. All Firejail sandboxes, even those that you started in a separate terminal rather than in Firetools, always appear in the overview.

Conclusions

The fact that the development of Firetools only started in the spring of 2015 is reflected not least in its limited functionality. The main window forgetting all changes upon quitting is particularly annoying – it degrades the tool in its current form to little more than an object to look at. If you need to use a specific function in Firejail, you also need to attach the corresponding parameters to the program call. The constantly updated statistics in the tools window at least provide a decent and quick overview of the current processes. Firetools will definitely be a useful tool for using Firejail if the developers correct the issues described soon.

Infos

  1. "Running Your Programs in a Jail with Firejail" by Tim Schürmann, Linux Magazine, Issue 173: http://www.linux-magazine.com/Issues/2015/173/Firejail
  2. Download Firejail and Firetools: https://l3net.wordpress.com/projects/firejail/#downloads
  3. AUR for Firejail: https://aur.archlinux.org/packages/firejail
  4. Firejail in the SlackBuild repository: http://slackbuilds.org/repository/14.1/system/firejail/?search=firejail