# Someone please create a FIREJAIL equivalent for FreeBSD ..... Lack of a sandbox tool is the only reason I moved back to Linux



## john_rambo (Dec 2, 2021)

Hi,
I tried FreeBSD some months back. I am paranoid about security. I asked here how to configure PF and I got help almost instantly. Everything was going fine except running Firefox inside a sandbox. I tried very hard to run Firefox inside a Jail but unfortunately I didn't succeed. So I had no choice but to move back to Linux.

If running Firefox or other network facing apps like Pidgin, Thunderbird, etc inside a sandbox is unnecessary or overkill is entirely a different topic. Personally I won't run at least Firefox outside of a sandbox. 

So it is my request to the FreeBSD devs and community please make a firejail equivalent for FreeBSD.

Under Linux, if you want to run Firefox inside firejail all you need to do is `$ firejail firefox`. That's it.

https://firejail.wordpress.com/


----------



## mark_j (Dec 2, 2021)

See here


----------



## john_rambo (Dec 2, 2021)

mark_j said:


> See here


I have submitted my request in that thread. Let's hope for the best.


----------



## mark_j (Dec 2, 2021)

You can only ask and they can only know if you ask.


----------



## shkhln (Dec 2, 2021)

https://github.com/unrelentingtech/capsicumizer is a direct equivalent. It's obviously pointless to run a browser with it, though.


----------



## hardworkingnewbie (Dec 2, 2021)

Look at what the cat dragged in: https://github.com/netblue30/firejail/issues/3046


----------



## rootbert (Dec 2, 2021)

we do not need firejail - we have jails. And chrbr has advised you in your thread https://forums.freebsd.org/threads/do-you-run-firefox-inside-a-jail.80190/ to stick to the howto of https://forums.freebsd.org/threads/...-in-a-jail-using-iocage-and-ssh-jailme.53362/


----------



## drhowarddrfine (Dec 2, 2021)

john_rambo said:


> I have submitted my request in that thread. Let's hope for the best.



Posting there will gain you nothing. This is a user's forum, not a feature request forum that developers regularly visit.

In addition, I don't know what firejail is but is this a tool for a tool for a tool? Or is it almost the same as what we already have and Linux has it so we have to? In that case, no.


----------



## freezr (Dec 2, 2021)

Firejail had serious vulnerabilities in the past, ending up increasing the attack surface rather than reducing it. I don't believe the situation has improved so far, since other technologies came out after.


----------



## kpedersen (Dec 2, 2021)

I run all web browsers in a jail. I thought this was common practice.

OP: I highly recommend following this: https://docs.freebsd.org/en/books/handbook/jails/

Take your time to learn how to do it right. If you are happy to sacrifice some security for convenience, you can also just use a chroot (this is useful for OpenBSD, Linux and other operating systems lacking a real Jails system).


----------



## forquare (Dec 3, 2021)

BastilleBSD-Templates / firefox · GitLab (gitlab.com): Bastille template to bootstrap Firefox web browser




I've not used it, but the Bastille Jail manager appears to have a template for running Firefox in a Jail.


----------



## Alain De Vos (Dec 3, 2021)

X ssh forwarding to a jail has many problems with many X applications. It only works well with simple X programs.


----------



## Zare (Dec 5, 2021)

...and if you're up for a simple web experience you might use a minimalistic browser, whose attack surface is next to none, as a native process.



john_rambo said:


> Hi,
> I tried FreeBSD some months back. I am paranoid about security. I asked here how to configure PF and I got help almost instantly. Everything was going fine except running Firefox inside a sandbox. I tried very hard to run Firefox inside a Jail but unfortunately I didn't succeed. So I had no choice but to move back to Linux.
> 
> If running Firefox or other network facing apps like Pidgin, Thunderbird, etc inside a sandbox is unnecessary or overkill is entirely a different topic. Personally I won't run at least Firefox outside of a sandbox.
> ...



Are you aware you can run those programs from different user accounts?

You're paranoid about security but you would use an application (on Linux) that has a history of exploits as your security driver and helper?

If you don't know much in depth about OS security but you would like to have the best possible protection with the least effort, just follow the basics - a firewall for network security, user/group segmentation for files and programs.

If you know, but don't know how to prevent a certain attack vector on FreeBSD, do write what your use case is about and I'll be glad to help.

In case of #1, FreeBSD already provides some groups that allow a user to achieve a certain capability.

For instance if you 
- make a non wheel account - firefox_user
- add it to the video group
- remove r/x permissions from $HOME dir of your main account
- use xhost to add permission for another account to connect to your session
- set $DISPLAY env in context of firefox user and run firefox from that shell

The browser runs natively but the user account it runs under can't reach your files.
Technically, a normal user application will write to users home and /tmp, and it will read from /usr/local/, /dev/, procfs...
So you can use permissions to hide entire system-wide configuration and enable 'limited' users of this kind only to see what's going on in their home or default packages path. 

While you can't just apply sandbox and you need to know what kind of resources application consumes, I'm pretty much certain that a user-local installation of firefox would only require r/w access of $HOME and /tmp with read access to devfs and procfs.

Any exploitation of firefox would result in a shell of limited user account. Whether it can be exploited further via privilege escalation is not to be concerned with in this particular layer of security.

Granted, sandboxes with browsers make things automatic and the browser itself sets security features of a certain loaded page but I prefer the OS generic approach.
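The "separate unprivileged account" setup described in the post above, written out as a script. This is an added example, not code from the original post: the account name `firefox_user`, the display `:0` and a `/home/<user>` layout are assumptions. The FreeBSD-specific commands (`pw`, `xhost`, `su`) are only emitted by `setup_commands` so they can be reviewed before being run as root; the audit functions that verify the "remove r/x from your home directory" step use portable `ls`/`cut` and run on any POSIX sh.

```shell
#!/bin/sh
# Added example (not from the thread): run a browser under a throwaway
# unprivileged user and verify that your real home directory is not
# readable or traversable by that user.
# Assumed names: firefox_user (account), :0 (X display), /home/* (homes).

BROWSER_USER="${BROWSER_USER:-firefox_user}"   # hypothetical account name
DISPLAY_ID="${DISPLAY_ID:-:0}"                 # assumed X display

# Emit the FreeBSD commands for the setup steps: create a non-wheel account
# in the video group, close your own home directory to "other", allow the
# new local user to connect to the X session, and start the browser from a
# shell that has DISPLAY set. Printed, not executed: review, then run as
# root with   setup_commands | sh
setup_commands() {
    cat <<EOF
pw useradd -n $BROWSER_USER -m -s /bin/sh -G video
chmod 700 /home/$(id -un)
xhost +si:localuser:$BROWSER_USER
su -l $BROWSER_USER -c 'env DISPLAY=$DISPLAY_ID firefox'
EOF
}

# The "other" rwx triplet of a path, e.g. "---" or "r-x".
# Columns 8-10 of ls -ld output are the same on GNU and BSD ls.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Exit 0 only when no "other" bit is set, i.e. an unrelated account such as
# the browser user can neither list nor traverse the directory.
dir_is_private() {
    [ "$(other_bits "$1")" = "---" ]
}

# Audit every directory directly under a home root (e.g. /home).
# Prints each world-accessible home and returns 1 if any was found.
audit_homes() {
    root="$1"
    bad=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue      # glob matched nothing
        d="${d%/}"
        if ! dir_is_private "$d"; then
            echo "world-accessible: $d ($(other_bits "$d"))"
            bad=1
        fi
    done
    return $bad
}

# Usage on a FreeBSD box, as root:
#   setup_commands | sh        # perform the setup
#   audit_homes /home          # confirm no home is open to the browser user
```

The audit matters because the whole scheme rests on file permissions: if any home directory under `/home` still carries an `r` or `x` bit for "other", a compromised browser process running as `firefox_user` can read it, so `audit_homes` is worth re-running after package upgrades or `adduser` runs that may create homes with the default `755` mode.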


----------



## Alain De Vos (Dec 5, 2021)

My 5 cents: if you want to be safe, use OpenBSD. I seriously doubt firejail on Linux is safer.
Or if you trust the Mozilla Foundation, just use Firefox on FreeBSD.


----------



## ct85711 (Dec 5, 2021)

Two other options to run firefox securely: the first is to install it inside a chroot environment. It isn't too secure (better than firejail will ever be), but you have to poke holes to give access outside the set folder. Like mentioned above, a jail will be more secure. Even more above jails would be running firefox within a complete VM environment. It would be significantly more resource intensive, but every interaction with the system/hardware is emulated. Another bonus of putting firefox in a full VM is that it allows you to share/move the image to other systems/OSes and also gives you the option to roll back any/all changes whenever you want without affecting the base system.


----------



## Alain De Vos (Dec 5, 2021)

When not doing ssh forwarding because it will fail, the other option is running a VNC server in a jail or a nested X server.


----------



## Zare (Dec 21, 2021)

I wanted to say this with the first sentence of my previous post: if you can use a browser over VNC or X11, you most certainly do not require "modern web features", so what's the point of security isolation of a modern browser then? A user in that scenario can try a number of minimal browsers from ports that shouldn't have any of the capabilities, any of the "millions of lines of code", that are bound to be exploitable.

I ran FF over wired LAN over X11. It was slow and it would simply stop working. Usage over a "corporate intranet" and those kinds of sites, hardly the modern web demand. Over VNC it runs fine but with a significant lag. It would be unusable for multimedia with either protocol.


----------



## Hakaba (Dec 21, 2021)

in the last valuable news...


----------



## kpedersen (Dec 21, 2021)

Zare said:


> I wanted to say this with first sentence of my previous post; if you can use a browser over VNC or X11, you most certainly do not require "modern web features"


Annoyingly web developers tend to overconsume features. You can barely load google (or these forums!) without a "modern" browser.

Plus, even something as terrible as Facebook runs fine over VNC and X11/ssh (especially over localhost).

X11 can also be run directly via a UNIX socket (with direct access to the /dev/* if you are willing to sacrifice some security for WebGL features).


----------



## Alain De Vos (Dec 21, 2021)

I like websites you can visit with lynx, elinks, links. I think javascript is a pain.


----------



## grahamperrin@ (Dec 22, 2021)

drhowarddrfine said:


> Posting there will gain you nothing.



Why so pessimistic? 

Posting there led to inclusion in the summary: 

*FreeBSD Foundation-supported projects: call for ideas, November 2021*


----------



## drhowarddrfine (Dec 22, 2021)

grahamperrin Not pessimistic. Practical. It wasn't the correct place to ask for such things.


----------



## grahamperrin@ (Dec 22, 2021)

drhowarddrfine said:


> It wasn't the correct place to ask for such things.



Do you mean that a call for ideas should not result in ideas?


----------



## drhowarddrfine (Dec 22, 2021)

grahamperrin No. How did you come up with that? 

The original post says it's making a request to the devs and the community. This community, in general, is not composed of those who do such work. Requests for software have other places for such things. Here it will most likely fall on deaf ears.


----------



## kpedersen (Dec 22, 2021)

I noticed the OP has updated the title.

Their inability to use a proper sandboxing tool is the only reason they moved back to Linux.


----------



## drhowarddrfine (Dec 22, 2021)

I noticed that about a lot of people who lack ability.


----------



## grahamperrin@ (Dec 22, 2021)

jrm@ said:


> Hello all,
> 
> There is a thread on the freebsd-hackers@freebsd.org mailing list seeking project ideas.  If you have ideas about projects that the Foundation could support, please leave your feedback.
> 
> ...





john_rambo said:


> I have submitted my request in that thread. Let's hope for the best.





drhowarddrfine said:


> Posting there will gain you nothing. …



I prefer to think that the Foundation will decide.


----------



## drhowarddrfine (Dec 22, 2021)

grahamperrin said:


> I prefer to think that the Foundation will decide.



Again. He posted in these forums. These forums are not "the Foundation". And these forums are not where such devs typically hang out.


----------



## BawdyAnarchist (Dec 22, 2021)

john_rambo said:


> Hi,
> I tried FreeBSD some months back. I am paranoid about security. I asked here how to configure PF and I got help almost instantly. Everything was going fine except running Firefox inside a sandbox. I tried very hard to run Firefox inside a Jail but unfortunately I didn't succeed. So I had no choice but to move back to Linux.
> 
> If running Firefox or other network facing apps like Pidgin, Thunderbird, etc inside a sandbox is unnecessary or overkill is entirely a different topic. Personally I won't run at least Firefox outside of a sandbox.
> ...


If you're paranoid about security, you really probably shouldn't be using Linux unless it's Qubes. I've read that OpenBSD is renowned for having out-of-the-box default hardening applied, along with patching many of the gaping security holes in X11. So if you're looking for a "just works" solution, OpenBSD or Qubes are about as hardcore as you can get. ... That is, if you're serious about being paranoid.

FreeBSD is more like a highly versatile template that you can do anything with. It can be hardened, jailed, VM'd, etc.  I imagine it can be hardened as much as OpenBSD if you really took the time and knew what you were doing.

As others have said, just follow the guide for jailing Firefox. I run my entire system as a set of jails for literally every activity I do. The host is just a jail coordinator. Also, it is better to share the .X11-unix socket rather than use ssh X11 forwarding. There's no reason to encrypt the stream; it just eats resources and can cause display issues.


----------



## shkhln (Dec 22, 2021)

This whole thread is rather embarrassing (as usual with this topic).

1. OpenBSD doesn't even approach Qubes in terms of isolation: Qubes runs everything in a separate virtual machine with appropriate access controls, while OpenBSD does _nothing_ of the sort. Remember that Xorg doesn't limit keyboard/screen/clipboard access in any way, not to mention potential attacks on the X server itself.

2. OpenBSD's pledge/unveil works roughly at the same level as Linux's seccomp-bpf and stuff, so they should offer a similar level of protection against browser exploits. FreeBSD lags behind both — Firefox and Chromium sandboxes are simply disabled there.

3. Firejail is unlikely to offer any additional protection over the built-in browser sandbox: it's written by people of inferior skill (in comparison to the browser developers; whatever you think about Google, Chrome devs are definitely smarter people), based on the same kernel primitives and has no insight into internal browser things. Also keep in mind that the main point of browser sandboxing is protecting your sensitive _site_ data from other malicious or compromised sites — nothing that an external sandbox can fix.

4. Running a browser in a FreeBSD jail does actually make some sense, considering the lack of built-in sandboxing there; however, this is very difficult to do properly: you'll have to fully isolate it from the host's Xorg and you'll also have to maintain multiple separate jails for work/entertainment/banking activities. I think it's fair to say people like that don't exist. Sorry.


----------



## grahamperrin@ (Dec 22, 2021)

drhowarddrfine said:


> These forums are not "the Foundation".



True, however Joseph Mingrone (Joe) is Project Coordinator. 

He chose to use FreeBSD Forums (parallel to the freebsd-hackers list) to call for ideas. 

True: the community should welcome reasonable debate of the pros and cons of an idea. drhowarddrfine I disagree, strongly, with your suggestion that there was nothing to gain from responding to the Foundation's call.


----------



## Alain De Vos (Dec 22, 2021)

Secure browsing:
PS1: from time to time, `rm -vfR /home/myuser/.cache/*`
PS2: Chromium caches in different places.


----------



## drhowarddrfine (Dec 23, 2021)

grahamperrin Nothing I ever said had anything to do with "the Foundation's call" and I don't even know what you're talking about cause I did not respond to anything beyond the OP's initial post.

This sounds too much like a reddit thread back-and-forth, and I loathe anything reddit. You're not following anything I said and it seems you make things up as you go along, so I'm not responding anymore.


----------



## grahamperrin@ (Dec 23, 2021)

With respect: 



drhowarddrfine said:


> not following



I wonder whether you followed the link that mark_j provided in post #2. Doing so might have avoided some confusion.


----------



## Lamia (Dec 23, 2021)

Perhaps, the below might be of interest to someone. Running a service in a jail is so easy.

```
/usr/sbin/jail /jails/www www 10.10.10.36 /lighttpd -f conf/lighttpd.co
... and although this jail has a lot of content files in it, the actual UNIX userland is only what is required to run 'lighttpd'
  # find /jails/www/usr | wc -
  4
So it's an extremely lightweight environment with very little attack surface
You can also share a lightweight environment with multiple commands - here are two other jail commands

  /usr/sbin/jail /jails/dns ns1 10.10.10.30 /nsd/nsd -c /nsd/nsd.co
  /usr/sbin/jail /jails/dns dns 10.10.10.37 /unbound/unbound -c /unbound/unbound.con
... see how both jailings of 'nsd' and 'unbound' point to the same '/jails/dns' userland ? Once again, that userland is very, very compact
  # find /jails/dns/|wc -
  9
... so, 97 files total to run both name servers.
```
Source: HackerNews(Item id=29649066)

Other members might have some more examples.


----------



## grahamperrin@ (Dec 23, 2021)

Thanks,



Lamia said:


> Source: HackerNews(Item id=29649066)



FreeBSD jails for fun and profit - Topi Kettunen via <https://news.ycombinator.com/item?id=29649066>


----------



## vermaden (Dec 23, 2021)

john_rambo said:


> Someone please create a FIREJAIL equivalent for FreeBSD



Here: Secure Containerized Browser (vermaden.wordpress.com)

By default Chromium on OpenBSD (not so) recently got OpenBSD's unveil(2) support. That means that if you run Chromium with the `--enable-unveil` flag then it will be prevented from accessing a…


----------



## kpedersen (Dec 23, 2021)

shkhln said:


> however this is very difficult to do properly: you'll have to fully isolate it from the host's Xorg and you'll also have to maintain multiple separate jails for work/entertainment/banking activities.


I tend to use a few different solutions for jails, depending on what I am doing:

1) Host Xorg. Nothing special (easiest).
2) Xephyr. Fairly decent isolation, but you lose out on accelerated graphics.
3) Run Xorg in the jail itself. A pain to keep switching, but by nature it prevents "cross X11 communication" (which I see as a feature as well as a potential security hazard).
4) VNC. Better isolation, but you lose out on accelerated graphics; tends to be the slowest until you go on complex websites.

I probably trust them all more than a raw Chrome (including on Linux). Mainly because Chrome might have its own clever sandboxing, but it still has raw access to Xorg on the host (which I want but don't want at the same time. Hopefully X12 will add some "per client-program connection" security here when it comes).


----------



## vermaden (Dec 23, 2021)

grahamperrin said:


> Got it on page 1 at <https://forums.freebsd.org/posts/547568>, thanks Hakaba thanks vermaden


OK, sorry to spam then.


----------



## BawdyAnarchist (Jan 1, 2022)

shkhln said:


> This whole thread is rather embarrassing (as usual with this topic).
> 
> 1. OpenBSD doesn't even approach Qubes in terms of isolation: Qubes runs everything in a separate virtual machine with appropriate access controls, while OpenBSD does _nothing_ of the sort_._ Remember that Xorg doesn't limit keyboard/screen/clipboard access in any way, not to mention potential attacks on the X server itself.
> 
> ...


I wasn't trying to say that OpenBSD and Qubes were similar in terms of isolation. Just that I'd read that they tried to patch up some of the X11 security holes.  In the light reading I've done on this one, except for Qubes, I would overall trust OpenBSD security over almost any Linux distro (again, except for Qubes, which I do run on a laptop).


----------

