This repository has been archived by the owner on Jun 21, 2018. It is now read-only.

Install firejail and sandbox default programs #86

Closed
11 of 13 tasks
KellerFuchs opened this issue Apr 6, 2016 · 18 comments

Comments

@KellerFuchs
Member

KellerFuchs commented Apr 6, 2016

I think it would be a pretty good security improvement to provide users with firejail and run several things (like weechat or mutt) inside.
Note that user configuration (in ~/.config/firejail) always trumps system-wide config (in /etc/firejail).

This would ideally involve:

Pro:

  • Protects users from vulnerabilities in sandboxed applications.
    For instance, that would prevent exploitation of a vulnerability in weechat (or, more likely, in a script) to run sudo hashbangctl, access private keys and so on.
  • Lets users sandbox arbitrary applications, unlike LSMs (like SELinux or AppArmor) which only allow root to define profiles.
  • Encourage users to learn to use modern security features: firejail uses namespaces, capabilities and seccomp (mainly), yet stays fairly accessible and user-friendly.

Cons:

  • A profile that is too restrictive can make sandboxed applications fail (by preventing access to a given resource).
    We can have violations of the default profiles written to syslog(3) and mailed to us to be able to handle those issues quickly.
  • A vulnerability in firejail itself may enable privilege escalation (by #! users), as it is a suid binary.
    This seems pretty unlikely, however.
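
What such a system-wide profile looks like, as an added example that is not the shell-etc profile: a firejail profile for weechat that whitelists the home directory (so ~/.ssh, ~/.gnupg and friends do not exist inside the sandbox), drops capabilities, applies the default seccomp filter and sets NO_NEW_PRIVS. Directive names are those of firejail.profile(5); the assumption is that weechat keeps everything under ~/.weechat, which is its default.

```text
# /etc/firejail/weechat.profile  (example; a user copy in
# ~/.config/firejail/weechat.profile takes precedence over this file)

# Deny lists shipped with the firejail package (shells' history files,
# compilers, editors' backup files, etc.)
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc

# Home directory: only ~/.weechat is mounted into the sandbox. Everything
# else in $HOME (private keys, mail, other programs' config) is simply
# absent, so a compromised weechat script cannot read it.
# Assumption: weechat's default configuration directory is used.
whitelist ~/.weechat

# Kernel attack surface: no capabilities, default seccomp syscall filter,
# no setuid/setgid escalation (NO_NEW_PRIVS), no fake root, no
# supplementary groups, only the socket families an IRC client needs.
caps.drop all
seccomp
nonewprivs
noroot
nogroups
protocol unix,inet,inet6
netfilter

# Fresh, empty /dev and /tmp inside the sandbox
private-dev
private-tmp
```

Test it with `firejail --profile=/etc/firejail/weechat.profile weechat` (plain `firejail weechat` picks the profile up by program name once it is installed under either directory), and run through the plugins and scripts users actually load: anything that writes outside ~/.weechat, or needs a syscall outside the default seccomp list, is exactly the "too restrictive" failure mode listed under Cons and is cheaper to find now than after the profile is enabled by default.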
@KellerFuchs KellerFuchs self-assigned this Apr 6, 2016
@KellerFuchs
Member Author

PS: That might be unclear in the description, but we can start providing firejail without sandboxing any application (you have to explicitly run firejail weechat to get it sandboxed) and thoroughly test the profiles first.

@KellerFuchs
Member Author

@hashbang/administrators Would anyone have any issue with installing firejail? That wouldn't make it automatically used anywhere (as I said, you have to explicitly run firejail foo), but it would let people (who want to) use it, test profiles and so on.

@ghost

ghost commented Apr 6, 2016

No issue.

Ryan Rion ryan@hashbang.sh
Programmer :: Scripter :: Designer :: Administrator
https://github.com/ChickenNuggers

@KellerFuchs
Member Author

Ok, let's install that.

@KellerFuchs
Member Author

       Ryan │ KellerFuchs: I'd suggest moving the sandboxing default programs to hashbang/dotfiles
       Ryan │ And then add 'install firejail' as an issue for shell-etc
KellerFuchs │ Ryan: Having the default profiles in dotfiles makes them hard to update if we ever find a bug in them, though
       Ryan │ Alright. System defaults, then.

@KellerFuchs
Member Author

KellerFuchs commented May 12, 2016

Rolled back the installation of firejail in 473bcef
I checked beforehand, and I was still the only person running it.

Rationale:

  • the net option would have enabled users to create network namespaces and attempt to assign themselves IPs that don't belong to our server;
  • firejail itself doesn't do privilege separation properly (which could be a concern, should there be a security flaw in firejail);
  • I have some other issues with the firejail code, in the end.

I will endeavour to have that fixed upstream, and this issue will be blocked in the meantime.

@KellerFuchs
Member Author

@ChickenNuggers Thanks, I was too lazy to add the label to the project that early in the morning.

As soon as a new release of firejail is tagged (and available in Debian), we can install it again since it will support a config file letting us set which firejail features are available.
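
The kind of setting that config file provides, as an added example (not the configuration proposed in the shell-etc pull request): a fragment of /etc/firejail/firejail.config that turns off the `--net` family for unprivileged users, which is what allowed a user to create a network namespace and assign it arbitrary addresses on the shared host. Key names are taken from firejail-config(5); check them against the file shipped by the Debian package, and the list of features disabled below is an assumption about what a shared shell host does not need.

```text
# /etc/firejail/firejail.config  (example fragment)

# Weak setting (the package default): any user may pass --net=<iface>,
# --ip=<addr> and --mac=<addr> and end up with an interface carrying an
# address that does not belong to the server.
#network yes

# Hardened: network namespace setup is refused outright. Profiles still get
# per-sandbox filtering via "netfilter" and "protocol", which need no
# namespace of their own.
network no

# Alternative: keep --net, but only for root (unprivileged users are left
# with --net=none).
#restricted-network yes

# Other privileged features with no use on this host (assumption).
chroot no
overlayfs no
userns no
bind no
file-transfer no

# seccomp is what the profiles rely on; leave it enabled.
seccomp yes
```

After changing the file, `firejail --net=eth0 true` run as an ordinary user should be refused with an error rather than silently succeed; that is the one-line check that the setting actually took effect on the installed version.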

KellerFuchs added a commit to KellerFuchs/shell-etc that referenced this issue May 26, 2016
@KellerFuchs
Member Author

@hashbang/administrators OK, all the improvements we needed landed in upstream firejail, so we can start working on what we need next.

I'm opening a pull-request on shell-etc with the proposed firejail config, I will need people to review.

@KellerFuchs
Member Author

@hashbang/administrators Providing a profile for mutt requires replacing our current sendmail: it relies on being a sgid binary to write new mails to the mail queue directly, which simply won't work with NO_NEW_PRIVS.

I suggest using msmtp:

  • it's packaged in Debian;
  • it is simple and can easily be configured system-wide (in /etc), with users being able to override settings;
  • it can easily pin the fingerprint of mail.hashbang.sh;
  • it supports GSSAPI for authenticating the users, when we finally get started with authenticating mail senders.
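
The reason the sgid sendmail breaks under the sandbox is the NO_NEW_PRIVS flag set by the profile's `nonewprivs`: once it is set, execve() of a setuid/setgid binary runs it with the caller's own uid/gid, so the queue directory stays unwritable and the submission fails. msmtp needs no privilege at all. Below is an added example of the system-wide configuration the list above describes, not the file hashbang actually deployed: the fingerprint value is a placeholder to be replaced with the real one, and port 587 with STARTTLS is an assumption about how mail.hashbang.sh accepts submissions.

```text
# /etc/msmtprc  (example; read first, then overridden per-setting by
# each user's ~/.msmtprc)

defaults
# Always negotiate TLS and refuse to continue without it.
tls on
tls_starttls on
# Pin the relay's certificate instead of trusting a CA bundle. Obtain the
# value once with
#   msmtp --serverinfo --tls=on --tls-certcheck=off --host=mail.hashbang.sh
# and paste the SHA256 line here (msmtp 1.6 or later; older releases
# accept the SHA1 form). The value below is a placeholder, not real data.
tls_fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
# Derive the envelope sender from the Unix login name, so users need no
# per-account "from" line.
auto_from on
maildomain hashbang.sh
# Failures go to syslog, where the admins will see them.
syslog LOG_MAIL

account hashbang
host mail.hashbang.sh
port 587
# No sender authentication yet; switch to "auth gssapi" once Kerberos
# tickets are issued to shell sessions.
auth off

account default : hashbang
```

On the client side, mutt only needs `set sendmail="/usr/bin/msmtp"` in its configuration, and the firejail profile for mutt needs no special treatment for it, since msmtp is an ordinary unprivileged binary. A user who wants a different relay adds an `account` block to ~/.msmtprc; msmtp refuses a user file that contains a password unless it is readable only by its owner (mode 0600), which is the check to point people at when their override is ignored.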

@dpflug
Member

dpflug commented May 27, 2016

I use msmtp at home. I'm a fan. :)

@KellerFuchs
Member Author

@dpflug I will take that as approval and just do it, then.

@KellerFuchs
Member Author

firejail 0.9.40 landed today in Debian unstable.
It should land in testing in a week, and we can move forward at that time.

@hashbang/administrators @hashbang/contributors In the meanwhile, we can get a profile for mutt ready. That would help us not lose momentum.

@KellerFuchs
Member Author

KellerFuchs commented Jun 18, 2016

I merged #93 and installed firejail.
I also have a basic profile for mutt, which I might send in a separate pull-request.

KellerFuchs added a commit to hashbang/dotfiles that referenced this issue Aug 2, 2016
KellerFuchs added a commit to KellerFuchs/dotfiles that referenced this issue Aug 2, 2016
KellerFuchs added a commit to KellerFuchs/shell-etc that referenced this issue Aug 3, 2016
@KellerFuchs
Member Author

Doing some work now on weechat.profile.

@KellerFuchs
Member Author

We could actually enable firejail on weechat now: the profile is currently pretty basic, but better than nothing.

@hashbang/administrators Any thoughts?

@lrvick
Member

lrvick commented Sep 1, 2016

@KellerFuchs Fine with me.

@KellerFuchs
Member Author

@lrvick Done and tested.

@KellerFuchs
Member Author

Actually, now that weechat's firejail profile uses a homedir whitelist, it's not so basic anymore :-)

I guess I can close this

lrvick pushed a commit that referenced this issue Jun 15, 2017
lrvick pushed a commit that referenced this issue Jun 15, 2017
KellerFuchs added a commit that referenced this issue Sep 20, 2017
KellerFuchs added a commit that referenced this issue Sep 20, 2017