Firejail vs Fatdog's sandbox environment?

[Neo_78]

Could someone explain the conceptual difference between Firejail and Fatdog's built-in sandbox?

https://github.com/netblue30/firejail

"Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc."

From Fatdog's documentation on the sandbox environment:

https://distro.ibiblio.org/fatdog/web/faqs/sandbox.html

"Note: This only works for "well-behaved" application - that is application which do not pose security risk to your system. The sandbox is not a security tool. It is still possible for malicious apps to create havoc on the system. It is possible for malicious application to "escape" from the sandbox. If you need to secure yourself from these, you need a stronger sandboxing: consider using Linux Container sandbox or User Mode Linux or other virtualisation solutions such as Qemu (with/without KVM), VirtualBox, or others."

Has anyone used Firejail in Fatdog or has experience with a specific sandbox or container tool?

[Neo_78]

I tried to install the recommended bullseye-backport of firejail:

https://packages.debian.org/bullseye-backports/firejail

The .deb file converts to a Fatdog package and it installs correctly.

However, as a test run I tried

Code: Select all

firejail firefox --no-remote

and get the following error:

Code: Select all

Firejail: error while loading shared libraries: 
libapparmor.so.1: cannot open shared object file: No such file or directory

I then tried to install the listed AppArmor dependency, converted and installed the package successfully:

https://packages.debian.org/bullseye/libapparmor1

But still no fun. I get the same error when trying to run firejail.

Is this fixable?

[chiron]

When dependency hunting and installing converted debian library packages, they tend to be put in a subdirectory of /usr/lib or /usr/lib64, something like ./x64linuxgnu. That subdirectory is not in $PATH, and thus the libraries are not found. Copying or linking from their subdirectory to /usr/lib or /usr/lib64 does the trick.

[fatdoguser]

https://distro.ibiblio.org/fatdog/web/faqs/sandbox.html
"Note: This only works for "well-behaved" application - that is application which do not pose security risk to your system. The sandbox is not a security tool. It is still possible for malicious apps to create havoc on the system. It is possible for malicious application to "escape" from the sandbox. If you need to secure yourself from these, you need a stronger sandboxing: consider using Linux Container sandbox or User Mode Linux or other virtualisation solutions such as Qemu (with/without KVM), VirtualBox, or others."

Has anyone used Firejail in Fatdog or has experience with a specific sandbox or container tool?

kvm works well very for me

If you vnc into a application server from within the guest I find that having the sound directed to the host, leave the guest just handling the video and that is more inclined to avoid sound clipping and looks/sounds better.

The older version of qemu in gslapt has had audio configuration changed in the later version, what works for me for the later version (first commented out lines are the initial setup/build of the VM where a vHDD is created and fatdog iso booted and installed. Later uncommented section is how I subsequently boot that) ...

Code: Select all

#qemu-img create -f raw test.raw 4G

#qemu-system-x86_64 \
# -vga std \
# -cdrom Fatdog64-901.iso \
# -usbdevice tablet \
# -machine type=pc,accel=kvm \
# -cpu host \
# -enable-kvm \
# -m 1024 \
# -device virtio-net,netdev=mynet0 \
# -netdev user,id=mynet0,hostfwd=tcp::2222-:22 \
# -drive if=virtio,file=test.raw,format=raw \
# -boot d

QEMU_AUDIO_DRV=alsa qemu-system-x86_64 \
 -display none \
 -usbdevice tablet \
 -machine type=pc,accel=kvm \
 -cpu host \
 -enable-kvm \
 -m 1024 \
 -device AC97,id=snd0 \
 -device virtio-net,netdev=mynet0 \
 -netdev user,id=mynet0,hostfwd=tcp::2222-:22,hostfwd=tcp::5930-:5930 \
 -drive if=virtio,cache=none,file=test.raw,format=raw \
 -boot c

I set up the auto start of

Code: Select all

vncserver :30 -SecurityTypes none

within the guest rather than using qemu's vnc (-vnc :30) as tigervnc server to tigervnc viewer works better that tigervnc viewer to qemu vnc server. I forward that to the host port 55920 and from the remote system ssh -N <ip of host> -L 5902:localhost:55902
so that vnc session is accessed from the remote by vncviewer localhost:5902

As above the sound from the guest is heard on the host, you can set up tx/rx (sound loopback) direct transmission from the server to the remote if you prefer separation via Fatdog control panel (sound tab).

Be mindful that the guest system will be able to see the hosts ports, whilst host network wont see the guests ports. So make sure your main LAN systems have firewalls turned on, and you might want to drop access to your Router port
ROUTER_IP=192.168.1.1 # or whatever your router IP
iptables -A INPUT -s $ROUTER_IP -j DROP

kvm is otherwise a idle (virtual) cpu, might as well use it