Firejail is great as it sandboxes applications, which improves privacy and reduces any exploits that can attack the OS.
However, what if a user wanted to use Adobe Reader, for example, and it needs access to all of your files in order to read the PDF files? The user can't fully restrict the application's access to the files, so he/she has to allow it such access. What if this application doesn't perform any malicious activity but does invade the user's privacy by collecting browsing history, collecting file names and sending them to Adobe servers?
I wish that Firejail could test an installed application, or search the entire operating system, to ensure that no application or system software is doing anything that could leak confidential information, such as secretly sending copies of my files to a server, secretly taking screenshots of my desktop and sending them to a server, collecting telemetry, etc.
So essentially I want Firejail to monitor the behaviour of other applications/system software without it being complicated to use. Is that possible?
Given the way it currently works, probably not. The way firejail currently works is that it sets up the sandbox, launches the program, and goes to sleep. If you're concerned about an application, only give it access to a specific directory (I usually use ~/Downloads) and put any files you want to read in there. That's what I do for firefox, for example, as well as many of the messaging apps I use. If you also deny it internet access, it can't upload stuff even if it wants to. There are ways to prevent the stuff you're talking about here using firejail, but they may necessitate a change in habits.
Well, isn't it possible to implement the new features that I have mentioned in firejail, though?
Oh ok, I understand. But still, I would like to have this feature installed; it makes everything a lot better.
On Sat, Jul 28, 2018 at 4:14 PM ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:
But what you're talking about is runtime monitoring of the application, which is entirely out of the scope of firejail...
Yes I know, and I wish firejail to have this feature included as well, as I have mentioned some of the problems of sandboxing applications.
On Sat, Jul 28, 2018 at 4:32 PM ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:
But that's what I'm saying. If you don't want it to access your entire filesystem, don't let it! You can allow just one folder for file transfers. I do this all the time, including with my browser, image editor, etc. If there's a folder they're "supposed" to be able to access (e.g. Documents), then grant them access to that as well. So for example, for the PDF reader, you might allow it to access Documents (for documents you create yourself and permanent documents you download) and Downloads (for temporary documents you download). If you don't want it to send anything to Adobe's servers, don't grant it internet access (net none). A lot of what you want to accomplish can already be done with firejail, and to introduce a runtime monitoring system would drastically increase the code complexity and most likely bring in additional dependencies, making it heavier, less usable, and more prone to bugs and security issues.
And you're not going to be able to block the collection of telemetry. You just aren't. The only hope is if they either let you disable it (e.g. firefox) or they upload it to a different server from the main one (so you can block it with a hosts file entry). What you _can_ do is block uploading stuff to their servers (again, by using net none), but that depends on the program not needing internet access for normal function. As I said earlier, most of what you want can be achieved by a few simple directives in the firejail profile.
"But that's what I'm saying. If you don't want it to access your entire filesystem, don't let it!" What if you thought that application was safe and you needed to allow it access to a particular confidential file, and it turns out that it sent a copy to a server? That is why I want Firejail to monitor and report back to me as to what that application was doing.
On Sat, Jul 28, 2018 at 4:42 PM ಚಿರಾಗ್ ನಟರಾಜ್ notifications@github.com wrote:
You could configure AppArmor for that. This also allows you to blacklist files, or only report on blacklisted file access.
"or only report on blacklisted file access." So I can get an alert if it attempts to access a certain file, right?
On Sat, Jul 28, 2018 at 6:58 PM Reiner Herrmann notifications@github.com wrote:
Yes, by default it logs accesses to the kernel log. But it's possible to set up userspace notification daemons and desktop applets for informing the user.
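As an added example (not from the thread or from the AppArmor project), here is how those kernel-log denials can be reduced to something a notifier or cron job could act on; the log lines are constructed samples, and the profile name pdfreader and the paths in them are assumptions:

```shell
#!/bin/sh
# Constructed sample of AppArmor messages as they appear in dmesg / journalctl -k
# when a rule such as   audit deny @{HOME}/.ssh/** rw,   or   deny network,   fires.
# Profile name, paths, pids and timestamps are made up for this example.
SAMPLE_LOG='audit: type=1400 audit(1532796001.101:201): apparmor="DENIED" operation="open" profile="pdfreader" name="/home/alice/.ssh/id_rsa" pid=4242 comm="pdfreader" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1532796001.355:202): apparmor="ALLOWED" operation="open" profile="pdfreader" name="/home/alice/Documents/report.pdf" pid=4242 comm="pdfreader" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1532796002.010:203): apparmor="DENIED" operation="open" profile="pdfreader" name="/home/alice/.ssh/id_rsa" pid=4242 comm="pdfreader" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1532796003.777:204): apparmor="DENIED" operation="connect" profile="pdfreader" pid=4242 comm="pdfreader" family="inet" sock_type="stream" protocol=6 requested_mask="send" denied_mask="send"'

# Read log lines on stdin and print one line per distinct
# (profile, operation, target, denied_mask) with a count, e.g.
#   2 pdfreader open /home/alice/.ssh/id_rsa r
# Targets without a name= field (network operations) show up as "-".
# Note: splitting on whitespace assumes paths without spaces.
summarize_denials() {
  grep 'apparmor="DENIED"' |
  awk '{
    prof = ""; op = ""; name = "-"; mask = ""
    for (i = 1; i <= NF; i++) {
      n = split($i, kv, "=")
      if (n < 2) continue
      v = kv[2]; gsub(/"/, "", v)
      if (kv[1] == "profile") prof = v
      else if (kv[1] == "operation") op = v
      else if (kv[1] == "name") name = v
      else if (kv[1] == "denied_mask") mask = v
    }
    count[prof " " op " " name " " mask]++
  }
  END { for (k in count) print count[k], k }' | sort
}

# Return 0 (true) when the sample log shows a denied access to the given
# path; a desktop applet could call this and raise an alert.
sensitive_access_seen() {
  printf '%s\n' "$SAMPLE_LOG" | summarize_denials | grep -qF -- " $1 "
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denials
```

On a real system, feed `summarize_denials` from `journalctl -k` or `dmesg` instead of the constructed sample.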
@Raj2032 what you ask is beyond the scope of firejail. Use tools which are designed for the job, like the Audit framework (remember the Unix philosophy: write programs that do one thing and do it well).
That being said, your "allow and monitor" approach is wrong for security. When you get a report that your secrets were sent somewhere over the internet, it's already too late.
Look at what @chiraag-nataraj recommended to you and run something like firejail --whitelist=~/Documents --net=none <pdf-app> to view docs and so on.
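As an added example (not from the thread, the firejail project or any of its contributors), here is the whitelist-plus-net-none setup recommended in this comment and in the earlier one about Documents and Downloads, turned into a per-user profile file the viewer can be launched with; the binary name pdfreader is an assumption:

```shell
#!/bin/sh
# Write a per-user firejail profile for a PDF viewer that can see only
# ~/Documents and ~/Downloads and has no network, then show how to launch it.
# "pdfreader" is an assumed binary name; replace it with the real viewer.
PDF_APP="${PDF_APP:-pdfreader}"

# write_pdf_profile DIR  -> writes DIR/<app>.profile and prints its path.
# firejail reads ~/.config/firejail/<app>.profile before /etc/firejail.
write_pdf_profile() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/$PDF_APP.profile" <<'EOF'
# Only these directories are visible; the rest of $HOME is replaced by an
# empty temporary filesystem, so a confidential file elsewhere cannot be read.
whitelist ${HOME}/Documents
whitelist ${HOME}/Downloads
# No network at all: nothing can be uploaded, telemetry included.
net none
# Cheap hardening for a document viewer.
caps.drop all
nonewprivs
noroot
seccomp
private-dev
private-tmp
EOF
  echo "$dir/$PDF_APP.profile"
}

# The one-off command line from the thread, equivalent to the profile above
# minus the extra hardening lines.
adhoc_command() {
  echo "firejail --whitelist=~/Documents --net=none $PDF_APP"
}

# Usage: sh this.sh install   (writes the profile into the user's config dir)
if [ "${1:-}" = "install" ]; then
  p=$(write_pdf_profile "$HOME/.config/firejail")
  echo "wrote $p; launch with: firejail --profile=$p $PDF_APP file.pdf"
else
  echo "without a profile file, run: $(adhoc_command)"
fi
```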
Thanks for that :)
Why does Unix have this philosophy in the first place?
On Sat, Jul 28, 2018 at 9:11 PM Vincent43 notifications@github.com wrote:
Unix has this philosophy because it has (historically, anyway) resulted in smaller programs which can be easily reused to make larger programs or scripts or whatever. Basically, it becomes more flexible as a result, and the people who are making the programs in the first place don't necessarily have to think about every use case. https://en.wikipedia.org/wiki/Unix_philosophy