~alpine/users

Firejail

Details
Message ID
<MexPCzM--3-2@keemail.me>
I've noticed that `firejail` isn't available in the repositories. Will it be available in the future?

Also, the Tor browser doesn't work with `musl`. Is there a workaround?
Details
Message ID
<87c4c1c0-f20-3f9-2a6-a85c9a4b2133@dereferenced.org>
In-Reply-To
<MexPCzM--3-2@keemail.me> (view parent)
Hi,

On Mon, 19 Jul 2021, ml-devel@keemail.me wrote:

> I've noticed that `firejail` isn't available in the repositories. Will it be available in the future?

`firejail` has a rather problematic design, so we dropped the package as 
we were not confident in its dependability as a security tool.

There are other tools like bubblejail that may work for your use case.

> Also, the Tor browser doesn't work with `musl`. Is there a workaround?

I'm not familiar with the modifications made to Firefox with tor-browser, 
but you should be able to just use Firefox with Tor directly, I think.

Ariadne
Details
Message ID
<MextMId--3-2@keemail.me>
In-Reply-To
<87c4c1c0-f20-3f9-2a6-a85c9a4b2133@dereferenced.org> (view parent)
Jul 19, 2021, 07:26 by ariadne@dereferenced.org:

> `firejail` has a rather problematic design, so we dropped the package as we were not confident in its dependability as a security tool.

The main reason I use Firejail is because it has a simple front-end. For instance, if I don't want an application to see the contents of my local filesystem, I could simply use the `--private` flag. I could use `--net=none` to prevent the application from accessing the network. Firejail also has extensive documentation, which makes it easy to figure things out.

I understand that one shouldn't rely solely on Firejail for security/privacy, although I think it's a great tool to have in the arsenal. I would like to request the re-addition of Firejail into the official repositories.

> I'm not familiar with the modifications made to Firefox with tor-browser, but you should be able to just use Firefox with Tor directly, I think.

Yes, I could do this. Although Tor provides additional anti-fingerprinting measures, which Firefox doesn't provide by default.

Also, I noticed that `apparmor` is still in the testing repository. How unsafe is it to run your systems, especially production-facing ones, without `apparmor`? Is there an alternative that's currently provided?

"All userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities."

I am not sure what the above lines mean. Does PIE, in a way, function as a kind of alternative to apparmor?

(I am not a security-expert, so please bear with my questions. I'm just trying to harden my system, as a hobby.)
Details
Message ID
<20210719101703.yqqpbtcsgc2cqkpo@mail.wolfsden.cz>
In-Reply-To
<87c4c1c0-f20-3f9-2a6-a85c9a4b2133@dereferenced.org> (view parent)
On 2021-07-19 02:26:45 -0500, Ariadne Conill wrote:
> > I've noticed that `firejail` isn't available in the repositories. Will it be available in the future?
> 
> `firejail` has a rather problematic design, so we dropped the package as we
> were not confident in its dependability as a security tool.

Would you be able to recommend some reading on the topic? Since I'm
using it on my laptop I would like to know more.

W.

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
Details
Message ID
<5eec4fc-291d-1aae-dac-4776cba0945b@dereferenced.org>
In-Reply-To
<MextMId--3-2@keemail.me> (view parent)
Hi,

On Mon, 19 Jul 2021, ml-devel@keemail.me wrote:

> Jul 19, 2021, 07:26 by ariadne@dereferenced.org:
> 
> > `firejail` has a rather problematic design, so we dropped the package as we were not confident in its dependability as a security tool.
> 
> The main reason I use Firejail is because it has a simple front-end. For instance, if I don't want an application to see the contents of my local filesystem, I could simply use the `--private` flag. I
> could use `--net=none` to prevent the application from accessing the network. Firejail also has extensive documentation, which makes it easy to figure things out.
> 
> I understand that one shouldn't rely solely on Firejail for security/privacy, although I think it's a great tool to have in the arsenal. I would like to request the re-addition of Firejail into the
> official repositories.

Unfortunately, the SUID nature of firejail is sufficiently problematic 
that it won't return until there is a way to run firejail without being 
SUID.

> > I'm not familiar with the modifications made to Firefox with tor-browser, but you should be able to just use Firefox with Tor directly, I think.
> 
> Yes, I could do this. Although Tor provides additional anti-fingerprinting measures, which Firefox doesn't provide by default.
> 
> Also, I noticed that `apparmor` is still in the testing repository. How unsafe is it to run your systems, especially production-facing ones, without `apparmor`? Is there an alternative that's
> currently provided?

It is perfectly safe to run your systems without AppArmor or SELinux. 
These systems just provide mechanisms for building and loading policy 
statements into the kernel.  The normal UNIX security primitives, while 
not as advanced, are sufficient for the majority of production Alpine 
systems.

With that said, there is some interest amongst some developers to make 
AppArmor a first-class citizen in Alpine 3.15, but it's still early days 
of that effort, so we'll see how it plays out.  I think it would be nice 
to have, but I sleep well at night without it.

> "All userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and
> other vulnerabilities."
> 
> I am not sure what the above lines mean. Does PIE, in a way, function as a kind of alternative to apparmor?

AppArmor is a policy framework, PIE is a way of compiling programs to make 
them have a more randomized address space layout.  They are unrelated to 
each other.

Ariadne
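
Added example (not part of the message above, and not Alpine's own tooling): the PIE half of the quoted claim can be checked by reading each binary's ELF header, because a position-independent executable has `e_type` `ET_DYN` while a fixed-address one has `ET_EXEC`. `elf_kind` and `non_pie_in` are names made up for this example.

```shell
#!/bin/sh
# Added example; elf_kind and non_pie_in are hypothetical helper names.

# elf_kind FILE
#   Classifies FILE from the first 18 bytes of its ELF header:
#   pie-or-shared (e_type ET_DYN=3), fixed-address (ET_EXEC=2),
#   other-elf, or not-elf.
#   ET_DYN is also the type of shared libraries, so this tells a
#   relocatable image from a fixed one, not a program from a library.
elf_kind() {
    # Bytes as decimals: $1-$4 magic, $6 EI_DATA (byte order),
    # ${17}-${18} e_type.
    set -- $(od -An -tu1 -N18 "$1" 2>/dev/null)
    [ "$#" -eq 18 ] || { echo not-elf; return 0; }
    [ "$1 $2 $3 $4" = "127 69 76 70" ] || { echo not-elf; return 0; }
    case $6 in
        1) etype=$(( ${17} + 256 * ${18} )) ;;   # little-endian
        2) etype=$(( 256 * ${17} + ${18} )) ;;   # big-endian
        *) echo not-elf; return 0 ;;
    esac
    case $etype in
        3) echo pie-or-shared ;;
        2) echo fixed-address ;;
        *) echo other-elf ;;
    esac
}

# non_pie_in DIR...
#   Prints every regular file in the given directories that is a
#   fixed-address (non-PIE) ELF executable.
non_pie_in() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            if [ "$(elf_kind "$f")" = fixed-address ]; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}
```

Run as `non_pie_in /bin /usr/bin`; empty output means every ELF file found there is relocatable.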
Details
Message ID
<baa6b11-72eb-e3d0-d732-dc04ff7ae2a@dereferenced.org>
In-Reply-To
<20210719101703.yqqpbtcsgc2cqkpo@mail.wolfsden.cz> (view parent)
Hello,

On Mon, 19 Jul 2021, Wolf wrote:

> On 2021-07-19 02:26:45 -0500, Ariadne Conill wrote:
>>> I've noticed that `firejail` isn't available in the repositories. Will it be available in the future?
>>
>> `firejail` has a rather problematic design, so we dropped the package as we
>> were not confident in its dependability as a security tool.
>
> Would you be able to recommend some reading on the topic? Since I'm
> using it on my laptop I would like to know more.

The basic gist of it is that we weren't really thrilled about having a 
SUID program with several CVEs that describes itself as a security tool in 
the repo.

Although the CVEs have been mitigated, they were caused by lack of 
experience writing C code, which means there are likely many more CVEs in 
firejail just waiting to be discovered.  Given that it's SUID and has to 
be SUID in order to do its thing (due to the way it's implemented), I hope 
you can understand the skepticism.

Ariadne
Laurent Bercot <ska-devel@skarnet.org>
Details
Message ID
<emf058e1ad-462b-4ccc-bac1-f73609d93adc@elzian>
In-Reply-To
<baa6b11-72eb-e3d0-d732-dc04ff7ae2a@dereferenced.org> (view parent)
>The basic gist of it is that we weren't really thrilled about having a SUID program with several CVEs that describes itself as a security tool in the repo.
>
>Although the CVEs have been mitigated, they were caused by lack of experience writing C code, which means there are likely many more CVEs in firejail just waiting to be discovered.  Given that it's SUID and has to be SUID in order to do its thing (due to the way it's implemented), I hope you can understand the skepticism.

  Ariadne is diplomatically understating the severity of the situation.
Since I do not represent Alpine in any capacity, I do not have to take
the same precautions.

  The reality is that firejail is a catastrophe that has already happened
and is waiting to happen again. Its design and code are so terrible that
any semi-competent QA team would veto it on the first read; the fact that
it advertises itself as a "security tool" would be laughable if it weren't
so tragic for the users that have been scammed by it.

  The only reason why firejail has made it into distributions is that free
software painfully lacks manpower for peer review. This is not an
indictment of distribution maintainers, who are underpaid and overworked
(and code review, as far as maintainer tasks go, is one of the most
thankless ones). This is the unfortunate reality - there is basically no
quality assurance for random free software, so FOSS is like a box of
chocolates: you never know what you're going to get. Most of the time,
people who invest energy into coding FOSS are good at it, so the software
is at least passable even with paltry best-effort QA; unfortunately,
firejail falls into the other category.

  If users like firejail for its simple frontend, it means that there's
a need for a similar tool with a similar frontend but better
implementation. If it doesn't exist yet, add it to the already huge
list of "software that needs to be written".

--
  Laurent
Details
Message ID
<Mezfm_C--3-2@keemail.me>
In-Reply-To
<5eec4fc-291d-1aae-dac-4776cba0945b@dereferenced.org> (view parent)
Do you know how to write Firejail's `firejail --private executable` equivalent for Bubblewrap? I never use my browser to access/upload files from my local filesystem, so I don't see why it should have access to them.

I tried looking it up, but `bubblewrap` seems much more complicated than Firejail. I haven't yet wrapped my head around it.
Details
Message ID
<CAPxz1+aZzUFWoQGJD9rajZXJTzik00YmJM8BmF6GWFT2ccB45Q@mail.gmail.com>
In-Reply-To
<MexPCzM--3-2@keemail.me> (view parent)
On Sun, Jul 18, 2021 at 11:20 PM <ml-devel@keemail.me> wrote:
> I've noticed that `firejail` isn't available in the repositories. Will it be available in the future?
>
> Also, the Tor browser doesn't work with `musl`. Is there a workaround?

If Arch Linux provides the Tor browser, you could try installing
Arch's version of the Tor browser inside an Lxroot.

Demo #3 at the below link shows how to install and run the Arch
version of the Chromium browser inside Lxroot.  I have not tried
installing the Tor browser inside Lxroot.

https://github.com/parke/lxroot

Also, depending on your requirements, Lxroot might be an alternative
to other uses of Firejail.
Details
Message ID
<167feb7b-99e3-099c-90fb-d21292afaae0@riseup.net>
In-Reply-To
<87c4c1c0-f20-3f9-2a6-a85c9a4b2133@dereferenced.org> (view parent)
On 19/7/21 at 7:26, Ariadne Conill wrote:
>> Also, the Tor browser doesn't work with `musl`. Is there a workaround?
>
> I'm not familiar with the modifications made to Firefox with 
> tor-browser, but you should be able to just use Firefox with Tor 
> directly, I think.

Another problem using upstream firefox with tor connection is that you 
will get more captchas than using tor-browser, also I think that you 
can't reach .onion addresses.

A possible "solution" (if you are ok running flatpak) is using Micah Lee's 
launcher https://github.com/micahflee/torbrowser-launcher.


Donoban
Details
Message ID
<015b2e3a-7258-9b2c-cf8e-efdb728ab64f@riseup.net>
In-Reply-To
<Mezfm_C--3-2@keemail.me> (view parent)
On 19/7/21 16:52, ml-devel@keemail.me wrote:
> Do you know how to write Firejail's `firejail --private executable` 
> equivalent for Bubblewrap? I never use my browser to access/upload 
> files from my local filesystem, so I don't see why it should have 
> access to them.
>
> I tried looking it up, but `bubblewrap` seems much more complicated 
> than Firejail. I haven't yet wrapped my head around it.

Take a look at bubblejail, which is a simpler wrapper for bubblewrap and 
also has a basic GUI, bubblejail-config.

On bubblejail all Instances have their private home (stored in 
~/.local/share/bubblejail/instances/) and then you can mount other 
folders from your real home if needed.


Donoban
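
For the `firejail --private` question earlier in the thread, an added example (not written by any participant, and not bubblejail's code): a small wrapper over bubblewrap's real options that hides the home directory and can drop the network. `private_run` and the `PRIVATE_NO_NET`, `PRIVATE_HOME` and `DRY_RUN` variables are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. private_run, PRIVATE_NO_NET,
# PRIVATE_HOME and DRY_RUN are hypothetical names; the bwrap options
# themselves are real.

# private_run PROGRAM [ARGS...]
#   Runs PROGRAM with the whole filesystem read-only and the real home
#   directory hidden, roughly what `firejail --private` gives.
#   PRIVATE_NO_NET=1   no network at all (compare `firejail --net=none`)
#   PRIVATE_HOME=DIR   use DIR as a persistent sandbox home instead of a
#                      throwaway tmpfs (compare bubblejail's instance homes)
#   DRY_RUN=1          print the command, one argument per line, and stop
private_run() {
    [ "$#" -ge 1 ] || { echo "usage: private_run PROGRAM [ARGS...]" >&2; return 2; }
    home=${HOME:?HOME must be set}

    # --unshare-all puts the program in new namespaces, network included;
    # --share-net hands the host network back unless it was refused.
    [ "${PRIVATE_NO_NET:-0}" = 1 ] || set -- --share-net "$@"

    # Later mounts cover earlier ones, so the home mount goes after the
    # read-only bind of / and replaces what the program sees at $HOME.
    if [ -n "${PRIVATE_HOME:-}" ]; then
        set -- --bind "$PRIVATE_HOME" "$home" "$@"
    else
        set -- --tmpfs "$home" "$@"
    fi

    set -- bwrap --unshare-all --die-with-parent --new-session \
        --ro-bind / / --dev /dev --proc /proc --tmpfs /tmp \
        --chdir "$home" "$@"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        # Needs bwrap installed. A graphical program also needs its
        # display socket bound back in, which is left out here.
        "$@"
    fi
}
```

Try `DRY_RUN=1 private_run firefox` first to read the exact command before running anything inside the sandbox.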