
Install Firejail by default inside Whonix
Open, Normal, Public

Details

Impact
High

Event Timeline

TNTBOMBOM created this task. Oct 4 2018, 6:10 PM
TNTBOMBOM triaged this task as High priority.

It's on the roadmap but a little far off until ParrotOS changes can be combined with the upstream package. It will make maintenance and turning it on by default much easier.

HulaHoop closed this task as Resolved. Oct 12 2018, 12:21 AM
Patrick reopened this task as Open. Fri, Apr 12, 7:00 PM

T804 is actually not a duplicate of this. T804 seems like a lot to do, while this ticket is just something similar to:

sudo apt-get install firetools --no-install-recommends

(Adding to anon-meta-packages https://github.com/Whonix/anon-meta-packages/blob/master/debian/control.)

Not sure if/when T804 gets implemented but this ticket looks easier, perhaps possible in Whonix 15.

For required technical reasons, Whonix is always built as if using --no-install-recommends:
https://www.whonix.org/wiki/Whonix_Debian_Packages#Technical_Stuff

So firetools and by dependency firejail only?

sudo apt-get install firetools --no-install-recommends
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libevent-2.0-5
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  firejail
Recommended packages:
  firejail-profiles xpra | xserver-xephyr | xvfb
The following NEW packages will be installed:
  firejail firetools
0 upgraded, 2 newly installed, 0 to remove and 69 not upgraded.
Need to get 530 kB of archives.
After this operation, 1,727 kB of additional disk space will be used.
Do you want to continue? [Y/n]

Or should we also install firejail-profiles?

sudo apt-get install firetools firejail-profiles --no-install-recommends
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libevent-2.0-5
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  firejail
Recommended packages:
  xpra | xserver-xephyr | xvfb
The following NEW packages will be installed:
  firejail firejail-profiles firetools
0 upgraded, 3 newly installed, 0 to remove and 69 not upgraded.
Need to get 600 kB of archives.
After this operation, 2,495 kB of additional disk space will be used.
Do you want to continue? [Y/n]

But if we could drop --no-install-recommends (which we ought not to)...

sudo apt-get install firejail-profiles 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following package was automatically installed and is no longer required:
  libevent-2.0-5
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  firejail libgtkglext1 libpango1.0-0 libpangox-1.0-0 libturbojpeg0 python-bcrypt python-future python-gtkglext1 python-lz4 python-lzo python-nacl python-opengl
  python-paramiko python-pyasn1 python-rencode python-uritools ssh-askpass xpra xserver-xorg-input-void xserver-xorg-video-dummy
Suggested packages:
  python-future-doc python-nacl-doc libgle3 python-gssapi openssh-server python-pyopencl python-gst-1.0 python-avahi cups-pdf python-cups python-opencv v4l2loopback-dkms
  python-yaml python-uinput
The following NEW packages will be installed:
  firejail firejail-profiles libgtkglext1 libpango1.0-0 libpangox-1.0-0 libturbojpeg0 python-bcrypt python-future python-gtkglext1 python-lz4 python-lzo python-nacl
  python-opengl python-paramiko python-pyasn1 python-rencode python-uritools ssh-askpass xpra xserver-xorg-input-void xserver-xorg-video-dummy
0 upgraded, 21 newly installed, 0 to remove and 69 not upgraded.
Need to get 4,204 kB/4,341 kB of archives.
After this operation, 22.8 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Then I am wondering if we ought to install any of the following recommended packages too?

  • ssh-askpass
  • xpra
  • xserver-xorg-input-void
  • xserver-xorg-video-dummy

Perhaps these are required to make some of the firejail-profiles work?

TNTBOMBOM added a comment. Edited Fri, Apr 12, 8:14 PM

Yes this command will do the job:

sudo apt install --no-install-recommends firetools firejail-profiles

I never used or installed xpra, ssh-askpass, xserver-xorg-input-void, or xserver-xorg-video-dummy,

so I don't know why they are there, but surely they are not needed for firejail-profiles to perform.

Then I am wondering if we ought to install any of the following recommended packages too?

The xserver/xpra stuff is necessary if you want to properly isolate GUI apps which I think is a major use case.

Patrick lowered the priority of this task from High to Normal. Sun, Apr 14, 3:36 PM

There is one issue with installing xpra:

  • it will install xpra browser (unwanted in Whonix)
  • also it has the ability to connect to outside xpra servers (unwanted in Whonix)

Launch the xpra GUI or run it from the terminal and you will find all this stuff.

Patrick changed the task status from testing-in-next-build-required to Open. Fri, Apr 19, 12:31 PM

There is one issue with installing xpra:

  • it will install xpra browser (unwanted in Whonix)
  • also it has the ability to connect to outside xpra servers (unwanted in Whonix)

  Launch the xpra GUI or run it from the terminal and you will find all this stuff.
In T869#18236, @Patrick wrote:

The xpra package could be a problem.

apt-file list xpra | grep browser

xpra: /usr/bin/xpra_browser
xpra: /usr/share/applications/xpra-browser.desktop

https://manpages.debian.org/testing/xpra/xpra_browser.1.en.html

But browser here may not mean Internet Browser so it may not be an issue?

apt-file list xpra | grep desktop
xpra: /usr/share/applications/xpra-browser.desktop
xpra: /usr/share/applications/xpra-launcher.desktop
xpra: /usr/share/applications/xpra-shadow.desktop
xpra: /usr/share/applications/xpra.desktop

/usr/share/applications/xpra-launcher.desktop for example is an issue.

Screenshot:
https://www.xpra.org/trac/raw-attachment/ticket/1281/Screen%20Shot%202016-08-10%20at%2011.02.16.png

We could easily hide all of these start menu entries. Would that be a good solution?
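One way to do the hiding proposed above, as an added example that is neither the ticket's nor the Whonix or xpra projects' own code: it assumes the default XDG_DATA_DIRS ordering (/usr/local/share before /usr/share) and uses /usr/local/share/applications as the override directory, so the xpra package itself is left untouched and the /usr/bin/xpra binary that firejail needs stays available.

```shell
#!/bin/sh
# Added example, not from the ticket or from Whonix/xpra. Desktop menus
# look up .desktop files along XDG_DATA_DIRS, and /usr/local/share is
# searched before /usr/share by default, so an override file with the
# same basename in /usr/local/share/applications (assumed override dir)
# shadows the packaged one. Hidden=true tells the menu to treat the
# entry as deleted; NoDisplay=true is added for menus that only honor that.

# The four entries from the `apt-file list xpra | grep desktop` output above.
XPRA_DESKTOP_ENTRIES="xpra-browser.desktop xpra-launcher.desktop xpra-shadow.desktop xpra.desktop"

# hide_desktop_entries DIR NAME...: write one override file per NAME into DIR.
hide_desktop_entries() {
    dir="$1"
    shift
    mkdir -p "$dir" || return 1
    for name in "$@"; do
        case "$name" in
            *.desktop) ;;
            *) echo "skipping $name: not a .desktop basename" >&2; continue ;;
        esac
        cat > "$dir/$name" <<EOF
[Desktop Entry]
Type=Application
Name=${name%.desktop}
NoDisplay=true
Hidden=true
EOF
    done
}

# hidden_entry_count DIR: how many override files in DIR carry Hidden=true.
hidden_entry_count() {
    n=0
    for f in "$1"/*.desktop; do
        [ -f "$f" ] || continue
        grep -qx 'Hidden=true' "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Real use (needs root):
# hide_desktop_entries /usr/local/share/applications $XPRA_DESKTOP_ENTRIES
```

To verify on a live system, `ls /usr/local/share/applications/xpra*.desktop` should list the four overrides and the menu should no longer show them after the desktop database refreshes.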

I would say purge xpra; if someone wants xpra he can install it easily.