Description
Details
- Impact
- High
Related Objects
- Mentioned Here
- T804: ParrotOS's Firejail Code
Event Timeline
It's on the roadmap but a little far off until ParrotOS changes can be combined with the upstream package. It will make maintenance and turning it on by default much easier.
T804 is actually not a duplicate of this. T804 seems to involve a lot of work, while this ticket is just something similar to:
sudo apt-get install firetools --no-install-recommends
(Adding to anon-meta-packages https://github.com/Whonix/anon-meta-packages/blob/master/debian/control.)
Not sure if/when T804 gets implemented but this ticket looks easier, perhaps possible in Whonix 15.
For required technical reasons, Whonix is always built as if using --no-install-recommends:
https://www.whonix.org/wiki/Whonix_Debian_Packages#Technical_Stuff
So firetools and by dependency firejail only?
sudo apt-get install firetools --no-install-recommends
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libevent-2.0-5
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  firejail
Recommended packages:
  firejail-profiles xpra | xserver-xephyr | xvfb
The following NEW packages will be installed:
  firejail firetools
0 upgraded, 2 newly installed, 0 to remove and 69 not upgraded.
Need to get 530 kB of archives.
After this operation, 1,727 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Or should we also install firejail-profiles?
sudo apt-get install firetools firejail-profiles --no-install-recommends
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libevent-2.0-5
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  firejail
Recommended packages:
  xpra | xserver-xephyr | xvfb
The following NEW packages will be installed:
  firejail firejail-profiles firetools
0 upgraded, 3 newly installed, 0 to remove and 69 not upgraded.
Need to get 600 kB of archives.
After this operation, 2,495 kB of additional disk space will be used.
Do you want to continue? [Y/n]
But if we could drop --no-install-recommends (which we ought not to)...
sudo apt-get install firejail-profiles
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libevent-2.0-5
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
  firejail libgtkglext1 libpango1.0-0 libpangox-1.0-0 libturbojpeg0 python-bcrypt python-future python-gtkglext1 python-lz4 python-lzo python-nacl python-opengl python-paramiko python-pyasn1 python-rencode python-uritools ssh-askpass xpra xserver-xorg-input-void xserver-xorg-video-dummy
Suggested packages:
  python-future-doc python-nacl-doc libgle3 python-gssapi openssh-server python-pyopencl python-gst-1.0 python-avahi cups-pdf python-cups python-opencv v4l2loopback-dkms python-yaml python-uinput
The following NEW packages will be installed:
  firejail firejail-profiles libgtkglext1 libpango1.0-0 libpangox-1.0-0 libturbojpeg0 python-bcrypt python-future python-gtkglext1 python-lz4 python-lzo python-nacl python-opengl python-paramiko python-pyasn1 python-rencode python-uritools ssh-askpass xpra xserver-xorg-input-void xserver-xorg-video-dummy
0 upgraded, 21 newly installed, 0 to remove and 69 not upgraded.
Need to get 4,204 kB/4,341 kB of archives.
After this operation, 22.8 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Then I am wondering if we ought to install any of the following recommended packages too?
- ssh-askpass
- xpra
- xserver-xorg-input-void
- xserver-xorg-video-dummy
Perhaps these are required to make some of the firejail-profiles work?
Yes, this command will do the job:
sudo apt install --no-install-recommends firetools firejail-profiles
I never used or installed xpra, ssh-askpass, xserver-xorg-input-void or xserver-xorg-video-dummy,
so I don't know why they are there, but surely they are not needed for firejail-profiles to perform.
Then I am wondering if we ought to install any of the following recommended packages too?
The xserver/xpra stuff is necessary if you want to properly isolate GUI apps which I think is a major use case.
There is one issue with installing xpra:
- it will install the xpra browser (unwanted in Whonix)
- it also has the ability to connect to outside xpra servers (unwanted in Whonix)
Launch the xpra GUI, or run it from the terminal, and you will find all this stuff.
The xpra package could be a problem.
apt-file list xpra | grep browser
xpra: /usr/bin/xpra_browser
xpra: /usr/share/applications/xpra-browser.desktop
https://manpages.debian.org/testing/xpra/xpra_browser.1.en.html
But browser here may not mean Internet Browser so it may not be an issue?
apt-file list xpra | grep desktop
xpra: /usr/share/applications/xpra-browser.desktop
xpra: /usr/share/applications/xpra-launcher.desktop
xpra: /usr/share/applications/xpra-shadow.desktop
xpra: /usr/share/applications/xpra.desktop
/usr/share/applications/xpra-launcher.desktop for example is an issue.
Screenshot:
https://www.xpra.org/trac/raw-attachment/ticket/1281/Screen%20Shot%202016-08-10%20at%2011.02.16.png
We could easily hide all of these start menu entries. Would that be a good solution?
The problem is, xpra (actually xpra | xserver-xephyr | xvfb) isn't in the list of Recommends: of the firejail package by accident. We don't really know the rationale for that. It could be an optional dependency without which some things do not work, and someone who knows firejail and is happy to find it installed would wonder why it actually does not work.
The root cause of this ticket is "install firejail by default, even though we don't have a firejail maintainer, so perhaps we find one in future and easy experimenting with firejail". Looking back at the root cause it would be better to not install firejail by default at all than adding a perhaps incomplete implementation not well understood.
The problem is, xpra (actually xpra | xserver-xephyr | xvfb) isn't in the list of Recommends: of the firejail package by accident. We don't really know the rationale for that. It could be an optional dependency without which some things do not work, and someone who knows firejail and is happy to find it installed would wonder why it actually does not work.
Xpra is only used for GUI isolation.
https://firejail.wordpress.com/documentation-2/x11-guide/
There would be no other use for an external X server with firejail.
I've used firejail many times without xpra and it has worked fine.
GUI isolation is very important, no?
It is, but it isn't enabled by default in any profiles, so unless a user chooses to specifically enable it then nothing will break.
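A way to verify the claim that no shipped profile enables the X11 sandbox (and so none needs xpra or an extra X server) is to scan the profile directory for the `x11` directive. This is an added example, not code from the ticket or from the firejail project; it assumes the firejail profile syntax from the linked X11 guide (one directive per line, `#` comments, `x11 [none|xephyr|xorg|xpra|xvfb]`) and uses constructed sample profiles instead of a real /etc/firejail.

```shell
#!/bin/sh
# Added example: report firejail profiles that enable an X11 sandbox backend
# needing an external X server (bare "x11", "x11 xpra", "x11 xephyr", "x11 xvfb").
# "x11 none" (block X11 entirely) and "x11 xorg" (needs no xpra) are not counted.
# Assumption: one directive per line, '#' starts a comment; 'include' lines are
# not followed, so included .inc files are not scanned.

# print the names of profiles under $1 that enable an X11 sandbox
profiles_needing_x11() {
    dir="$1"
    for f in "$dir"/*.profile; do
        [ -f "$f" ] || continue
        # strip comments, then match an x11 directive at line start
        if sed 's/#.*//' "$f" | grep -Eq '^[[:space:]]*x11([[:space:]]+(xpra|xephyr|xvfb))?[[:space:]]*$'; then
            basename "$f" .profile
        fi
    done
}

# number of such profiles (0 means nothing would break without xpra)
count_profiles_needing_x11() {
    profiles_needing_x11 "$1" | wc -l | tr -d ' '
}

# constructed sample profiles so the script runs stand-alone (not real firejail files)
make_sample_profiles() {
    d=$(mktemp -d)
    printf 'noblacklist ${HOME}/.mozilla\ncaps.drop all\nnetfilter\n' > "$d/firefox.profile"
    printf 'caps.drop all\n# x11 xpra is deliberately commented out here\nseccomp\n' > "$d/vlc.profile"
    printf 'include disable-common.inc\nx11 xpra\nseccomp\n' > "$d/gimp.profile"
    printf 'x11 none\nnet none\n' > "$d/cli-tool.profile"
    echo "$d"
}

main() {
    d=$(make_sample_profiles)
    echo "profiles enabling an X11 sandbox under $d:"
    profiles_needing_x11 "$d"
    rm -rf "$d"
}

main "$@"
```

Point `profiles_needing_x11` at /etc/firejail on a real system to check what the installed firejail-profiles package actually enables.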