[information] Scenario of an attack #1973
Comments
From what I understand when a profile uses AppArmor, Firejail will enable that early on during sandbox creation so AppArmor can protect the system if Firejail is compromised. A hypothetical attack could be as follows
I might be completely wrong, and someone else can probably explain it better. |
Thank you for this fast reply. If your answer is correct and I understand it correctly, there is no need to write a Firefox AppArmor profile in addition to the Firejail one. |
Firejail uses a generic AppArmor profile which can cover (depending on distro) some things like dbus, ptrace, non-standard network access, noexec /home, writing to /proc and /sys independently of Firejail's own sandbox. You can make your own specific Firefox AppArmor profile or use one you find on the web, but then it's better to use it alone without Firejail. |
This will never happen if:
A 0-day exploit is also not directly able to circumvent security features. You mostly need a very powerful exploit, or many of them in combination, to get successful access. And if an attacker gets direct access via a kernel exploit, there is no difference between Firejail and AppArmor. You lose. If there is no AppArmor profile in addition to Firejail, there exists no additional security layer if Firejail gets bypassed. And for any bypass of Seccomp/Namespaces you need a kernel exploit, which possibly can bypass AppArmor too. But don't worry, the Kernel Self Protection Project makes very good efforts. Also, additional LSM modules like the Linux Kernel Runtime Guard will be an interesting security layer in the future. So the best strategy is always prevention.
|
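To check which of the layers discussed in this thread the kernel actually reports for a running sandboxed process, here is an added example (not part of the thread and not Firejail's own code). It parses the AppArmor label in `/proc/<pid>/attr/current` and the `Seccomp` and `NoNewPrivs` fields of `/proc/<pid>/status`; the sample strings are constructed, `firejail-default` is the generic profile Firejail ships, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample contents of /proc/<pid>/attr/current and /proc/<pid>/status
SAMPLE_ATTR = "firejail-default (enforce)\n"
SAMPLE_STATUS = "Name:\tfirefox\nNoNewPrivs:\t1\nSeccomp:\t2\n"
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

def parse_apparmor_label(text):
    """Return (profile, mode); mode is None for an unconfined or unreadable label."""
    label = text.strip("\x00 \n")
    m = re.fullmatch(r"(.+) \((\w+)\)", label)
    if m:
        return m.group(1), m.group(2)
    return (label or "unknown"), None

def parse_status(text):
    """Pick the seccomp mode and no_new_privs flag out of /proc/<pid>/status."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    seccomp = SECCOMP_MODES.get(fields.get("Seccomp", "").strip(), "unknown")
    return seccomp, fields.get("NoNewPrivs", "").strip() == "1"

def sandbox_layers(attr_text, status_text):
    """Summarise which confinement layers the kernel reports for one process."""
    profile, mode = parse_apparmor_label(attr_text)
    seccomp, nnp = parse_status(status_text)
    return {
        "apparmor_profile": profile,
        "apparmor_enforcing": mode == "enforce",
        "seccomp": seccomp,
        "no_new_privs": nnp,
    }

def read_proc(pid, name):
    """Read a /proc/<pid> file; return '' if it is missing or unreadable."""
    try:
        with open(f"/proc/{pid}/{name}") as fh:
            return fh.read()
    except OSError:
        return ""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass the PID of the sandboxed process
        print(sandbox_layers(read_proc(sys.argv[1], "attr/current"),
                             read_proc(sys.argv[1], "status")))
    else:  # no PID given: run on the constructed sample
        print(sandbox_layers(SAMPLE_ATTR, SAMPLE_STATUS))
```

A process started without an AppArmor profile reports the label `unconfined`, which is the case where no additional layer remains if the sandbox itself is bypassed.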
Thanks for that information, I will start to write an AppArmor profile for Firefox and other apps and use it independently of Firejail. About LKRG, I made a post a few days ago (see https://forums.gentoo.org/viewtopic-p-8231330.html?sid=43c8a000e3a5b2b3e7dab91706b138c5#8231330); it doesn't seem to work yet on Gentoo, but it is definitely a security feature that I will use. KSPP is alright; I can only thank the free security work provided by the community. |
I think the question was answered. Nothing to do here. |
Hello,
I cannot figure out what would happen in the following scenario.
Configuration
Firefox runs inside a firejail sandbox which has the parameter --apparmor.
Firefox doesn't have an AppArmor profile, only firejail does.
Scenario
An attacker exploits a vulnerability inside Firefox to gain access to the system; the attacker knows a 0-day that allows him to escape the firejail sandbox.
What happens at this point?
Thanks