@rusty-snake
Last active September 8, 2021 11:49
Comparison of systemds hardening options with firejail and vice versa.
@topimiettinen
Nice work! Please put this to FAQ. Sorting the lines alphabetically would improve it as reference.

private-bin could be implemented with something like

TemporaryFileSystem=/usr/bin
BindReadOnlyPaths=/usr/bin/prog

IPAddressDeny= and IPAddressAllow= can be implemented with a custom file for --netfilter=.

hostname is not implemented for systemd. I suggested this in systemd PR 11682 but the accepted version is now ProtectHostname=.

Firejail uses PID namespaces. This was not accepted for systemd (PR 11670), but ProtectProc= and ProcSubset= are now in.

I implemented ExecPaths= and NoExecPaths= in systemd PR 18273, but this has not been released yet.

notv blocks /dev/dvb, so this could be implemented with InaccessiblePaths=/dev/dvb.

Equivalent of include for systemd would be drop-ins. For example,

$ cat /etc/systemd/system/auditd.service.d/ipaddressdeny-any.conf
[Service]
IPAddressDeny=any

@rusty-snake

rusty-snake commented Mar 13, 2021

Sorting the lines alphabetically would improve it as reference.

The question would be whether to sort by systemd or by firejail. In addition I will add categories like

| systemd | firejail |
| --- | --- |
| filesystem | |
| PrivateTmp=yes | private-tmp |
| InaccessiblePaths=/boot | blacklist /boot |
| network | |
| PrivateNetwork=yes | net none |
| RestrictAddressFamilies=AF_UNIX | protocol unix |

private-bin could be implemented with something like

TemporaryFileSystem=/usr/bin
BindReadOnlyPaths=/usr/bin/prog

Yes, but there are also /bin, /sbin and /usr/sbin. With a unified filesystem hierarchy (/bin and /sbin are symlinks to their /usr counterparts) this is just an additional TemporaryFileSystem=/usr/sbin, but without?

hostname is not implemented for systemd. I suggested this in systemd PR 11682 but the accepted version is now ProtectHostname=.

IPAddressDeny= and IPAddressAllow= can be implemented with a custom file for --netfilter=.

I implemented ExecPaths= and NoExecPaths= in systemd PR 18273, but this has not been released yet.

notv blocks /dev/dvb, so this could be implemented with InaccessiblePaths=/dev/dvb.

done
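As an added worked example (not part of the gist or of the comments above), the mappings proposed in this thread collected into a single systemd drop-in, with the firejail profile line each directive stands in for given as a comment. It assumes a hypothetical unit `prog.service` whose only binary is `/usr/bin/prog`; both names are placeholders. Where the thread says a mapping is only approximate (hostname, PID namespaces, umask), the comment says so rather than claiming equivalence.

```ini
# /etc/systemd/system/prog.service.d/sandbox.conf  (hypothetical drop-in;
# "prog.service" and /usr/bin/prog are placeholders, not from the gist).
# Drop-ins are the systemd counterpart of firejail's "include": this file
# is merged into prog.service and the list-type settings below are appended.
[Service]

# firejail: private-bin prog
# Empty tmpfs over the binary directories, then bind only the needed program
# back in read-only. Anything else the unit executes (ExecStartPre=, shell
# helpers) must be bound in the same way or it will not be found.
TemporaryFileSystem=/usr/bin
# Assumes /usr/sbin is a real directory (merged-/usr systems still have it);
# with /bin and /sbin as symlinks into /usr this covers them too.
TemporaryFileSystem=/usr/sbin
BindReadOnlyPaths=/usr/bin/prog

# firejail: private-tmp
PrivateTmp=yes

# firejail: blacklist /boot
InaccessiblePaths=/boot

# firejail: notv  (only /dev/dvb is blocked, as noted in the thread)
InaccessiblePaths=/dev/dvb

# firejail: noexec /tmp  (needs a systemd release that has NoExecPaths=;
# per the thread, the feature from PR 18273)
NoExecPaths=/tmp

# firejail: protocol unix,inet,inet6
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# firejail: a custom --netfilter= ruleset (iptables syntax); systemd uses BPF.
# Deny all IP traffic except loopback. A "net none" profile would instead be
# PrivateNetwork=yes, which makes these two lines irrelevant.
IPAddressDeny=any
IPAddressAllow=localhost

# firejail: hostname <name>  -- no true equivalent; ProtectHostname= only
# prevents the service from changing the hostname, it does not set one.
ProtectHostname=yes

# firejail: PID namespace -- not available in systemd (PR 11670 was not
# accepted); the closest approximation hides other processes in /proc.
ProtectProc=invisible
ProcSubset=pid

# firejail: not implemented. Note this only sets the default mode for files
# the service creates; it is not a read-only or noexec mount.
UMask=0077
```

The tmpfs-plus-bind pattern is the part most likely to break a unit in practice: after `systemctl daemon-reload` and a restart, check `journalctl -u prog.service` for "No such file or directory" failures from helpers that were executed from the now-empty `/usr/bin`, and bind each one in with a further `BindReadOnlyPaths=` line.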

@rusty-snake

Ready to add this to the wiki. Any comments before doing this?
@SkewedZeppelin @topimiettinen @glitsj16 @curiosityseeker @kmk3 @reinerh @Fred-Barclay

@curiosityseeker

Absolutely excellent - please add it to the wiki! Although I cannot judge every single detail as effectively correct (unfortunately).

I found one typo in https://gist.github.com/rusty-snake/c6d773fc27ddde9071461e0fe4010610#seccomp-mdwe-capabilities-and-nnp : in the line mentioning #3106 the systemd command should read: SystemCallFilter=@system-service

@reinerh

reinerh commented Aug 10, 2021

Looks good to me, except a few minor typos ("systemd's", "These tables", "rather than", "its focus", "their behavior", "firejail's")

@kmk3

kmk3 commented Aug 10, 2021

Note: I'm not very familiar with using systemd, so I don't have much to add.

@rusty-snake commented 7 hours ago:

Ready to add this to the wiki. Any comments before doing this?

I think the side-by-side equivalents are very nice to have. It's good to know
if we are missing useful functionality compared to other projects and
vice-versa. Also, I had no idea that there were so many similarities.

Resource Limits

[...]

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't read-only +
noexec equivalent?

User/Group

[...]

| Not Implemented | RemoveIPC=yes |

I was going to comment about ipc-namespace, but now I see that it is
mentioned later with relation to PrivateIPC=yes. At first glance, it looks
like having such an option could be complementary to dbus-user none +
dbus-system none.

Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any warranty.

Nice; I think using the GNU APL makes a lot of sense for gists.


(Offtopic)

This is kind of a PR for the wiki, so I'll just leave this linked here:

netblue30/firejail#4441

@topimiettinen

For net eth0 there's no equivalent in systemd directives.

For netfilter /etc/firejail/myfilter.net, similar features are IPIngressFilterPath=/IPEgressFilterPath= and more general BPFProgram=. They use BPF rather than iptables/nftables.

Yes, but there are also /bin, /sbin and /usr/sbin. With a unified filesystem hierarchy (/bin and /sbin are symlinks to their /usr counterparts) this is just an additional TemporaryFileSystem=/usr/sbin, but without?

Yes. I think there could be also further unification where also /usr/sbin is just a symlink to /usr/bin.

I implemented ExecPaths= and NoExecPaths= in systemd PR 18273, but this has not been released yet.

This is now merged and released.

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't read-only +
noexec equivalent?

Not really. umask is applied when creating new files, but read-only or noexec remount a directory tree with flags that deny writing or executing. A new umask can also be installed easily (unless prevented with seccomp), but changing mount flags would need superuser capabilities.

@kmk3

kmk3 commented Aug 11, 2021

@topimiettinen commented on Aug 11:

I implemented ExecPaths= and NoExecPaths= in systemd PR 18273, but this has not been released yet.

This is now merged and released.

Nice.

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't
read-only + noexec equivalent?

Not really. umask is applied when creating new files, but read-only or noexec remount a directory tree with flags that deny writing or executing. A new umask can also be installed easily (unless prevented with seccomp), but changing mount flags would need superuser capabilities.

I see; thanks for the explanation. For some reason I thought that the option
was actually about enforcing the permissions rather than just changing the
umask.
