What stops a user from simply running the binary (ex: /bin/firefox) to go around the sandboxed application?

[allisonok331]

What stops a user from simply running the binary (ex: /bin/firefox) to go around the sandboxed application? Is there a way to ensure that the user cannot run the binary file and can only run the sandboxed version of the applicaiton? What is the point of sandboxing the application with firejail if the user can just find where the binary lives and run that. Please let me know if there is a way to avoid this or a known method to overcome this issue.

[rusty-snake]

What stops a user from simply running the binary (ex: /bin/firefox) to go around the sandboxed application?

By default, nothing.

Is there a way to ensure that the user cannot run the binary file and can only run the sandboxed version of the applicaiton?

SELinux, ...

What is the point of sandboxing the application with firejail if the user can just find where the binary lives and run that.

The user is trusted! If you do not trust the user, you need to sandbox the session.

Outline your thread model, then I can answer in more detail.

[allisonok331]

SELinux is set to permissive - I am not able to put it in enforcing. What is another way to resolve this issue if I can't use SELinux to block the use of the binary file but still sbx the app

[rusty-snake]

• Outline your thread model

• To run firefox sandboxed with firejail: firejail /usr/bin/firefox
• To start firefox (and the others) by default in firejail: sudo firecfg

SELinux is set to permissive

Don't. Set the problematic types to permissive e.g. sudo semanage permissive -a pasta_t.

[allisonok331]

I can not have SELinux in enforcing. MY workaround thought is to restrict firefox to 700 permissions and then create a sudo rule for the user to run the firejail firefox. However, when I run sudo /usr/bin/firejail /bin/firefox:11, it says "No server installed". Root is able to run firefox fine with these tightened permissions and if I change the firefox permissions back to 755 and run /usr/bin/firejail /bin/firefox:11, it pulls up the sbx environment fine. It seems to not like sudo in conjunction with running firejail firefox.

Am I doing something wrong here or can the user not run sudo firejail /bin/firefox? Is this something that needs to be configured in the profile? Please let me know

[rusty-snake]

Basic debugging information is missing. (firejail version, "sudo rule", ...)

can the user not run sudo firejail /bin/firefox?

How is firejail supposed to associate user session runtime files like sockets if you start it as root.

---

Third and last time: outline your thread model.
A thread model in which running a browser as root is favoured over "user can bypass firejail" is no common thread model that can be just assumed.