Run Cloud.Mail.Ru agent inside firejail

It’s usually not a good idea to run proprietary code on your machine. But if you really want to do so, it’s recommended to run it inside of sandbox to at least minimize the risks. There are a lot of different approaches for that: VMs, LXC, Docker, Firejail … .

Cloud.Mail.Ru is Russian mail provider, that gave in January 2014 1Tb of storage for free for new accounts. I’m running agent only when it’s needed inside of Firejail Security Sandbox.

Below is my profile used for native GNU/Linux cloud agent. Options that may require some changes according to particular user configuration are set to bold. The profile should be saved in ~/.config/firejail/cloud.profile.

############################################
# ./cloud (agent for Cloud.Mail.Ru) profile
############################################
# Persistent global definitions
include /etc/firejail/globals.local

### basic blacklisting
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

# path to executable
# no deb/rpm was installed to avoid running
# unknown install scripts as root on my system
noblacklist ${HOME}/bin/usr/Cloud.Mail.Ru
whitelist ${HOME}/bin/usr/Cloud.Mail.Ru

### home directory whitelisting
whitelist ${HOME}/.config/Mail.Ru
whitelist ${HOME}/.Mail.Ru_Cloud
whitelist ${HOME}/.local/share/Mail.Ru
whitelist ${HOME}/.config/Mail.Ru

# path to data folder
whitelist /media/system/data/user/data/cloud-mail.ru

include /etc/firejail/whitelist-common.inc

### filesystem
private-tmp
private-dev
private-bin bash,ls
private-etc fonts,passwd,ssl,hosts,drirc,xdg,gtk-3.0,selinux,resolv.conf
blacklist /var

### security filters
caps.drop all
nonewprivs
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
seccomp

### network
protocol unix,inet,inet6,
# net enp0s31f6
netfilter

### environment
shell none

memory-deny-write-execute
noexec ${HOME}
noexec /tmp

To run agent inside of sandbox use command ‘firejail cloud’. You may want to modify accordingly corresponding desktop file to use firejail as well.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s