app4soft

More sandboxing![0]

  $ firejail --appimage Firefox-*.AppImage
For details read Firejail's docs.[1, 2]

[0] https://twitter.com/app4soft/status/994938745072832512

[1] https://firejail.wordpress.com/documentation-2/appimage-supp...

[2] https://firejail.wordpress.com/documentation-2/firefox-guide...

miduil

Last year, afer a firejail local root exploit got released [0], I've completely quit following their project.

I don't want to discomfort the developers and I think it's stunning what they are creating...

But under the aspect that they are working on a security product, I'm concerned by their overall code quality and testing strategy.

They might want to consider taking a step back and reevaluating how they are going to direct their development in terms of secure (c-)coding practices.

*Disclaimer: Not a developer, just a sysadmin, but reviewing some of their code/profiles/CI-jobs in their git repo [1] leaves a bad feeling.

[0]: https://www.exploit-db.com/exploits/43359/ [1]: https://github.com/netblue30/firejail/tree/6830065197cc57489...

megous

I didn't like the code either. I remember seeing that they were changing euid betwen root and something else all over the place, for seemingly little benfit, because exploit code could simply change it back to root too. It seemed a bit confused.

Though there's nsjail if you want something better written/cleaner.

miduil
Good to read about that you're feeling similar and thank you for the pointer, going to check it out.

Sadly this thread never gained traction, but I'd love to read more discussion about this: https://news.ycombinator.com/item?id=13838596

(Link for convenience for others) https://github.com/google/nsjail