Running Wireshark in a jail/sandbox

Andrea Dainese
December 01, 2016

Firejail is a powerful tool for sandboxing many applications. It ships with profiles for Chrome, Firefox, Telegram and other popular applications, but not yet for Wireshark.

Our goal is to limit the interfaces a user can sniff; specifically, users should be able to capture from bridge interfaces only.

Installing Firejail

On Ubuntu 16.04 Firejail is available in the universe repository:

sudo apt-get -y install firejail

All profiles are stored under /etc/firejail/*.profile. We can start a shell inside a sandbox built from the generic profile:

firejail --profile=/etc/firejail/generic.profile bash

Wireshark under Firejail

Wireshark is a little bit more complicated:

  • Wireshark does not capture packets itself: it runs dumpcap, which does the privileged work, so Wireshark can run without root privileges;
  • dumpcap carries file capabilities and is executable by the wireshark group, so every member of that group can capture on any interface:
# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip

Let’s add a new profile:

# cat /etc/firejail/wireshark-gtk.profile
# Wireshark profile

private-bin bash,ls,wireshark-gtk,reordercap,dumpcap,editcap,rawshark,mergecap,text2pcap,capinfos
private-dev
private-etc fonts,group,gtk-3.0,hosts,machine-id,wireshark
private-tmp

noblacklist /bin
noblacklist /dev
noblacklist /etc
noblacklist /home
noblacklist /lib
noblacklist /lib64
noblacklist /sys
noblacklist /tmp
noblacklist /usr
blacklist /*

caps.drop all
netfilter
noroot
seccomp
shell none

The above profile:

  • mounts private /bin, /sbin, /usr/bin and /usr/sbin directories that contain only the listed binaries (private-bin);
  • mounts an almost empty /dev (private-dev) and a /etc that holds only the listed files (private-etc);
  • mounts an empty, private /tmp (private-tmp);
  • blacklists (hides) every top-level directory except the ones Wireshark needs;
  • hardens the jail further: caps.drop all empties the capability bounding set, so the file capabilities on dumpcap have no effect inside the sandbox; netfilter enables Firejail's default client network filter; noroot runs the process in a user namespace without a root user; seccomp filters dangerous syscalls; shell none starts the program directly, without a shell.

Users must not be members of the wireshark group, otherwise they can run dumpcap directly, with its file capabilities, and capture on any interface. Instead, grant them one exact command line through sudo (note that the group specifier in sudoers is %group):

%brcapture ALL=(root) NOPASSWD: /usr/bin/dumpcap -s0 -i br0 -P -w -

Mind that dumpcap accepts several -i options and captures on all of them at once, so never end the command with a wildcard: a rule ending in * would let the user append -i eth0. Pin the full argument list, and keep the output on stdout (-w -) so that root never writes a file whose name the user chooses.

Any user in the brcapture group can now capture on br0, and only on br0, and feed the stream into a jailed Wireshark:

sudo /usr/bin/dumpcap -s0 -i br0 -P -w - | firejail wireshark-gtk -n -k -i -

Wireshark inside a jail

If the user stops the capture from the Wireshark UI and tries to start one on a different interface, Wireshark reports "You don't have permission to capture on that device": inside the jail dumpcap runs with an empty capability bounding set, so its file capabilities are never granted. Likewise, browsing the filesystem from the file dialog yields "Could not read the content" for most directories.
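The three things this setup depends on are easy to get wrong silently: dumpcap losing its file capabilities after an upgrade, the capturing user ending up in the wireshark group, and a sudoers rule that is looser than it looks. The script below is an added example, not part of the original post, that audits all three. Each check is a pure function over text, so it runs offline on the constructed sample strings at the bottom; swap those for the real output of the commands named in the comments to audit a live host. The path /usr/bin/dumpcap and the group names wireshark and brcapture are the ones used above; adjust them for your system.

```shell
#!/bin/sh
# Pre-flight audit for the "capture on br0 only" setup (added example, not from
# the original post). All checks work on strings so they can be run offline.

DUMPCAP=/usr/bin/dumpcap

# Check 1: dumpcap still carries file capabilities.
# Input: the line printed by `getcap /usr/bin/dumpcap`.
dumpcap_has_caps() {
    case "$1" in
        *cap_net_raw*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Check 2: the capturing user is NOT in the given group. Membership of the
# wireshark group would let them run dumpcap directly (no sudo, any interface).
# Inputs: output of `id -Gn <user>` and the group name to look for.
user_not_in_group() {
    for g in $1; do
        if [ "$g" = "$2" ]; then return 1; fi
    done
    return 0
}

# Check 3: the sudoers rule pins one exact dumpcap command line:
#   - the group spec starts with % (sudoers syntax; "@group" is not a group);
#   - the command contains no wildcard or ALL, since "dumpcap ... *" would
#     accept an appended "-i eth0" (dumpcap captures on several -i at once);
#   - exactly one -i option, naming a bridge interface (br*);
#   - output goes to stdout (-w -), so root never writes a file on disk.
# Input: one line of /etc/sudoers or a sudoers.d file. Formats the parser does
# not understand fail closed.
sudoers_rule_ok() {
    rule=$1
    case "$rule" in
        %*) ;;
        *)  return 1 ;;
    esac
    cmd=${rule#*NOPASSWD:}                      # strip "%group ALL=(root) NOPASSWD:"
    if [ "$cmd" = "$rule" ]; then cmd=${rule#*)}; fi   # no NOPASSWD: strip up to ")"
    case "$cmd" in
        *'*'*|*'?'*|*ALL*) return 1 ;;          # any wildcard in the command part
    esac
    # shellcheck disable=SC2086  # word splitting into arguments is intended
    set -- $cmd
    [ "$1" = "$DUMPCAP" ] || return 1
    ifaces=0; iface=""; stdout=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -i) ifaces=$((ifaces + 1)); iface=${2:-}; shift ;;
            -w) [ "${2:-}" = "-" ] && stdout=1; shift ;;
        esac
        [ $# -gt 0 ] && shift
    done
    [ "$ifaces" -eq 1 ] || return 1
    case "$iface" in br*) ;; *) return 1 ;; esac
    [ "$stdout" -eq 1 ] || return 1
    return 0
}

# Runs all three checks; the return value is the number of failed checks.
audit() {
    failures=0
    dumpcap_has_caps "$1"            || { echo "FAIL: dumpcap has no file capabilities";          failures=$((failures + 1)); }
    user_not_in_group "$2" wireshark || { echo "FAIL: user is a member of the wireshark group";   failures=$((failures + 1)); }
    sudoers_rule_ok "$3"             || { echo "FAIL: sudoers rule is not one pinned bridge capture"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed sample inputs; replace with the real output of the named commands.
GETCAP_LINE='/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip'   # getcap /usr/bin/dumpcap
USER_GROUPS='alice brcapture'                                    # id -Gn alice
SUDO_RULE='%brcapture ALL=(root) NOPASSWD: /usr/bin/dumpcap -s0 -i br0 -P -w -'

if audit "$GETCAP_LINE" "$USER_GROUPS" "$SUDO_RULE"; then
    echo "OK: bridge-only capture via sudo + firejail is correctly set up"
fi
```

The sudoers check deliberately rejects more than it has to (an unparsed rule format, a second -i, a file path after -w) because the only safe rule here is the one exact command line; anything the parser cannot prove equivalent is reported as a failure rather than waved through.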

To check what is inside the Wireshark jail, just try to start a bash using that profile:

firejail --profile=/etc/firejail/wireshark-gtk.profile bash

For example you will see an almost empty /etc:

$ ls /etc/
fonts  group  gtk-3.0  hosts  machine-id
