May 05, 2024
Running Wireshark in a jail/sandbox
Firejail is a powerful tool that can be used to sandbox many applications. By default, Firejail ships profiles for Chrome, Firefox, Telegram, and other popular applications, but Wireshark is still missing.
We want to limit the interfaces a user can sniff. More specifically, we want users to be able to capture from bridge interfaces only.
Installing Firejail
On Ubuntu 16.04 Firejail is available in the universe repository:
```sh
sudo apt-get -y install firejail
```
All profiles are stored under `/etc/firejail/*.profile`. We can run a bash using a generic profile:
```sh
firejail --profile=/etc/firejail/generic.profile bash
```
Wireshark under Firejail
Wireshark is a little bit more complicated:
- Wireshark calls dumpcap to capture packets without root privileges;
- dumpcap carries a few file capabilities, so every user in the `wireshark` group gets some advanced privileges:
```sh
# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
```
Let's add a new profile:
```sh
# cat /etc/firejail/wireshark-gtk.profile
# Wireshark profile
private-bin bash,ls,wireshark-gtk,reordercap,dumpcap,editcap,rawshark,mergecap,text2pcap,capinfos
private-dev
private-etc fonts,group,gtk-3.0,hosts,machine-id,wireshark
private-tmp
noblacklist /bin
noblacklist /dev
noblacklist /etc
noblacklist /home
noblacklist /lib
noblacklist /lib64
noblacklist /sys
noblacklist /tmp
noblacklist /usr
blacklist /*
caps.drop all
netfilter
noroot
seccomp
shell none
```
The above profile:
- maps all `bin` and `sbin` directories, importing only a few binaries;
- maps an almost empty `/dev` directory;
- maps an almost empty `/etc` directory;
- maps an empty `/tmp` directory;
- blacklists (disables) all directories except the ones required by Wireshark;
- tightens the jail further (`caps.drop all`, `netfilter`, `noroot`, `seccomp`, `shell none`).
Users must not be part of the `wireshark` group, or they'll get the privileges to capture from any interface.
Now add at least one rule for `sudo` (groups are prefixed with `%` in sudoers):
```sh
%brcapture ALL=(root) NOPASSWD: /usr/bin/dumpcap -s0 -i br0 -P -w -
```
Mind that `dumpcap` can capture from multiple interfaces at the same time (one `-i` per interface), so you should not use the `*` wildcard in the rule: it would let the user append further arguments, including extra interfaces.
Any user in the `brcapture` group can now capture packets without any risk:
```sh
sudo /usr/bin/dumpcap -s0 -i br0 -P -w - | firejail wireshark-gtk -n -k -i -
```
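As an added example (not from the original post), here is a small POSIX sh check for such a sudoers rule: it rejects glob wildcards and requires exactly one `-i` pointing at the intended bridge. The rule strings and the function name `check_capture_rule` are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post: validate that a sudoers rule
# only lets dumpcap capture from one named bridge interface.
# check_capture_rule RULE IFACE -> returns 0 if the rule is limited to IFACE.
check_capture_rule() {
    rule=$1
    iface=$2
    # Keep only the command specification after the user/host/runas part.
    case $rule in
        *NOPASSWD:*) cmd=${rule#*NOPASSWD:} ;;
        *\)*)        cmd=${rule#*\)} ;;
        *)           return 1 ;;
    esac
    # sudoers treats *, ? and [...] as glob patterns: "dumpcap *" would let the
    # user add any argument, including extra -i options for other interfaces.
    case $cmd in
        *\**|*\?*|*\[*) return 1 ;;
    esac
    # Word-split the command specification into positional parameters.
    set -- $cmd
    [ "$1" = /usr/bin/dumpcap ] || return 1
    shift
    ifcount=0
    while [ $# -gt 0 ]; do
        case $1 in
            -i)   val=$2; shift ;;   # "-i br0" form
            -i?*) val=${1#-i} ;;      # "-ibr0" form
            *)    shift; continue ;;
        esac
        [ "$val" = "$iface" ] || return 1
        ifcount=$((ifcount + 1))
        shift
    done
    # dumpcap accepts several -i options, so exactly one must be present.
    [ "$ifcount" -eq 1 ]
}

# Constructed sample rules: only the first one should pass.
for r in \
    '%brcapture ALL=(root) NOPASSWD: /usr/bin/dumpcap -s0 -i br0 -P -w -' \
    '%brcapture ALL=(root) NOPASSWD: /usr/bin/dumpcap *' \
    '%brcapture ALL=(root) NOPASSWD: /usr/bin/dumpcap -i br0 -i eth0 -w -'
do
    if check_capture_rule "$r" br0; then echo "OK   $r"; else echo "FAIL $r"; fi
done
```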
If the user stops the capture from the Wireshark UI and tries to start a capture on a different interface, he will get a "You don't have permission to capture on that device" error.
Moreover, if the user tries to browse the filesystem, he will get a "Could not read the content" error on most of the directories.
To check what is inside the Wireshark jail, just start a bash using that profile:
```sh
firejail --profile=/etc/firejail/wireshark-gtk.profile bash
```
For example, you will see an almost empty `/etc`:
```sh
$ ls /etc/
fonts group gtk-3.0 hosts machine-id
```