netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

[Information] Firejail + Tor #1160

Closed chiraag-nataraj closed 7 years ago

chiraag-nataraj commented 7 years ago

I thought I'd leave a little note here about an easy way to make jailed applications work with Tor when they don't have proxy options and don't respect HTTP_PROXY and its variants. You will need a program called proxychains (it should be in your repo).

Now trying something like proxychains firejail <program> or firejail --profile=<path to profile> proxychains <program> will not work since proxychains (and other programs like it) refuse to work on SUID binaries.

The key is to use --env. Use firejail --env="LD_PRELOAD=libproxychains.so.3" <program>. If you're using private-etc, make sure you whitelist proxychains.conf. If you're using private-bin, make sure you whitelist sh,dig,awk. Oh, and if you're using seccomp.keep, make sure you whitelist gettid,sigaltstack,epoll_create,getgroups,epoll_ctl,rt_sigsuspend,setsockopt,epoll_wait (I think that was all of them?).

Just thought I'd drop that by since I had a lot of trouble at first getting them to work together (I didn't want to use a bridge and other stuff that was detailed here: https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/). Hope this helps someone!
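A wrapper script applying the recipe above, added here as an illustration (it is not part of the issue or of Firejail): it refuses setuid targets, for which the dynamic loader ignores LD_PRELOAD, and appends the proxychains entries to whatever private-etc, private-bin and seccomp.keep lists a profile already uses instead of replacing them. It assumes proxychains 3.x (libproxychains.so.3) with its config at /etc/proxychains.conf.

```shell
#!/bin/sh
# Added example, not from the issue thread. Assumes proxychains 3.x (so the
# preload library is libproxychains.so.3) and its config at /etc/proxychains.conf.

# Entries the first post says must be added to an existing private-etc,
# private-bin and seccomp.keep list when proxychains is preloaded.
PC_ETC="proxychains.conf"
PC_BIN="sh,dig,awk"
PC_KEEP="gettid,sigaltstack,epoll_create,getgroups,epoll_ctl,rt_sigsuspend,setsockopt,epoll_wait"

# The dynamic loader drops LD_PRELOAD for setuid binaries, so proxychains
# silently does nothing for them; check the target before launching.
is_suid() {
    [ -u "$1" ]
}

# Merge "$2" into the comma-separated Firejail list "$1", skipping duplicates,
# so an existing list is extended rather than replaced.
add_entries() {
    out="$1"
    old_ifs="$IFS"; IFS=','
    for e in $2; do
        case ",$out," in
            *",$e,"*) ;;
            *) if [ -n "$out" ]; then out="$out,$e"; else out="$e"; fi ;;
        esac
    done
    IFS="$old_ifs"
    printf '%s' "$out"
}

# Compose the firejail command line: program, then the profile's current
# private-etc, private-bin and seccomp.keep lists (empty string = option unused).
build_cmd() {
    target="$1"
    cmd="firejail --env=LD_PRELOAD=libproxychains.so.3"
    if [ -n "$2" ]; then cmd="$cmd --private-etc=$(add_entries "$2" "$PC_ETC")"; fi
    if [ -n "$3" ]; then cmd="$cmd --private-bin=$(add_entries "$3" "$PC_BIN")"; fi
    if [ -n "$4" ]; then cmd="$cmd --seccomp.keep=$(add_entries "$4" "$PC_KEEP")"; fi
    printf '%s %s' "$cmd" "$target"
}

# Usage: ETC_LIST=hosts BIN_LIST=sh KEEP_LIST=read,write ./wrap.sh <program>
main() {
    path=$(command -v "$1") || { echo "not found: $1" >&2; return 1; }
    if is_suid "$path"; then echo "$path is setuid; LD_PRELOAD would be ignored" >&2; return 1; fi
    set -- $(build_cmd "$1" "$ETC_LIST" "$BIN_LIST" "$KEEP_LIST")
    exec "$@"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```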

netblue30 commented 7 years ago

It is by far the best Tor/Firejail howto I've seen so far. I have a link to them here: https://firejail.wordpress.com/2017/03/13/into-the-void-firejail-with-tor-howto/

chiraag-nataraj commented 7 years ago

Yeah, I mean...I saw that. Just felt that this is an alternative that works if you have very few applications that won't obey the proxy settings (and if you're using proxychains or something like it already).

ghost commented 7 years ago

I'm getting the following result: "ERROR: ld.so: object 'libproxychains.so.3' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored"

I've also tried using the guide @netblue30 pointed out. But got stuck at the third quotation box, the one that starts with "$ firejail --net=tornet /bin/bash". After firejailing bash, using the command "$ host www.debian.org" returns ";; connection timed out; no servers could be reached".

I'm using Debian Jessie with the firejail version available through jessie-backports, that is, "0.9.44.8-1~bpo8+". bridge-utils and proxychains are in versions "1.5-9" and "3.1-6" respectively.

chiraag-nataraj commented 7 years ago

Hmmm...are you trying to run an SUID binary with proxychains? That is, is the application you're running with firejail an SUID binary?

ghost commented 7 years ago

I wouldn't know how to identify an SUID binary, sorry. But indeed, I messed up by not providing the command I've used for this attempt. I've used "firejail --env="LD_PRELOAD=libproxychains.so.3" chromium". And this is the firejail profile used for this particular application:

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/chromium.local

# Chromium browser profile
noblacklist ~/.config/chromium
noblacklist ~/.cache/chromium
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc

whitelist ${DOWNLOADS}
mkdir ~/.config/chromium
whitelist ~/.config/chromium
mkdir ~/.cache/chromium
whitelist ~/.cache/chromium
mkdir ~/.pki
whitelist ~/.pki

# specific to Arch
whitelist ~/.config/chromium-flags.conf

include /etc/firejail/whitelist-common.inc

ipc-namespace
netfilter
nogroups
shell none

private-dev
private-tmp

noexec ${HOME}
noexec /tmp

Thank you for giving this matter your time and consideration. ;)

chiraag-nataraj commented 7 years ago

Ah, that's why - chromium uses an SUID helper to create its own sandbox. From what I remember, though, chromium should respect the system proxy settings (so if you use something like privoxy, you can just export http_proxy=localhost:8118, https_proxy=localhost:8118, and the uppercase equivalents and Chromium should Just Work™ 😄)

ghost commented 7 years ago

I see @chiraag-nataraj. Anyway, I used Chromium just for testing as I normally use a firejailed Tor Browser. I've now tested the command with another application using the command "firejail --env="LD_PRELOAD=libproxychains.so.3" trans word" and it worked. Anyway, in case this problem arises in the future, do you have a source I could refer to in order to learn how to set up my system's proxy settings? As of now, it has none. Also, is it possible to declare this environment variable using the application's firejail profile?

Thanks!

chiraag-nataraj commented 7 years ago

Basically, you'll have to export environment variables (that's the easiest way of doing it in my experience): https://justintung.com/2013/04/25/how-to-configure-proxy-settings-in-linux/

I would think you would be able to pass it using --env, so yes.