spwhitton/ blog/ entry/ Skype inside Firejail version 0.9.40-rc1
bucheontimestop | Notes from the Library | seoulviasfo

Since my PGP key is on its way into the Debian Maintainers keyring, I feel that I should be more careful about computer security. This week I find that I need to run Skype in order to make some calls to some landlines. With the new release candidate of Firejail, it’s really easy to minimise the threat from its non-free code.

Firstly, check that the Skype .deb you download from their website merely installs files and does not run any prerm or postinst scripts. You can run dpkg-deb --control skype-debian_4.3.0.37-1_i386.deb and confirm that there’s nothing executable in there. You should also list the contents with dpkg-deb --contents skype-debian_4.3.0.37-1_i386.deb, and confirm that it doesn’t install anything to places that will be executed by the system, such as to /etc/cron.d. For my own reference the safe .deb has sha256 hash a820e641d1ee3fece3fdf206f384eb65e764d7b1ceff3bc5dee818beb319993c, but you should perform these checks yourself.

Then install Firejail and Xephyr. You can hook Firejail and Xephyr together manually, but Firejail version 0.9.40-rc1 can do it for you, which is very convenient, so we install that from the Debian Experimental archive:

# apt-get install xserver-xephyr firejail/experimental

Here’s an invocation to use the jail:

$ firejail --x11=xephyr --private --private-tmp --net=eth0 openbox
$ DISPLAY=$(firemon --x11 | grep "DISPLAY" | sed 's/   DISPLAY //') \
  firejail --net=eth0 --private --private-tmp skype

This takes advantage of Firejail’s existing jail profile for Skype. We get the following:

  • A private /home/you so that Skype cannot access any of your files (disadvantage is that Skype can’t remember your username and password; you can look at --private=directory to do something persistent).
  • A private /tmp to avoid it going near any sockets.
  • A private X11 server so that Skype cannot access the contents of any of your other windows (X11 inter-application security is virtually non-existent).
  • The Firejail profile for Skype restricts the hardware it can access to only what it needs i.e. network, camera, microphone etc.
  • The openbox window manager so you can close overlapping windows.

This isn’t perfect. An annoyance is that the Xephyr window sticks around when you close Skype. More seriously, computer security is always an attacker’s advantage game, so this is just an attempt at reducing (optimistically: minimising) the threat posed by non-free code.

Update 2016/vi/1: use openbox

Update 2016/vi/15: use --net=eth0 or the X11 jail is not actually secure