Since my PGP key is on its way into the Debian Maintainers keyring, I feel that I should be more careful about computer security. This week I find that I need to run Skype in order to make some calls to some landlines. With the new release candidate of Firejail, it’s really easy to minimise the threat from its non-free code.
Firstly, check that the Skype .deb you download from their website merely installs files and does not run any prerm or postinst scripts. You can run dpkg-deb --control skype-debian_4.3.0.37-1_i386.deb and confirm that there’s nothing executable in there. You should also list the contents with dpkg-deb --contents skype-debian_4.3.0.37-1_i386.deb, and confirm that it doesn’t install anything to places that will be executed by the system, such as to /etc/cron.d. For my own reference the safe .deb has sha256 hash a820e641d1ee3fece3fdf206f384eb65e764d7b1ceff3bc5dee818beb319993c, but you should perform these checks yourself.
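The checks above can be scripted. The following is an added example, not part of the original post: the function names and every flagged path prefix other than /etc/cron.d are assumptions, and it goes a little further than the text by also reporting the other maintainer script names and any setuid/setgid files.

```sh
#!/bin/sh
# Added example (not from the original post): audit a .deb before installing.

# Paths the system runs or loads on its own. Only /etc/cron.d comes from the
# post; the remaining prefixes are assumptions and should be extended to taste.
RISKY='^[.]?/?(etc/(cron[.]|init[.]d/|systemd/|profile[.]d/|sudoers[.]d/|udev/|ld[.]so|xdg/autostart/)|(usr/)?lib/systemd/)'

# Read a "dpkg-deb --contents" listing on stdin and print every file under a
# risky prefix plus every setuid/setgid file. Exit status 0 = nothing flagged.
# Assumes paths without spaces (field 6 of the tar-style listing).
flag_contents() {
    awk -v risky="$RISKY" '
        { mode = $1; path = $6 }
        mode ~ /^d/ { next }    # a directory entry alone installs nothing
        path ~ risky { print "system path: " path; bad = 1 }
        mode ~ /^-..[sS]|^-.....[sS]/ { print "setuid/setgid: " path; bad = 1 }
        END { exit bad + 0 }
    '
}

# Unpack the control area and report maintainer scripts dpkg would run as root.
# Exit status 0 = none present, 1 = at least one, 2 = could not inspect.
list_maintainer_scripts() {
    tmp=$(mktemp -d) || return 2
    dpkg-deb --control "$1" "$tmp" || { rm -rf "$tmp"; return 2; }
    found=0
    for s in preinst postinst prerm postrm config; do
        if [ -e "$tmp/$s" ]; then echo "maintainer script: $s"; found=1; fi
    done
    rm -rf "$tmp"
    return "$found"
}

# Full audit: optional sha256 pin, then control scripts, then contents.
audit_deb() {
    deb=$1; want=${2:-}
    if [ -n "$want" ]; then
        have=$(sha256sum "$deb" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "sha256 mismatch: $have"; return 1; }
    fi
    list_maintainer_scripts "$deb" || return 1
    dpkg-deb --contents "$deb" | flag_contents || return 1
    echo "OK: $deb only installs files, none in flagged locations"
}

# Usage: sh audit-deb.sh package.deb [expected-sha256]
[ "$#" -eq 0 ] || audit_deb "$@"
```

A non-zero exit means something was flagged for manual review, not that the package is malicious.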
Then install Firejail and Xephyr. You can hook Firejail and Xephyr together manually, but Firejail version 0.9.40-rc1 can do it for you, which is very convenient, so we install that from the Debian Experimental archive:
# apt-get install xserver-xephyr firejail/experimental
Here’s an invocation to use the jail:
$ firejail --x11=xephyr --private --private-tmp --net=eth0 openbox
$ DISPLAY=$(firemon --x11 | grep "DISPLAY" | sed 's/ DISPLAY //') \
firejail --net=eth0 --private --private-tmp skype
This takes advantage of Firejail’s existing jail profile for Skype. We get the following:
- A private /home/you so that Skype cannot access any of your files (disadvantage is that Skype can’t remember your username and password; you can look at --private=directory to do something persistent).
- A private /tmp to avoid it going near any sockets.
- A private X11 server so that Skype cannot access the contents of any of your other windows (X11 inter-application security is virtually non-existent).
- The Firejail profile for Skype restricts the hardware it can access to only what it needs i.e. network, camera, microphone etc.
- The openbox window manager so you can close overlapping windows.
This isn’t perfect. An annoyance is that the Xephyr window sticks around when you close Skype. More seriously, computer security is always an attacker’s advantage game, so this is just an attempt at reducing (optimistically: minimising) the threat posed by non-free code.
Update 2016/vi/1: use openbox
Update 2016/vi/15: use --net=eth0 or the X11 jail is not actually secure