Firejail is a powerful tool that can be used to sandbox many applications. By default Firejail ships profiles for Chrome, Firefox, Telegram and other well-known applications; a Wireshark profile is still missing.
We want to limit the interfaces a user can sniff. More specifically, we want users to capture from bridge interfaces only.
On Ubuntu 16.04 Firejail is available in the universe repository:
# apt-get -y install firejail
All profiles are stored under /etc/firejail. We can run a bash using the generic profile:
$ firejail --profile=/etc/firejail/generic.profile bash
Wireshark under Firejail
Wireshark is a little more complicated:
- Wireshark calls dumpcap to capture packets, so the GUI itself does not run with root privileges;
- dumpcap carries file capabilities, so every user in the wireshark group gets elevated network privileges and can capture on any interface:
# getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
Let’s add a new profile:
# cat /etc/firejail/wireshark-gtk.profile
# Wireshark profile
private-bin bash,ls,wireshark-gtk,reordercap,dumpcap,editcap,rawshark,mergecap,text2pcap,capinfos
private-dev
private-etc fonts,group,gtk-3.0,hosts,machine-id,wireshark
private-tmp
noblacklist /bin
noblacklist /dev
noblacklist /etc
noblacklist /home
noblacklist /lib
noblacklist /lib64
noblacklist /sys
noblacklist /tmp
noblacklist /usr
blacklist /*
caps.drop all
netfilter
noroot
seccomp
shell none
The above profile:
- maps a private /bin (also bind-mounted over /sbin, /usr/bin and /usr/sbin) with private-bin, importing only the listed binaries;
- maps an almost empty /dev (private-dev);
- maps an almost empty /etc (private-etc), containing only the listed files;
- maps an empty /tmp (private-tmp);
- blacklists (disables) every top-level directory except the ones required by Wireshark;
- tightens the jail further: drops all capabilities, applies the default netfilter rules, forbids acquiring root (noroot), enables the seccomp filter and disables the shell (shell none).
Users must not be members of the wireshark group, or they will be able to capture from any interface simply by running dumpcap outside the jail.
Now add at least one rule for the brcapture group to /etc/sudoers (through visudo); sudoers uses the % prefix for group names:
%brcapture ALL=(root) NOPASSWD: /usr/bin/dumpcap -s0 -i br0 -P -w -
dumpcap can capture from several interfaces at the same time (the -i option can be repeated), so the rule must list the exact arguments: do not use a wildcard for the command arguments, or a user could append a second -i to the allowed command.
From any user in the brcapture group you can now start a capture on br0, and only on br0: dumpcap runs as root outside the sandbox with a fixed argument list, while the GUI, the part that parses the untrusted packets, runs inside the jail and reads the stream from stdin:
$ sudo /usr/bin/dumpcap -s0 -i br0 -P -w - | firejail wireshark-gtk -n -k -i -
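The wrapper below is an added example, not part of the original post, that puts the rules above into one user-side script: it accepts only a plain interface name (so nothing can be spliced into the dumpcap argument list), checks in sysfs that the interface really is a bridge, refuses to run for members of the wireshark group, and then runs exactly the sudo + firejail pipeline shown above. It assumes a sudoers rule of the form above for each bridge you name. The SYSFS_NET variable and the optional group-list argument of run_capture are assumptions made for testing, so the checks can be exercised against a fake sysfs tree and a constructed group list instead of the real machine.

```shell
#!/bin/sh
# brcapture.sh: user-side wrapper for the sudo + firejail pipeline above.
# Added example, not from the original post. Assumptions: the sudoers rule
# allows exactly "/usr/bin/dumpcap -s0 -i <bridge> -P -w -" for the bridge(s)
# you name, and SYSFS_NET (assumed variable, for testing) points at
# /sys/class/net or at a fake copy of it.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Accept only a plain interface name. A value with spaces or a leading '-'
# (e.g. "br0 -i eth0") would otherwise be spliced into the dumpcap argument
# list; sudo would refuse it anyway, but fail early with a clear error.
valid_ifname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]          # IFNAMSIZ - 1 on Linux
}

# A Linux bridge exposes a "bridge" subdirectory in sysfs.
is_bridge() {
    [ -d "$SYSFS_NET/$1/bridge" ]
}

# The sandbox is pointless for members of the wireshark group: they can run
# dumpcap outside the jail on any interface. Takes the group list as a
# string (normally "$(id -nG)") so it can be checked without a real account.
in_wireshark_group() {
    for g in $1; do
        [ "$g" = wireshark ] && return 0
    done
    return 1
}

# The exact command line the sudoers rule must match, one per bridge.
capture_cmd() {
    printf '/usr/bin/dumpcap -s0 -i %s -P -w -\n' "$1"
}

# Validate, then start the capture. Exit codes: 2 rejected interface,
# 3 caller is in the wireshark group, otherwise the pipeline's status.
run_capture() {
    iface="$1"
    grp_list="${2:-$(id -nG)}"
    valid_ifname "$iface" && is_bridge "$iface" || return 2
    in_wireshark_group "$grp_list" && return 3
    # dumpcap runs as root outside the jail with a fixed argument list;
    # the GUI, which parses the untrusted packets, runs inside the jail.
    sudo /usr/bin/dumpcap -s0 -i "$iface" -P -w - \
        | firejail wireshark-gtk -n -k -i -
}

# Usage: sh brcapture.sh br0   (defines the functions only when no argument is given)
if [ "$#" -gt 0 ]; then
    run_capture "$1"
fi
```

The wrapper is a convenience, not the security boundary: the exact sudoers rule and keeping users out of the wireshark group are what actually limit capture to the bridge, and a user who bypasses the script and runs sudo dumpcap by hand is still bound by both.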
If the user stops the capture from the Wireshark UI and tries to start a capture on a different interface, he gets a "You don't have permission to capture on that device" error.
Moreover, if the user tries to browse the filesystem, he gets a "Could not read the content" error on most directories.
To check what is inside the Wireshark jail, just start a bash using that profile:
$ firejail --profile=/etc/firejail/wireshark-gtk.profile bash
For example you will see an almost empty /etc:
$ ls /etc/
fonts group gtk-3.0 hosts machine-id