Firejail sandboxing

I’ve checked the forums and the firejail website but (with my limited understanding) can’t determine if I defeated firejail by what I tried.

I have been using firejail to run zoom. I have been sent an invitation to a meeting that, unlike past meetings, does not contain the meeting address. It does contain the password and the link to the meeting. I decided to open Firefox in firejail, load up my email account and use the embedded link to the meeting. That opens up zoom. My question is: did I jump out of the sandbox when Firefox called Zoom? Or is everything that runs from the sandboxed Firefox also in the sandbox?

I’d also love to know this. Just to be clear …

Using the xdg dialog? As in, it opened the Zoom desktop app?

I’d expect that your sandbox integrity isn’t broken, but if you want to be sure, you probably shouldn’t use a link to invoke your sandboxed app… After all, how do you know whether you really opened your sandboxed app or an unsandboxed app?
You should instead open the app in your sandbox and then paste your link into the app.

TSU

This may help, Prexy: I think that the Zoom meeting ID and the 10 to 11 numbers following the last slash in the Zoom meeting link are one and the same:

https://support.zoom.us/hc/en-us/articles/201362373-Meeting-ID

When I start the Zoom client, I have the option to “Join a Meeting” or “Sign In.” If I click “Join a Meeting,” it then prompts me to “Enter meeting ID or personal link name.” If you enter those 10 to 11 numbers, you’re in, without having to leave sandboxed Zoom.

If you have the zoom rpm installed, it’s always a possibility that the non-sandboxed version is picked up instead. Have you considered the flatpak version? You may want to adjust the permissions, but it would always run sandboxed.

To clarify: most Zoom invitations give a meeting number and password, as well as a link to the meeting. When I get the number and password, I run “firejail zoom” and enter those numbers. That does call up the “xdg” box to start zoom and I then enter the numbers. I have gotten invitations with only the link and a password. So, I can’t open the zoom app in the sandbox since that meeting number is not available.

I just dug the email out of the trash to examine it. It was listed not as a meeting, but as a webinar. I don’t know if that made a difference. Also, I don’t usually scroll down to the phone-in instructions since I never use that. There were other numbers there. I now presume they would work for the regular video meeting? not a phone meeting?

Also, I’ve never tried flatpak. Is that more secure for zoom?

Firejail uses a setuid binary which launches as root before dropping privileges. Flatpak uses bubblewrap which on oS is not a setuid binary but employs user namespaces instead. I’d rather not even have a setuid program on my system if I can avoid it. Besides, firejail profiles are not always in sync with sandboxed programs, given they are packaged at different paces. Flatpak doesn’t have this issue.

See the profile for Firejail:

And for Flatpak:

Some discussion for the flatpak version of zoom requiring access to $HOME:

hmmmm… pluses and minuses. I may be overthinking this. I may just set up a different user (zoomer) and run only firejail zoom in there and keep my fingers crossed!

Depending on your security objectives, you could also simply run the app in a virtual machine… which wouldn’t prevent your virtual machine from being exposed but would isolate any issues from your main operating system.

Otherwise, as described, I would expect that if you open your link within your firejail and your firejail is configured properly, your zoom application should be isolated as well.

TSU
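One way to check the question raised above ("how do you know whether you really opened your sandboxed app or an unsandboxed app?"), as an added example that is not part of any post in this thread: a shell function that walks a process's parent chain in /proc and reports whether any ancestor is named firejail. The `PROC_ROOT` variable and the function names are assumptions of this example, and the `Name` field is the process's self-reported command name, so treat the result as a sanity check.

```shell
#!/bin/sh
# Added example (not from the thread): does a running process descend from
# a firejail process? Walks the PPid links recorded in /proc/<pid>/status.
# PROC_ROOT is an assumption of this example so the walk can be pointed at
# a constructed tree for testing; it defaults to the real /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print one field (e.g. Name, PPid) from <PROC_ROOT>/<pid>/status.
# $1 = pid, $2 = field name without the colon.
status_field() {
    awk -v f="$2:" '$1 == f { print $2; exit }' \
        "$PROC_ROOT/$1/status" 2>/dev/null
}

# Exit status:
#   0  pid $1 or one of its ancestors is named "firejail"
#   1  the chain reached PID 1 without meeting a firejail process
#   2  the pid does not exist or cannot be read
in_firejail() {
    pid="$1"
    [ -r "$PROC_ROOT/$pid/status" ] || return 2
    while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
        [ "$(status_field "$pid" Name)" = "firejail" ] && return 0
        pid="$(status_field "$pid" PPid)"
    done
    return 1
}

# Stand-alone use: pass the exact process name to look for.
# Prints one line per matching process.
if [ "$#" -gt 0 ]; then
    for p in $(pgrep -x "$1"); do
        if in_firejail "$p"; then
            echo "$p ($1): running under firejail"
        else
            echo "$p ($1): NOT under firejail"
        fi
    done
fi
```

Run it with the process name while the meeting is open, for example `sh check.sh zoom` (the file name is a placeholder). `firejail --tree` shows the same parent/child relationship from firejail's own view.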

Thanks to all for your advice!