Firejail allows you to easily sandbox Linux applications. Find out how to add this extra layer of security.
Firejail is a Linux security SUID program that drastically reduces the risk of security breaches by sandboxing the running environment of untrusted applications. Firejail achieves this by using Linux namespaces and seccomp-bpf, which attaches a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel.
With Firejail installed, you can launch applications from the command line so that they have a private view of globally shared kernel resources, such as the network stack. With this addition to your Linux platform, you'll add a heightened level of security to an already secure environment.
Firejail is not limited to graphical applications. In fact, Firejail can sandbox servers, GUI tools, and even user login sessions.
Believe it or not, Firejail is incredibly easy to use. I'm going to walk you through the process of installing and using Firejail.
What you'll need
The only things you'll need to make this work are:
- A running instance of a Linux platform
- A user with sudo privileges
I will be demonstrating on Ubuntu Desktop 19.10, but you can make this work on just about any Linux distribution. Since Firejail is found in most standard repositories, you'll only need to adjust the installation instructions to match your distribution of choice.
How to install Firejail
In order to install Firejail, log in to your Linux operating system, open a terminal window, and issue the command (modifying it to fit your distribution package manager):
sudo apt-get install firejail -y
Once the command completes, you're finished with the installation.
How to use Firejail
Using Firejail is quite simple. Let's say you want to open an instance of Firefox. To do that, go back to the terminal window and issue the command firejail firefox.
Firefox will open and you'll see quite a lot of output in the terminal window (Figure A).
You might find that you get no sound from applications sandboxed with Firejail. If that's the case, issue the command:
The above command will fix a few bugs in Pulseaudio, so sound should no longer be a problem. After running the command, log out and log back in so the fix can take effect.
If you're using Firejail on a desktop distribution, you'll want to integrate it into the desktop environment (such as GNOME, KDE, Xfce, Pantheon, etc.). To do that, issue the command:
Log out and log back in.
This will configure a number of symlinks, add your user to the Firejail access database, and fix a number of desktop files. Once you've run the firecfg command, you no longer have to run your desktop applications from the command line, as they will automatically run using the firejail command.
The caveat and the fix
One issue you might run into is that sandboxed applications won't have access to your filesystem. For example, say you run the command firejail firefox and then attempt to upload a file to a website. Firejail may prevent that. If that's the case, you have to jump through a few hoops to make it work. Here's what you need to do (we'll stick with our Firefox example).
- Open up a terminal window.
- Issue the command mkdir -p ~/.config/firejail.
- Change into the newly created directory with the command cd ~/.config/firejail.
- Copy the default Firejail profile into the newly created directory with the command cp /etc/firejail/firefox.profile ~/.config/firejail/.
- Edit the newly created profile to suit your needs.
Let's say you need to upload files from the ~/Documents directory. In order to do that, you'll need to add a whitelist entry for that directory. Open the newly created file with the command:
Under the noblacklist lines, add the following line:
Save and close the file.
Here's another trick. Say you want to give an application read-only permission to the ~/Documents directory. For that you could add the line:
Save and close the file.
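The profile-override steps above can be scripted. The following is an added example, not part of the original article: add_profile_rule is a hypothetical helper name, the rule lines use the whitelist and read-only profile commands with Firejail's ${HOME} macro, and the demo runs on a constructed sample profile in a scratch directory rather than on the real firefox.profile.

```shell
#!/bin/sh
# add_profile_rule SRC DEST_DIR RULE   (hypothetical helper, added example)
#   SRC      system profile to copy, e.g. /etc/firejail/firefox.profile
#   DEST_DIR per-user profile directory, e.g. "$HOME/.config/firejail"
#   RULE     one profile line, e.g. 'whitelist ${HOME}/Documents'
add_profile_rule() {
    src=$1; dest_dir=$2; rule=$3
    dest="$dest_dir/$(basename "$src")"
    mkdir -p "$dest_dir" || return 1
    # Copy the system profile only once so earlier edits are kept.
    [ -f "$dest" ] || cp "$src" "$dest" || return 1
    # Idempotent: nothing to do if the exact rule line already exists.
    grep -qxF -- "$rule" "$dest" && return 0
    tmp=$(mktemp) || return 1
    # Insert the rule after the last noblacklist line, or append it
    # when the profile has no noblacklist lines at all.
    awk -v rule="$rule" '
        { line[NR] = $0; if ($0 ~ /^noblacklist[ \t]/) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == last) print rule
            }
            if (!last) print rule
        }' "$dest" > "$tmp" && cat "$tmp" > "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample profile (not the real Firefox profile).
# ${HOME} stays literal in single quotes: Firejail expands the macro itself.
demo=$(mktemp -d)
printf '%s\n' 'noblacklist ${HOME}/.mozilla' \
    'noblacklist ${HOME}/.cache/mozilla' 'caps.drop all' \
    > "$demo/firefox.profile"
add_profile_rule "$demo/firefox.profile" "$demo/user" 'whitelist ${HOME}/Documents'
add_profile_rule "$demo/firefox.profile" "$demo/user" 'read-only ${HOME}/Documents'
cat "$demo/user/firefox.profile"
```

For real use, pass /etc/firejail/firefox.profile as SRC and "$HOME/.config/firejail" as DEST_DIR; the system profile is never modified, and running the same rule twice leaves a single copy of the line.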
As you can probably surmise, there are a lot of really nifty tricks up Firejail's sleeve. To find out more about what you can do with profiles, issue the command man firejail-profile to read up on everything this feature has to offer.