Firejail as security sandbox for your programs (LMDE)

Postby xenopeek » Mon Feb 20, 2017 1:04 pm

(This tutorial is for LMDE. If you're using Linux Mint main edition use viewtopic.php?f=42&t=240157 instead. There is also an older tutorial viewtopic.php?f=42&t=202735 that covered how to create your own Firejail profiles. It is outdated but may be a place to start if you're interested in that.)

Firejail is an easy to use security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux kernel security features. It restricts what files and directories an application can access in your home directory and what access it has to system directories and system resources. Firejail is ideal for use with web browsers, desktop applications, and daemons/servers alike. Read more at its website: https://firejail.wordpress.com/

I personally highly recommend you use Firejail at least with your web browser.

Installation
There are various ways of installing Firejail. You can download a package from its website and install from that or you may add either the Jessie Backports or Debian Testing repository to your system and install Firejail from there. Both repositories at the time of this writing have the current version of Firejail. I prefer using Jessie Backports but I will detail the alternatives as well. Installing from either repository has the obvious benefit of Update Manager handling upgrades for you. If you download it from the website you will have to keep an eye on new releases yourself and upgrade from a new download.

You can subscribe to this feed to get new release announcements: https://github.com/netblue30/firejail/releases.atom

Option 1: download from website
The download page on Firejail's website: https://firejail.wordpress.com/download-2/. I would recommend you use the current version. The long term support version will continue to receive bug fixes but won't get new features, and it doesn't have the firecfg command used below to easily configure your programs to use Firejail! Click through on the version you want and you will be taken to the SourceForge download page where you can download either the firejail_version_amd64.deb package (for 64-bit systems) or the firejail_version_i386.deb package (for 32-bit systems). After downloading the file, double-click it in your file manager to launch the installer.

Option 2: use Jessie Backports
Jessie Backports is an additional repository you can add to your LMDE 2 system. It provides additional programs and new feature releases of programs. Only programs you explicitly install from Jessie Backports will be upgraded from there so there is no risk of your LMDE 2 installation becoming unstable if you only selectively install programs from here.

Adding Jessie Backports is easy (for more information and alternative mirrors see https://backports.debian.org/Instructions/#index2h2). Open Software Sources from your menu, go to the "Additional repositories" tab in the left sidebar and click on the "Add a new repository" button there. Put the following in the text field:
deb http://ftp.debian.org/debian jessie-backports main

After adding that repository click the "Update the cache" button in the top right of the window. Next open Software Manager, search for firejail and install it. Because it is not found in the main repositories you don't need to do anything special to install it from Jessie Backports. For installing other packages from Jessie Backports see the instructions: https://backports.debian.org/Instructions/#index3h2

Option 3: use Debian Testing
Installing from Debian Testing works the same as from Jessie Backports but adding the repository is much more involved. See my instructions for how to correctly add Debian Testing repository to your system: viewtopic.php?t=212502

Configuration
Firejail comes with profiles for over 140 programs. You can find all the profiles in /etc/firejail/. One simple way to use Firejail with a program is to run it from a terminal as firejail program, but while simple this quickly becomes tedious. You can also edit the program's launcher in your menu and prefix "firejail " to the command in the launcher. This is a good solution if you just want to run your web browser in the security sandbox, but again tedious if you want to use it for all possible programs. Luckily Firejail can configure every installed program for which it has a profile to run under Firejail by default. For this you need to run two commands from the terminal.

First run the following command, which makes all system-wide changes needed so that all users on your system will use Firejail with installed programs for which Firejail has a profile (you will be asked for your password; note that the terminal gives no visual feedback as you type a password, so just type it and press Enter).
sudo firecfg

Second run the following command, which fixes any programs that have an incompatible menu launcher. You will need to run this command once for every user.
firecfg --fix

If you install additional programs in the future for which there is a Firejail profile you will have to re-run both of these commands.

Now if you start one of these programs from your menu it will run in the Firejail security sandbox. When in doubt you can run the command firejail --list to see the list of programs currently running in a Firejail security sandbox.
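As an added check that is not part of the tutorial, the following script audits the result of the two firecfg commands above: it reports which installed programs that have a Firejail profile are not yet redirected through the sandbox (for instance because they were installed after firecfg was last run), and whether /usr/local/bin is searched before /usr/bin in your PATH, which the redirection relies on. It simplifies by treating every /etc/firejail/*.profile name as a candidate program; the real firecfg uses its own program list.

```shell
#!/bin/sh
# Added example, not part of the tutorial: a read-only audit of the setup that
# `sudo firecfg` produces. firecfg redirects a program through the sandbox by
# placing a symlink /usr/local/bin/<program> -> /usr/bin/firejail; firejail
# then reads its own invocation name and starts <program> under
# /etc/firejail/<program>.profile. Two things can silently undo this:
#  - a program installed after firecfg was last run (no symlink yet)
#  - a PATH in which /usr/bin is searched before /usr/local/bin
# Assumption (simplification): the installed programs worth checking are those
# whose name matches a *.profile file; the real firecfg uses its own program list.

# audit_firecfg PROFILE_DIR BIN_DIR LINK_DIR FIREJAIL_BIN
# Prints "sandboxed <name>" or "exposed <name>" for each installed program with a profile.
audit_firecfg() {
  profile_dir=$1; bin_dir=$2; link_dir=$3; firejail_bin=$4
  for profile in "$profile_dir"/*.profile; do
    [ -e "$profile" ] || continue          # directory missing or no profiles
    name=$(basename "$profile" .profile)
    [ -x "$bin_dir/$name" ] || continue    # profile for a program that is not installed
    if [ -L "$link_dir/$name" ] &&
       [ "$(readlink "$link_dir/$name")" = "$firejail_bin" ]; then
      echo "sandboxed $name"
    else
      echo "exposed $name"
    fi
  done
}

# count_exposed: same arguments; prints how many programs still need `sudo firecfg`.
count_exposed() {
  audit_firecfg "$@" | awk '/^exposed /{n++} END{print n+0}'
}

# path_prefers_links LINK_DIR BIN_DIR PATH_VALUE
# Succeeds only if LINK_DIR is searched before BIN_DIR, which the redirection relies on.
path_prefers_links() {
  printf '%s\n' "$3" | tr ':' '\n' | awk -v l="$1" -v b="$2" '
    $0 == l && !seen_b { found = 1 }
    $0 == b            { seen_b = 1 }
    END { exit found ? 0 : 1 }'
}

if [ -d /etc/firejail ]; then    # report on the running system, when there is one
  audit_firecfg /etc/firejail /usr/bin /usr/local/bin /usr/bin/firejail
  path_prefers_links /usr/local/bin /usr/bin "$PATH" ||
    echo "warning: /usr/local/bin is not searched before /usr/bin"
fi
```

Any program reported as exposed means firecfg has not been run since it was installed; re-running sudo firecfg and firecfg --fix as described above puts it back under the sandbox.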