[ Split from original support question here: http://forums.linuxmint.com/viewtopic.php?f=47&t=202257 ]
Setting up firejail is relatively easy, and the included default profiles thoroughly enhance security for the programs they cover. You can configure firejail for further needs and for additional programs. How complex you want to make it is up to you. I'll first provide an overview below of how to install it and how to use the default profiles. Then, if you want, you can look into fine-tuning the default profiles or writing your own profile files.
While there are a lot of options for fine-tuning and writing your own profiles, I'll try and show you foremost the possibilities that I think will be of common interest to those that want to take firejail further. But again, the default profiles already boost your security so there is no need to go here unless you want to.
The website best summarizes what firejail does:
Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To start the sandbox, prefix your command with “firejail”.
Installation
Whether you are using Linux Mint 17.x or LMDE 2 the installation of firejail is as easy as:
- Download and save to disk the firejail .deb file for your architecture (32 bit or 64 bit) from the website: http://sourceforge.net/projects/firejai ... /firejail/. If you also want the GUI firetools program, find that here (firetools gives you a menu window from which to launch applications for which it has a profile): http://sourceforge.net/projects/firejai ... firetools/.
- Double-click the downloaded file in your file manager to launch the installer. It should install without problems.
Usage
Firejail comes with a bunch of default profiles for common programs that are either Internet connected or run untrusted code on your computer. You can find the default profiles in /etc/firejail. To start a program using one of these profiles just prefix the command with "firejail". So for example to start Firefox with the default firejail profile run the command "firejail firefox" (close running Firefox first). Even if you start a program with firejail for which there is no profile defined, it will get some default confinement (see at the end of this comment for the defaults).
Now this isn't very convenient so you'll want to customize the menu launcher for applications you want to run with firejail. AFAIK on all Linux Mint editions you can right-click on the menu button and from one of the options in the context menu go to the menu editor. There you can edit the command associated with a menu launcher. Just prefix the command with "firejail ".
You can also manually copy the .desktop file for the application you want to run with firejail from /usr/share/applications to ~/.local/share/applications and edit the copied file (this is what the menu editor also does). Replace the "Exec=" line to start with "Exec=firejail ". We can also do this in one go for all installed applications for which there is a default firejail profile with this one command:
mkdir -p ~/.local/share/applications
# one launcher per system profile that has a matching .desktop file
for profile in $(basename -s .profile /etc/firejail/*.profile); do
    if [[ -f /usr/share/applications/$profile.desktop ]]; then
        # copy the launcher to the user menu dir, prefixing the Exec= command with firejail
        sed -r 's/^(Exec=)/\1firejail /' "/usr/share/applications/$profile.desktop" \
            > ~/.local/share/applications/"$profile.desktop"
        echo "$profile configured to run in firejail"
    fi
done
To check which sandboxes are currently running, and the processes inside them:
firejail --list
firejail --tree
I would recommend you don't edit the profiles in /etc/firejail as these will be overwritten when you install another version of firejail. If you have one or two options you want to add for a program you can just add them as command line parameters to firejail. So for example say you want to blacklist your /backups directory, you would start firefox as: "firejail --blacklist=/backups -- firefox". (The -- before the firefox command signals the end of options for firejail.) This would use the default firefox profile but with this additional parameter.
You can find parameters you can use in the firejail manpage ("man firejail"). You don't need to add parameters for your program to already benefit from additional security. If you have certain additional needs this can be a quick and easy way to tailor the default profiles.
Some common parameters you might need to add:
- --blacklist=dirname_or_filename — makes the directory or file inaccessible
- --cpu=cpu-number,cpu-number,cpu-number — sets which CPU cores the program will be able to use
- --net=none — deny the program network access
- --private — gives the program a private copy of your home directory that is discarded after the program closes
- --private=directory — use the given directory as the home directory for the program, it is not discarded after the program closes
- --tmpfs=dirname — gives the program an empty directory for the given directory that is discarded after the program closes
Custom profiles / understanding default profiles
You might want to write your own profiles to further customize the default profiles or to add profiles for other applications. You can store custom profiles in ~/.config/firejail. You can find information on the available settings in the firejail-profile manpage ("man firejail-profile").
That manpage is also very useful if you want to understand the default profiles.
Let's look at Firefox's default profile as an example (/etc/firejail/firefox.profile):
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
whitelist ${DOWNLOADS}
whitelist ~/.mozilla
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
include /etc/firejail/whitelist-common.inc
- disable-mgmt.inc — makes inaccessible system management commands (/sbin and /usr/sbin directories, and a couple of commands)
- disable-secret.inc — makes inaccessible secret files in your home directory (SSH keys, Gnome and KDE keyrings, GPG keys, etc.)
- disable-common.inc — makes inaccessible files from other browsers, with the above "noblacklist ${HOME}/.mozilla" line ensuring the files for Firefox aren't made inaccessible (=blacklisted).
- disable-devel.inc — makes inaccessible development commands (like compilers, debug tools, scripting tools, and so on)
- whitelist-common.inc — makes accessible common files and directories that most graphical programs will need
The "seccomp" line enables a filter for which system calls the program can make. Better explained on the firejail blog: https://l3net.wordpress.com/2015/04/13/ ... omp-guide/. The "protocol" line further tailors the system call filter for networking.
The "netfilter" line enables a default network filter if you set up a new network namespace.
The "tracelog" line logs to /var/log/syslog every attempt by the program to access blacklisted files or directories.
The "noroot" line disables the root user in the sandbox.
The "whitelist" lines that follow make accessible files and directories that would be used by Firefox. The modifications to whitelisted files and directories are persistent, everything else written to your home directory is discarded when the sandbox is closed.
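Since "tracelog" writes violations to syslog, it is worth knowing how to pull them back out. The script below is an added example, not code from the original post or from the firejail project: it summarises tracelog violations per program and per path from a few constructed syslog lines. The "blacklist violation - sandbox N, exe ..., syscall ..., path ..." wording is an assumption about how firejail phrases these messages; adjust the sed pattern if your version logs differently, and feed it real lines with "grep firejail /var/log/syslog | parse_violations".

```shell
#!/bin/bash
# Added example: summarise firejail tracelog violations from syslog.
# ASSUMPTION: the message format below is how firejail's tracelog reports
# access to blacklisted paths; check your own /var/log/syslog.

# Constructed sample lines standing in for /var/log/syslog.
SAMPLE_LOG='Jan 10 10:00:01 mint firejail[4321]: blacklist violation - sandbox 4321, exe "firefox", syscall open, path /home/user/.ssh/id_rsa
Jan 10 10:00:02 mint kernel: [  123.456] usb 1-1: new device
Jan 10 10:00:03 mint firejail[4321]: blacklist violation - sandbox 4321, exe "firefox", syscall stat, path /home/user/.gnupg/secring.gpg
Jan 10 10:00:04 mint firejail[5555]: blacklist violation - sandbox 5555, exe "vlc", syscall open, path /home/user/.ssh/id_rsa
Jan 10 10:00:05 mint firejail[4321]: blacklist violation - sandbox 4321, exe "firefox", syscall open, path /home/user/.ssh/id_rsa'

# Read log text on stdin; print one "sandbox exe syscall path" record per violation.
parse_violations() {
    grep 'blacklist violation - sandbox' |
    sed -E 's/.*sandbox ([0-9]+), exe "([^"]+)", syscall ([a-z0-9_]+), path (.*)$/\1 \2 \3 \4/'
}

# Number of violation lines in the text on stdin.
count_violations() {
    parse_violations | wc -l | tr -d ' '
}

# Violations per program, most noisy first ("count exe" per line).
violations_per_exe() {
    parse_violations | awk '{ c[$2]++ } END { for (e in c) print c[e], e }' | sort -rn
}

# Unique blacklisted paths a given program tried to reach.
paths_for_exe() {
    parse_violations | awk -v e="$1" '$2 == e { print $4 }' | sort -u
}

# Stand-alone usage on the constructed sample (real use: grep firejail /var/log/syslog | violations_per_exe)
printf '%s\n' "$SAMPLE_LOG" | violations_per_exe
printf '%s\n' "$SAMPLE_LOG" | paths_for_exe firefox
```

Repeated hits on the same path from one sandbox usually mean a legitimate need that a "noblacklist" or "whitelist" line in a custom profile should cover; hits on things like SSH keys from a browser are exactly what the sandbox is there to stop.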
On top of this, the defaults also apply:
The sandbox consists of a chroot filesystem built in a new mount namespace, plus new PID [can't see processes running outside the sandbox] and UTS [can have its own hostname] namespaces. The default Firejail filesystem is based on the host filesystem with the main directories mounted read-only. Only /home and /tmp are writeable [unless overruled with whitelist, blacklist, tmpfs, or private settings].
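As an added example (not from the original post or the firejail project), here is a small shell script that writes a per-user profile in ~/.config/firejail which reuses the system Firefox profile and adds the "/backups" blacklist from above, and then audits any profile file for the hardening lines walked through in this section (caps.drop all, seccomp, noroot, netfilter, tracelog). It assumes that a per-user profile with the same name overrides the system one and that "include /etc/firejail/firefox.profile" pulls the system profile in; check "man firejail-profile" for your version. The demo at the bottom writes into a temporary directory so it runs without firejail installed.

```shell
#!/bin/bash
# Added example: write a user profile on top of the system one, and audit
# profiles for the hardening directives discussed in the post.
# ASSUMPTIONS: ~/.config/firejail/<name>.profile overrides /etc/firejail/<name>.profile,
# and "include" accepts the system profile path.

# write_user_profile NAME DIR [DIRECTIVE...]
# DIR empty -> ~/.config/firejail. Prints the path of the written profile.
write_user_profile() {
    name="$1"; dir="${2:-$HOME/.config/firejail}"; shift 2
    mkdir -p "$dir"
    {
        echo "# Local $name profile: system defaults plus site-specific restrictions"
        echo "include /etc/firejail/$name.profile"
        for line in "$@"; do echo "$line"; done
    } > "$dir/$name.profile"
    echo "$dir/$name.profile"
}

# audit_profile FILE: print "missing: <directive>" for each key hardening
# directive not present. Includes are NOT followed, so a profile that only
# delegates to another file shows as missing what that file provides.
audit_profile() {
    for directive in "caps.drop all" "seccomp" "noroot" "netfilter" "tracelog"; do
        if ! grep -q -E "^[[:space:]]*$directive([[:space:]]|$)" "$1"; then
            echo "missing: $directive"
        fi
    done
}

# count_missing FILE: number of missing hardening directives.
count_missing() {
    audit_profile "$1" | wc -l | tr -d ' '
}

# Constructed demo in a temporary directory (no firejail needed).
DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
# the hardening lines from the Firefox profile shown in the post
printf '%s\n' "caps.drop all" "seccomp" "protocol unix,inet,inet6,netlink" \
    "netfilter" "tracelog" "noroot" > "$DEMO_DIR/hardened.profile"
# a profile that only keeps the syscall filter
printf '%s\n' "noblacklist \${HOME}/.mozilla" "seccomp" > "$DEMO_DIR/weak.profile"
WEAK_MISSING="$(count_missing "$DEMO_DIR/weak.profile")"

# Real use: write_user_profile firefox "" "blacklist /backups"  -> ~/.config/firejail/firefox.profile
USER_PROFILE="$(write_user_profile firefox "$DEMO_DIR/config" "blacklist /backups")"

echo "hardened.profile missing: $(count_missing "$DEMO_DIR/hardened.profile")"
echo "weak.profile missing: $WEAK_MISSING"
cat "$USER_PROFILE"
```

Run the audit over /etc/firejail/*.profile to see at a glance which shipped profiles lack, say, "noroot" or "seccomp"; those are the ones where adding the directive on the command line or in a local profile pays off most.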