Firejail as security sandbox for your programs


Postby xenopeek » Mon Feb 20, 2017 1:16 pm

(This tutorial is for Linux Mint main edition. If you're using LMDE use viewtopic.php?f=241&t=240156 instead. There also is an older tutorial viewtopic.php?f=42&t=202735 that covered how to create your own Firejail profiles. It is outdated but may be a place to start if you're interested in that.)

Firejail is an easy to use security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux kernel security features. It restricts what files and directories an application can access in your home directory and what access it has to system directories and system resources. Firejail is ideal for use with web browsers, desktop applications, and daemons/servers alike. Read more at its website: https://firejail.wordpress.com/

I personally highly recommend you use Firejail at least with your web browser.

Installation
There are various ways of installing Firejail. You can download a package from its website and install from that or you may install it from the repository. The version in the repository is the long term support (LTS) version but, curiously, instead of getting upgrades to the LTS version through the repository, only selectively certain bug fixes are backported to the version in the repositories. It may be safe enough but right now I would err on the side of caution and instead install it from the website. The version from the repository also doesn't have the firecfg command used below to easily configure your programs to use Firejail! If you download it from the website you will have to keep an eye on new releases yourself and upgrade from a new download.

You can subscribe to this feed to get new release announcements: https://github.com/netblue30/firejail/releases.atom

Option 1: download from website
The download page on Firejail's website: https://firejail.wordpress.com/download-2/. I would recommend you use the current version. The long term support version will continue to receive fixes for bugs but won't get new features. Click through on the version you want and you will be taken to the SourceForge download page where you can download either the firejail_version_amd64.deb package (for 64-bit systems) or firejail_version_i386.deb package (for 32-bit systems). After downloading the file double-click it in your file manager to launch the installer.

Option 2: use the repository
Note: Firejail is in the repository starting with Linux Mint 18 so if you're using an older version of Linux Mint you can't use this option.

This is the easier option. Just open Software Manager and search for firejail and install it.

Configuration
Firejail comes with a profile for over 140 programs. You can find all the profiles in /etc/firejail/. One simple way to use Firejail with a program is with the command firejail program but while simple this quickly becomes tedious. You can edit the program's launcher in your menu and prefix "firejail " to the command in the launcher. This is a good solution if you just want to run your web browser in the security sandbox but again tedious if you want to use it for all possible programs. Luckily Firejail has the option to make it so that the programs you have installed for which Firejail has a profile will be configured to use Firejail by default. For this you need to run two commands from the terminal.

First run the following command which makes all possible changes so that all users on your system will use Firejail with installed programs for which Firejail has a profile (you will be asked for your password so mind that on the terminal you get no visual feedback as you type a password; just type it and press enter).
sudo firecfg

Second run the following command which fixes any programs that have an incompatible menu launcher. You will need to run this command for every user.
firecfg --fix

If you install additional programs in the future for which there is a Firejail profile you will have to re-run both of these commands.

Now if you start one of these programs from your menu they will be run in the Firejail security sandbox. When in doubt you can run the command firejail --list to see the list of programs currently running in a Firejail security sandbox.
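
An added example (not part of xenopeek's post, and not Firejail's own code): a read-only audit of menu launchers against the profiles in /etc/firejail/. It relies on firecfg working by placing symlinks to firejail in /usr/local/bin, so a launcher whose Exec= line uses an absolute path never reaches the sandbox; the function name audit_launchers, its status labels and the sample files are assumptions made for the example.

```sh
# audit_launchers PROFILE_DIR LAUNCHER_DIR   (hypothetical helper, added example)
# Prints "<status> <program> <desktop-file>" for every launcher whose program
# has a Firejail profile. Launchers without a profile are not reported.
#   sandboxed : Exec= already starts with "firejail program"
#   bypass    : Exec= uses an absolute path, so a firecfg symlink on PATH is skipped
#   via-path  : Exec= uses a bare name; sandboxed only if PATH finds the symlink first
audit_launchers() {
    profile_dir=$1
    launcher_dir=$2
    for desktop in "$launcher_dir"/*.desktop; do
        [ -f "$desktop" ] || continue
        # Only the first Exec= line; desktop files may define extra actions.
        exec_line=$(sed -n 's/^Exec=//p' "$desktop" | head -n 1)
        [ -n "$exec_line" ] || continue
        first=${exec_line%% *}
        case "$first" in
            firejail|*/firejail)
                # Assumes the plain "firejail program" form from the tutorial.
                rest=${exec_line#* }
                target=${rest%% *}
                status=sandboxed ;;
            /*) target=$first; status=bypass ;;
            *)  target=$first; status=via-path ;;
        esac
        prog=${target##*/}
        [ -f "$profile_dir/$prog.profile" ] || continue
        printf '%s %s %s\n' "$status" "$prog" "${desktop##*/}"
    done
}

# Constructed sample data (not from a real system): three profiles, four launchers.
demo=$(mktemp -d)
mkdir "$demo/profiles" "$demo/apps"
for p in firefox vlc transmission-gtk; do : > "$demo/profiles/$p.profile"; done
printf '[Desktop Entry]\nExec=firefox %%u\n' > "$demo/apps/firefox.desktop"
printf '[Desktop Entry]\nExec=/usr/bin/vlc --started-from-file %%U\n' > "$demo/apps/vlc.desktop"
printf '[Desktop Entry]\nExec=firejail transmission-gtk %%U\n' > "$demo/apps/transmission-gtk.desktop"
printf '[Desktop Entry]\nExec=gedit %%U\n' > "$demo/apps/gedit.desktop"
report=$(audit_launchers "$demo/profiles" "$demo/apps")
printf '%s\n' "$report"
rm -rf "$demo"
# On a real system: audit_launchers /etc/firejail /usr/share/applications
```

Launchers reported as bypass are the ones to re-check after running firecfg --fix, and firejail --list confirms the result for a program that is actually running.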

Postby happysadhu » Thu Apr 20, 2017 1:34 am

Great Post--detailed and well-written.
I haven't heard of Firejail before. Will it slow down an application (e.g.,) when it's sandboxed by Firejail?

Thanks for sharing,
Sam

PS: This webpage offers additional tips on using Firejail, and even references your post.
https://sites.google.com/site/easylinux ... y-Firejail


Postby xenopeek » Thu Apr 20, 2017 2:09 am

Firejail has negligible impact on performance. It uses standard Linux kernel security features.

Postby hinto » Thu Apr 20, 2017 9:12 am

This is great news.
Thanks for the port.
-Hinto
"In God we trust, all others bring data."- W. Edwards Deming


Postby all41 » Thu Apr 20, 2017 10:10 am

And to think I have been using individual start commands to accomplish this. :)
Is there a log of the sandboxing actions somewhere?
It would be great to have notification/alarm of attempted boundary violations
Folding@home-Team Linux Mint-76140

