Firejail as security sandbox for your programs

Postby xenopeek » Mon Feb 20, 2017 1:16 pm

(This tutorial is for Linux Mint main edition. If you're using LMDE use viewtopic.php?f=241&t=240156 instead. There also is an older tutorial viewtopic.php?f=42&t=202735 that covered how to create your own Firejail profiles. It is outdated but may be a place to start if you're interested in that.)

Firejail is an easy to use security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux kernel security features. It restricts what files and directories an application can access in your home directory and what access it has to system directories and system resources. Firejail is ideal for use with web browsers, desktop applications, and daemons/servers alike. Read more at its website: https://firejail.wordpress.com/

I personally highly recommend you use Firejail at least with your web browser.

Installation
There are various ways of installing Firejail. You can download a package from its website and install from that or you may install it from the repository. The version in the repository is the long term support (LTS) version but, curiously, instead of getting upgrades to the LTS version through the repository only selectively certain bug fixes are backported to the version in the repositories. It may be safe enough but right now I would err on the side of caution and instead install it from the website if for some reason you want the LTS version. The LTS version doesn't have the firecfg command used below to easily configure your programs to use Firejail. Instead I'd recommend you download the current version from the website. If you download either version from the website you will have to keep an eye on new releases yourself and upgrade from a new download.

You can subscribe to this feed to get new release announcements: https://github.com/netblue30/firejail/releases.atom

Option 1: download from website
The download page on Firejail's website: https://firejail.wordpress.com/download-2/. I would recommend you use the current version. The long term support version will continue to receive fixes for bugs but won't get new features. Click through on the version you want and you will be taken to the SourceForge download page where you can download either the firejail_version_amd64.deb package (for 64-bit systems) or firejail_version_i386.deb package (for 32-bit systems). After downloading the file double-click it in your file manager to launch the installer.

Option 2: use the repository
Note: Firejail is in the repository starting with Linux Mint 18 so if you're using an older version of Linux Mint you can't use this option.

This is the easier option. Just open Software Manager and search for firejail and install it.

Configuration
Firejail comes with a profile for over 140 programs. You can find all the profiles in /etc/firejail/. One simple way to use Firejail with a program is with the command firejail program but while simple this quickly becomes tedious. You can edit the program's launcher in your menu and prefix "firejail " to the command in the launcher. This is a good solution if you just want to run your web browser in the security sandbox but again tedious if you want to use it for all possible programs. Luckily Firejail has the option to make it so that the programs you have installed for which Firejail has a profile will be configured to use Firejail by default. For this you need to run two commands from the terminal.

First run the following command which makes all possible changes so that all users on your system will use Firejail with installed programs for which Firejail has a profile (you will be asked for your password so mind that on the terminal you get no visual feedback as you type a password; just type it and press enter).
sudo firecfg

Second run the following command which fixes any programs that have an incompatible menu launcher. You will need to run this command for every user.
firecfg --fix

If you install additional programs in the future for which there is a Firejail profile you will have to re-run both of these commands.

Now if you start one of these programs from your menu they will be run in the Firejail security sandbox. When in doubt you can run the command firejail --list to see the list of programs currently running in a Firejail security sandbox.
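An added example, not part of the original post: a heuristic check for when the two firecfg commands above need re-running, listing installed programs that have a profile but no firecfg symlink yet. It assumes firecfg places its symlinks to firejail in /usr/local/bin (as the firecfg man page describes) and that each profile is named /etc/firejail/<program>.profile; the function name unsandboxed is hypothetical.

```shell
#!/bin/sh
# Added example (not from the tutorial). Assumptions: profiles live in
# /etc/firejail/<program>.profile and firecfg creates symlinks named after
# each program in /usr/local/bin that point at the firejail binary.
# /usr/local/bin comes before /usr/bin in PATH, so the symlink wins.

# unsandboxed PROFILE_DIR LINK_DIR BIN_DIR...
# Prints one program name per line: a profile exists, the program is
# installed in one of BIN_DIR, but LINK_DIR has no symlink to firejail.
unsandboxed() {
    profile_dir=$1
    link_dir=$2
    shift 2
    for profile in "$profile_dir"/*.profile; do
        [ -e "$profile" ] || continue          # glob matched nothing
        name=$(basename "$profile" .profile)

        # Skip profiles for programs that are not installed
        # (this also skips non-program profiles such as default.profile).
        installed=no
        for bin_dir in "$@"; do
            if [ -x "$bin_dir/$name" ] && [ ! -d "$bin_dir/$name" ]; then
                installed=yes
                break
            fi
        done
        [ "$installed" = yes ] || continue

        # Already routed through Firejail if the link targets firejail.
        link=$link_dir/$name
        if [ -L "$link" ]; then
            case $(readlink "$link") in
                */firejail|firejail) continue ;;
            esac
        fi
        printf '%s\n' "$name"
    done
}

# Run against the live system only where Firejail is installed.
if [ -d /etc/firejail ]; then
    unsandboxed /etc/firejail /usr/local/bin /usr/bin /usr/games /bin
fi
```

Any name it prints is a candidate for re-running sudo firecfg and firecfg --fix; an empty result means every installed program with a profile already has its symlink.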

Re: Firejail as security sandbox for your programs

Postby happysadhu » Thu Apr 20, 2017 1:34 am

Great Post--detailed and well-written.
I haven't heard of Firejail before. Will it slow down an application (e.g.,) when it's sandboxed by Firejail?

Thanks for sharing,
Sam

PS: This webpage offers additional tips on using Firejail, and even references your post.
https://sites.google.com/site/easylinux ... y-Firejail

Re: Firejail as security sandbox for your programs

Postby xenopeek » Thu Apr 20, 2017 2:09 am

Firejail has negligible impact on performance. It uses standard Linux kernel security features.

Re: Firejail as security sandbox for your programs

Postby hinto » Thu Apr 20, 2017 9:12 am

This is great news.
Thanks for the port.
-Hinto
"In God we trust, all others bring data."- W. Edwards Deming

Re: Firejail as security sandbox for your programs

Postby all41 » Thu Apr 20, 2017 10:10 am

And to think I have been using individual start commands to accomplish this. :)
Is there a log of the sandboxing actions somewhere?
It would be great to have notification/alarm of attempted boundary violations
Proud to be a supporter and monthly contributor to Mint.

Re: Firejail as security sandbox for your programs

Postby Hoser Rob » Sat May 13, 2017 12:03 pm

So why the hell is it that when I install the recommended LTS from the .deb file I get a command not found when I try to run firecfg???

Re: Firejail as security sandbox for your programs

Postby xenopeek » Sat May 13, 2017 12:41 pm

Well, color you surprised, new software versions actually do add something! Imagine that :) LTS means long term support—for security issues. Not for new functionality like firecfg. You would use the LTS of something if you don't care to get new features and just care to get security updates. That's why I recommend you install the version (not LTS) from the website instead of the LTS from the repository. The repository does have the LTS but it is several security updates behind, doing away with the only reason for using the LTS in the first place.

Re: Firejail as security sandbox for your programs

Postby Hoser Rob » Sun May 14, 2017 10:08 am

I DID install the deb from the site.

Re: Firejail as security sandbox for your programs

Postby xenopeek » Sun May 14, 2017 1:36 pm

I think you mean you downloaded the LTS version from the website. Not the current version which has the latest features, such as firecfg. I've reworded the installation section above to make it explicitly clear that the LTS version doesn't give you the latest features.

Unchanged: I recommend people download the current version from the website. The LTS version doesn't make sense on Ubuntu based Linux Mint. Either you install it from the repository and get an outdated LTS version with security issues or you install the latest LTS version from the website manually, which does away with those security issues, but then you have to update that manually anyway so why not go for the current version with the latest features...

Re: Firejail as security sandbox for your programs

Postby tkocou » Sat Jun 03, 2017 11:50 am

Like other folks, I had not heard of firejail. But given the latest news of "wanna-cry" and other malware, I found the firejail to be just the needed program to sandbox the Windows programs running under WINE. And I find the sandboxing of Firefox to be appealing as well.
A standard installation of Linux Mint is fairly immune to such shenanigans, however, running Windows programs via WINE is a different kettle of fish.

Just a small tip for those folks wanting to try firejail: as of June 3 2017, the version of firejail in the Linux Mint repositories lacks the "firecfg" program. After installing the firejail program, the Pulse Audio server becomes inaccessible. The firecfg program is the easiest method to fix the situation. There is a URL showing an alternative method to fix the Pulse Audio shown at the post by "happysadhu" (above).
