Firejail as security sandbox for your programs

xenopeek
Level 24 | Posts: 24971 | Joined: Wed Jul 06, 2011 3:58 am | Location: The Netherlands

Firejail as security sandbox for your programs

Post by xenopeek »

Update: for Linux Mint 19 you can also install Firejail from a PPA or from the default repositories. See info from Fred, who's on the Firejail team, here viewtopic.php?f=58&t=273533

(This tutorial is for Linux Mint main edition. If you're using LMDE use viewtopic.php?f=241&t=240156 instead. There also is an older tutorial viewtopic.php?f=42&t=202735 that covered how to create your own Firejail profiles. It is outdated but may be a place to start if you're interested in that.)

Firejail is an easy to use security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux kernel security features. It restricts what files and directories an application can access in your home directory and what access it has to system directories and system resources. Firejail is ideal for use with web browsers, desktop applications, and daemons/servers alike. Read more at its website: https://firejail.wordpress.com/

I personally highly recommend you use Firejail at least with your web browser.

Installation
There are various ways of installing Firejail. You can download a package from its website and install from that, or you may install it from the repository. The version in the repository is the long term support (LTS) version but, curiously, instead of getting upgrades to the LTS version through the repository, only certain bug fixes are selectively backported to the version in the repositories. It may be safe enough, but right now I would err on the side of caution and instead install it from the website if for some reason you want the LTS version. The LTS version doesn't have the firecfg command used below to easily configure your programs to use Firejail. Instead I'd recommend you download the current version from the website. If you download either version from the website you will have to keep an eye on new releases yourself and upgrade from a new download.

You can subscribe to this feed to get new release announcements: https://github.com/netblue30/firejail/releases.atom

Option 1: download from website
The download page on Firejail's website: https://firejail.wordpress.com/download-2/. I would recommend you use the current version. The long term support version will continue to receive fixes for bugs but won't get new features. Click through on the version you want and you will be taken to the SourceForge download page where you can download either the firejail_version_amd64.deb package (for 64-bit systems) or the firejail_version_i386.deb package (for 32-bit systems). After downloading the file, double-click it in your file manager to launch the installer.

Option 2: use the repository
Note: Firejail is in the repository starting with Linux Mint 18 so if you're using an older version of Linux Mint you can't use this option.

This is the easier option. Just open Software Manager and search for firejail and install it. Configuration is harder though.

Configuration
Firejail comes with a profile for over 140 programs. You can find all the profiles in /etc/firejail/. One simple way to use Firejail with a program is with the command firejail program but while simple this quickly becomes tedious. You can edit the program's launcher in your menu and prefix "firejail " to the command in the launcher. This is a good solution if you just want to run your web browser in the security sandbox but again tedious if you want to use it for all possible programs. Luckily Firejail has the option to make it so that the programs you have installed for which Firejail has a profile will be configured to use Firejail by default. For this you need to run two commands from the terminal.

Note: these commands are not available if you installed Firejail from the Linux Mint 18.x repository. You need to have installed it from the download on their website to get these commands.

First run the following command which makes all possible changes so that all users on your system will use Firejail with installed programs for which Firejail has a profile (you will be asked for your password so mind that on the terminal you get no visual feedback as you type a password; just type it and press enter).
sudo firecfg

Second run the following command which fixes any programs that have an incompatible menu launcher. You will need to run this command for every user.
firecfg --fix

If you install additional programs in the future for which there is a Firejail profile you will have to re-run both of these commands.

Now if you start one of these programs from your menu it will run in the Firejail security sandbox. When in doubt you can run the command firejail --list to see the list of programs currently running in a Firejail security sandbox.
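As an added example (not part of xenopeek's post and not the Firejail project's own tooling): firecfg works by placing, in /usr/local/bin, a symlink named after each program that points at the firejail binary, so a program started by name runs under firejail. The script below audits such a directory, listing which commands are wrapped and whether a dedicated profile for each exists in the profile directory. The directory names are parameters so the functions can be run against a scratch directory; /usr/local/bin and /etc/firejail are the assumed real locations, and the fallback to a default profile when no dedicated profile exists is stated here as Firejail's documented behaviour, not something the post itself covers.

```shell
#!/bin/sh
# Added example, not from the forum post or the Firejail project.
# Assumption: firecfg creates symlinks in /usr/local/bin that point at
# the firejail binary; profiles live as /etc/firejail/<name>.profile.

# Print, one per line, the names in DIR that are symlinks to a firejail binary.
list_firejail_wrappers() {
    dir=$1
    for f in "$dir"/*; do
        [ -L "$f" ] || continue          # only symlinks are firecfg wrappers
        target=$(readlink "$f")
        case "$target" in
            */firejail|firejail) basename "$f" ;;
        esac
    done
}

# Return 0 if PROFILE_DIR holds a dedicated profile for NAME, 1 otherwise.
has_profile() {
    [ -f "$2/$1.profile" ]
}

# For every wrapper in DIR, report whether a matching profile exists in
# PROFILE_DIR. A wrapped program without a dedicated profile still runs
# sandboxed, but only under firejail's generic default profile.
audit_wrappers() {
    dir=$1
    profiles=$2
    for name in $(list_firejail_wrappers "$dir"); do
        if has_profile "$name" "$profiles"; then
            printf '%s: wrapped, profile %s/%s.profile\n' "$name" "$profiles" "$name"
        else
            printf '%s: wrapped, no dedicated profile (default profile applies)\n' "$name"
        fi
    done
}

# Usage against the real locations (uncomment to run on your system):
# audit_wrappers /usr/local/bin /etc/firejail
```

Run the audit after `sudo firecfg` to see exactly which menu entries and shell commands are now sandboxed; anything missing from the list is a program firecfg did not wrap, which you would still have to prefix with `firejail` by hand.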
happysadhu
Level 1 | Posts: 27 | Joined: Fri Sep 10, 2010 10:57 pm

Re: Firejail as security sandbox for your programs

Post by happysadhu »

Great post, detailed and well-written.
I haven't heard of Firejail before. Will it slow down an application when it's sandboxed by Firejail?

Thanks for sharing,
Sam

PS: This webpage offers additional tips on using Firejail, and even references your post.
https://sites.google.com/site/easylinux ... y-Firejail
xenopeek
Level 24 | Posts: 24971 | Joined: Wed Jul 06, 2011 3:58 am | Location: The Netherlands

Re: Firejail as security sandbox for your programs

Post by xenopeek »

Firejail has negligible impact on performance. It uses standard Linux kernel security features.
deleted

Re: Firejail as security sandbox for your programs

Post by deleted »

This is great news.
Thanks for the port.
-Hinto
all41
Level 16 | Posts: 6563 | Joined: Tue Dec 31, 2013 9:12 am | Location: Computer, Car, Cage

Re: Firejail as security sandbox for your programs

Post by all41 »

And to think I have been using individual start commands to accomplish this. :)
Is there a log of the sandboxing actions somewhere?
It would be great to have a notification/alarm of attempted boundary violations.
Hoser Rob
Level 16 | Posts: 6800 | Joined: Sat Dec 15, 2012 8:57 am

Re: Firejail as security sandbox for your programs

Post by Hoser Rob »

So why the hell is it that when I install the recommended LTS from the .deb file I get a command not found when I try to run firecfg???
xenopeek
Level 24 | Posts: 24971 | Joined: Wed Jul 06, 2011 3:58 am | Location: The Netherlands

Re: Firejail as security sandbox for your programs

Post by xenopeek »

Well, color you surprised, new software versions actually do add something! Imagine that :) LTS means long term support—for security issues. Not for new functionality like firecfg. You would use the LTS of something if you don't care to get new features and just care to get security updates. That's why I recommend you install the version (not LTS) from the website instead of the LTS from the repository. The repository does have the LTS but it is several security updates behind, doing away with the only reason for using the LTS in the first place.
Hoser Rob
Level 16 | Posts: 6800 | Joined: Sat Dec 15, 2012 8:57 am

Re: Firejail as security sandbox for your programs

Post by Hoser Rob »

I DID install the deb from the site.
xenopeek
Level 24 | Posts: 24971 | Joined: Wed Jul 06, 2011 3:58 am | Location: The Netherlands

Re: Firejail as security sandbox for your programs

Post by xenopeek »

I think you mean you downloaded the LTS version from the website. Not the current version which has the latest features, such as firecfg. I've reworded the installation section above to make it explicitly clear that the LTS version doesn't give you the latest features.

Unchanged: I recommend people download the current version from the website. The LTS version doesn't make sense on Ubuntu based Linux Mint. Either you install it from the repository and get an outdated LTS version with security issues, or you install the latest LTS version from the website manually, which does away with those security issues, but then you have to update that manually anyway, so why not go for the current version with the latest features...
tkocou
Level 1 | Posts: 41 | Joined: Mon Jul 30, 2012 6:25 pm

Re: Firejail as security sandbox for your programs

Post by tkocou »

Like other folks, I had not heard of firejail. But given the latest news of "wanna-cry" and other malware, I found firejail to be just the needed program to sandbox the Windows programs running under WINE. And I find the sandboxing of Firefox to be appealing as well.
A standard installation of Linux Mint is fairly immune to such shenanigans, however, running Windows programs via WINE is a different kettle of fish.

Just a small tip for those folks wanting to try firejail: as of June 3 2017, the version of firejail in the Linux Mint repositories lacks the "firecfg" program. After installing the firejail program, the Pulse Audio server becomes inaccessible. The firecfg program is the easiest method to fix the situation. There is a URL showing an alternative method to fix Pulse Audio in the post by "happysadhu" (above).
Pepper-Mint-Patty
Level 4 | Posts: 457 | Joined: Fri Dec 20, 2019 4:54 pm | Location: Royston Vasey

Re: Firejail as security sandbox for your programs

Post by Pepper-Mint-Patty »

xenopeek wrote:
Mon Feb 20, 2017 1:16 pm
Firejail is an easy to use security sandbox program...
Every time somebody is using these words, prepare for hell! Still now in 2020.
xenopeek wrote:
Mon Feb 20, 2017 1:16 pm
I personally highly recommend you use Firejail at least with your web browser.
I am afraid he is right there, that only makes things worse though...
RIH
Level 5 | Posts: 816 | Joined: Sat Aug 22, 2015 3:47 am

Re: Firejail as security sandbox for your programs

Post by RIH »

Firetools is a handy little user interface with Firejail if you don't like using the terminal.

I use Firejail (via Firetools) just on my browsers.
Pepper-Mint-Patty
Level 4 | Posts: 457 | Joined: Fri Dec 20, 2019 4:54 pm | Location: Royston Vasey

Re: Firejail as security sandbox for your programs

Post by Pepper-Mint-Patty »

Just removed the lot since it was only creating problems.
Well, I have to try that maybe...
But what about saving files and copying them to the 'jail-free zone'? How to do so?
Moem
Level 20 | Posts: 11953 | Joined: Tue Nov 17, 2015 9:14 am | Location: The Netherlands

Re: Firejail as security sandbox for your programs

Post by Moem »

Pepper-Mint-Patty wrote:
Wed Oct 28, 2020 6:56 am
But what about saving files and copy them to the 'jail-free zone'? How to do so?
From above: [attachment: tutorials.png]
