Title: Firejail on Linux to sandbox all the things
Author: Solène
Date: 14 February 2021
Tags: linux security sandbox
Description:
# Introduction

Firejail is a program that can prepare sandboxes to run other programs.
This is an efficient way to keep software isolated from the rest of
the system without changing its source code; it works for network,
graphical or daemon programs.

You may want to sandbox the programs you run in order to protect your
system from any issue that could happen within the program (security
breach, code mistake, unknown errors). Steam once had an "rm -fr /"
issue; running it in a sandbox would have saved at least part of the
user's home directory. Web browsers are major tools nowadays, yet they
have access to the whole system and have many security issues
discovered and exploited in the wild; running a browser in a sandbox
can reduce the data an attacker could exfiltrate from the computer. Of
course, sandboxing comes with a usability tradeoff: if you only
allow access to the ~/Downloads/ directory, you need to put files in
this directory if you want to upload them, and you can only download
files into this directory and then move them later to where you really
want to keep them.
# Installation

On most Linux systems you will find a Firejail package that you can
install. If your distribution doesn't provide a Firejail package,
building from source seems quite easy: the project is written in C
with few dependencies, so the build process should be straightforward.

There is no service to enable and no kernel parameter to add.
AppArmor or SELinux kernel features can be integrated into Firejail
profiles if you want to.
# Usage

## Start a program

The simplest usage is to run a command by adding firejail before the
command name.

```shell command
$ firejail firefox
```
## Use a symlink

Firejail has a neat feature that allows starting software by its name
without calling Firejail explicitly: if you create a symbolic link in
your $PATH using a program name but targeting Firejail, when you call
that name Firejail will automatically know what you want to start. The
following example will run firefox when you call the symbolic link.

```shell command
$ export PATH=~/bin/:$PATH
$ ln -s /usr/bin/firejail ~/bin/firefox
$ firefox
```
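The symlink trick above generalised to a list of programs, as an added example that is not part of the original post: the `make_firejail_links` and `is_wrapped` functions are hypothetical helpers, and they assume the link directory sits in front of /usr/bin in $PATH, exactly like ~/bin in the example.

```shell
#!/bin/sh
# Added example (not Firejail's own tooling): wrap several programs with
# Firejail through symbolic links named after the program, with a few
# safety checks the one-line example skips.
#
# Usage after sourcing this file (hypothetical names):
#   make_firejail_links ~/bin /usr/bin/firejail firefox libreoffice

# make_firejail_links LINK_DIR FIREJAIL_BIN PROGRAM...
# Creates LINK_DIR/PROGRAM -> FIREJAIL_BIN for each PROGRAM found in $PATH.
# Refuses to overwrite a regular file. Returns 0 when every program was
# wrapped, 1 when at least one was skipped.
make_firejail_links() {
    link_dir=$1; firejail_bin=$2; shift 2
    rc=0
    [ -x "$firejail_bin" ] || { echo "no firejail at $firejail_bin" >&2; return 1; }
    mkdir -p "$link_dir" || return 1
    for prog in "$@"; do
        link="$link_dir/$prog"
        # The real program must exist, otherwise the wrapper has nothing to start.
        if ! command -v "$prog" >/dev/null 2>&1; then
            echo "skip $prog: not found in PATH" >&2; rc=1; continue
        fi
        # Never clobber a real file that happens to live in the link directory.
        if [ -e "$link" ] && [ ! -L "$link" ]; then
            echo "skip $prog: $link is a regular file" >&2; rc=1; continue
        fi
        ln -sf "$firejail_bin" "$link" && echo "wrapped $prog -> $firejail_bin"
    done
    return $rc
}

# is_wrapped LINK_DIR PROGRAM
# Succeeds if LINK_DIR/PROGRAM is a symlink whose target is a file named
# firejail, which is what lets Firejail read the program name from argv[0].
is_wrapped() {
    target=$(readlink "$1/$2" 2>/dev/null) || return 1
    [ "$(basename "$target")" = "firejail" ]
}
```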
## Listing sandboxes

There is a firejail --list command that will tell you about all
running sandboxes and their parameters. The first column is the
sandbox identifier, which other Firejail features use.

```shell command
$ firejail --list
6108:solene::/usr/bin/firejail /usr/bin/firefox
```
## Limit bandwidth per program

Firejail also has a neat feature that limits the bandwidth available
to a single sandbox environment. Reusing the previous list output, I
will reduce firefox's bandwidth; the numbers are in kB/s.

```shell command
$ firejail --bandwidth=6108 set wlan0 1000 40
```

You can find more information about this feature in the "TRAFFIC
SHAPING" section of the Firejail man page.
## Restrict network access

If for some reason you want to start a program with absolutely no
network access, you can run it and deny it any network.

```shell command
$ firejail --net=none libreoffice
```
# Conclusion

Firejail is a neat way to start software in sandboxes without
requiring any particular setup. It may be more limited and maybe less
reliable than OpenBSD programs that have received unveil() support, but
it's a nice trade-off between safety and the work required within the
source code (literally none). It is a very interesting project that
proves to work easily on any Linux system, with simple C source code
and few dependencies. I am not really familiar with the Linux kernel
and its features, but Firejail seems to use seccomp-bpf and
namespaces; I guess they are complicated to use but powerful, and
Firejail comes here as a wrapper to automate all of this.

Firejail has been proven to be USABLE and RELIABLE for me, while my
attempts at sandboxing Firefox with AppArmor were tedious and not
optimal. I really recommend it.
# More resources

Official project website with releases and security information
Firejail sources and documentation
Community profiles 1
Community profiles 2