Title: Firejail on Linux to sandbox all the things
Author: Solène
Date: 14 February 2021
Tags: linux security sandbox
Description:
# Introduction
Firejail is a program that can prepare sandboxes to run other programs.
This is an efficient way to keep software isolated from the rest of
the system without needing to change its source code; it works for
network, graphical or daemon programs.
You may want to sandbox the programs you run in order to protect your
system from any issue that could happen within the program (security
breach, code mistake, unknown errors). Steam once had a "rm -fr /"
issue; a sandbox would have saved at least part of the user
directory. Web browsers are major tools nowadays and yet they have
access to the whole system and have many security issues discovered
and exploited in the wild; running one in a sandbox can reduce the data
a hacker could exfiltrate from the computer. Of course, sandboxing
comes with a usability tradeoff: if you only allow access to the
~/Downloads/ directory, you need to put files in this directory if you
want to upload them, and you can only download files into this
directory and then move them later where you really want to keep them.
# Installation
On most Linux systems you will find a Firejail package that you can
install. If your distribution doesn't provide a Firejail package,
installing from sources seems quite easy: the project is written in C
with few dependencies, so the build process should be straightforward.
There is no service to enable and no kernel parameter to add.
AppArmor or SELinux kernel features can be integrated into Firejail
profiles if you want to.
# Usage
## Start a program
The simplest usage is to run a command by adding firejail before the
command name.
```shell command
$ firejail firefox
```
## Use a symlink
Firejail has a neat feature that allows starting software by its name
without calling Firejail explicitly: if you create a symbolic link in
your $PATH using a program name but targeting Firejail, when you call
that name Firejail will automatically know what you want to start. The
following example will run firefox in a sandbox when you call the
symbolic link (~/bin/ has to come before the directory holding the real
firefox in $PATH, otherwise the symlink is never used).
```shell command
$ export PATH=~/bin/:$PATH
$ ln -s /usr/bin/firejail ~/bin/firefox
$ firefox
```
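As an added example that is not part of the original post, here is a small POSIX sh helper that creates the symlinks for several programs at once and checks that PATH really resolves the sandboxed name first, since a symlink directory placed after /usr/bin silently runs the unsandboxed binary. The directory, the firejail path and the function names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the post): create Firejail symlinks for several
# programs at once and verify that PATH resolves the sandboxed name first.
# Assumptions: the directory, the firejail path and the function names are
# hypothetical choices for this example.

# make_jail_links DIR FIREJAIL PROG...
# Creates DIR/PROG -> FIREJAIL for every PROG. Fails if FIREJAIL is not
# executable or if DIR/PROG exists and is not a symlink (never clobber a
# real file with a wrapper).
make_jail_links() {
    dir=$1; jail=$2; shift 2
    [ -x "$jail" ] || { echo "not executable: $jail" >&2; return 1; }
    mkdir -p "$dir" || return 1
    for prog in "$@"; do
        if [ -e "$dir/$prog" ] && [ ! -L "$dir/$prog" ]; then
            echo "refusing to overwrite non-symlink $dir/$prog" >&2
            return 1
        fi
        # -f refreshes a stale link when the script is rerun
        ln -sf "$jail" "$dir/$prog" || return 1
    done
}

# check_jail_link DIR PROG
# Succeeds only when the first PROG on PATH is the symlink in DIR, i.e. the
# sandbox wrapper is really what gets executed. A DIR placed after the
# system directories fails this check: the unsandboxed binary would run.
check_jail_link() {
    dir=$1; prog=$2
    found=$(command -v "$prog" 2>/dev/null) || return 1
    [ "$found" = "$dir/$prog" ] && [ -L "$found" ]
}

# usage: make_jail_links ~/bin /usr/bin/firejail firefox libreoffice
#        check_jail_link ~/bin firefox && echo "firefox is wrapped"
```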
## Listing sandboxes
The firejail --list command will tell you about all running sandboxes
and their parameters. The first column is the identifier used by other
Firejail features.
```shell command
$ firejail --list
6108:solene::/usr/bin/firejail /usr/bin/firefox
```
## Limit bandwidth per program
Firejail also has a neat feature that allows limiting the bandwidth
available to a single sandbox. Reusing the previous list output, I will
reduce firefox's bandwidth; the numbers are in kB/s (download first,
then upload).
```shell command
$ firejail --bandwidth=6108 set wlan0 1000 40
```
You can find more information about this feature in the "TRAFFIC
SHAPING" section of the Firejail man page.
## Restrict network access
If for some reason you want to start a program with absolutely no
network access, you can run it and deny it any network.
```shell command
$ firejail --net=none libreoffice
```
# Conclusion
Firejail is a neat way to start software in sandboxes without
requiring any particular setup. It may be more limited and maybe less
reliable than OpenBSD programs that received unveil() support, but it's
a nice trade-off between safety and required work within the source
code (literally none). It is a very interesting project that proves to
work easily on any Linux system, with simple C source code and few
dependencies. I am not really familiar with the Linux kernel and its
features, but Firejail seems to use seccomp-bpf and namespaces; I guess
they are complicated to use but powerful, and Firejail comes here as a
wrapper to automate all of this.
Firejail has been proven to be USABLE and RELIABLE for me while my
attempts at sandboxing Firefox with AppArmor were tedious and not
optimal. I really recommend it.
# More resources
Official project website with releases and security information
Firejail sources and documentation
Community profiles 1
Community profiles 2