Linux Firejail: Securely Throw Untrusted Applications Behind Bars
How to Sandbox Applications in Linux? [Firejail]
Table of contents
- What is Sandboxing?
- Why use Firejail?
- How does Firejail work?
- Firejail Basics and Workflow
Sandboxing and containerization are widely considered the strongest tools for high privacy and security threat models. The most renowned privacy and security tools, such as Whonix, Qubes OS, Tails and Docker, are built around sandboxing in one way or another. What they actually do is isolate the components an application relies on, such as its network interfaces and file system, so that it cannot make unwanted connections or reach data it should not see.
To get started, let's delve into how Firejail operates and then explore how seamlessly you can incorporate it into your security toolkit.
What is Sandboxing?
Sandboxing is a security mechanism for running programs and processes inside an isolated environment with limited access to resources. What happens in the Sandbox stays in the Sandbox; I mean, it won't affect your host machine, just like virtual machines. The concept of sandboxing is not new; many of us unknowingly engage with sandbox-enabled programs daily. Web browsers, Snap or Flatpak packages, and Electron-based software like Discord and VSCode use sandboxing for security purposes.
LiveOverflow has an insightful video explaining Browser Sandboxing.
Why use Firejail?
The most secure way to live in a virtual world is to live in a virtual machine. Of course, that's not practical for everyday users, and that's why we have tools like Qubes and Whonix. But to be honest, they can also be somewhat daunting for the average user.
And most of us don't require these high threat model tools. We aren't hiding from governments or intelligence agencies like Edward Snowden. Instead, we're concerned about more common scenarios. Picture a friend whose machine was recently infected with malware and who unknowingly sent you some of it inside a PDF. In these situations, what we need is a middle ground like Firejail that strikes a balance between security and usability: a solution that integrates seamlessly into our everyday work environment.
How do I use Firejail?
So let's be real, I don't use Firejail for every single application. I mainly leverage Firejail for two specific purposes:
- Viewing documents or PDFs
- Running untrusted applications, especially packages pulled from GitHub
Why not AppArmor, Snap or Flatpak?
Unlike Firejail, AppArmor demands some initial configurations.
However, AppArmor stands as a viable alternative to Firejail, and we can delve into its merits—feel free to comment below if interested.
Snaps & Flatpak
- Both offer limited control over applications.
- Not every application comes with a Snap or Flatpak package, whereas Firejail can run any application in a sandbox, irrespective of packaging.
- Flatpak, due to package size concerns, isn't my preference.
- Unlike Firejail, Snaps and Flatpaks offer no way to get a shell inside the running sandbox.
- Simplicity is on the side of Snaps and Flatpaks, making them more beginner-friendly.
Someone on the internet said "Snaps and Flatpaks ensure security based on developers' intentions, whereas Firejail is an additional layer you can incorporate into an application for enhanced security". Notably, Flatpak permissions can be fine-tuned with Flatseal.
How does Firejail work?
Firejail is a command-line utility that uses security profiles. It comes bundled with profiles for hundreds of well-known applications, which gives Firejail a significant advantage over similar tools. These profiles live under /etc/firejail and contain the rules that dictate what an application may do. For instance, my PDF viewer is confined to the Downloads directory, with no internet access. Firejail also supports custom profiles, enabling users to run lesser-known software within a protected environment.
Running applications under the Firejail Sandbox is quite easy; just prefix your command with "firejail". E.g.
$ firejail firefox # starting Mozilla Firefox
$ firejail vlc # starting VideoLAN Client
The underlying technology that powers Firejail and similar programs like Docker, Flatpak and Snap is Linux namespaces.
LiveOverflow also has an amazing video about Namespaces, definitely worth checking out.
Firejail Basics and Workflow
Firejail can be installed from your distribution's official repositories using its package manager.
sudo pacman -S firejail
sudo apt install firejail
The following command will open Firefox in a sandbox environment with a specific set of requirements.
firejail --x11 --private --net=eth0 --dns=220.127.116.11 --dns=18.104.22.168 --hosts-file=~/adblock firefox --no-remote
--no-remote -> Prevents Firefox from opening new tabs or windows attached to an existing Firefox process (this is a Firefox option, not a Firejail one).
Private Browser Setup
--private -> Starts Firefox with an empty, temporary home directory, resulting in a factory-default browser configuration that is discarded when the sandbox exits.
--dns=22.214.171.124 -> Specifies a custom DNS server for the sandbox instead of the host's resolver configuration.
--net=eth0 -> Gives the sandbox its own network namespace attached to the eth0 interface, with a random, unused IP address.
--hosts-file=~/adblock -> Uses the given hosts file inside the sandbox, here one that implements an adblocker.
--x11 -> Runs the application under a separate X11 server, so keyboard loggers and screenshot utilities inside the sandbox cannot reach the host's X11 server.
By default, Firejail assigns random IP and MAC addresses to your sandbox, which disappear once the sandbox is closed. Firejail can run multiple applications in parallel, each with a different IP address.
Sandbox Internal Access
Firejail also provides a way to verify that Firefox is indeed running inside a sandbox, and to look around inside it.
List all running sandboxes:
~ firejail --list
26893:flarexes::firejail --private=/home/radowoo/Downloads --dns=126.96.36.199 firefox --no-remote
Attach to the Firefox sandbox using its ID.
~ firejail --join=26893
This drops you into a shell running inside the Firefox sandbox, with the same restricted view of the file system and network that Firefox has.
Profiles offer a streamlined alternative to lengthy Firejail command lines. In the case of Firefox, Firejail already ships a dedicated profile. As highlighted earlier, Firejail comes with an extensive library of pre-configured profiles for well-known applications.
Executing the Firefox command with its profile is straightforward:
~ firejail --profile=firefox firefox
Simple enough, right? All the pre-bundled profiles can be found under /etc/firejail, should you ever need to tailor the rules to your own security requirements.
When Firejail lacks a profile for an application, you can create your own. For a more organized workflow, store custom profiles under ~/.config/firejail instead of the present working directory.
Step 1: Build a Custom Profile
Launch a terminal and execute the following command. This builds a custom profile named my-app.profile for the application my-app:
~ firejail --build=my-app.profile my-app
This command runs my-app in a sandboxed environment, records the system calls and files it uses, and writes a starting profile based on what it observed.
Step 2: Edit and Refine the Custom Profile
Refining your profile involves the following steps:
- Open the my-app.profile file in a text editor.
- Compare the generated profile with existing similar profiles in the
- Select the features the application actually needs, referring to the Arch docs.
Step 3: Launch the Application with the Custom Profile
After refining the custom profile, launch the application using it with the following command:
~ firejail --profile=~/.config/firejail/my-app.profile my-app
This command starts my-app within a sandboxed environment, applying the tailored security measures you've crafted.
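To make the three steps above and the earlier description of profiles concrete (a PDF viewer confined to Downloads with no internet access), here is an added example that is not part of the original post or of the Firejail project. It writes a restrictive custom profile into ~/.config/firejail and launches the viewer under it. The directives used (include, whitelist, net none, noroot, caps.drop, nonewprivs, seccomp, nosound, private-tmp, private-dev) are standard Firejail profile syntax; the viewer name my-pdf-viewer, the profile file name and the FIREJAIL_PROFILE_DIR override are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): write a hardened custom profile for an
# untrusted-document viewer and run the viewer under it.  "my-pdf-viewer" stands in
# for whatever PDF viewer you actually use.

PROFILE_DIR="${FIREJAIL_PROFILE_DIR:-$HOME/.config/firejail}"

# write_pdf_profile PATH: write the profile to PATH.  The policy mirrors the setup the
# post describes: the viewer only sees ~/Downloads and has no network.
write_pdf_profile() {
    mkdir -p "$(dirname "$1")"
    # The heredoc is quoted so ${HOME} reaches Firejail unexpanded; Firejail expands
    # it itself when it loads the profile.
    cat > "$1" <<'EOF'
# Custom Firejail profile for an untrusted-document viewer (added example)
# Start from the stock hardening includes shipped in /etc/firejail.
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

# Only ~/Downloads is visible inside the sandbox; the rest of $HOME is hidden.
whitelist ${HOME}/Downloads

# A document viewer has no business on the network.
net none

# Drop privileges the viewer does not need.
noroot
caps.drop all
nonewprivs
seccomp
nosound
private-tmp
private-dev
EOF
}

# profile_has PATH DIRECTIVE: succeed if the profile contains DIRECTIVE as a whole
# line.  Handy for checking a profile before trusting it with a suspicious file.
profile_has() {
    grep -qxF "$2" "$1"
}

# launch_pdf_viewer FILE: run the placeholder viewer on FILE under the custom profile,
# generating the profile first if it does not exist yet.
launch_pdf_viewer() {
    profile="$PROFILE_DIR/my-pdf-viewer.profile"
    [ -f "$profile" ] || write_pdf_profile "$profile"
    # FILE must live under ~/Downloads, or the whitelist will hide it from the viewer.
    firejail --profile="$profile" my-pdf-viewer "$1"
}

# Usage: ./pdf-jail.sh ~/Downloads/untrusted.pdf
if [ $# -gt 0 ]; then
    launch_pdf_viewer "$1"
fi
```

If the viewer needs something the profile denies (fonts, a printing daemon, a helper binary), it will fail visibly rather than silently gaining access; loosen one directive at a time, comparing against the stock profiles in /etc/firejail, rather than removing the hardening includes wholesale.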
Desktop Integration with Firecfg
Firecfg is a command-line utility that comes pre-packaged with Firejail. It lets users streamline desktop integration.
Running firecfg as root creates a symbolic link for every application installed on your system for which Firejail ships a profile. These symbolic links make the applications start under Firejail automatically, so you can also launch them from the desktop menu without any further modification.
Firecfg can also list all the Firejail symbolic links it created.
Remove all Firejail symbolic links:
sudo firecfg --clean
It's important to note that, by default, Firecfg uses the stock profile that matches each application.
In a world full of digital risks, securing our online activities is crucial. Firejail stands out as a flexible solution, offering a middle ground between high-security options like Qubes or Whonix and the practical needs of everyday use cases.
With a simple prefix to a command, users can launch an application in a sandbox effortlessly, whether it's browsing documents, viewing PDFs, or cautiously running applications from untrusted sources.
In essence, Firejail is a Linux command-line utility focused on enhancing privacy and security through sandboxing. We have explored how Firejail operates using security profiles, its installation process, and examples of sandboxing applications like Firefox. Whether you want a straightforward approach or a more sophisticated one, Firejail can do both.
If You Wanna Study Firejail In-Depth Check Resources Below:
Fixing X11 Vulnerability:
Firejail Guide On Linux Capabilities:
Thanks For Reading, Bye 👋