One of the best benefits of any open source project is that it never runs out of ideas. Independent developers can contribute to the development of the project and fix bugs and vulnerabilities as quickly as possible.
Every Linux distribution has a large community working on the development and taking care of the security and stability of the system. Even then if you run an untrusted application, it may risk your data and overall system security. There are different approaches to solving this issue. I have already compiled a list of security-centric Linux distributions so if you want the extra security features out of the box, check out the list.
One of such Linux distributions is Qubes OS. Qubes OS runs applications under a separate compartment or virtual machine. This approach is great when you run an untrusted application and it’s compromised. The compromised application will not affect other applications on the system.
Read the Qubes OS in detail.
Similarly, the tool I am going to discuss in this article, firejail, is a great tool for separating applications from other parts of the system.
What is Firejail?
Firejail is a SUID security sandbox based on Linux Namespace and seccomp-bpf (Secure computing mode). Firejail can run graphical or command-line applications in a sandbox, reduces the risk of security breaches by restricting the untrusted applications.
How To Install & Use Firejail?
Using Firejail is extremely easy. This is a very small utility available in almost every Linux distributions repositories. It requires no dependencies because it uses Linux kernel’s built-in features for completing the sandboxing job.
Install Firejail In Linux
You can use the default package manager of your distro to install firejail. For ease, fire up the software center of your distro and search for ‘firejail’.
The search results will include the following packages –
Install all three packages.
Firejail is a primary sandboxing program. firetools is a GUI utility to monitor firejail processes currently running. And firejail configuration wizard can create custom profiles for any application you like. By default, firejail comes with profiles for more than 400 Linux applications. If your application is not included in the list, you can use the default profile to run it.
After firejail is installed, you can either use command line to launch any application with
firejail command as a prefix or use the GUI tool.
Run firejail from command line
Using firejail GUI
From the application menu, launch firetools.
It will show the supported applications currently installed on the system.
Double click any application and it’ll launch the program in a sandbox. firejail sandboxes an application in less than 1 second. You do not notice any delay in the launch of the application or the overall drop in the performance is almost negligible.
Monitor firejail processes
firejail processes can be monitored from CLI or graphical interface.
Click on the proces PID to monitor a specific process and see what permissions it has over your filesystem and network. You can also shutdown the process or join an already running sandbox to modify filesystem etc.
To list all the firejail processes from the command line, run –
Shutdown a firejail process from command line –
firejail --shutdown=3342 3342 is the PID of the process
Launch all applications with firejail by default
Launching any application with firejail requires users to launch it either from the command line with
firejail command prefixed to the software command or use the gui tool. You can also set to launch all applications with firejail by default.
Just use the following command to integrate firejail with the desktop environment –
firecfg command, any applications you launch from the system menu or command line will launch with firejail by default.
So that’s how easy it is to install and use it in any Linux distro. It is a very small utility but is extremely useful when it comes to security. firejail uses features that are already built into the Linux kernel which eliminates the need to have any dependency except for the Linux kernel 3.5 or newer.
I will keep updating this article to include more firejail commands. You can also comment down below this article if you need any help regarding any step described in the article.