One of the best benefits of any open source project is that it never runs out of ideas. Independent developers can contribute to the project’s development and fix bugs and vulnerabilities as quickly as possible.
Every Linux distribution has a large community working on its development and taking care of the security and stability of the system. Even then, if you run an untrusted application, it may put your data and overall system security at risk. There are different approaches to solving this issue. I have already compiled a list of security-centric Linux distributions, so if you want the extra security features out of the box, check out the list.
One such Linux distribution is Qubes OS. Qubes OS runs applications in separate compartments or virtual machines. This approach is great when you run an untrusted application and it gets compromised: the compromised application will not affect other applications on the system.
Similarly, the tool I will discuss in this article, firejail, is a great tool for separating applications from other parts of the system.
Firejail is a SUID security sandbox based on Linux namespaces and seccomp-bpf (secure computing mode). Firejail can run graphical or command-line applications in a sandbox, reducing the risk of security breaches by restricting untrusted applications.
Using Firejail is extremely easy. It is a very small utility available in the repositories of almost every Linux distribution. It requires no dependencies because it uses the Linux kernel’s built-in features to do the sandboxing job.
You can use the default package manager of your distro to install firejail. For ease, fire up the software center of your distro and search for ‘firejail’.
The search results will include the following packages –
Install all three packages.
firejail is the primary sandboxing program. firetools is a GUI utility to monitor the firejail processes currently running. And the firejail configuration wizard can create custom profiles for any application you like. By default, firejail comes with profiles for more than 400 Linux applications. If your application is not included in the list, you can use the default profile to run it.
After firejail is installed, you can either use the command line to launch any application with the firejail command as a prefix, or use the GUI tool.
From the application menu, launch firetools.
It will show the supported applications currently installed on the system.
Double-click any application, and it’ll launch the program in a sandbox. firejail sandboxes an application in less than 1 second. You will not notice any delay in the launch of the application, and the overall drop in performance is almost negligible.
firejail processes can be monitored from the CLI or the graphical interface.
Click on the process PID to monitor a specific process and see its permissions over your filesystem and network. You can also shut down the process or join an already running sandbox to modify the filesystem etc.
To list all the firejail processes from the command line, run –
Shut down a firejail process from the command line –
firejail --shutdown=3342
Here, 3342 is the PID of the process.
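As an added example (not from the original article): a small shell helper that looks up sandbox PIDs by program name in the output of `firejail --list` and passes them to `firejail --shutdown`, so the PID does not have to be copied by hand. The `PID:user:name:command` line format and the sample lines are assumptions constructed for illustration, and `sandbox_pids` and `shutdown_sandboxes` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `firejail --list` output, assumed format PID:user:name:command.
SAMPLE_LIST='3342:alice::firejail firefox
3390:alice:media:firejail --net=none vlc
3411:alice::firejail /usr/bin/transmission-gtk'

# sandbox_pids PROGRAM (hypothetical helper): read list lines on stdin and
# print the PID of every sandbox whose command line runs PROGRAM.
sandbox_pids() {
    awk -F: -v prog="$1" '{
        cmd = $0
        # Drop the first three fields; the command itself may contain colons.
        sub(/^[^:]*:[^:]*:[^:]*:/, "", cmd)
        n = split(cmd, words, " ")
        for (i = 1; i <= n; i++) {
            w = words[i]
            sub(/^.*\//, "", w)          # /usr/bin/vlc -> vlc
            if (w == prog) { print $1; break }
        }
    }'
}

# shutdown_sandboxes PROGRAM (hypothetical helper): stop every matching sandbox.
shutdown_sandboxes() {
    firejail --list | sandbox_pids "$1" | while read -r pid; do
        case $pid in
            ''|*[!0-9]*) continue ;;     # only pass numeric PIDs on
        esac
        firejail --shutdown="$pid"
    done
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | sandbox_pids vlc
```

On a system with firejail installed, `shutdown_sandboxes firefox` stops every sandbox whose command line runs firefox.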
Launching an application with firejail requires you to either start it from the command line with the firejail command prefixed to the software command or use the GUI tool. You can also set all applications to launch with firejail by default.
Just use the following command to integrate firejail with the desktop environment –
After you run the firecfg command, any application you launch from the system menu or the command line will launch with firejail by default.
So that’s how easy it is to install and use firejail in any Linux distro. It is a very small utility but is extremely useful when it comes to security. firejail uses features already built into the Linux kernel, which eliminates the need for any dependency other than Linux kernel 3.5 or newer.
I will keep updating this article to include more firejail commands. You can also comment below this article if you need any help regarding any step described in the article.