In this brief tutorial, we will discuss what Firejail is, how to install Firejail in Linux, and how to improve a Linux system's security using Firejail.
Introduction
The Linux kernel is secure by default, but that doesn't mean the software running on a Linux system is completely secure.
For example, an add-on in your web browser may cause serious security issues. While you are doing financial transactions over the internet, a key logger that you are not aware of may be active in the browser.
Even though we can't make a Linux box completely bullet-proof, we can still add an extra pinch of security using an application called Firejail.
Firejail is a security utility that can sandbox any such application and let it run in a controlled environment. Put simply, Firejail is a SUID (Set owner User ID upon execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications.
Features
Firejail's features include the following:
- Easy to install
- User can set file or directory attributes.
- Customized security.
- Network support.
- Separate sandbox containers for applications.
- Easy to monitor.
- A GUI is provided to manage applications.
1. Install Firejail in Linux
This security application is easy to install, and it can be installed using the apt-get package manager. We will be using Ubuntu 16.04 for demonstration purposes.
All commands given below are executed as the root user.
Update Ubuntu Linux:
# apt-get update
Install the Firejail application with the command:
# apt-get install firejail
By default, Firejail configurations and profiles are stored under /etc/firejail. These can be managed by users as per their needs. Have a look at the following output.
# ls /etc/firejail
2. Improve The Linux Systems Security Using Firejail
2.1. Run applications with firejail
The typical syntax to use firejail is:
# firejail <application>
Say for example, to run Firefox web browser using firejail, we can use the following command:
# firejail firefox
When a user launches an application with firejail, the profile defined in the firejail configuration is loaded and events are logged in syslog.
By default, firejail launches the application with the default profile; you can configure the default profile with your own parameters.
2.2. Customize firejail profile for application
To create a custom profile for an application or command, create the following directory under the user's home directory:
# cd ~
# mkdir -p ~/.config/firejail
Copy the generic profile to that newly created directory and open the copy for editing:
# cp /etc/firejail/generic.profile ~/.config/firejail/example.profile
# vim ~/.config/firejail/example.profile
If you want to make a particular user's Documents folder inaccessible to the sandboxed application (blacklist denies access to the path entirely), define the parameter as follows:
blacklist /home/user/Documents
If you want to make a directory read-only inside the sandbox:
read-only /home/user/Download
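The profile steps above, worked through as an added example (not part of the original tutorial or of Firejail itself): it copies a base profile, appends the two rules, and then reports how the resulting profile treats a given path. The base profile content is constructed so the script runs without Firejail installed; the function names are hypothetical, only literal paths are handled, and treating blacklist as stronger than read-only is this example's assumption.

```shell
# build_profile BASE DEST DENY_DIR RO_DIR
# Copies BASE to DEST and appends one blacklist and one read-only rule,
# skipping a rule that the base profile already contains.
build_profile() {
    local base="$1" dest="$2" deny="$3" ro="$4" rule
    mkdir -p "$(dirname "$dest")" && cp "$base" "$dest" || return 1
    for rule in "blacklist $deny" "read-only $ro"; do
        grep -qxF "$rule" "$dest" || printf '%s\n' "$rule" >> "$dest"
    done
}

# path_policy PROFILE PATH
# Prints "blacklist", "read-only" or "none" for PATH. A rule on a directory
# also covers everything below it (assumption: blacklist outranks read-only).
path_policy() {
    local profile="$1" target="$2" result=none directive rule_path
    while read -r directive rule_path; do
        # Ignore comments, blank lines and every other profile directive.
        case $directive in blacklist|read-only) ;; *) continue ;; esac
        rule_path=${rule_path%/}
        case $target in
            "$rule_path"|"$rule_path"/*)
                [ "$directive" = blacklist ] && { echo blacklist; return; }
                result=read-only ;;
        esac
    done < "$profile"
    echo "$result"
}

demo() {
    local tmp
    tmp=$(mktemp -d)
    # Constructed stand-in for /etc/firejail/generic.profile.
    printf '# constructed base profile\ncaps.drop all\nseccomp\n' > "$tmp/generic.profile"
    build_profile "$tmp/generic.profile" "$tmp/.config/firejail/example.profile" \
        /home/user/Documents /home/user/Download
    path_policy "$tmp/.config/firejail/example.profile" /home/user/Documents/tax.pdf
    rm -rf "$tmp"
}
demo   # prints: blacklist
```

On a real system the finished profile can be loaded explicitly with `firejail --profile=/home/user/.config/firejail/example.profile <application>`.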
Sensitive activity such as online banking should be secured, and this can be achieved with firejail.
Create a dedicated directory for the user:
# mkdir /home/user/safe
Firefox will treat 'safe' as its home directory:
# firejail --private=/home/user/safe firefox &
Define the network interface for the application to run with:
# firejail --net=enp0s3 firefox&
2.3. Using firejail GUI tool
For ease of use, a GUI tool for firejail is available, which can be downloaded from this link.
Download the appropriate package for your hardware and operating system, and use it.
Conclusion
The Firejail tool is a must-have for security-conscious users. Although there are lots of methods available in Linux which can provide the same level of security, Firejail is one such way to improve the security of your Linux environment. We hope you will find this article useful.
1 comment
Good tutorial on a simple sandbox app. Finally, something for linux better than an idiotbox “firewall for windows” clone….