As you already know, Linux kernel is secure by default. But, it doesn't mean that the software on the Linux system are completely secure. Say for example, there is a possibility that any add-ons on your web browser may cause some serious security issues. While doing financial transactions over internet, some key logger may be active in browser which you are not aware of. Even though, we can't completely give the bullet-proof security to our Linux box, we still can add an extra pinch of security using an application called Firejail. It is a security utility which can sandbox any such application and let it to run in a controlled environment. To put this simply, Firejail is a SUID (Set owner User ID up on execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications.
In this brief tutorial, we will discuss how to install firejail and use it to improve the Linux system's security using Firejail.
Concerning about Firejail features, we can list the following:
- Easy to install
- User can set file or directory attributes.
- Customized security.
- Support network.
- Separate sandbox containers for applications.
- Easy to monitor.
- GUI provided to manage application.
Improve The Linux System's Security Using Firejail
This security application is easy to install, and it can be installed using apt-get package manager. We will be using Ubuntu 16.04 OS for demonstration purpose.
All commands given below are executed as root user.
Update Ubuntu Linux:
# apt-get update
Install Firejail application with command:
# apt-get install firejail
By default firejail configurations and profiles are stored under /etc/firejail. These can be manged by user as per their need, Have a look at the following output.
# ls /etc/firejail
Run applications with firejail
The typical syntax to use firejai is:
# firejail <application>
Say for example, to run Firefox web browser using firejail, we can use the following command:
# firejail firefox
When a user launch application with firejail, profile defined in firejail configurations get loaded and events are logged in syslog. By default firejail launch application with default profile, your can configure default profile with their own parameters.
Customize firejail profile for application
To create a custom profile for a application/command create following directory under home environment of user.
# cd ~
# mkdir -p ~/.config/firejail
Copy generic profile to that newly created directory:
# cp /etc/firejail/generic.profile /home/user/.config/example.profile
# vim /etc/firejail/generic.profile
If you wants to load Document folder for a particular user to be loaded as read only. Define parameters as follows:
If you wants to set some attribute as read only:
Accessing some banking stuff over the internet is recommended to be secured, can be achieved with firejail.
Create a directory for user.
# mkdir /home/user/safe
Firefox will consider 'safe' as home directory.
# firejail --private=/home/user/safe firefox &
Define default network interface for application to run with.
# firejail --net=enp0s3 firefox&
Using firejail GUI tool
For the ease of user gui tool of firejail is available which can be downloaded from this link.
Download appropriate package as per your hardware and operating system installed and use it.
The filejail tool is a must have for Security concerned users. Although there are lots of methods available in Linux which can provide same level of security, Firejail is one such a way to improve the security to your Linux environment. We hope you will love this article.