Sometimes you may want to use applications that have not been well tested in different environments, yet you must use them. In such cases, it is normal to be concerned about the security of your system. One thing that can be done in Linux is to use applications in a sandbox.
“Sandboxing” is the ability to run application in a limited environment. That way the application is provided a tighten amount of resources, needed to run. Thanks to application called Firejail, you can safely run untrusted applications in Linux.
Firejail is a SUID (Set Owner User ID) application that decrease the exposure of security breaches by limiting the running environment of untrusted programs using Linux namespaces and seccomp-bpf.
It makes a process and all its descendants to have their own secret view of the globally shared kernel resources, such as the network stack, process table, mount table.
Some of the features that Firejail uses:
- Linux namespaces
- Filesystem container
- Security filters
- Networking support
- Resource allocation
Detailed information about Firejail features can be found in the official page.
How to Install Firejail in Linux
The installation can be completed by downloading the latest package from the project’s github page using git command as shown.
$ git clone https://github.com/netblue30/firejail.git $ cd firejail $ ./configure && make && sudo make install-strip
In case you don’t have git installed on your system, you can install it with:
$ sudo apt install git [On Debian/Ubuntu] # yum install git [On CentOS/RHEL] # dnf install git [On Fedora 22+]
An alternative way of installing firejail is to download the package associated with your Linux distribution and install it with its package manager. Files can be downloaded from SourceForge page of the project. Once you have the file downloaded, you can install it with:
$ sudo dpkg -i firejail_X.Y_1_amd64.deb [On Debian/Ubuntu] $ sudo rpm -i firejail_X.Y-Z.x86_64.rpm [On CentOS/RHEL/Fedora]
How to Run Applications with Firejail in Linux
You are now ready to run your applications with firejail. This is accomplished by launching a terminal and adding firejail before the command you wish to run.
Here is an example:
$ firejail firefox #start Firefox web browser $ firejail vlc # start VLC player
Create Security Profile
Firejail includes many security profiles for different applications and they are stored in:
If you have build the project from source, you can find the profiles in:
If you have used the rpm/deb package, you can find the security profiles in:
Users, should place their profiles in the following directory:
If you want to extend an existing security profile, you can use include with path to the profile and add your lines afterwards. This should look something like this:
$ cat ~/.config/firejail/vlc.profile include /etc/firejail/vlc.profile net none
If you wish to restrict access of application to certain directory, you can use a blacklist rule to achieve exactly that. For example, you can add the following to your security profile:
Another way to achieve the same result is to actually describe the full path to the folder you wish to restrict:
There are many different ways in which you can configure your security profiles, such as disallowing access, allowing read-only access etc. If you are interested in building custom profiles, you can check the following firejail instructions.
Firejail is an awesome tool for the security minded users, who want to protect their system.
2 thoughts on “Firejail – Securely Run Untrusted Applications in Linux”
default profiles are pretty bad, otherwise it’s fine
Firejail can be used to sandbox and secure ANY application, whether trusted or untrusted.
Firejail users should also download/install Firetools package which provides a GUI front end for Firejail as well as other helpful options.