Objective
Install Firejail and use it to sandbox applications, like web browsers, that interact with the open Internet.
Distributions
This will work with any current Linux distribution.
Requirements
A working Linux install with root privileges.
- # - requires given command to be executed with root privileges either directly as a root user or by use of
- $ - given command to be executed as a regular non-privileged user
Introduction
The single biggest threat to your Linux system is your web browser. When you think about it, it makes perfect sense. A browser is a large and complex piece of software with the ability to execute code, and it accesses the open Internet and executes just about everything that it comes into contact with.
The best way to handle this problem is by compartmentalizing your browser, or any other Internet-facing application, away from the rest of your system. This way, it can't do nearly as much damage if it is compromised. That's what Firejail is for. Firejail is a sandboxing program that allows programs to run in individual sandboxes with their own set of parameters, limiting their contact with the rest of your system. Firejail is easy to use, and it's available in the repositories of nearly every major distribution, except for Fedora and CentOS.
$ sudo apt install firejail
Fedora/CentOS
Download the Firejail .rpm from their Sourceforge page, https://sourceforge.net/projects/firejail/files/firejail/, and install it manually.
# rpm -i firejail_X.Y-Z.x86_64.rpm
# zypper install firejail
# pacman -S firejail
# emerge --ask firejail
Basic Usage
To run an application through Firejail, you only need to prefix the command with
$ firejail firefox
Firefox will start up like it usually would, but contained in its own sandbox. This will work with virtually any application that you can think of, including command line ones.
$ firejail tar xpf somefile.tar.gz
Firejail will stay running as long as the application does. Even if you're using something that'll be open for a while, you don't have to worry about Firejail stopping and your application being insecure. Actually, if something like that does happen, the application will stop too. You can also use Firejail along with graphically intensive programs. It won't slow them down much, if at all.
$ firejail wine64 "$HOME/.wine/drive_c/Program Files (x86)/World of Warcraft/Wow-64.exe"
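The following is an added example, not part of the original article: a fail-closed launcher that refuses to start a program when Firejail is missing, plus a check that a program really is running inside a sandbox. The function names run_sandboxed and is_sandboxed are hypothetical, and the check assumes that each line of `firejail --list` has the form PID:user:[name:]firejail [options] program [args].

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Launch "$@" under Firejail. If Firejail is not installed, refuse to start the
# program at all instead of silently running it unsandboxed.
run_sandboxed() {
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not found; refusing to start '$1' unsandboxed" >&2
        return 127
    fi
    firejail "$@"
}

# Return 0 if `firejail --list` shows a sandbox running program $1, else 1.
# Assumed line format: PID:user:[name:]firejail [options] program [args]
is_sandboxed() {
    prog=$1
    firejail --list 2>/dev/null | awk -v prog="$prog" '
        {
            # Field 1 ends with the firejail launcher itself; scan what follows.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^--/) continue       # skip Firejail options
                n = split($i, parts, "/")      # compare on the basename only
                if (parts[n] == prog) found = 1
                break                          # only the first non-option word
            }
        }
        END { exit !found }
    '
}

# Usage (after sourcing this file):
#   run_sandboxed firefox &
#   is_sandboxed firefox && echo "firefox is running inside a sandbox"
```

A program started from a desktop launcher or file association bypasses the prefix, so running is_sandboxed after starting it confirms whether it actually ended up in a sandbox.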