Objective

Install Firejail and use it to sandbox applications, like web browsers, that interact with the open Internet.

Distributions

This will work with any current Linux distribution.

Requirements

A working Linux install with root privileges.

Difficulty

Easy

Conventions

  • # - requires given command to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - given command to be executed as a regular non-privileged user

Introduction

The single biggest threat to your Linux system is your web browser. When you think about it, it makes perfect sense. A browser is a large and complex piece of software with the ability to execute code, and it accesses the open Internet and executes just about everything that it comes into contact with.

The best way to handle this problem is by compartmentalizing your browser, or any other Internet-facing application, away from the rest of your system. This way, it can't do nearly as much damage if it is compromised. That's what Firejail is for. Firejail is a sandboxing program that allows programs to run in individual sandboxes with their own set of parameters, limiting their contact with the rest of your system. Firejail is easy to use, and it's available in the repositories of nearly every major distribution, except for Fedora and CentOS.

Install Firejail

Debian/Ubuntu

$ sudo apt install firejail

Fedora/CentOS

Download the Firejail .rpm from the project's SourceForge page, https://sourceforge.net/projects/firejail/files/firejail/, and install it manually.
# rpm -i firejail_X.Y-Z.x86_64.rpm

OpenSUSE

# zypper install firejail

Arch Linux

# pacman -S firejail

Gentoo

# emerge --ask firejail

Basic Usage

To run an application through Firejail, you only need to prefix the command with firejail.
$ firejail firefox
Firefox will start up like it usually would, but contained in its own sandbox. This will work with virtually any application that you can think of, including command-line ones.
$ firejail tar xpf somefile.tar.gz
Firejail will stay running as long as the application does. Even if you're using something that'll be open for a while, you don't have to worry about Firejail stopping and your application being insecure. Actually, if something like that does happen, the application will stop too. You can also use Firejail along with graphically intensive programs. It won't slow them down much, if at all.
$ firejail wine64 "$HOME/.wine/drive_c/Program Files (x86)/World of Warcraft/Wow-64.exe"

Passing Arguments

There are tons of features available through flags in Firejail. You probably won't ever use most of them, but you can certainly check them out in Firejail's man page. The couple detailed here are the most common.

--seccomp

The --seccomp flag tells Firejail to filter out and block a number of system calls. It has its own default list of system calls to block, but you can also specify them yourself with --seccomp=syscall,syscall. Just add --seccomp to your regular Firejail command to use it.
$ firejail --seccomp firefox

--private

The --private flag acts sort of like a private window in a web browser does. It creates a separate sandbox in temporary storage and deletes itself after you close the application.
$ firejail --private firefox
Of course, you can string them together.
$ firejail --seccomp --private firefox

Firejail Profiles

Firejail has independent configurations for most of the programs that you'd commonly run it with. It refers to them as "profiles." These profiles pass specific flags and bits of configuration to Firejail by default whenever the corresponding program is run. You don't need to do anything for Firejail to use its default profiles. If you want to modify the profiles or create your own, you can copy them into your local directory at ~/.config/firejail/.

Firejail By Default

There are a few ways to get Firejail to run by default with a program. The easiest is probably to modify the launchers of the programs that you plan to use Firejail with. That can be tedious, though, and you don't necessarily need to do it. If you want Firejail to run with every program that it has a default profile for, you can run a simple command as root, and Firejail will set itself up.
# firecfg
If you don't want that wide a range of programs using Firejail by default, you can manually set the ones that you want.
# ln -s /usr/bin/firejail /usr/local/bin/firefox
This creates a symbolic link between firejail and the program being run. Substitute the actual path for your system and program.
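
The symlink only takes effect if its directory comes before the real binary's directory in your PATH, so it is worth checking which one the shell finds first. The script below is an added example, not part of the original article or the Firejail project; the function names first_on_path and sandbox_status are made up for this illustration, and it assumes a readlink that supports -f.

```shell
#!/bin/sh
# Added example: report whether a command name resolves to Firejail first.
# first_on_path and sandbox_status are illustrative names, not Firejail tools.

# Print the first executable file called $1 in the colon-separated list $2
# (default: $PATH), using the same left-to-right order the shell uses.
first_on_path() {
    name=$1
    search=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        candidate=${dir:-.}/$name      # an empty PATH entry means "."
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            IFS=$old_ifs
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Print "sandboxed" if the first match is a symlink whose final target is
# named firejail, "direct" if the real binary wins, "missing" if not found.
sandbox_status() {
    found=$(first_on_path "$1" "${2:-$PATH}") || { echo missing; return 0; }
    if [ -L "$found" ]; then
        target=$(readlink -f -- "$found")
        if [ "${target##*/}" = firejail ]; then
            echo sandboxed
            return 0
        fi
    fi
    echo direct
}

# Usage: sh check.sh firefox vlc ...   (no arguments: prints nothing)
for app in "$@"; do
    printf '%-12s %s\n' "$app" "$(sandbox_status "$app")"
done
```

A result of "direct" for a program you linked means the real binary's directory is earlier in PATH than the symlink's, so launching it by name bypasses Firejail.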

Closing Thoughts

Firejail is an excellent way to compartmentalize applications on Linux and keep a potential breach quarantined before it even happens. It also has potential for stopping bugs from bringing down more than just the program that they affect. With how easy it is to use, there's no reason not to run Firejail on your system.