Objective
Install Firejail and use it to sandbox applications, like web browsers, that interact with the open Internet.
Distributions
This will work with any current Linux distribution.
Requirements
A working Linux install with root privileges.
Difficulty
Easy
Conventions
- # - requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
- $ - requires given Linux commands to be executed as a regular non-privileged user
Introduction
The single biggest threat to your Linux system is your web browser. When you think about it, it makes perfect sense. A browser is a large and complex piece of software with the ability to execute code, and it accesses the open Internet and executes just about everything that it comes into contact with.

The best way to handle this problem is by compartmentalizing your browser, or any other Internet-facing application, away from the rest of your system. This way, it can't do nearly as much damage if it is compromised. That's what Firejail is for. Firejail is a sandboxing program that allows programs to run in individual sandboxes with their own set of parameters, limiting their contact with the rest of your system. Firejail is easy to use, and it's available in the repositories of nearly every major distribution, except for Fedora and CentOS.
Install Firejail
Debian/Ubuntu
$ sudo apt install firejail
Fedora/CentOS
Download the Firejail .rpm from their Sourceforge page, https://sourceforge.net/projects/firejail/files/firejail/, and install it manually.
# rpm -i firejail_X.Y-Z.x86_64.rpm
OpenSUSE
# zypper install firejail
Arch Linux
# pacman -S firejail
Gentoo
# emerge --ask firejail
Basic Usage
To run an application through Firejail, you only need to prefix the command with firejail.
$ firejail firefox
Firefox will start up like it usually would, but contained in its own sandbox. This will work with virtually any application that you can think of, including command line ones.
$ firejail tar xpf somefile.tar.gz
Firejail will stay running as long as the application does. Even if you're using something that'll be open for a while, you don't have to worry about Firejail stopping and your application being insecure. Actually, if something like that does happen, the application will stop too. You can also use Firejail along with graphically intensive programs. It won't slow them down much, if at all.
$ firejail wine64 "$HOME/.wine/drive_c/Program Files (x86)/World of Warcraft/Wow-64.exe"
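
To confirm that a program really is running inside a sandbox, you can check the output of firejail --list, a Firejail option not covered above. The following is an added example, not part of the original tutorial or the Firejail project: the function names and the sample listing are constructed, and it assumes the pid:user:name:command line format and that every Firejail option starts with --.

```sh
#!/bin/sh
# Added example: find sandboxes for a given program in `firejail --list` output.
# Assumed line format (an assumption of this example): pid:user:name:command

# Constructed sample listing, so the example runs without Firejail installed.
SAMPLE_LIST='7015:alice::firejail firefox
7056:alice:torrent:firejail --net=eth0 transmission-gtk
7101:alice::firejail /usr/bin/tar xpf somefile.tar.gz'

# sandbox_pids PROGRAM
# Reads a listing on stdin and prints the PID of every sandbox whose
# sandboxed program (first non-option word after "firejail") is PROGRAM.
sandbox_pids() {
    awk -v prog="$1" '
        {
            # Locate the launcher, whether run as "firejail" or "/path/firejail".
            if (!match($0, "[:/]firejail ")) next
            cmd = substr($0, RSTART + RLENGTH)
            n = split(cmd, argv, " ")
            for (i = 1; i <= n; i++) {
                if (argv[i] ~ /^--/) continue   # skip Firejail options
                base = argv[i]
                sub(/.*\//, "", base)           # compare by basename
                if (base == prog) {
                    split($0, field, ":")
                    print field[1]              # first field is the PID
                }
                break                           # only the program word matters
            }
        }
    '
}

# is_sandboxed PROGRAM
# Returns 0 if the listing on stdin contains a sandbox for PROGRAM.
is_sandboxed() {
    [ -n "$(sandbox_pids "$1")" ]
}

# Demonstration on the constructed sample; on a real system use:
#   firejail --list | is_sandboxed firefox
if printf '%s\n' "$SAMPLE_LIST" | is_sandboxed firefox; then
    echo "firefox is running inside Firejail"
else
    echo "firefox is NOT sandboxed"
fi
```

A program started from a desktop launcher or menu entry that does not include the firejail prefix will not appear in the listing, which is exactly the case this check is meant to catch.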