DEV Community

Vlyth_r

Secure Your Applications with Firejail: A Linux Sandbox Tutorial

Firejail is a powerful sandboxing tool for Linux that enhances the security of running applications. It creates lightweight sandboxes around applications, isolating them from the rest of the system and restricting their access to resources. Here's a summary of what Firejail is and why you should use it:

  1. Enhanced Security: Firejail helps improve the security of your Linux system by isolating applications within sandboxes. This isolation prevents potentially malicious actions from affecting the rest of the system and limits the privileges of applications.

  2. Resource Restriction: Firejail allows you to control an application's access to various system resources. You can restrict network access, limit file system access, and run applications with reduced privileges, providing an additional layer of defense against potential threats.

  3. Easy to Use: Firejail is designed to be user-friendly and straightforward. It offers a simple command-line interface that allows you to sandbox applications with just a few commands. Additionally, Firejail provides pre-defined profiles for many common applications, simplifying the sandboxing process.

  4. Customization: Firejail enables you to create custom profiles tailored to your specific needs. You can fine-tune the restrictions and permissions for each application, giving you granular control over how they interact with the system.

  5. Cross-Platform Compatibility: While primarily developed for Linux, Firejail also supports other Unix-like operating systems such as FreeBSD, OpenBSD, and macOS. This cross-platform compatibility allows for consistent sandboxing practices across different environments.

  6. Open-Source: Firejail is an open-source project, meaning its source code is freely available for review and modification. This transparency fosters community involvement, security audits, and continuous improvements.

In summary, Firejail is a valuable tool for enhancing the security of Linux systems. By isolating applications in sandboxes and controlling their access to resources, Firejail helps mitigate potential risks and safeguard your system from malicious activities.

So, let's begin:

Step 1: Installation
Open a terminal on your Linux system.
Install Firejail by running the appropriate command based on your distribution:

  • For Ubuntu or Debian-based systems:

     sudo apt-get install firejail
    
  • For Fedora or CentOS-based systems:

     sudo dnf install firejail
    
  • For Arch Linux:

     sudo pacman -S firejail
    

Step 2: Basic Usage
Launch an application with Firejail by prefixing the command with firejail. For example, to run Firefox with Firejail, use:

   firejail firefox

This will start Firefox within a sandboxed environment.

Step 3: Restricting Network Access
You can restrict network access for an application using Firejail.
Launch an application with limited network access by using the --net option followed by the desired network restriction. For example, to allow only IPv4 connections, use:

   firejail --net=eth0 firefox

This will start Firefox with restricted network access.

Step 4: Filesystem Restrictions
Firejail allows you to restrict file system access for an application.
Launch an application with restricted file system access by using the --private option. This creates a private file system namespace for the application, isolating it from the rest of the system. For example:

   firejail --private firefox

This will start Firefox with restricted access to the file system.

Step 5: Running as a Specific User
Firejail enables you to run an application as a specific user.
Launch an application with a specific user by using the --user option followed by the username. For example, to run Firefox as the user "guestuser," use:

   firejail --user=guestuser firefox

This will start Firefox running as the specified user.

Step 6: Creating Custom Profiles
Firejail provides pre-defined profiles for many common applications. However, you can also create custom profiles tailored to your needs.
To create a custom profile, start by launching an application with Firejail and running it as you normally would.
Once the application is running, you can generate a profile by using the --list option with Firejail:

   firejail --list > myapp.profile

This command will generate a profile for the running application and save it to a file named myapp.profile.
You can modify the profile file using a text editor to fine-tune the restrictions and permissions for the application.
To use the custom profile, simply specify it when running the application with Firejail:

   firejail --profile=myapp.profile myapp
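
A quick check for a hand-edited profile such as the one from Step 6, added here as an example and not part of the original post or of Firejail itself: it lists baseline hardening directives that the profile file does not set, and any lines that switch protections back off. The baseline list, the sample profile and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a custom Firejail profile.
# BASELINE is this example's assumed minimum, not an official Firejail policy.
BASELINE='caps.drop all
nonewprivs
noroot
seccomp
private-tmp'

# Emit the profile's active directives: comments removed, whitespace
# trimmed and collapsed, blank lines dropped.
active_directives() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' -e '/^$/d' "$1"
}

# Print every baseline directive the profile file itself does not set.
# Directives pulled in through "include" lines are not followed.
missing_directives() {
    active=$(active_directives "$1")
    printf '%s\n' "$BASELINE" | while IFS= read -r want; do
        printf '%s\n' "$active" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Print directives that switch protections back off.
weakening_directives() {
    active_directives "$1" | grep -E '^(ignore .+|allow-debuggers)$' || true
}

# Constructed sample profile for a hypothetical application "myapp".
write_sample_profile() {
    cat > "$1" <<'EOF'
# myapp.profile (constructed sample)
caps.drop all
seccomp          # syscall filter
nonewprivs
net none
private-tmp
ignore noroot
EOF
}

sample=$(mktemp)
write_sample_profile "$sample"
echo "missing:   $(missing_directives "$sample" | tr '\n' ' ')"
echo "weakening: $(weakening_directives "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

To audit your own file, call missing_directives and weakening_directives with the path to myapp.profile instead of the sample.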

Step 7: Additional Configuration
Firejail offers various command-line options and configuration files for advanced usage. You can refer to the Firejail documentation (https://firejail.wordpress.com/documentation-2/) for more information on these options and how to use them.

Remember that while Firejail can improve security, it's important to keep your system and applications up to date with security patches and follow other security best practices.
