LinuxCommandLibrary

firejail

Sandbox applications for increased system security

TLDR

Integrate firejail with your desktop environment
$ sudo firecfg

Open a restricted Mozilla Firefox
$ firejail [firefox]

Start a restricted Apache server on a known interface and address
$ firejail --net=[eth0] --ip=[192.168.1.244] [/etc/init.d/apache2] [start]

List running sandboxes
$ firejail --list

List network activity from running sandboxes
$ firejail --netstats

Shut down a running sandbox
$ firejail --shutdown=[7777]

Run a restricted Firefox session to browse the internet
$ firejail --seccomp --private --private-dev --private-tmp --protocol=inet firefox --new-instance --no-remote --safe-mode --private-window

Use a custom hosts file (overriding /etc/hosts)
$ firejail --hosts-file=[~/myhosts] [curl http://mysite.arpa]

SYNOPSIS

firejail [OPTIONS] [PROGRAM] [ARGUMENTS...]
firejail --profile=PROFILE [PROGRAM] [ARGUMENTS...]
firejail --private [PROGRAM] [ARGUMENTS...]
firejail --list | --tree | --help | --version

PARAMETERS

--profile=file
    Load a custom profile file for the sandbox configuration.

--private
    Create a new, empty private home and /tmp directory for the sandbox.

--private=directory
    Mount the specified directory as the private home directory inside the sandbox.

--net=interface
    Route network traffic through a specific network interface (e.g., eth0).

--net=none
    Disable all network access for the sandboxed application.

--dns=IP
    Specify a custom DNS server for the sandbox.

--blacklist=path
    Prevent access to a specific file or directory inside the sandbox.

--whitelist=path
    Allow specific files or directories to be writable or visible when other restrictions apply.

--readonly=path
    Make a specific file or directory read-only inside the sandbox.

--writable-var
    Make the /var directory writable within the sandbox (otherwise it's often read-only).

--seccomp
    Enable system call filtering (seccomp-bpf) to restrict system calls the application can make.

--apparmor
    Enable AppArmor confinement for the sandboxed application, if AppArmor is active on the system.

--noroot
    Drop root capabilities inside the sandbox, even if the application starts as root.

--list
    List all currently running firejail processes.

--tree
    Display a tree view of all running firejail processes.

DESCRIPTION

Firejail is a SUID program that significantly reduces the risk of security breaches by restricting the environment of untrusted applications. It leverages Linux kernel namespaces (private filesystems, networking, process IDs, etc.), seccomp-bpf, and optionally AppArmor/SELinux to create isolated sandboxes. Each sandbox has its own private view of the system, preventing applications from accessing or modifying files outside their designated paths, making unauthorized network connections, or interacting with other processes.

It's designed to be user-friendly, offering pre-built profiles for common applications (browsers, media players, email clients) and allowing users to create custom ones. By running applications in a sandboxed environment, potential exploits or malware are contained, limiting damage to the system and user data. It's an excellent tool for enhancing desktop security.

CAVEATS

Firejail relies on Linux kernel features; older kernel versions might lack some capabilities. It is not a full virtualization solution like a VM; the host kernel is still shared. Careful profile configuration is crucial; misconfigured profiles can break applications or inadvertently introduce vulnerabilities. It does not protect against kernel-level exploits or hardware attacks, and some advanced networking features may require root privileges.

PROFILE FILES

Firejail primarily uses profile files (located in /etc/firejail and ~/.config/firejail) to define sandbox rules. These text files specify detailed filesystem restrictions, network rules, capabilities, and other security measures, significantly simplifying the configuration of complex sandboxes for various applications.
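As an added example (not from this page or from the firejail project), the script below writes a deny-by-default profile for a hypothetical application named "myviewer" into the per-user profile directory and then lints it for a few rules a hardened profile should carry. The directives in the generated file (include, blacklist, whitelist, read-only, private-dev, private-tmp, net none, caps.drop all, noroot, nonewprivs, seccomp) are firejail profile commands; the application name, the paths and the lint rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not firejail's own code: generate and lint a custom profile.
# The app name "myviewer" and the paths below are assumptions for illustration.

# Directory firejail searches for per-user profiles before /etc/firejail.
PROFILE_DIR="${FIREJAIL_PROFILE_DIR:-$HOME/.config/firejail}"

# write_profile NAME DIR: write DIR/NAME.profile and print its path.
write_profile() {
    name="$1"; dir="$2"
    mkdir -p "$dir"
    cat > "$dir/$name.profile" <<'EOF'
# Constructed profile: a document viewer that needs ~/Documents and no network.
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc

# Filesystem: hide secrets, expose only what the application needs.
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
whitelist ${HOME}/Documents
read-only ${HOME}/Documents
private-dev
private-tmp

# Network: none at all; a viewer has no reason to reach the internet.
net none

# Privileges: drop capabilities, block escalation, filter system calls.
caps.drop all
noroot
nonewprivs
seccomp
EOF
    printf '%s\n' "$dir/$name.profile"
}

# profile_has FILE DIRECTIVE: succeed if FILE has a line starting with DIRECTIVE.
profile_has() {
    grep -q "^$2" "$1"
}

# lint_profile FILE: warn (on stderr) about missing hardening rules and
# print the number of missing rules on stdout (0 means the profile passes).
lint_profile() {
    file="$1"; missing=0
    for rule in "caps.drop all" "seccomp" "noroot" "nonewprivs"; do
        if ! profile_has "$file" "$rule"; then
            echo "WARN: $file lacks '$rule'" >&2
            missing=$((missing + 1))
        fi
    done
    # Either no network or an explicit protocol restriction should be present.
    if ! profile_has "$file" "net none" && ! profile_has "$file" "protocol"; then
        echo "WARN: $file has unrestricted networking" >&2
        missing=$((missing + 1))
    fi
    echo "$missing"
}
```

Usage: `profile=$(write_profile myviewer "$PROFILE_DIR")` followed by `lint_profile "$profile"` writes ~/.config/firejail/myviewer.profile; since firejail looks there first, `firejail myviewer` picks the profile up automatically, and `firejail --profile="$profile" myviewer` selects it explicitly. Warnings go to stderr so the count on stdout can be checked in scripts.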

UNDERLYING TECHNOLOGIES

Firejail leverages several core Linux kernel features to achieve its robust isolation:

  • Namespaces: To virtualize system resources such as PID, mount, network, user, IPC, and UTS.
  • Seccomp-bpf: To filter and restrict the specific system calls an application can make, reducing the attack surface.
  • AppArmor/SELinux: Optional integration with Mandatory Access Control (MAC) frameworks for additional, fine-grained process confinement.
  • Capabilities: To drop unnecessary root privileges within the sandbox, adhering to the principle of least privilege.
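As an added example (not from this page or from the firejail project), the script below checks from inside a process which of these mechanisms are actually in force by reading the kernel's Seccomp, NoNewPrivs and CapEff fields from /proc/self/status and counting network interfaces. The constructed sample status file stands in for a process started with seccomp filtering, no-new-privs and all capabilities dropped, so the functions can be exercised without firejail installed; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not firejail's own code: verify confinement from the inside.
# Field names (Seccomp, NoNewPrivs, CapEff) are those of /proc/PID/status.

# status_field FILE NAME: print the value of the "NAME:<tab>value" line.
status_field() {
    awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

# seccomp_mode FILE: 0 = disabled, 1 = strict, 2 = filter (what --seccomp yields).
seccomp_mode() { status_field "$1" Seccomp; }

# no_new_privs FILE: 1 when setuid/capability escalation is blocked.
no_new_privs() { status_field "$1" NoNewPrivs; }

# cap_eff FILE: effective capability mask as hex; all zeros means caps.drop all.
cap_eff() { status_field "$1" CapEff; }

# confinement_failures FILE: print how many of the three checks fail (0 = confined).
confinement_failures() {
    failed=0
    [ "$(seccomp_mode "$1")" = "2" ] || failed=$((failed + 1))
    [ "$(no_new_privs "$1")" = "1" ] || failed=$((failed + 1))
    [ "$(cap_eff "$1")" = "0000000000000000" ] || failed=$((failed + 1))
    echo "$failed"
}

# net_ifaces DIR: number of interfaces other than lo (DIR is normally
# /sys/class/net); inside a --net=none sandbox only lo remains, so it prints 0.
net_ifaces() {
    n=0
    for i in "$1"/*; do
        [ -e "$i" ] || continue
        [ "$(basename "$i")" = "lo" ] || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample: the status of a process confined by
#   firejail --seccomp --nonewprivs --caps.drop=all --net=none
SAMPLE_STATUS=$(mktemp)
printf 'Name:\tfirefox\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t1\nCapInh:\t0000000000000000\nCapEff:\t0000000000000000\n' > "$SAMPLE_STATUS"

# Report on the sample and, when available, on the live process running this script.
for f in "$SAMPLE_STATUS" /proc/self/status; do
    [ -r "$f" ] || continue
    echo "$f: seccomp=$(seccomp_mode "$f") nonewprivs=$(no_new_privs "$f") capeff=$(cap_eff "$f") failures=$(confinement_failures "$f")"
done
[ -d /sys/class/net ] && echo "non-lo interfaces: $(net_ifaces /sys/class/net)"
```

Run it twice to see the difference: `sh check.sh` directly reports Seccomp 0 and a non-zero CapEff for a normal shell, while `firejail --seccomp --nonewprivs --caps.drop=all --net=none sh check.sh` should report filter mode, no-new-privs set, an all-zero capability mask and no interface other than lo. A check that still reports failures inside the sandbox points at a profile that did not apply the rule you expected.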

HISTORY

Firejail was initially developed by Marin Marusinec (Netblue) with its first public release around 2014. It quickly gained popularity for its focus on ease of use in sandboxing desktop applications, providing a user-friendly solution for enhanced security on Linux systems.

SEE ALSO

chroot(1), unshare(1), bwrap(1), systemd-nspawn(1), namespaces(7), seccomp(2), apparmor(7), selinux(8)
