Firejail – Securely Run Untrusted Applications in Linux


Sometimes you may want to use applications that have not been well tested in different environments, yet you must use them. In such cases, it is normal to be concerned about the security of your system. One thing that can be done in Linux is to use applications in a sandbox.

“Sandboxing” is the ability to run an application in a limited environment. That way the application is given only the restricted set of resources it needs to run. Thanks to an application called Firejail, you can safely run untrusted applications in Linux.

Firejail is a SUID (Set owner User ID) application that reduces the risk of security breaches by restricting the running environment of untrusted programs using Linux namespaces and seccomp-bpf.

It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table and mount table.


Some of the features that Firejail uses:

  • Linux namespaces
  • Filesystem container
  • Security filters
  • Networking support
  • Resource allocation

Detailed information about Firejail features can be found on the official page.

How to Install Firejail in Linux

The installation can be completed by downloading the latest source from the project’s GitHub page using the git command as shown.

$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure && make && sudo make install-strip

In case you don’t have git installed on your system, you can install it with:

$ sudo apt install git [On Debian/Ubuntu]
# yum install git [On CentOS/RHEL]
# dnf install git [On Fedora 22+]

An alternative way of installing Firejail is to download the package for your Linux distribution and install it with its package manager. Files can be downloaded from the SourceForge page of the project. Once you have downloaded the file, you can install it with:

$ sudo dpkg -i firejail_X.Y_1_amd64.deb [On Debian/Ubuntu]
$ sudo rpm -i firejail_X.Y-Z.x86_64.rpm [On CentOS/RHEL/Fedora]

How to Run Applications with Firejail in Linux

You are now ready to run your applications with firejail. This is accomplished by launching a terminal and adding firejail before the command you wish to run.

Here is an example:

$ firejail firefox    # start Firefox web browser
$ firejail vlc        # start VLC player

Create Security Profile

Firejail includes many security profiles for different applications and they are stored in:

/etc/firejail

If you have built the project from source, you can find the profiles in:

# path-to-firejail/etc/

If you have used the rpm/deb package, you can find the security profiles in:

/etc/firejail/

Users should place their profiles in the following directory:

~/.config/firejail

If you want to extend an existing security profile, you can use include with the path to the profile and add your lines afterwards. This should look something like this:

$ cat ~/.config/firejail/vlc.profile
include /etc/firejail/vlc.profile
net none

If you wish to restrict an application's access to a certain directory, you can use a blacklist rule to achieve exactly that. For example, you can add the following to your security profile:

blacklist ${HOME}/Documents

Another way to achieve the same result is to actually describe the full path to the folder you wish to restrict:

blacklist /home/user/Documents
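
The profile steps above, combined into one script (an added example, not part of the original article or the Firejail project). The helper names write_override and verify_blacklist are hypothetical; the script assumes a packaged profile for the application exists under /etc/firejail and uses only the include, net none and blacklist directives shown above.

```shell
#!/bin/sh
# Added example: build a per-user Firejail profile and check it takes effect.
# Defaults are the directories named in the article; override via environment.
PROFILE_DIR="${PROFILE_DIR:-$HOME/.config/firejail}"
SYSTEM_DIR="${SYSTEM_DIR:-/etc/firejail}"

# write_override APP [DIR_UNDER_HOME ...]   (hypothetical helper name)
# Writes $PROFILE_DIR/APP.profile: include the packaged profile, turn off
# networking, blacklist each listed directory. Prints the path it wrote.
write_override() {
    app=$1; shift
    out="$PROFILE_DIR/$app.profile"
    # Never clobber a profile the user already maintains.
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    mkdir -p "$PROFILE_DIR" || return 1
    {
        printf 'include %s/%s.profile\n' "$SYSTEM_DIR" "$app"
        printf 'net none\n'
        for dir in "$@"; do
            # '${HOME}' is single-quoted so it reaches the file literally;
            # Firejail expands the macro when it loads the profile.
            printf 'blacklist %s/%s\n' '${HOME}' "$dir"
        done
    } > "$out" || return 1
    echo "$out"
}

# verify_blacklist APP DIR_UNDER_HOME   (hypothetical helper name)
# 0 = sandbox denied access, 1 = directory still readable, 2 = cannot test.
verify_blacklist() {
    command -v firejail >/dev/null 2>&1 || return 2
    [ -d "$HOME/$2" ] || return 2   # a missing directory proves nothing
    if firejail --quiet --profile="$PROFILE_DIR/$1.profile" \
            ls "$HOME/$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage:
#   write_override vlc Documents && verify_blacklist vlc Documents
```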

There are many different ways in which you can configure your security profiles, such as disallowing access, allowing read-only access, etc. If you are interested in building custom profiles, you can check the following firejail instructions.

Firejail is an awesome tool for security-minded users who want to protect their system.


Posted by News Monkey