| Title: Firejail on Linux to sandbox all the things
Author: Solène
Date: 14 February 2021
Tags: linux security sandbox
Description:
# Introduction
Firejail is a program that can prepare sandboxes to run other programs.
This is an efficient way to keep a software isolated from the rest of
the system without need of changing its source code, it works for
network, graphical or daemons programs.
You may want to sandbox programs you run in order to protect your
system for any issue that could happen within the program (security
breach, code mistake, unknown errors), like Steam once had a "rm -fr /"
issue, using a sandbox that would have partially saved a part of the
user directory. Web browsers are major tools nowadays and yet they
have access to the whole system and have many security issues
discovered and exploited in the wild, running it in a sandbox can
reduce the data a hacker could exfiltrate from the computer. Of
course, sandboxing comes with an usability tradeoff because if you only
allow access to the ~/Downloads/ directory, you need to put files in
this directory if you want to upload them, and you can only download
files into this directory and then move them later where you really
want to keep your files.
# Installation
On most Linux systems you will find a Firejail package that you can
install. If your distribution doesn't provide a Firejail package, it
seems the installing from sources process is quite easy, and as the
project is written in C with limited dependencies it may be easy to get
the build process done.
There are no service to enable and no kernel parameters to add.
Apparmor or SELinux features in kernel can be used to integrates into
Firejail profiles if you want to.
# Usage
## Start a program
The simplest usage is to run a command by adding Firejail before the
command name.
```shell command
$ Firejail firefox
```
## Use a symlink
Firejail has a neat feature to allow starting software by their name
without calling Firejail explicitly, if you create a symbolic link in
your $PATH using a program name but targeting Firejail, when you call
that name Firejail will automatically now what you want to start. The
following example will run firefox when you call the symbolic link.
```shell command
export PATH=~/bin/:$PATH
$ ln -s /usr/bin/firejail ~/bin/firefox
$ firefox
```
## Listing sandboxes
There is a Firejail --list command that will tell you about all
sandboxes running and what are their parameters. As a first column the
identifier is available for more Firejail features.
```shell command
$ firejail --list
6108:solene::/usr/bin/firejail /usr/bin/firefox
```
## Limit bandwidth per program
Firejail also has a neat feature that allows to limit the bandwidth
available only for one sandbox environment. Reusing previous list
output, I will reduce firefox bandwidth, the number are in kB/s.
```shell command
$ firejail --bandwidth=6108 set wlan0 1000 40
```
You can find more information about this feature in the "TRAFFIC
SHAPING" section of the Firejail man page.
## Restrict network access
If for some reason you want to start a program with absolutely no
network access, you can run a program and deny it any network.
```shell command
$ firejail --net=none libreoffice
```
# Conclusion
Firejail is a neat way to start software into sandboxes without
requiring any particular setup. It may be more limited and maybe less
reliable than OpenBSD programs who received unveil() features but it's
a nice trade off between safety and required work within source code
(literally none). It is a very interesting project that proves to work
easily on any Linux system, with a simple C source code with little
dependencies. I am not really familiar with Linux kernel and its
features but Firejail seems to use seccomp-bpf and namespace, I guess
they are complicated to use but powerful and Firejail comes here as a
wrapper to automate all of this.
Firejail has been proven to be USABLE and RELIABLE for me while my
attempts at sandboxing Firefox with AppArmor were tedious and not
optimal. I really recommend it.
# More resources
|