How to install and use Firejail on Linux

With Firejail you can easily sandbox Linux applications. Discover how you can add this extra layer of security.

Firejail is a SUID security program for Linux that dramatically reduces the risk of a security breach by sandboxing the runtime environment of untrusted applications. It does this with Linux namespaces and seccomp-bpf, which attaches a system call filter to a process and all of its descendants, reducing the kernel attack surface exposed to that process.

If Firejail is installed, you can then launch applications from the command line so that they have a private view of globally shared kernel resources – such as the network stack. With this addition to your Linux platform you get a higher level of security for an already secure environment.

Firejail is not limited to graphical applications: it can also sandbox servers, command-line tools and even entire user login sessions.

Believe it or not, Firejail is incredibly easy to use. I will guide you through the process of installation and use of Firejail.

What you need

The only things you need to make this work are:

I will demonstrate it on Ubuntu Desktop 19.10, but you can make this work on just about any Linux distribution. Because Firejail is found in most standard repositories, you only need to adjust the installation instructions to your chosen distribution.

How to install Firejail

To install Firejail, log in to your Linux system, open a terminal window and issue the following command (adjust it for your distribution's package manager):

sudo apt-get install firejail -y

Once the command completes, the installation is done.

How to use Firejail

Using Firejail is straightforward. Suppose you want to run Firefox in a sandbox. Go back to the terminal window and issue the command:

firejail firefox

Firefox opens and you will see a lot of output in the terminal window (Figure A).

Figure A

Firefox is running in a Firejail sandbox.

You may not get any sound from applications that have been sandboxed with Firejail. If that is the case, issue the command:

firecfg --fix-sound

This command works around a few PulseAudio problems, so sound should no longer be an issue. After the command completes, log out and back in again so that the fix takes effect.

If you use Firejail on a desktop distribution, you will probably want to integrate it into your desktop environment (GNOME, KDE, Xfce, Pantheon, etc.). To do this, execute the command:

sudo firecfg

Log out and log in again.

This creates a number of symlinks, adds your user to the Firejail access database and fixes up a number of .desktop launcher files. After you have run firecfg, you no longer need to start your desktop applications from the command line, because they are automatically launched through the firejail command.

A caveat and its solution

A problem you may encounter is that sandboxed applications do not have access to (parts of) your file system. For example, suppose you run the firejail firefox command and then try to upload a file to a website. Firejail may block that. If so, you have to jump through a few hoops to make it work. This is what you need to do (sticking with our Firefox example):

  1. Open a terminal window.
  2. Run the command mkdir -p ~/.config/firejail.
  3. Change into the new folder with the command cd ~/.config/firejail.
  4. Copy the default Firejail profile into the newly created folder with the command cp /etc/firejail/firefox.profile ~/.config/firejail/.
  5. Edit the newly created profile to meet your needs.

Suppose you need to upload files from the ~/Documents folder. To allow that, you must add a whitelist entry for that folder. Open the newly created file with the command:

nano ~/.config/firejail/firefox.profile

Add the following line below the noblacklist lines:

whitelist ${HOME}/Documents

Save and close the file.

Here is another trick. Suppose you want to give an application read-only access to ~/Documents. For that you could add the rule:

read-only ${HOME}/Documents

Save and close the file.
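The steps above can be scripted. The following is an added example, not code from the article or the Firejail project: it copies a profile into a local override directory and inserts the whitelist and read-only rules directly below the last noblacklist line. It uses a constructed stand-in for /etc/firejail/firefox.profile and works in a throwaway directory, so nothing under your real ~/.config/firejail is touched. Firejail reads ~/.config/firejail/<app>.profile in preference to /etc/firejail/<app>.profile, which is why the copied file takes effect.

```shell
#!/bin/sh
# Added example (not from the article): script the local-override steps.
# A profile in ~/.config/firejail/<app>.profile overrides /etc/firejail/<app>.profile.

# add_rules SRC DEST RULE...: copy profile SRC to DEST, inserting each RULE
# directly below the last "noblacklist" line (appended if there is none).
add_rules() {
    src="$1"; dest="$2"; shift 2
    rulefile=$(mktemp)
    printf '%s\n' "$@" > "$rulefile"
    awk -v rf="$rulefile" '
        FILENAME == rf { rules[++n] = $0; next }
        { lines[++m] = $0; if ($1 == "noblacklist") last = m }
        END {
            for (i = 1; i <= m; i++) {
                print lines[i]
                if (i == last) for (j = 1; j <= n; j++) print rules[j]
            }
            if (!last) for (j = 1; j <= n; j++) print rules[j]
        }' "$rulefile" "$src" > "$dest"
    rm -f "$rulefile"
}

# Constructed stand-in for /etc/firejail/firefox.profile (not the real file).
write_sample_profile() {
    cat > "$1" <<'EOF'
# firefox profile (constructed sample)
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.cache/mozilla
include disable-common.inc
private-tmp
EOF
}

# Walk through the article's steps in a temporary directory so that a real
# ~/.config/firejail is never modified; prints the resulting profile.
demo() {
    work=$(mktemp -d)
    write_sample_profile "$work/etc-firefox.profile"
    mkdir -p "$work/.config/firejail"                      # step 2
    add_rules "$work/etc-firefox.profile" \
              "$work/.config/firejail/firefox.profile" \
              'whitelist ${HOME}/Documents' \
              'read-only ${HOME}/Documents'                # steps 4 and 5
    cat "$work/.config/firejail/firefox.profile"
    rm -rf "$work"
}

demo
```

Note that a whitelist rule for a directory under ${HOME} makes the rest of your home directory invisible to the sandboxed application unless it is whitelisted too, so check the profile with firejail --profile=<file> <app> before relying on it.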

As you can probably imagine, Firejail has many more tricks up its sleeve. To find out more about what you can do with profiles, run the man firejail-profile command and read what this feature has to offer.
