

Install Firejail in Linux

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

Installing Firejail on Linux involves three packages. Together they secure applications by separating them from other parts of the system.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Software Installation tasks.

In this context, you will learn how to install Firejail in Linux.


How to install Firejail in Linux?

Firejail is a tool that helps in separating applications from other parts of the system. It restricts untrusted applications and thus helps in reducing the risk of security flaws.

To install Firejail, we need to install the packages firejail, firetools, and firejail-configuration-wizard.

Firejail is the primary sandboxing program. Firetools is a GUI utility to monitor the firejail processes currently running. Firejail-configuration-wizard can create custom profiles for any application.

To install Firejail on any Ubuntu-based distribution, follow the commands given below on a terminal window:

sudo apt-get install firejail

For other Linux distributions, we may need to replace the apt-get command with their corresponding installation command.

Now let us install Firetools. This app is not present in the standard repositories. However, the developer has made official .debs available. 

To install one of the .deb files, follow these steps:

i. Download the file associated with your architecture (either 32- or 64-bit).

ii. Open a terminal window.

iii. Change into the Downloads directory with the command cd ~/Downloads.

iv. Issue the command sudo dpkg -i firetools*.deb.

v. Type your sudo password and hit Enter.

vi. Allow the installation to complete.


Sometimes, the installation may error out with dependency issues. If that’s the case, enter the command sudo apt-get install -f to resolve the dependencies, and Firetools will be ready to use.

After installing Firejail, we can check whether it is installed on the system by running the following command in the terminal:

$ firejail --version

If this command gives the version of Firejail, then it has been installed.


How to use Firejail?

After installing firejail, we can either use the command line to launch any application with the firejail command as a prefix, or use the GUI tool.

Run firejail from the command line:

firejail application_name

For instance, to run 'Firefox' within a Firejail, open up a terminal and issue the command 'firejail firefox'.

Note: Applications run with Firejail will not have access to all files. For example, if you run Firefox with Firejail, an attempt to upload a file from the Picture directory will fail because of the sandbox's access restrictions.

To close an application running in a Firejail, simply close it as you normally would.

Firejail works with profiles. It includes profiles for a number of popular applications, as well as a very restrictive default profile.

If Firejail does not find a profile for an executed command, it will then run the application with the default profile. 

We can create a custom profile for an application with the following steps:

i. Open up a terminal window.

ii. Issue the command mkdir -p ~/.config/firejail.

iii. Change into the newly created directory.

iv. Copy the default profile into the newly created directory with the command cp /etc/firejail/generic.profile ~/.config/firejail/APPNAME.profile (where APPNAME is the name of the app to be used).

v. Edit the newly created profile to suit your needs.


The generic profile looks like this:

################################
# Generic GUI application profile
################################
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.password-store
caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
noroot

Now, if we want to prevent that application from accessing the user's Documents directory, add the following to the newly created profile:

blacklist ${HOME}/Documents

We can also write that out with the explicit path to the directory, like so:

blacklist /home/USERNAME/Documents

Here USERNAME is the actual name of the user.

To limit access to that directory to read-only, add this line to the profile:

read-only ${HOME}/Documents
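
The custom-profile steps above, scripted as an added example (not code from the Firejail project or from this article's original text). The function names and the FJ_BASE and FJ_DIR variables are assumptions of this example. Because the article offers blacklist and read-only as two choices for the same directory, the script treats both on one path as a mistake, and it reports any hardening line of the generic profile that an edit has removed.

```shell
#!/bin/sh
# Added example: scripted version of the custom-profile steps above.
# FJ_BASE and FJ_DIR are assumptions of this example; the defaults are
# the paths used in the article.
FJ_BASE="${FJ_BASE:-/etc/firejail/generic.profile}"
FJ_DIR="${FJ_DIR:-$HOME/.config/firejail}"

# new_profile APPNAME: create the profile directory and copy the base
# profile, without overwriting a profile that already exists.
new_profile() {
    mkdir -p "$FJ_DIR" || return 1
    [ -e "$FJ_DIR/$1.profile" ] || cp "$FJ_BASE" "$FJ_DIR/$1.profile"
}

# add_rule APPNAME DIRECTIVE PATH: append "blacklist PATH" or
# "read-only PATH" once; refuse if the other directive is already
# present for the same path.
add_rule() {
    profile="$FJ_DIR/$1.profile"
    case "$2" in
        blacklist) other="read-only" ;;
        read-only) other="blacklist" ;;
        *) echo "unsupported directive: $2" >&2; return 2 ;;
    esac
    if grep -qxF -e "$other $3" "$profile"; then
        echo "conflict: $3 already has '$other'" >&2; return 3
    fi
    grep -qxF -e "$2 $3" "$profile" || printf '%s\n' "$2 $3" >> "$profile"
}

# missing_hardening APPNAME: print each hardening line of the generic
# profile shown above that the edited profile no longer contains.
missing_hardening() {
    for line in "caps.drop all" "seccomp" "netfilter" "noroot"; do
        grep -qxF -e "$line" "$FJ_DIR/$1.profile" || printf '%s\n' "$line"
    done
}
```

Pass paths in single quotes, for example add_rule keepassx blacklist '${HOME}/Documents', so that the literal ${HOME} reaches the profile as in the lines above.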


How to use Firetools?

To start the tool, issue the command below from a terminal window:

firetools &

This shows the Firetools window and an indicator for the running app in the system tray.

A few apps will be already included with Firetools.

To start one, we can either double-click the app launcher or right-click the launcher and select Run.

Firetools includes a monitor that shows which apps are running within a firejail. To open this, unminimize Firetools, right-click anywhere in the GUI, and select Tools.

Further, to add a new app to Firetools, right-click the GUI and click Edit. In the new window, fill out the details for the app. 

In the Command section, we must include firejail. 

If we want to add an entry for KeePassX, the Command section will be firejail keepassx.


How to use the Firejail GUI?

From the application menu, launch firetools. It will show the supported applications currently installed on the system. 

Now, double click any application and it will launch the program in a sandbox.


How to monitor Firejail processes?

Firejail processes can be monitored from a CLI or graphical interface.

For instance, click on the process PID to monitor a specific process and to see what permissions it has over the filesystem and network. We can also shut down the process or join an already running sandbox to modify the filesystem etc.

To list all the firejail processes from the command line, run:

firejail --list

Similarly, to shut down a firejail process from the command line, pass its PID (3342 in this example) to the command below:

firejail --shutdown=3342


How to launch all applications with Firejail by default?

Launching an application with firejail requires users to either prefix the software command with firejail on the command line or use the GUI tool. We can also configure the system to launch all applications with firejail by default.

To integrate firejail with the desktop environment, use the command below:

sudo firecfg

Now, any applications we launch from the system menu or command line will launch with firejail by default.




Conclusion

This article covers the steps to install Firejail in Linux. Basically, Firejail reduces the risk of security breaches by restricting untrusted applications and separating them from other parts of the system.

Sandboxing involves providing a safe environment for a program or software so that you can play around with it without hurting your system. It keeps your program isolated from the rest of the system by using any one of the different methods available in the Linux kernel.

To Install the Firejail Software:

1. Open up a terminal window.

2. Issue the command sudo apt-get install firejail.

3. Type your sudo password and hit Enter.

4. If prompted, type y to allow the installation to continue.

5. Allow the installation to complete.