Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.
Installing Firejail on Linux involves installing three packages. Together, they secure applications by isolating them from other parts of the system.
In this guide, you will learn how to install Firejail on Linux.
How to install Firejail in Linux?
Firejail is a tool that helps in separating applications from other parts of the system. It restricts untrusted applications and thus helps in reducing the risk of security flaws.
To install Firejail, we need to install the packages firejail, firetools, and firejail-configuration-wizard.
Firejail is the primary sandboxing program. Firetools is a GUI utility for monitoring the firejail processes that are currently running. Firejail-configuration-wizard can create custom profiles for any application.
To install Firejail on any Ubuntu-based distribution, run the following command in a terminal window:
sudo apt-get install firejail
For other Linux distributions, we may need to replace the apt-get command with their corresponding installation command.
Now let us install Firetools. This app is not present in the standard repositories. However, the developer has made official .debs available.
To install one of the .deb files, follow these steps:
i. Download the file associated with your architecture (either 32- or 64-bit).
ii. Open a terminal window.
iii. Change into the Downloads directory with the command cd ~/Downloads.
iv. Issue the command sudo dpkg -i firetools*.deb.
v. Type your sudo password and hit Enter.
vi. Allow the installation to complete.
Sometimes, the installation may error out with dependency issues. If that’s the case, enter the command sudo apt-get install -f to resolve the dependencies, and Firetools will be ready to use.
After installing Firejail, we can check whether it is installed on the system by running the following command in the terminal:
$ firejail --version
If this command prints the version of Firejail, then it has been installed.
How to use Firejail?
Once firejail is installed, we can launch any application in a sandbox either from the command line, by prefixing the application's command with firejail, or from the GUI tool.
Run firejail from the command line:
For instance, to run 'Firefox' within a Firejail, open up a terminal and issue the command 'firejail firefox'.
Note: Applications run with Firejail will not have access to all the files. For example, if you run Firefox with Firejail, an attempt to upload a file from the Picture directory will fail because of the sandbox's access restrictions.
To close an application running in a Firejail, simply close it as you normally would.
Firejail works with profiles. It includes profiles for a number of popular applications, as well as a very restrictive default profile.
If Firejail does not find a profile for an executed command, it will then run the application with the default profile.
We can create a custom profile for an application with the following steps:
i. Open up a terminal window.
ii. Issue the command mkdir -p ~/.config/firejail.
iii. Change into the newly created directory.
iv. Copy the default profile into the newly created directory with the command cp /etc/firejail/generic.profile ~/.config/firejail/APPNAME.profile (where APPNAME is the name of the app to be used).
v. Edit the newly created profile to suit your needs.
The generic profile looks like this:
# Generic GUI application profile
Now, if we want to prevent that application from accessing the user's Documents directory, add the following to the newly created profile:
We can also write that out with the explicit path to the directory, like so:
Here USERNAME is the actual name of the user.
Now, to limit the access to read-only we can enable this in the profile with the line:
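The profile steps above, collected into one shell function as an added example (not code from the original article). The blacklist and read-only rules are assumed values chosen for illustration, using Firejail's blacklist and read-only profile directives; the function name make_profile and its optional directory and base-profile arguments are hypothetical.

```shell
#!/bin/sh
# Added example: build a per-application Firejail profile from the generic one.
# Usage: make_profile APPNAME [CONFIG_DIR] [BASE_PROFILE]
#   CONFIG_DIR   defaults to ~/.config/firejail (directory from the steps above)
#   BASE_PROFILE defaults to /etc/firejail/generic.profile (path from the steps)
make_profile() {
    app=$1
    dir=${2:-"$HOME/.config/firejail"}
    base=${3:-/etc/firejail/generic.profile}
    profile="$dir/$app.profile"

    # Reject empty names and names that would escape CONFIG_DIR.
    case $app in
        ''|*/*|.*) echo "invalid application name: $app" >&2; return 1 ;;
    esac

    mkdir -p "$dir" || return 1

    # Never overwrite a profile that has already been customised.
    if [ ! -e "$profile" ]; then
        if [ -r "$base" ]; then
            cp "$base" "$profile" || return 1
        else
            echo "base profile $base not found; starting empty" >&2
            : > "$profile" || return 1
        fi
    fi

    # Make sure the file ends with a newline before appending rules.
    if [ -n "$(tail -c 1 "$profile")" ]; then
        echo >> "$profile"
    fi

    # Append each restriction once, so re-running does not duplicate lines.
    # ${HOME} is written literally: Firejail expands it, not the shell.
    # Both rules are assumed sample restrictions, not taken from the article.
    for rule in 'blacklist ${HOME}/Documents' 'read-only ${HOME}'; do
        grep -qxF -- "$rule" "$profile" || printf '%s\n' "$rule" >> "$profile"
    done

    # Print the path of the resulting profile for the caller.
    printf '%s\n' "$profile"
}
```

Calling make_profile keepassx writes ~/.config/firejail/keepassx.profile, which Firejail then uses when the application is started with firejail keepassx.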
How to use Firetools?
To start the tool, issue the command below from a terminal window:
This shows the Firetools window and an indicator for the running app in the system tray.
A few apps will be already included with Firetools.
To start one, we can either double-click the app launcher or right-click the launcher and select Run.
Firetools includes a monitor that shows which apps are running within a firejail. To open this, unminimize Firetools, right-click anywhere in the GUI, and select Tools.
Further, to add a new app to Firetools, right-click the GUI and click Edit. In the new window, fill out the details for the app.
In the Command section, we must include firejail.
If we want to add an entry for KeePassX, the Command section will be firejail keepassx.
How to use the Firejail GUI?
From the application menu, launch firetools. It will show the supported applications currently installed on the system.
Now, double click any application and it will launch the program in a sandbox.
How to monitor Firejail processes?
Firejail processes can be monitored from a CLI or graphical interface.
For instance, click on the process PID to monitor a specific process and to see what permissions it has over the filesystem and network. We can also shut down the process or join an already running sandbox to modify the filesystem etc.
To list all the firejail processes from the command line, run:
Similarly, to shut down a firejail process from the command line use the command below:
How to launch all applications with Firejail by default?
Launching an application with firejail normally requires the user either to prefix the application's command with firejail on the command line or to use the GUI tool. Alternatively, we can configure all applications to launch with firejail by default.
To do so, integrate firejail with the desktop environment using the command below:
Now, any applications we launch from the system menu or command line will launch with firejail by default.