Bobcares

How to install Firejail in Linux?

by | Sep 28, 2020

Install of Firejail in Linux mainly involves the install of three packages. They altogether secure applications by separating them from other parts of the system.

As a part of our Server Management Services, we help our Customers with software installations regularly.

Let us today discuss the steps to install Firejail in Linux.

Install Firejail In Linux

Firejail is a tool that helps in separating applications from other parts of the system. It restricts untrusted applications and thus helps in reducing the risk of security flaws.

To install Firejail, we need to install the packages firejail, firetools, and firejail-configuration-wizard.

Firejail is a primary sandboxing program. Firetools is a GUI utility to monitor firejail processes currently running. Firejail-configuration-wizard can create custom profiles for any application.

To install Firejail on any Ubuntu-based distribution, follow the commands given below on a terminal window:

sudo apt-get install firejail

For other Linux distributions, we may need to replace the apt-get command with their corresponding installation command.

Now let us install Firetools. This app is not present in the standard repositories. However, the developer has made official .debs available. To install one of the .deb files, follow these steps:

  • Download the file associated with your architecture (either 32- or 64-bit)
  • Open a terminal window
  • Change into the Downloads directory with the command cd ~/Downloads
  • Issue the command sudo dpkg -i firetools*.deb
  • Type your sudo password and hit Enter
  • Allow the installation to complete

At times, the installation may error out with dependency issues. If that’s the case, enter the command sudo apt-get install -f, to resolve the dependencies, and Firetools will be ready to use.

After installing Firejail, we can check whether it is installed on your system or not by running the following command in the terminal

$ firejail --version

If this command gives the version of Firejail, then it has been installed.

Using Firejail

After firejail installation, we can either use the command line to launch any application with firejail command as a prefix or use the GUI tool.

Run firejail from the command line

firejail application_name

For instance, to run Firefox within a Firejail, open up a terminal and issue the command ‘firejail firefox’.

Note: Applications run with Firejail will not have access to all the files. For example, if you run Firefox with Firejail, the attempt to upload a file from the Picture directory will fail due to access restriction of the sandbox.

To close an application running in a Firejail, simply close it as you normally would.

Firejail works with profiles. It includes profiles for a number of popular applications, as well as a very restrictive default profile.

If Firejail does not find a profile for an executed command, it will then run the application with the default profile. We can create a custom profile for an application with the following steps:

  • Open up a terminal window
  • Issue the command mkdir -p ~/.config/firejail
  • Change into the newly created directory
  • Copy the default profile into the newly created directory with the command cp /etc/firejail/generic.profile ~/.config/firejail/APPNAME.profile (where APPNAME is the name of the app to be used)
  • Edit the newly created profile to suit your needs

The generic profile looks like this:

################################
# Generic GUI application profile
################################

include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.password-store
caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
noroot

Now, if we want to prevent that application from accessing the user Documents directory, add the following to the newly created profile:

blacklist ${HOME}/Documents

We can also write that out with the explicit path to the directory, like so:

blacklist /home/USERNAME/Documents

Here USERNAME is the actual name of the user.

Now, to limit the access to read-only we can enable this in the profile with the line:

read-only ${HOME}/Documents

Using Firetools

To startup the tool issue the command below from a terminal window:

firetools &

install Firejail in Linux

This shows the Firetools window and an indicator for the running app in the system tray.

A few apps will be already included with Firetools. To start one, we can either double-click the app launcher or right-click the launcher and select Run.

Firetools includes a monitor that shows which apps are running within a firejail. To open this, unminimize Firetool, right-click anywhere in the GUI, and select Tools.

Further, to add a new app to Firetools, right-click the GUI and click Edit. In the new window, fill out the details for the app. In the Command section, we must include firejail. If we want to add an entry for KeePassX, the Command section will be firejail keepassx.

Using firejail GUI

From the application menu, launch firetools. It will show the supported applications currently installed on the system. Now, double click any application and it will launch the program in a sandbox.

Monitor firejail processes

Firejail processes can be monitored from a CLI or graphical interface.

For instance, click on the process PID to monitor a specific process and to see what permissions it has over the filesystem and network. We can also shut down the process or join an already running sandbox to modify the filesystem etc.

To list all the firejail processes from the command line, run:

firejail --list

Similarly, to shut down a firejail process from the command line use the command below:

firejail --shutdown=3342

Launch all applications with firejail by default

Launching an application with firejail requires users to launch it either from the command line with firejail command prefixed to the software command or use the GUI tool. Likewise, we can also set to launch all applications with firejail by default.

Finally, to integrate firejail with the desktop environment using the command below:

sudo firecfg

Now, any applications we launch from the system menu or command line will launch with firejail by default.

[Need any further assistance to install Firejail in Linux? – We’re available 24*7]

 

Conclusion

In short, Firejail reduces the risk of security breaches by restricting the untrusted applications and separating them from other parts of the system. Today, we saw how our Support Engineers install Firejail in Linux.

 

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF