Installing Firejail on Linux mainly involves installing three packages. Together they secure applications by separating them from the rest of the system.
As a part of our Server Management Services, we help our Customers with software installations regularly.
Let us today discuss the steps to install Firejail in Linux.
Install Firejail In Linux
Firejail is a tool that separates applications from the rest of the system. It restricts untrusted applications and thus reduces the damage a security flaw in one of them can do.
To install Firejail, we need the packages firejail, firetools, and firejail-configuration-wizard.
Firejail is the sandboxing program itself. Firetools is a GUI utility for monitoring the Firejail processes currently running. Firejail-configuration-wizard creates custom profiles for any application.
To install Firejail on any Ubuntu-based distribution, run the command below in a terminal window:
sudo apt-get install firejail
For other Linux distributions, we may need to replace the apt-get command with their corresponding installation command.
Now let us install Firetools. This app is not present in the standard repositories. However, the developer has made official .debs available. To install one of the .deb files, follow these steps:
- Download the file associated with your architecture (either 32- or 64-bit)
- Open a terminal window
- Change into the Downloads directory with the command cd ~/Downloads
- Issue the command sudo dpkg -i firetools*.deb
- Type your sudo password and hit Enter
- Allow the installation to complete
At times, the installation may error out with dependency issues. If that’s the case, enter the command sudo apt-get install -f, to resolve the dependencies, and Firetools will be ready to use.
After installing Firejail, we can confirm that it is installed by running the following command in a terminal:
$ firejail --version
If this command gives the version of Firejail, then it has been installed.
Using Firejail
After firejail installation, we can either use the command line to launch any application with firejail command as a prefix or use the GUI tool.
Run firejail from the command line
firejail application_name
For instance, to run Firefox inside a Firejail sandbox, open a terminal and issue the command ‘firejail firefox’.
Note: Applications run with Firejail do not have access to all files. For example, if you run Firefox with Firejail, an attempt to upload a file from the Pictures directory will fail because the sandbox restricts access to it.
To close an application running in a Firejail, simply close it as you normally would.
Firejail works with profiles. It includes profiles for a number of popular applications, as well as a very restrictive default profile.
If Firejail does not find a profile for an executed command, it will then run the application with the default profile. We can create a custom profile for an application with the following steps:
- Open up a terminal window
- Issue the command mkdir -p ~/.config/firejail
- Change into the newly created directory
- Copy the default profile into the newly created directory with the command cp /etc/firejail/generic.profile ~/.config/firejail/APPNAME.profile (where APPNAME is the name of the app to be used)
- Edit the newly created profile to suit your needs
The generic profile looks like this:
################################
# Generic GUI application profile
################################
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.password-store
caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
noroot
Now, if we want to prevent that application from accessing the user's Documents directory, add the following line to the newly created profile:
blacklist ${HOME}/Documents
We can also write that out with the explicit path to the directory, like so:
blacklist /home/USERNAME/Documents
Here USERNAME is the actual name of the user.
Alternatively, to allow read-only access instead of hiding the directory entirely, use this line in the profile in place of the blacklist:
read-only ${HOME}/Documents
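The custom-profile procedure above (copy the generic profile, then append a blacklist or read-only line for ~/Documents), as an added shell example that is not part of the original post. It does not touch the real system: the template it writes is a constructed stand-in for /etc/firejail/generic.profile, the profile directory is passed in as a parameter so the functions can run against a temporary directory, and the function names write_generic_template, make_profile, profile_has and count_directives are my own.

```shell
# Added example (not from the original post): build a custom Firejail profile
# from a generic template and restrict access to ~/Documents. Paths are passed
# in as parameters so the functions can run against a temporary directory.

# write_generic_template FILE: write a constructed stand-in for
# /etc/firejail/generic.profile (trimmed to the hardening lines shown above).
write_generic_template() {
    cat > "$1" <<'EOF'
################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
noroot
EOF
}

# make_profile TEMPLATE PROFILE_DIR APPNAME MODE
#   Copies TEMPLATE to PROFILE_DIR/APPNAME.profile and appends a restriction:
#   MODE "deny" hides ~/Documents (blacklist), MODE "ro" makes it read-only.
make_profile() {
    template=$1; dir=$2; app=$3; mode=$4
    mkdir -p "$dir"
    cp "$template" "$dir/$app.profile"
    case "$mode" in
        deny) echo 'blacklist ${HOME}/Documents' >> "$dir/$app.profile" ;;
        ro)   echo 'read-only ${HOME}/Documents' >> "$dir/$app.profile" ;;
        *)    echo "make_profile: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# profile_has PROFILE LINE: succeed if PROFILE contains exactly that line.
profile_has() {
    grep -qxF -- "$2" "$1"
}

# count_directives PROFILE: number of non-comment, non-blank lines, a quick
# check that the hardening lines from the template survived the copy.
count_directives() {
    grep -cv -e '^#' -e '^$' -- "$1"
}
```

Against a real system the call is make_profile /etc/firejail/generic.profile ~/.config/firejail firefox deny, after which firejail firefox picks up ~/.config/firejail/firefox.profile. Copying the template rather than writing the profile from scratch is what keeps the hardening lines (caps.drop all, seccomp, noroot) in place; count_directives and profile_has are there to check that they did not get lost along the way.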
Using Firetools
To start the tool, issue the command below from a terminal window:
firetools &
This shows the Firetools window and an indicator for the running app in the system tray.
A few app launchers are already included with Firetools. To start one, either double-click the launcher or right-click it and select Run.
Firetools includes a monitor that shows which apps are running inside a Firejail sandbox. To open it, restore the Firetools window, right-click anywhere in the GUI, and select Tools.
Further, to add a new app to Firetools, right-click the GUI and click Edit. In the new window, fill out the details for the app. In the Command section, we must include firejail. If we want to add an entry for KeePassX, the Command section will be firejail keepassx.
Using firejail GUI
From the application menu, launch firetools. It shows the supported applications currently installed on the system. Double-click any application and it launches in a sandbox.
Monitor firejail processes
Firejail processes can be monitored from a CLI or graphical interface.
In the Firetools monitor, click a process PID to inspect that sandbox and see what permissions it has over the filesystem and network. From there we can also shut down the process or join an already running sandbox to modify its filesystem.
To list all the firejail processes from the command line, run:
firejail --list
Similarly, to shut down a sandbox from the command line, pass its PID (as shown by firejail --list) to --shutdown:
firejail --shutdown=3342
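The command-line monitoring step above, carried a little further as an added shell example that is not part of the original post: it picks the sandbox PIDs for a given program out of firejail --list output and feeds them to firejail --shutdown. SAMPLE_LIST is constructed in the PID:USER:NAME:COMMAND format that firejail --list prints; the function names sandbox_pids and shutdown_app and the FIREJAIL override variable are my own.

```shell
# Added example (not from the original post): select sandbox PIDs from the
# output of "firejail --list" so that a chosen sandbox can be shut down with
# "firejail --shutdown=PID". SAMPLE_LIST is constructed, in the one-line-per-
# sandbox PID:USER:NAME:COMMAND format that firejail --list prints.
SAMPLE_LIST='3342:alice::firejail firefox
3590:alice:mail:firejail thunderbird
4101:bob::firejail --private firefox'

# sandbox_pids LIST APP: print the PID of every sandbox whose command runs APP.
# The program name is the first word after "firejail" that is not an option.
sandbox_pids() {
    printf '%s\n' "$1" | awk -F: -v app="$2" '
        NF >= 4 {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd ":" $i   # command itself may contain ":"
            n = split(cmd, w, " ")
            for (i = 2; i <= n; i++) {                    # w[1] is "firejail"
                if (w[i] ~ /^-/) continue
                if (w[i] == app) print $1
                break
            }
        }'
}

# shutdown_app LIST APP: shut down every sandbox running APP, one
# "firejail --shutdown=PID" per match. FIREJAIL can be pointed at another
# command (for example "echo") to rehearse without touching live sandboxes.
shutdown_app() {
    for pid in $(sandbox_pids "$1" "$2"); do
        "${FIREJAIL:-firejail}" --shutdown="$pid"
    done
}

# Real use on a live system: shutdown_app "$(firejail --list)" firefox
```

Matching on the program name rather than on the whole command line is what makes the sample's "firejail --private firefox" count as a Firefox sandbox; setting FIREJAIL=echo before calling shutdown_app prints the commands it would run, which is a cheap way to confirm the selection before shutting anything down.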
Launch all applications with firejail by default
So far, launching an application under Firejail has required either prefixing the command with firejail on the command line or using the GUI tool. We can instead configure the system to launch all applications with Firejail by default.
To do this, integrate Firejail with the desktop environment by running the command below:
sudo firecfg
Now, any application we launch from the system menu or the command line runs under Firejail by default.
Conclusion
In short, Firejail reduces the risk of security breaches by restricting untrusted applications and separating them from the rest of the system. Today, we saw how our Support Engineers install Firejail in Linux.