Firejail

From Gentoo Wiki
Jump to: navigation, search

Firejail (sys-apps/firejail, sys-apps/firejail-lts) is a SUID sandboxing program that reduces the risk of security breaches by restricting the running environment of untrusted applications using, inter alia, Linux namespaces and seccomp-bpf. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc.

Installation

USE flags

USE flags for sys-apps/firejail Security sandbox for any type of processes

apparmor Enable support for custom AppArmor profiles
chroot Enable chrooting to custom directory
contrib Install contrib scripts
debug Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
file-transfer Enable file transfers between sandboxes and the host system
globalcfg Enable global config file
network Enable networking features
overlayfs Enable overlayfs
private-home Enable private home feature
seccomp Enable system call filtering
suid Enable setuid root program, with potential security risks
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
userns Enable attaching a new user namespace to a sandbox (--noroot option)
vim-syntax Pulls in related vim syntax scripts
whitelist Enable whitelist
x11 Enable X11 sandboxing
Data provided by the Gentoo Package Database · Last update: 2020-02-17 17:38 More information about USE flags

The x11 USE flag sandbox replaces the regular X11 server with Xpra or Xephyr server. This prevents X11 keyboard loggers and screenshot utilities from accessing the main X11 server but introduces a lot of additional dependencies.

Emerge

root #emerge --ask sys-apps/firejail

Alternatively sys-apps/firejail-lts can be used.

Configuration

Firejail comes with numerous default profiles for many popular applications located in /etc/firejail/. In many cases the default profile configuration is sufficient. In addition to configuring a profile users may wish to set up a shortcut to enable firejail to be run by default for their selected application.

Profiles

The list of preconfigured profiles is available in /etc/firejail/.

If you wish to make customizations for an existing profile simply copy it to your home directory and edit as necessary:

user $cp /etc/firejail/firefox.profile ~/.config/firejail/firefox.profile

To make a profile for an application without a preconfigured profile you can use the default profile as a basis:

user $cp /etc/firejail/default.profile ~/.config/firejail/app-name.profile

Here are some example options you may wish to include in a custom profile:

FILE ~/.config/firejail/app-name.configCustom profile example
whitelist ~/pictures/

whitelist ~/share/
read-only ~/share/

whitelist ~/dev/WebExtensions/
read-only ~/dev/WebExtensions/

whitelist ~/.cache/fish/

blacklist /mnt
blacklist /opt

Using Firejail by default

A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. A good place is /usr/local/bin directory. For example to run Firefox with firejail by default:

root #ln -s /usr/bin/firejail /usr/local/bin/firefox

This works for clicking on desktop environment icons, menus etc. Use firejail --tree to verify the program is sandboxed.

user $firejail --tree
23615:gentoouser:firejail /usr/bin/firefox 
  23616:gentoouser:firejail /usr/bin/firefox 
    23618:gentoouser:/usr/bin/firefox

Alternatively you can create the following file instead and make it executable:

FILE /usr/local/bin/firefoxFirejail Desktop Integration
#!/bin/bash
firejail /usr/bin/firefox $@

This method allows command line options to be passed to firejail. Remember to make it executable with chmod +x /usr/local/bin/firefox.

To use Firejail by default for all applications for which it has profiles, run the firecfg tool as root.

root #firecfg

System-wide Configuration

System-wide configuration is set in /etc/firejail/firejail.config. If you have executables in /usr/local/bin corresponding to one of your firejailed applications combined with the private-bin profile option then make sure private-bin-no-local is set to yes

FILE /etc/firejail/firejail.configSystem-wide settings example
# Remove /usr/local directories from private-bin list, default disabled.
private-bin-no-local yes

Kernel

Optionally you can enable user namespaces in the kernel so they can be utilized by firejail:

KERNEL Enabling user namespaces
General setup --->
  Namespaces support --->
    <*>  User namespace

Usage

Usage is simple as:

user $firejail firefox

Private mode can be used as a quick way of hiding all the files in your home directory from sandboxed programs. It is enabled using --private command line option:

user $firejail --private firefox

Additionally, firejail can provide full graphical isolation for X11-based programs like firefox; an in-depth tutorial for doing so may be read here.

Troubleshooting

firemon

firejail comes with a tool firemon which can be used to help with troubleshooting. To use it run firemon as root then in a separate terminal start the application you wish to troubleshoot with firejail application.

not all executables from --private-bin list were found.

Either disable the private-bin option in your application profile or ensure private-bin-no-local yes is set in /etc/firejail/firejail.config.

user namespaces not available in the current kernel.

Make sure user namespaces are set in the kernel. CONFIG_USER_NS=y

See also

Sakaki's EFI Install Guide/Sandboxing the Firefox Browser with Firejail - tutorial-style article, introducing firejail's protection features in some depth, as well as the additional steps required to fully graphically isolate software such as firefox.

External resources

Retrieved from "https://wiki.gentoo.org/index.php?title=Firejail&oldid=819100"