Firejail
Firejail is a SUID sandboxing program. It reduces the risk of security breaches by restricting the running environment of untrusted applications using, inter alia, Linux namespaces and seccomp-bpf. The software includes security profiles for a large number of applications like Mozilla Firefox, Chromium, VLC, or Transmission.
Installation
USE flags
USE flags for sys-apps/firejail Security sandbox for any type of processes
X
|
Enable X11 sandboxing |
apparmor
|
Enable support for custom AppArmor profiles |
chroot
|
Enable chrooting to custom directory |
contrib
|
Install contrib scripts |
dbusproxy
|
Enable DBus proxying to filter access in supporting profiles |
file-transfer
|
Enable file transfers between sandboxes and the host system |
globalcfg
|
Enable global config file |
network
|
Enable networking features |
private-home
|
Enable private home feature |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
userns
|
Enable attaching a new user namespace to a sandbox (--noroot option) |
The X USE flag sandbox replaces the regular X11 server with Xpra or Xephyr server. This prevents X11 keyboard loggers and screenshot utilities from accessing the main X11 server but introduces a lot of additional dependencies.
Emerge
root #emerge --ask sys-apps/firejailConfiguration
Firejail comes with numerous default profiles for many popular applications located in /etc/firejail/. In many cases the default profile configuration is sufficient. In addition to configuring a profile users may wish to set up a shortcut to enable firejail to be run by default for their selected application.
Profiles
The list of preconfigured profiles is available in /etc/firejail/.
If you wish to make customizations for an existing profile simply copy it to your home directory and edit as necessary:
user $cp /etc/firejail/firefox.profile ~/.config/firejail/firefox.profileTo make a profile for an application without a preconfigured profile you can use the default profile as a basis:
user $cp /etc/firejail/default.profile ~/.config/firejail/app-name.profileHere are some example options you may wish to include in a custom profile:
~/.config/firejail/app-name.configCustom profile examplewhitelist ~/pictures/ whitelist ~/share/ read-only ~/share/ whitelist ~/dev/WebExtensions/ read-only ~/dev/WebExtensions/ whitelist ~/.cache/fish/ blacklist /mnt blacklist /opt
Using Firejail by default
A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. A good place is /usr/local/bin directory. For example to run Firefox with firejail by default:
root #ln -s /usr/bin/firejail /usr/local/bin/firefoxThis works for clicking on desktop environment icons, menus etc. Use firejail --tree to verify the program is sandboxed.
user $firejail --tree23615:larry:firejail /usr/bin/firefox
23616:larry:firejail /usr/bin/firefox
23618:larry:/usr/bin/firefox
Alternatively you can create the following file instead and make it executable:
/usr/local/bin/firefoxFirejail Desktop Integration#!/bin/bash firejail /usr/bin/firefox $@
This method allows command line options to be passed to firejail. Remember to make it executable with chmod +x /usr/local/bin/firefox.
To use Firejail by default for all applications for which it has profiles, run the firecfg tool as root.
root #firecfgIn the default configuration, firecfg will build a symbolic link for patch, this action will make portage work incorrectly , maybe you need to remove the link or do some configurations for patch
System-wide Configuration
System-wide configuration is set in /etc/firejail/firejail.config. If you have executables in /usr/local/bin corresponding to one of your firejailed applications combined with the private-bin profile option then make sure private-bin-no-local is set to yes
/etc/firejail/firejail.configSystem-wide settings example# Remove /usr/local directories from private-bin list, default disabled. private-bin-no-local yes
Kernel
Optionally you can enable user namespaces in the kernel so they can be utilized by firejail:
General setup --->
Namespaces support --->
<*> User namespace
Usage
Usage is simple as:
user $firejail firefoxPrivate mode can be used as a quick way of hiding all the files in your home directory from sandboxed programs. It is enabled using --private command line option:
user $firejail --private firefoxAdditionally, firejail can provide full graphical isolation for X11-based programs like firefox; an in-depth tutorial for doing so may be read here.
Troubleshooting
firemon
firejail comes with a tool firemon which can be used to help with troubleshooting. To use it run firemon as root then in a separate terminal start the application you wish to troubleshoot with firejail application.
Verbose arguments
Consider to use following arguments:
--trace --debug-caps --debug-errnos --debug-syscalls --debug-protocols --debug-blacklists --debug-whitelists --debug-caps --debug-errnos --debug-private-lib --debug-protocols --debug-syscalls
Possible obstacles
not all executables from --private-bin list were found.
Either disable the private-bin option in your application profile or ensure private-bin-no-local yes is set in /etc/firejail/firejail.config.
user namespaces not available in the current kernel.
Make sure user namespaces are set in the kernel. CONFIG_USER_NS=y
See also
User:Sakaki/Sakaki's EFI Install Guide/Sandboxing the Firefox Browser with Firejail - tutorial-style article, introducing firejail's protection features in some depth, as well as the additional steps required to fully graphically isolate software such as firefox.