Docu review done: Wed 31 Jul 2024 02:14:23 PM CEST

firejail

Table of content

Description

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Firejail allows the user to manage application security using security profiles. Each profile defines a set of permissions for a specific application or group of applications. The software includes security profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.

Security Profiles

Several command line options can be passed to the program using profile files. Firejail chooses the profile file as follows:

  1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME. Example:
$ firejail --profile=/home/netblue/icecat.profile icecat
Reading profile /home/netblue/icecat.profile
[...]

$ firejail --profile=icecat icecat-wrapper.sh
Reading profile /etc/firejail/icecat.profile
[...]
  1. If a profile file with the same name as the application is present in ~/.config/firejail directory or in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
$ firejail icecat
Command name #icecat#
Found icecat profile in /home/netblue/.config/firejail directory
Reading profile /home/netblue/.config/firejail/icecat.profile
[...]
  1. Use default.profile file if the sandbox is started by a regular user, or server.profile file if the sandbox is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory. To disable default profile loading, use –noprofile command option. Example:
$ firejail
Reading profile /etc/firejail/default.profile
Parent pid 8553, child pid 8554
Child process initialized
[...]

$ firejail --noprofile
Parent pid 8553, child pid 8554
Child process initialized
[...]

Filesystem

DirectorySet as
/bootblacklisted
/binread-only
/devread-only; a small subset of drivers is present, everything else has been removed
/etcread-only; /etc/passwd and /etc/group have been modified to reference only the current user; you can enable a subset of the files by editing /etc/firejail/firefox-common.profile (uncomment private-etc line in that file)
/homeonly the current user is visible
/lib, /lib32, /lib64read-only
/proc, /sysre-mounted to reflect the new PID namespace; only processes started by the browser are visible
/sbinblacklisted
/selinuxblacklisted
/usrread-only; /usr/sbin blacklisted
/varread-only; similar to the home directory, only a skeleton filesystem is available
/tmponly X11 directories are present

Insatllation

$ apt install firejail

Commands

CommandDescription
firejail [application]runs application in firejail
--privateMount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed
--private=[/path/to/dir]Use directory as user home.
--private-tmpMount an empty temporary filesystem on top of /tmp directory whitelisting X11 and PulseAudio sockets.
--ipc-namespaceEnable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default for sandboxes started as root.
--net=[NIC]Enable a new network namespace and connect it to this ethernet interface using the standard Linux macvlan
--net=noneEnable a new, unconnected network namespace. The only interface available in the new namespace is a new loopback interface (lo). Use this option to deny network access to programs that don’t really need network access.
--netfilterEnable a default firewall if a new network namespace is created inside the sandbox. This option has no effect for sandboxes using the system network namespace.
--netfilter=filenameEnable the firewall specified by filename if a new network namespace is created inside the sandbox. This option has no effect for sandboxes using the system network namespace.
--netstatsMonitor network namespace statistics, see MONITORING section for more details.
--topMonitor the most CPU-intensive sandboxes, see MONITORING section for more details.
--trace[=filename]Trace open, access and connect system calls. If filename is specified, log trace output to filename, otherwise log to console.
--treePrint a tree of all sandboxed processes, see MONITORING section for more details.
--listprints a list of all sandboxes. The format for each process entry is as follows: PID:USER:Sandbox Name:Command

Network

Networkfilter Default

The default firewall is optimized for regular desktop applications. No incoming connections are accepted:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ping
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# drop STUN (WebRTC) requests
-A OUTPUT -p udp --dport 3478 -j DROP
-A OUTPUT -p udp --dport 3479 -j DROP
-A OUTPUT -p tcp --dport 3478 -j DROP
-A OUTPUT -p tcp --dport 3479 -j DROP
COMMIT

Networkfilter Specific

Please use the regular iptables-save/iptables-restore format for the filter file. The following examples are available in /etc/firejail directory.

webserver.net is a webserver firewall that allows access only to TCP ports 80 and 443. Example:

$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 /etc/init.d/apache2 start

nolocal.net is a desktop client firewall that disable access to local network. Example:

$ firejail --netfilter=/etc/firejail/nolocal.net --net=eth0 firefox

Network stats

Monitor network namespace statistics, see MONITORING section for more details.

$ firejail --netstats
PID  User    RX(KB/s) TX(KB/s) Command
1294 netblue 53.355   1.473    firejail --net=eth0 firefox
7383 netblue 9.045    0.112    firejail --net=eth0 transmission

Samples

Firefox

by default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process

$ firejail firefox -no-remote

To assign an IP address, Firejail ARP-scans the network and picks up a random address not already in use. Of course, we can be as explicit as we need to be:

$ firejail --net=eth0 --ip=192.168.1.207 firefox

Note: Ubuntu runs a local DNS server in the host network namespace. The server is not visible inside the sandbox. Use --dns option to configure an external DNS server:

$ firejail --net=eth0 --dns=9.9.9.9 firefox

By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing. It is a regular iptable filter. This is a setup example, where no access to the local network is allowed:

$ firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox

On top of that, you can even add a hosts file implementing an adblocker:

$ firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net --hosts-file=~/adblock firefox

In this setup we use /home/username/work directory for work, email and related Internet browsing. This is how we start all up:

$ firejail --private=/home/username/work thunderbird &
$ firejail --private=/home/username/work firefox -no-remote &

Both Mozilla Thunderbird and Firefox think ~/work is the user home directory. The configuration is preserved when the sandbox is closed.