HOW TO: install FireJail and sandbox any app

paulwratt · Thu Feb 09, 2017 8:25 am

Originally designed to sandbox FireFox, FireJail can sandbox any app, or service (including Google Chrome, Chromium-Browser)

If FireJail is not in your repo, download:

Code: Select all

wget http://mirrordirector.raspbian.org/raspbian/pool/main/f/firejail/firejail_0.9.44.8-1_armhf.deb
sudo apt-get install libapparmor1
sudo dpkg -i firejail_0.9.44.8-1_armhf.deb

This version of FireJail (on the repo servers, but not in my Jessie repo "apt-cache search firejail") must have been compiled with --enable-apparmor as it requires libapparmor1 (which is in the repo).

(from firejail man page)

List all sandboxed processes.

Code: Select all

firejail --list

DESKTOP INTEGRATION
A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place is /usr/local/bin directory. Example:

Make a firefox symlink to /usr/bin/firejail:
Code: Select all
$ ln -s /usr/bin/firejail /usr/local/bin/firefox
Verify $PATH
Code: Select all
$ which -a firefox
/usr/local/bin/firefox
/usr/bin/firefox
Starting firefox in this moment, automatically invokes “firejail firefox”. This works for clicking on desktop environment icons, menus etc. Use "firejail --tree" to verify the program is sandboxed.
Code: Select all
$ firejail --tree
1189:pi:firejail firefox
  1190:pi:firejail firefox
     1220:pi:/bin/sh -c "/usr/lib/firefox/firefox"
        1221:pi:/usr/lib/firefox/firefox

One time use

--private
Mount new /root and /home/user directories in temporary filesys‐
tems. All modifications are discarded when the sandbox is
closed.

Example:
Code: Select all
              $ firejail --private firefox
--private=directory
Use directory as user home.

Example:
Code: Select all
              $ firejail --private=/home/netblue/firefox-home firefox
--private-home=file,directory
Build a new user home in a temporary filesystem, and copy the
files and directories in the list in the new home. All modifica‐
tions are discarded when the sandbox is closed.

Example:
Code: Select all
              $ firejail --private-home=.mozilla firefox
--private-bin=file,file
Build a new /bin in a temporary filesystem, and copy the pro‐
grams in the list. If no listed file is found, /bin directory
will be empty. The same directory is also bind-mounted over
/sbin, /usr/bin, /usr/sbin and /usr/local/bin. All modifica‐
tions are discarded when the sandbox is closed.

Example:
Code: Select all
              $ firejail --private-bin=bash,sed,ls,cat
              Parent pid 20841, child pid 20842
              Child process initialized
              $ ls /bin
              bash  cat  ls  sed

sandboxing services (nginx is a web server)

--caps Linux capabilities is a kernel feature designed to split up the
root privilege into a set of distinct privileges. These privi‐
leges can be enabled or disabled independently, thus restricting
what a process running as root can do in the system.

By default root programs run with all capabilities enabled.
--caps option disables the following capabilities: CAP_SYS_MOD‐
ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
FIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. The filter is
applied to all processes started in the sandbox.

Example:
Code: Select all
              $ sudo firejail --caps /etc/init.d/nginx start
--caps.keep=capability,capability,capability
Define a custom whitelist Linux capabilities filter.

Example:
Code: Select all
              $ sudo firejail --caps.keep=chown,net_bind_service,setgid,\
              setuid /etc/init.d/nginx start
--cgroup=tasks-file
Place the sandbox in the specified control group. tasks-file is
the full path of cgroup tasks file.

Example:
Code: Select all
              # firejail --cgroup=/sys/fs/cgroup/g1/tasks
--cpu=cpu-number,cpu-number,cpu-number
Set CPU affinity.

Example:
Code: Select all
              $ firejail --cpu=0,1 handbrake

Examples

EXAMPLES
firejail
Sandbox a regular /bin/bash session.

firejail firefox
Start Mozilla Firefox.

firejail --debug firefox
Debug Firefox sandbox.

firejail --private firefox
Start Firefox with a new, empty home directory.

firejail --net=none vlc
Start VLC in an unconnected network namespace.

firejail --net=eth0 firefox
Start Firefox in a new network namespace. An IP address is
assigned automatically.

firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
Start a /bin/bash session in a new network namespace and connect
it to br0, br1, and br2 host bridge devices. IP addresses are
assigned automatically for the interfaces connected to br1 and
b2

firejail --list
List all sandboxed processes.

Cheers
Paul

HOW TO: install FireJail and sandbox any app | HOW TO: improve browser experience | HOW TO: pepperflash in FireFox 2017
RE: superblock last write time is in the future | Re: Wine on Raspberry Pi | HOWTO: detached top menu bar (ie Atari ST, Amiga, Mac)
Looking for Grafx2 console art package? | PCManFM right click menu and Open As Root