Run applications in a containerized sandbox with Firejail
Locked In
The namespaces available in the Linux kernel enable what is by now commonplace use of containers in virtual runtime environments, such as with the LXC Linux container runtime or Docker. Manual use of these namespaces is, of course, possible but can be very time consuming because of the large number of options. If you want to start your installed applications in their own sandboxes by default, whether to enhance security or create unambiguous rules for individual applications, Firejail [1] is a useful option.
Isolation
Isolating important system resources with processes in their own namespaces has a long history in the operating system world. The chroot operation, for example, has been a way to isolate applications in the kernel as early as 1979 in Unix version 7. The term "isolation" initially referred exclusively to the root filesystem: a program could be presented with a different filesystem (e.g., to prevent unauthorized and unwanted access to important system resources or settings). Isolation is particularly interesting for applications that run under the root account but must not be given root permissions on the host system.
The techniques that today's container runtimes use for isolation originated in the early 2000s. Since 2002, the Linux kernel has offered mount namespaces in addition to chroot, making it possible to show a process group different filesystem content, whether for the entire root filesystem or only for specific paths. Over time, further resources beyond the filesystem became available in namespaces. The Linux kernel currently supports eight different namespaces for isolating process resources [2].
Namespaces
Linux namespaces allow the isolation of processes and the abstraction of the resources these processes use. The mount namespace lets you select which mountpoints are visible in the process group; with bind mounts, you can assemble essentially arbitrary filesystem content. The PID namespace abstracts the process IDs, assigning ID 1 to the first process within the process group and thus making it functionally equivalent to the init process. Each abstracted process ID is mapped to an actual process ID in the namespace above it. The network namespace abstracts the available network interfaces, IP addresses, routes, and firewall rules, as well as Unix domain sockets, and the UTS (Unix timesharing) namespace isolates the hostname or the obsolete Network Information Service (NIS) domain name within a process group.
The IPC namespace covers all common mechanisms for interprocess communication that do not rely on the filesystem (e.g., POSIX IPC or System V message queues). In the user namespace, the user and group IDs of processes and files can be customized and mapped to users in the overlying namespace; this mapping can then be propagated to sub-namespaces. The cgroup namespace abstracts the view of the control group hierarchy. The time namespace, which was only released in 2020 with kernel 5.6, cannot abstract real (wall-clock) time within the namespace, but it does provide adjusted values for the clocks that measure program and system uptime.
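To make the PID and UTS namespaces described above tangible, here is an added example in C (not code from the article or from the Firejail project) that creates a user, PID and UTS namespace with a single clone() call and checks the isolation from both sides: the child sees itself as PID 1 and may change its hostname, while the caller's hostname stays untouched. The function name run_isolated_child and the ISO_* result codes are chosen for this example; it assumes a Linux kernel and reports ISO_UNSUPPORTED where unprivileged user namespaces are disabled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes of run_isolated_child() (names chosen for this example). */
enum { ISO_OK = 0, ISO_UNSUPPORTED = 1, ISO_FAILED = 2 };
static char child_stack[64 * 1024];   /* stack for the cloned child */

/* First process inside the new PID and UTS namespaces; exit status 0 means the
 * expected isolation was observed. No execve() happens, so the child keeps the
 * full capability set it holds in its own user namespace. */
static int child_fn(void *arg) {
    char host[64] = {0};
    (void)arg;
    /* The hostname change is confined to the child's UTS namespace. */
    if (sethostname("sandbox", 7) != 0) return 1;
    if (gethostname(host, sizeof host) != 0) return 1;
    if (strcmp(host, "sandbox") != 0) return 1;
    /* In a fresh PID namespace the first process sees itself as PID 1. */
    return getpid() == 1 ? 0 : 1;
}

/* Creates user, PID and UTS namespaces in one clone() call. CLONE_NEWUSER lets an
 * unprivileged caller do this where the kernel allows unprivileged user
 * namespaces; where they are disabled, ISO_UNSUPPORTED is reported instead. */
int run_isolated_child(void) {
    char before[64] = {0}, after[64] = {0};
    int status = 0;
    if (gethostname(before, sizeof before) != 0) return ISO_FAILED;
    pid_t pid = clone(child_fn, child_stack + sizeof child_stack,
                      CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD, NULL);
    if (pid < 0)
        return (errno == EPERM || errno == EINVAL || errno == ENOSPC)
                   ? ISO_UNSUPPORTED : ISO_FAILED;
    if (waitpid(pid, &status, 0) < 0) return ISO_FAILED;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return ISO_FAILED;
    if (gethostname(after, sizeof after) != 0) return ISO_FAILED;
    /* The caller's hostname must be untouched: that is the UTS isolation. */
    return strcmp(before, after) == 0 ? ISO_OK : ISO_FAILED;
}

int main(void) {
    static const char *msg[] = { "isolated", "unsupported", "failed" };
    printf("%s\n", msg[run_isolated_child()]);
    return 0;
}
```

Note that a sandboxed tool such as Firejail can change its hostname only because no execve() has dropped the capabilities the child holds in its new user namespace; a program started from that child with an unmapped UID would lose them.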
Container Sandboxing
In the Firejail default configuration you will find a large number of predefined profiles in /etc/firejail after the installation. If the profiles are missing on your system, install the firejail-profiles package. Before using Firejail, first check whether your user account is listed in the /etc/firejail/firejail.users file: every user allowed to use Firejail is listed there. Now you can simply start your browser (e.g., Chrome) in a restricted environment with the command:
firejail google-chrome
The browser then fires up in the usual way. On the console you will see messages about the configuration files in use, but in the browser itself you will not notice any difference at first. Now if you want to download a file to your computer with Save as, you will no longer see any content in your home directory; you can only access the Downloads folder. Of course, files can be saved in your isolated home directory, but note that they will disappear again when you exit the program and will no longer be available. To check at the command line which files a process can access, use the ls program to list the directory contents. For example, to check the Chrome profile, run the command:
firejail --quiet --profile=/etc/firejail/google-chrome.profile ls -ahl ~/
The --quiet option lets you turn off what is, in this case, the unhelpful output from Firejail, and --profile lets you force the use of the specified profile. As you will then see, access is only possible to individual files in your home directory and to the Downloads folder.
If you use the --private argument, you create a sandbox that does not include the content of the home directory and tells the browser to create a new profile in the empty directory every time it is started; the directory disappears again completely when the program ends. If you want to reuse the files created in the home directory the next time you start the program, you can instead use --private=directory to define a directory that will then be mounted as the home directory.