Run applications in a containerized sandbox with Firejail
Locked In
Your Own Profiles
To use your own profiles, create them in your home directory under .config/firejail/. As the name of the profile, it makes sense to choose the name of the program you want to start in the sandbox. For example, for testing, you can use ls again by creating the file ~/.config/firejail/ls.profile and adding a one-liner with the content:
whitelist ${HOME}/Downloads
Now in the output you will see displayed files such as .bashrc or .Xauthority. Firejail creates the .bashrc file, and it does not contain any of the customizations from your own .bashrc file. To check this, simply output the content with cat. First create a ~/.config/firejail/cat.profile and add the following line, which lets you include the previously created ls profile:
include ls.profile
Now check the content of the file with the command:
firejail --quiet cat ~/.bashrc
As you will see, the file contains only the default version of .bashrc from your system, which you will find in /etc/skel/.bashrc. Firejail copies and uses this file accordingly. The .Xauthority file is created by the tool to allow graphical programs to access the X11 server and open windows. If you want to prevent access to X11 from a sandbox, add the --x11=none argument to the command or disable X11 in the configuration accordingly. If your X11 server is also accessible over a network socket, you will receive an error when starting the program. If you disable this socket, or directly disable the entire network for your sandbox with --net=none, the .Xauthority file is no longer created in the home directory.
Sandbox for All
Firejail comes with firecfg, a utility that automatically starts all supported programs in a sandbox. If you run firecfg as root, it creates symbolic links in /usr/local/bin for these programs, and Firejail is automatically started with the selection of any of these programs. If you want to do this only for your current user, you can enter --bindir=~/bin, for example, to define a directory in your home directory for the symlinks created. Then, you only have to make sure that the directory is listed at the start of your PATH environment variable. The --clean option lets you undo the changes simply and easily.
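The PATH requirement above can be verified rather than assumed. The following script is an added example, not part of the original article or the Firejail project; the file name audit.sh, the function names, and the rule that a name counts as sandboxed when its first PATH match resolves to a binary called firejail are assumptions made here.

```bash
#!/bin/sh
# Added example (not from the article): audit firecfg-style symlinks.
# Assumption: a program counts as sandboxed when the first PATH match for its
# name resolves to a binary called "firejail".

# Print the first executable file called $1 in the colon-separated list $2.
resolve_in_path() {
    local name dir IFS
    name=$1
    IFS=:
    for dir in $2; do
        dir=${dir:-.}                      # empty PATH entry means current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# audit_firejail_links BINDIR [PATH_VALUE]
# Reports, for every symlink in BINDIR that points at firejail, whether a
# plain lookup of that name really ends up in firejail. Returns 1 on any miss.
audit_firejail_links() {
    local bindir path_value rc link name winner
    bindir=${1%/}
    path_value=${2:-$PATH}
    rc=0
    for link in "$bindir"/*; do
        [ -L "$link" ] || continue
        [ "$(basename "$(readlink -f "$link")")" = firejail ] || continue
        name=${link##*/}
        if ! winner=$(resolve_in_path "$name" "$path_value"); then
            echo "NOTFOUND $name"
            rc=1
        elif [ "$(basename "$(readlink -f "$winner")")" = firejail ]; then
            echo "OK $name"
        else
            echo "UNSANDBOXED $name -> $winner"   # an earlier PATH entry wins
            rc=1
        fi
    done
    return $rc
}

# Run directly as: sh audit.sh ~/bin
if [ "$#" -gt 0 ]; then audit_firejail_links "$@"; fi
```

The symlinks only affect lookups by name, so a launcher or script that calls a program by its absolute path starts it outside the sandbox regardless of what this check reports.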
Conclusions
Linux namespaces enable the isolation of applications. If you want to run programs in a container sandbox without too much overhead, Firejail gives you an easy-to-use tool to achieve this objective.
Infos
- Firejail: https://firejail.wordpress.com
- Namespaces for process isolation resources: https://man7.org/linux/man-pages/man7/namespaces.7.html