Run applications in a containerized sandbox with Firejail

Locked In

Your Own Profiles

Firejail looks for a profile named after the program being started, first in ~/.config/firejail/ and then in /etc/firejail/. A profile of your own therefore goes into .config/firejail/ in your home directory and is named after the program you want to start in the sandbox; a file there takes precedence over the system-wide one of the same name. For a test, you can use ls again: create the file ~/.config/firejail/ls.profile with the one-line content:

whitelist ${HOME}/Downloads

If you now list your home directory with a sandboxed ls, Firejail has mounted an empty tmpfs over it and made only the whitelisted Downloads directory visible; in addition, the output shows files such as .bashrc and .Xauthority, which Firejail itself creates in the sandbox's home. This .bashrc contains none of the customizations from your own .bashrc. To check this, print it with cat from inside the same sandbox. Without a profile of its own, cat would run under the generic default profile and show your real .bashrc, so first create ~/.config/firejail/cat.profile with the following line, which pulls in the ls profile created above (a relative file name in include is looked up in ~/.config/firejail and /etc/firejail):

include ls.profile

Now check the content of the file with the command:

firejail --quiet cat ~/.bashrc

As you will see, the file contains only the default .bashrc that your system hands to new users, /etc/skel/.bashrc, which Firejail copies into the sandbox's home. The .Xauthority file is created so that graphical programs in the sandbox can authenticate to the X11 server and open windows. To cut a sandbox off from X11, add --x11=none on the command line or the line x11 none to the profile; this hides the X11 socket directory and .Xauthority from the jail and removes the DISPLAY and XAUTHORITY variables. Firejail refuses to start with an error if the X server's abstract Unix socket would still be reachable from the jail, because that socket is an address in the network namespace rather than a path in the file system. Either disable the abstract socket on the X server, or give the sandbox its own empty network namespace with --net=none; the .Xauthority file then no longer appears in the sandbox's home directory.
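The procedure above, end to end, as a POSIX shell script added here (it is not code from the article or from the Firejail project): it writes the two profiles, refuses to clobber existing ones, and then runs the checks the text describes plus a write probe. The function names, the probe file fj-probe, and the DISPLAY probe are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): writes the two profiles from the text
# and runs the checks it describes. write_profiles, run_checks and the probe
# file fj-probe are this example's own choices.

# Firejail resolves a relative "include ls.profile" against ~/.config/firejail
# and /etc/firejail, so the profiles must live in one of those directories for
# the include to work. An optional first argument overrides the target directory.
write_profiles() {
    dir=${1:-${XDG_CONFIG_HOME:-$HOME/.config}/firejail}
    mkdir -p "$dir" || return 1
    for f in ls.profile cat.profile; do
        if [ -e "$dir/$f" ]; then
            echo "refusing to overwrite existing $dir/$f" >&2
            return 1
        fi
    done
    # Single quotes keep ${HOME} literal; Firejail expands it at start-up.
    printf '%s\n' 'whitelist ${HOME}/Downloads' > "$dir/ls.profile"
    printf '%s\n' 'include ls.profile' > "$dir/cat.profile"
}

# The checks need firejail itself; profiles are picked up by program name.
run_checks() {
    cfg=${XDG_CONFIG_HOME:-$HOME/.config}/firejail

    echo '# home as seen by the sandboxed ls (your files other than Downloads are gone):'
    firejail --quiet ls -a "$HOME"

    # The .bashrc inside the jail is a copy of /etc/skel/.bashrc, not yours.
    if firejail --quiet cat "$HOME/.bashrc" | cmp -s - /etc/skel/.bashrc; then
        echo 'sandboxed ~/.bashrc is identical to /etc/skel/.bashrc'
    else
        echo 'sandboxed ~/.bashrc differs from /etc/skel/.bashrc'
    fi

    # Writes outside the whitelist land on the tmpfs and vanish with the jail.
    firejail --quiet --profile="$cfg/ls.profile" touch "$HOME/fj-probe"
    if [ -e "$HOME/fj-probe" ]; then
        echo 'fj-probe reached the real home directory'; rm -f "$HOME/fj-probe"
    else
        echo 'fj-probe stayed inside the sandbox'
    fi

    # --x11=none hides the X11 socket and .Xauthority and unsets DISPLAY;
    # --net=none takes the abstract X11 socket away as well.
    echo '# home and DISPLAY inside an X11-less, network-less jail:'
    firejail --quiet --x11=none --net=none ls -a "$HOME"
    firejail --quiet --x11=none --net=none sh -c 'echo "DISPLAY=${DISPLAY:-unset}"'
}

if command -v firejail >/dev/null 2>&1; then
    write_profiles || echo 'keeping the existing profiles' >&2
    run_checks
else
    echo 'firejail not installed; write_profiles DIR still works' >&2
fi
```

Run it as your normal user with firejail installed. The write probe is the check that matters for security: a file created outside the whitelist never reaches your real home directory, because it was written to the tmpfs that disappears with the sandbox.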

Sandbox for All

Firejail comes with firecfg, a utility that sets up automatic sandboxing for every program it ships a profile for. Run as root, firecfg creates, for each such program, a symbolic link of the same name in /usr/local/bin that points to /usr/bin/firejail. Because /usr/local/bin normally precedes /usr/bin in PATH, starting the program by name now starts Firejail, which recognizes the name it was invoked under and runs the real program in a sandbox with the matching profile. To do this only for your own user, pass --bindir=~/bin (or another directory in your home) to have the symlinks created there, and make sure that directory comes first in your PATH environment variable; if it does not, the unwrapped binaries win and nothing is sandboxed. firecfg --clean (with the same --bindir, if you used one) removes the symlinks again.
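Whether the firecfg wrappers take effect depends entirely on PATH order, so the following POSIX shell script, added here and not part of the article or of Firejail, sets up the per-user variant and then audits every firejail symlink in the bindir against a PATH lookup. first_in_path, audit_wrappers and the $HOME/bin location are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): per-user firecfg setup plus a check
# that the symlinks it creates are the ones a PATH lookup actually resolves to.
# first_in_path and audit_wrappers are this example's own helpers.

# Print the first executable named $1 found in the colon-separated list $2.
first_in_path() {
    name=$1; rest=$2
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        if [ -n "$d" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# For every symlink to firejail in $1, report whether a lookup through the
# PATH string $2 (default: the current PATH) hits that symlink or an unwrapped
# copy elsewhere. Returns the number of shadowed wrappers, so 0 means every
# wrapped program really starts in a sandbox.
audit_wrappers() {
    bindir=$1; search=${2:-$PATH}; shadowed=0
    for link in "$bindir"/*; do
        [ -L "$link" ] || continue
        case $(readlink "$link") in */firejail|firejail) ;; *) continue ;; esac
        name=${link##*/}
        found=$(first_in_path "$name" "$search") || found='(nothing)'
        if [ "$found" = "$link" ]; then
            echo "wrapped   $name"
        else
            echo "SHADOWED  $name -> $found (expected $link)"
            shadowed=$((shadowed + 1))
        fi
    done
    return "$shadowed"
}

if command -v firecfg >/dev/null 2>&1; then
    bindir=$HOME/bin
    mkdir -p "$bindir"
    firecfg --bindir="$bindir"          # creates name -> /usr/bin/firejail symlinks
    audit_wrappers "$bindir" || echo "move $bindir to the front of PATH" >&2
    # undo later with: firecfg --bindir="$bindir" --clean
fi
```

The audit is worth rerunning after any change to shell start-up files: a distribution update or a dotfile manager that appends ~/bin to PATH instead of prepending it silently turns every wrapper off.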

Conclusions

Linux namespaces enable the isolation of applications. If you want to run programs in a container sandbox without too much overhead, Firejail gives you an easy-to-use tool to achieve this objective.
