Difference between revisions of "Firejail"

From ArchWiki
(Initial addition - need to check and see if copying/adding .desktop files in ~/.local/share/applications will override the defaults and prevent pacman overwrites)
 
m
Line 2: Line 2:
 
[[Category:Security]]
 
[[Category:Security]]
  
[https://l3net.wordpress.com/projects/firejail/ Firejail] s an easy to use SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. Used alone or combined with [[GRSecurity]] or another hardening system further increases the security provided by each sandbox. Firejail is ideal for use with browsers and daemons/servers alike.
+
[https://l3net.wordpress.com/projects/firejail/ Firejail] s an easy to use SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. Used alone or combined with [[Grsecurity]] or another hardening system further increases the security provided by each sandbox. Firejail is ideal for use with browsers and daemons/servers alike.
  
 
== Installation ==
 
== Installation ==
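Review bot: the replacement line still opens with "Firejail] s an easy to use", so this revision fixes the [[Grsecurity]] link casing but leaves the stray "s" where "is" is meant; correct that in the same edit. The next sentence on that line, "Used alone or combined with [[Grsecurity]] or another hardening system further increases the security", has no subject and would read better as "Using it alone or combined with ...".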

Revision as of 15:19, 12 October 2015


Firejail is an easy to use SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It can be used alone or combined with Grsecurity or another hardening system, which further increases the security provided by each sandbox. Firejail is ideal for use with browsers and daemons/servers alike.

Installation

The firejail (AUR) and firejail-git (AUR) packages provide all of the requirements out of the box.

Configuration

Firejail uses profiles for the applications executed inside it; the default profiles are in /etc/firejail/profiles. If you require custom profiles for applications not included, or wish to modify the defaults, place new rules or copies of the defaults in ~/.config/firejail.

Usage

To run an application such as firefox under Firejail with seccomp protection, execute the following:

$ firejail --seccomp firefox

Ideally, you will want to edit the /usr/share/applications/*.desktop files to include firejail where appropriate, and consider aliasing other applications in your shell's RC file. Note that pacman may sometimes overwrite these. No solution currently exists to automatically deal with launches of applications that should be run in the Firejail sandbox.

Further, some applications do not work properly with Firejail, and others simply require special configuration. If any directories are disallowed or blacklisted for a given application, you may have to edit the profile further to enable nonstandard directories that the application needs to access.
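The launcher edit described above can also be made on a per-user copy of the .desktop file instead of the packaged one. The following is an added example, not part of the wiki page or the Firejail project: the function name firejail_wrap_desktop and the sample launcher are hypothetical, and it assumes the desktop environment follows the XDG Base Directory specification, under which a file in ~/.local/share/applications shadows the same-named file in /usr/share/applications.

```shell
#!/bin/sh
# Added example: write a per-user .desktop copy whose Exec= lines launch via firejail.
# Assumption: the desktop environment searches $XDG_DATA_HOME/applications before
# /usr/share/applications, so the copy wins and a package upgrade cannot revert it.

# firejail_wrap_desktop SRC [DEST_DIR]  (hypothetical helper name)
# Copies SRC into DEST_DIR, prefixing every Exec= line with "firejail --seccomp"
# unless the line already starts with firejail. Prints the path of the written file.
firejail_wrap_desktop() {
    src=$1
    dest_dir=${2:-${XDG_DATA_HOME:-$HOME/.local/share}/applications}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    dest=$dest_dir/$(basename "$src")
    # Only Exec= keys are rewritten; TryExec=, Name=, Icon= etc. are copied unchanged.
    sed '/^Exec=firejail /!s/^Exec=/Exec=firejail --seccomp /' "$src" > "$dest" || return 1
    printf '%s\n' "$dest"
}

# Constructed sample input: a minimal launcher with a main entry and one action.
# A temporary directory stands in for /usr/share/applications and the user directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/system"
cat > "$demo_root/system/firefox.desktop" <<'EOF'
[Desktop Entry]
Name=Firefox
TryExec=firefox
Exec=firefox %u
Actions=new-private-window;

[Desktop Action new-private-window]
Name=New Private Window
Exec=firefox --private-window %u
EOF

demo_out=$(firejail_wrap_desktop "$demo_root/system/firefox.desktop" "$demo_root/user")
grep '^Exec=' "$demo_out"
```

Every Exec= line has to be rewritten, including those under [Desktop Action ...] groups, otherwise context-menu actions such as a private window would still start the application outside the sandbox.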

Private Mode

Firejail also includes a one-time private mode, in which no mounts to your home directory are made in the chroots. This lets you execute applications without making any changes to disk. For example, to execute firefox in private mode, do the following:

$ firejail --seccomp --private firefox

Firetools

A GUI application for use with Firejail, firetools (AUR), is also available.