This article describes how to move an existing Dropbox installation into a restricted home directory and how to run it inside the Firejail security sandbox.

Introducing Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, the process table and the mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

The download page provides:

source code (./configure && make && sudo make install)

.deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)

.rpm packages for OpenSUSE/Fedora/CentOS 7 (rpm -i firejail.rpm)

An Arch Linux package is also available in AUR.

Moving Dropbox into the new home directory

The Dropbox software consists of three directories placed in the user's home directory: .dropbox, Dropbox, and .dropbox-dist. I kill the running instance of Dropbox, create the new home directory (mybox), and move the three directories there:

$ cd ~
$ pkill dropbox
$ mkdir mybox
$ mv .dropbox mybox/.
$ mv Dropbox mybox/.
$ mv .dropbox-dist mybox/.

I also create a symbolic link to ~/mybox/Dropbox:

$ ln -s mybox/Dropbox Dropbox

The last step is to change the autostart entry. For this, I open ~/.config/autostart/dropbox.desktop in a text editor and modify the Exec line as follows:

Exec=firejail --private=~/mybox "dropbox start -i && sleep inf"

At the next computer restart or user login, Dropbox will start automatically inside the sandbox with /home/user/mybox as its home directory. Personal files in your real home directory will not be accessible to the Dropbox process.
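The relocation steps above (stop Dropbox, create mybox, move the three directories, add the symlink, rewrite the Exec line) collected into one idempotent script. This is an added example, not part of the original post or of the Firejail project; the home directory and box name are parameters so the function can be exercised on a scratch directory, and the desktop-file path and the Exec line are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): move an existing Dropbox
# installation into a restricted home directory and rewrite the autostart
# entry so Dropbox starts inside Firejail.

# move_dropbox_home HOME_DIR [BOX_NAME]
move_dropbox_home() {
    home="$1"
    box="${2:-mybox}"
    newhome="$home/$box"

    # Stop any running Dropbox instance first; it writes state on exit.
    pkill -x dropbox 2>/dev/null || true

    mkdir -p "$newhome"

    # Move the three Dropbox directories if they exist and have not been
    # moved already (an existing symlink means a previous run did the work).
    for d in .dropbox Dropbox .dropbox-dist; do
        if [ -e "$home/$d" ] && [ ! -L "$home/$d" ]; then
            mv "$home/$d" "$newhome/"
        fi
    done

    # Keep ~/Dropbox usable as a relative symlink to the relocated folder.
    if [ ! -e "$home/Dropbox" ]; then
        ln -s "$box/Dropbox" "$home/Dropbox"
    fi

    # Rewrite the Exec= line of the autostart entry, if present, so the
    # desktop session launches Dropbox inside the sandbox.
    desktop="$home/.config/autostart/dropbox.desktop"
    if [ -f "$desktop" ]; then
        sed -i 's#^Exec=.*#Exec=firejail --private=~/'"$box"' "dropbox start -i \&\& sleep inf"#' "$desktop"
    fi
}

# Only touch the real home directory when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    move_dropbox_home "$HOME" mybox
fi
```

Run it as `sh move-dropbox.sh --apply` to act on your own home directory; running it a second time is harmless because already-moved directories and the existing symlink are skipped.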

Starting Dropbox manually

You can add a start icon on your desktop:

$ cp ~/.config/autostart/dropbox.desktop ~/Desktop/.

or you can start Dropbox from a terminal:

$ firejail --private=~/mybox "dropbox start -i && sleep inf"

Verifying Dropbox is running

To check if Dropbox is running, use firejail --tree. This lists all the processes running in the sandbox, with the sandbox's own process first:

In the output, 1549 is the process id (PID) of the sandbox. You can use this PID value to join the sandbox.

Auditing the sandbox

To do a quick audit, log into the sandbox using firejail --join. Pass the process id of the sandbox (1549) as a parameter to the --join option. This opens a regular bash session inside the sandbox. The session has the same restricted view of the system as the dropbox process.

The user home directory inside the sandbox contains only Dropbox files and configuration (ls -al). The process space (ps aux) is restricted to Dropbox processes. Some system directories are empty, others are read-only. Seccomp and Linux capabilities filters reduce the kernel's attack surface. All SUID binaries, such as su and sudo, are disabled inside the sandbox.
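The manual checks above (ls -al, ps aux, probing system directories, trying su and sudo) as a small audit script to run from a shell joined to the sandbox with firejail --join. This is an added example, not part of the original post or of Firejail; the list of expected home entries, the directories probed and the process names treated as part of the sandbox are assumptions chosen to match what the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for a shell
# joined to the Dropbox sandbox.  Each check returns 0 when the sandbox
# looks as the post describes and 1 when something unexpected is found.

# Print entries of DIR that are not in the allowed list (remaining args).
# Returns 0 when only the expected Dropbox directories are present.
unexpected_home_entries() {
    dir="$1"; shift
    status=0
    for entry in "$dir"/.* "$dir"/*; do
        name=$(basename "$entry")
        [ "$name" = "." ] || [ "$name" = ".." ] && continue
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # unmatched glob
        allowed=1
        for a in "$@"; do
            [ "$name" = "$a" ] && allowed=0
        done
        if [ $allowed -eq 1 ]; then
            echo "unexpected in home: $name"
            status=1
        fi
    done
    return $status
}

# Return 0 if DIR refuses file creation (read-only, or absent/empty as the
# post describes for some system directories); 1 if a file could be created.
dir_is_readonly() {
    dir="$1"
    probe="$dir/.fj-audit-$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 1
    fi
    return 0
}

# Print visible processes that do not belong to the sandbox (assumed set:
# the firejail wrapper, the shell, dropbox, the sleep from the Exec line,
# and this audit's own tools).  Empty output means the process table is
# restricted as expected.
foreign_processes() {
    ps -eo comm= | grep -v -E '^(firejail|bash|sh|dropbox|sleep|ps|grep|basename)$' || true
}

# Return 0 if BIN is absent or cannot gain privileges here (Firejail mounts
# binaries nosuid, so su and sudo refuse to run); 1 if it succeeded.
suid_binary_disabled() {
    bin="$1"
    command -v "$bin" >/dev/null 2>&1 || return 0
    if "$bin" -c true </dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Full audit, meant to be run as: firejail --join=<PID> sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    rc=0
    unexpected_home_entries "$HOME" .dropbox Dropbox .dropbox-dist || rc=1
    for d in /etc /usr /bin /boot; do
        dir_is_readonly "$d" || { echo "writable: $d"; rc=1; }
    done
    f=$(foreign_processes)
    [ -z "$f" ] || { echo "foreign processes:"; echo "$f"; rc=1; }
    for b in su sudo; do
        suid_binary_disabled "$b" || { echo "$b still works"; rc=1; }
    done
    [ $rc -eq 0 ] && echo "sandbox audit: OK"
    exit $rc
fi
```

Joined as the same user who started the sandbox, the script needs no privileges; a non-zero exit points at the specific check that did not match the expected restricted view.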

For more information about Firejail, visit the project page.