We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a lightweight virtualization feature of the Linux kernel. A namespace gives a process and all its descendants their own private view of kernel resources that are otherwise globally shared, such as the network stack, the process table, the mount table and the IPC space.

Introducing Firejail

The software is written in C and only needs libc and POSIX threads (libpthread), both available by default on any Linux platform. Firejail is included in Ubuntu 15.10 and Debian testing. For other distributions, the download page provides:

1) source code (./configure && make && sudo make install)

2) .deb packages for Debian/Ubuntu/Mint (sudo dpkg -i firejail.deb)

3) .rpm packages for openSUSE/Fedora/CentOS 7 (sudo rpm -i firejail.rpm)

An Arch Linux package is also available in the AUR.

Mozilla Firefox

The command to start Firefox in a Firejail sandbox is:

$ firejail firefox

To watch the sandbox being built (mounts, filters, dropped capabilities), add --debug:

$ firejail --debug firefox

The sandbox runs in a chroot filesystem built on the fly on top of your current filesystem. Directories are either mounted read-only or replaced with empty ones, files holding passwords and encryption keys are blocked, and the private information in your home directory is unavailable. In fact, only two directories are imported from your home, ~/.mozilla and ~/Downloads, and only modifications in these two directories are persistent. Everything else is created in a temporary filesystem and is discarded when the browser is closed.
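A sandbox profile is only as good as what it actually hides, so the practical check is to look at the filesystem from inside. The following POSIX shell script is an added example, not code from Firejail or from the original article: it reports, for each path on a list, whether the current process finds it missing, denied, read-only or writable. Run it once on the host and once under the Firefox profile and diff the two reports. The checklist of paths and the idea of running a shell instead of firefox under the profile are assumptions of this example; the profile path is the one named in the article.

```shell
#!/bin/sh
# Added example, not part of Firejail or of the original article.
# Probe a list of paths and report what the current process can do with each.
# Run it once outside the sandbox and once inside, then diff the two reports:
#   sh probe.sh > outside.txt
#   firejail --profile=/etc/firejail/firefox.profile sh probe.sh > inside.txt
#   diff outside.txt inside.txt

# probe_path PATH: prints exactly one word describing PATH as seen from here:
#   missing  - the path does not exist in this mount namespace
#   denied   - it exists but cannot be read (e.g. an empty, unreadable
#              mount placed over it)
#   readable - it can be read but not modified (read-only mount)
#   writable - it can be modified
probe_path() {
    p="$1"
    if [ ! -e "$p" ]; then
        echo missing
        return 0
    fi
    if [ -d "$p" ]; then
        if ! [ -r "$p" ] || ! [ -x "$p" ]; then
            echo denied
        # A real create attempt, not 'test -w': root passes -w on any
        # directory with DAC, but cannot create a file on a read-only mount.
        elif t=$(mktemp "$p/.firejail-probe.XXXXXX" 2>/dev/null); then
            rm -f "$t"
            echo writable
        else
            echo readable
        fi
    else
        if ! [ -r "$p" ]; then
            echo denied
        elif [ -w "$p" ]; then
            # access(2) returns EROFS on a read-only mount, so -w is
            # trustworthy for files even when running as root.
            echo writable
        else
            echo readable
        fi
    fi
}

# probe_report PATH...: one "state path" line per argument, in order.
probe_report() {
    for p in "$@"; do
        printf '%-8s %s\n' "$(probe_path "$p")" "$p"
    done
}

# Assumed checklist for a browser sandbox: the two directories the article
# says are imported, plus key material and system files that should not be
# reachable or writable from inside.
home="${HOME:-/root}"
probe_report "$home/.mozilla" "$home/Downloads" \
             "$home/.ssh" "$home/.gnupg" "$home/.bash_history" \
             /etc/shadow /etc/passwd /etc /tmp
```

Inside the Firefox sandbox you should expect ~/.mozilla and ~/Downloads to come back writable, the key directories and /etc/shadow to be missing or denied, and /etc to be readable but not writable; any line that reads the same inside and outside is a hole worth looking at in the profile. The directory probe creates and immediately removes a temporary file, so run it with a user that you do not mind leaving a transient file behind for if the script is killed midway.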

The way the filesystem is built is controlled from /etc/firejail/firefox.profile, and modifying it is straightforward.

Firejail uses a number of security filters to enforce the chroot: