The core technology behind Firejail is Linux namespaces, a virtualization technology available in the Linux kernel. Namespaces let a process and all its descendants have their own private view of globally shared kernel resources such as the network stack, the process table, the mount table and the IPC space. The following features are implemented:
Firejail restricts the processes visible in the sandbox by making the sandboxed program PID 1. Only processes started by this program and its descendants will be visible in the sandbox.
This feature is implemented using a PID namespace. Firejail can run any type of process, including servers and GUI applications. It can also be used as a login shell to sandbox users upon telnet or SSH login into a server.
Three types of filesystems are supported: local, overlay and chroot filesystems. Multiple sandboxes can be run in parallel on the same filesystem tree.
- Local filesystem with the main directories mounted read-only. Only /home, /tmp and /var directories are writable. To create a sandbox for a program, pass the program and its arguments to the firejail executable (firejail program_and_arguments).
- Overlay filesystem mounted on top of the local filesystem using OverlayFS. OverlayFS is a patch to the Linux kernel, currently applied by default to Ubuntu and openSUSE kernels. The overlay holds all filesystem modifications; these modifications are not saved to the local filesystem (firejail --overlay program_and_arguments).
- Classic chroot system. Build a full / directory tree using debootstrap or any other tool provided by your distribution, and start Firejail on it (firejail --chroot=/path/to/root/tree program_and_arguments). You can also use distribution-specific trees extracted from OpenVZ templates.
By default, if program_and_arguments is not specified, a regular Bash shell is started in the sandbox.
Private mode and security profiles
Private mode can be used on top of any type of filesystem described above. It isolates the current user's home directory from the processes running in the sandbox by mounting empty temporary filesystems on top of the /root, /home and /tmp directories. Any files written in these directories are discarded when the sandbox is closed.
Security profiles are an easy way to configure an existing filesystem tree. They let the user specify files and directories that are not to be accessed in the sandbox, that are marked read-only, or that have empty filesystem trees mounted on top of them and discarded when the sandbox is closed. For example, in a profile you can deny access to the ~/.ssh directory, where the user's SSH keys and certificates are kept. A program running in a sandbox, such as Mozilla Firefox, should not have access to this type of information. Default security profiles are provided for Firefox, Midori and Evince.
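As an added example (not code from this page or from the Firejail project), the following Python script parses a small profile written with Firejail's blacklist, read-only and tmpfs directives and models how a list of host paths appears from inside the sandbox, taking into account the read-only/writable split of the local filesystem and the private-mode tmpfs mounts described above. The profile rules, the home directory /home/alice and the sample paths are constructed for the example; the precedence between directives is this example's own assumption, not taken from Firejail's implementation.

```python
import posixpath
from typing import Dict, List, Tuple

# Constructed profile in Firejail's profile syntax. The directive names
# (blacklist, read-only, tmpfs) are Firejail's; the rules themselves are made
# up for this example and are not one of Firejail's shipped profiles.
SAMPLE_PROFILE = """\
# deny access to SSH and GnuPG key material
blacklist ~/.ssh
blacklist ~/.gnupg
# shell start-up files stay visible but cannot be modified
read-only ~/.bashrc
read-only ~/.profile
# downloads land on an empty temporary filesystem, discarded on exit
tmpfs ~/Downloads
"""

HOME = "/home/alice"                             # constructed home directory
WRITABLE_BY_DEFAULT = ("/home", "/tmp", "/var")  # local filesystem split, from the text
PRIVATE_TMPFS = ("/root", "/home", "/tmp")       # private-mode mounts, from the text
DIRECTIVES = ("blacklist", "read-only", "tmpfs")


def parse_profile(text: str, home: str = HOME) -> List[Tuple[str, str]]:
    """Return (directive, absolute path) pairs; a leading '~' expands to home."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in DIRECTIVES:
            raise ValueError(f"line {lineno}: unsupported directive {line!r}")
        directive, path = parts
        if path == "~" or path.startswith("~/"):
            path = home + path[1:]
        rules.append((directive, posixpath.normpath(path)))
    return rules


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies somewhere beneath it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def classify(path: str, rules: List[Tuple[str, str]]) -> str:
    """Model of how one host path appears inside the sandbox.

    Precedence (an assumption of this example, not Firejail's source):
    blacklist > tmpfs > read-only > the default read-only/writable split.
    A tmpfs mount point itself stays visible but empty; whatever the host
    has beneath it is not reachable.
    """
    if any(d == "blacklist" and _under(path, r) for d, r in rules):
        return "hidden"
    if any(d == "tmpfs" and _under(path, r) and path != r for d, r in rules):
        return "hidden"
    if any(d == "tmpfs" and path == r for d, r in rules):
        return "empty"
    if any(d == "read-only" and _under(path, r) for d, r in rules):
        return "read-only"
    return "writable" if any(_under(path, w) for w in WRITABLE_BY_DEFAULT) else "read-only"


def sandbox_view(rules, host_paths, private: bool = False) -> Dict[str, str]:
    """Classify every host path; private=True adds the private-mode tmpfs mounts."""
    effective = list(rules) + ([("tmpfs", d) for d in PRIVATE_TMPFS] if private else [])
    return {p: classify(posixpath.normpath(p), effective) for p in host_paths}


SAMPLE_HOST_PATHS = [  # constructed
    "/usr/bin/firefox", "/home/alice/.ssh/id_rsa", "/home/alice/.bashrc",
    "/home/alice/Downloads", "/home/alice/Downloads/old.pdf",
    "/home/alice/notes.txt", "/tmp/scratch", "/var/tmp/cache",
]

if __name__ == "__main__":
    rules = parse_profile(SAMPLE_PROFILE)
    for private in (False, True):
        print(f"--- private mode: {private}")
        for path, verdict in sandbox_view(rules, SAMPLE_HOST_PATHS, private).items():
            print(f"{verdict:10} {path}")
```

Running the script prints the verdict for each sample path twice, once for a plain profile and once with private mode added, which makes it easy to see that a key file under ~/.ssh stays hidden either way while an ordinary file in the home directory is only hidden under private mode.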
Firejail can attach a new TCP/IP networking stack to the sandbox. This can be used to set up local Demilitarized Zones (DMZ), or to configure temporary networks for developing and testing various client/server programs.
In this example, Firejail sandbox vm1 runs its own TCP/IP stack and connects to the host on the br0 bridge device (firejail --net=br0 program_and_arguments).
The sandboxes and their associated processes are listed using the firejail --list command. A separate utility, firemon, based on the Process Events Connector feature of the Linux kernel, allows the administrator to trace and log all fork, exec, id change and exit events in the sandbox.
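The following Python listener, added here as an illustration and not part of firemon or of the original page, shows the kernel interface firemon relies on: it subscribes to the Process Events Connector over a netlink socket, decodes fork, exec, uid/gid change and exit events, and keeps only the events belonging to one sandbox by tracking the descendants of the sandbox's PID as seen on the host. The netlink and connector constants and structure layouts come from the kernel's UAPI headers; the descendant-tracking filter is this example's own design and an assumption about how to attribute events to a sandbox, not firemon's method. Subscribing requires CAP_NET_ADMIN, so sample_event() constructs datagrams offline and lets the decoder be exercised without root.

```python
import os
import socket
import struct
from typing import Dict, Optional, Set

# Constants from the Linux UAPI headers (linux/netlink.h, linux/connector.h,
# linux/cn_proc.h).
NETLINK_CONNECTOR = 11
CN_IDX_PROC, CN_VAL_PROC = 1, 1
NLMSG_DONE = 3
PROC_CN_MCAST_LISTEN, PROC_CN_MCAST_IGNORE = 1, 2
PROC_EVENT_NONE, PROC_EVENT_FORK, PROC_EVENT_EXEC = 0x0, 0x1, 0x2
PROC_EVENT_UID, PROC_EVENT_GID, PROC_EVENT_EXIT = 0x4, 0x40, 0x80000000

NLMSGHDR = struct.Struct("=IHHII")      # struct nlmsghdr: len, type, flags, seq, pid
CN_MSG = struct.Struct("=IIIIHH")       # struct cn_msg: idx, val, seq, ack, len, flags
PROC_EVENT_HDR = struct.Struct("=IIQ")  # struct proc_event: what, cpu, timestamp_ns


def cn_datagram(payload: bytes, pid: int = 0) -> bytes:
    """Wrap a connector payload in cn_msg and nlmsghdr headers."""
    cn = CN_MSG.pack(CN_IDX_PROC, CN_VAL_PROC, 0, 0, len(payload), 0)
    nl = NLMSGHDR.pack(NLMSGHDR.size + len(cn) + len(payload), NLMSG_DONE, 0, 0, pid)
    return nl + cn + payload


def sample_event(what: int, *fields: int, ts: int = 0) -> bytes:
    """Constructed datagram in the layout the kernel emits, for offline testing."""
    body = struct.pack("=%di" % len(fields), *fields)
    return cn_datagram(PROC_EVENT_HDR.pack(what, 0, ts) + body)


def parse_proc_event(msg: bytes) -> Optional[Dict]:
    """Decode one proc connector datagram; None if it is not an event we decode."""
    base = NLMSGHDR.size + CN_MSG.size
    if len(msg) < base + PROC_EVENT_HDR.size:
        return None
    if CN_MSG.unpack_from(msg, NLMSGHDR.size)[:2] != (CN_IDX_PROC, CN_VAL_PROC):
        return None
    what, cpu, ts = PROC_EVENT_HDR.unpack_from(msg, base)
    off = base + PROC_EVENT_HDR.size
    ev: Dict = {"what": what, "cpu": cpu, "timestamp_ns": ts}
    if what == PROC_EVENT_FORK:
        ppid, ptgid, cpid, ctgid = struct.unpack_from("=iiii", msg, off)
        ev.update(type="fork", pid=ppid, tgid=ptgid, child_pid=cpid, child_tgid=ctgid)
    elif what == PROC_EVENT_EXEC:
        pid, tgid = struct.unpack_from("=ii", msg, off)
        ev.update(type="exec", pid=pid, tgid=tgid)
    elif what in (PROC_EVENT_UID, PROC_EVENT_GID):
        pid, tgid, real, eff = struct.unpack_from("=iiII", msg, off)
        ev.update(type="uid" if what == PROC_EVENT_UID else "gid",
                  pid=pid, tgid=tgid, real=real, effective=eff)
    elif what == PROC_EVENT_EXIT:
        pid, tgid, code, sig = struct.unpack_from("=iiII", msg, off)
        ev.update(type="exit", pid=pid, tgid=tgid, exit_code=code, exit_signal=sig)
    elif what == PROC_EVENT_NONE:        # the kernel's acknowledgement of LISTEN
        ev.update(type="ack", err=struct.unpack_from("=I", msg, off)[0])
    else:
        return None
    return ev


class SandboxTracker:
    """Keep the set of thread groups descending from one sandbox's init process
    (the sandboxed program: PID 1 inside the sandbox, some other PID on the host)."""

    def __init__(self, root_pid: int):
        self.pids: Set[int] = {root_pid}

    def filter(self, ev: Optional[Dict]) -> Optional[Dict]:
        """Return ev if it belongs to the sandbox, maintaining the PID set."""
        if not ev or ev["type"] == "ack" or ev["tgid"] not in self.pids:
            return None
        if ev["type"] == "fork":
            self.pids.add(ev["child_tgid"])
        elif ev["type"] == "exit" and ev["pid"] == ev["tgid"]:
            self.pids.discard(ev["tgid"])   # thread-group leader is gone
        return ev


def listen(root_pid: int, limit: int = 50) -> None:
    """Subscribe to the proc connector and print the sandbox's events.
    Needs CAP_NET_ADMIN; root_pid is the sandbox's PID as seen on the host."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_DGRAM, NETLINK_CONNECTOR)
    sock.bind((os.getpid(), CN_IDX_PROC))             # join the proc multicast group
    tracker, seen = SandboxTracker(root_pid), 0
    sock.sendto(cn_datagram(struct.pack("=I", PROC_CN_MCAST_LISTEN), os.getpid()), (0, 0))
    try:
        while seen < limit:
            ev = tracker.filter(parse_proc_event(sock.recv(4096)))
            if ev:
                print(ev)
                seen += 1
    finally:
        sock.sendto(cn_datagram(struct.pack("=I", PROC_CN_MCAST_IGNORE), os.getpid()), (0, 0))
        sock.close()


if __name__ == "__main__":
    import sys
    listen(int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid())
```

Run as root with the host-side PID of a sandbox as the argument to watch that sandbox's process tree; the decoder ignores trailing fields that newer kernels append to the exit event, so it works on both older and current kernels.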