Running Dropbox in Firejail Sandbox

This article describes how to move an existing Dropbox installation into a restricted home directory and how to run it inside the Firejail security sandbox.

Introducing Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, and mount table.

Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

The download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/CentOS 7 (rpm -i firejail.rpm)

An Arch Linux package is also available in AUR.

Moving Dropbox into the new home directory

The Dropbox software consists of three directories placed in the user's home directory: .dropbox, Dropbox, and .dropbox-dist. I kill the running instance of Dropbox, create the new home directory (mybox), and move the three directories there:

$ cd ~
$ pkill dropbox
$ mkdir mybox
$ mv .dropbox mybox/.
$ mv Dropbox mybox/.
$ mv .dropbox-dist mybox/.

I also create a symbolic link to ~/mybox/Dropbox:

$ ln -s mybox/Dropbox Dropbox

The last step is to change the autostart entry. For this, I open ~/.config/autostart/dropbox.desktop in a text editor and modify the Exec line as follows:

Exec=firejail --private=~/mybox "dropbox start -i && sleep inf"

At the next computer restart or user login, Dropbox will start automatically in the sandbox with /home/user/mybox as its home directory. Personal files in your actual home directory will not be accessible to the Dropbox process.

Starting Dropbox manually

You can add a start icon on your desktop:

$ cp ~/.config/autostart/dropbox.desktop ~/Desktop/.

or you can start Dropbox from a terminal:

$ firejail --private=~/mybox "dropbox start -i && sleep inf"

Verifying Dropbox is running

To check if Dropbox is running, use firejail --tree. This will list all the processes running in the sandbox:

[Screenshot: Verifying Dropbox is running]

1549 is the process id (PID) of the sandbox. You can use this PID value to join the sandbox.

Auditing the sandbox

To do a quick audit, log into the sandbox using firejail --join. Pass the process id of the sandbox (1549) as a parameter to the --join option. This opens a regular bash session inside the sandbox. The session has the same restricted view of the system as the dropbox process.

[Screenshot: Joining the sandbox]

The user home directory inside the sandbox has only dropbox files and configuration (ls -al). The process space (ps aux) is restricted to dropbox processes. Some system directories are empty, others are read-only. Seccomp and Linux capabilities filters restrict the kernel’s attack surface. All SUID binaries such as su and sudo are disabled inside the sandbox.
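
The seccomp and capability restrictions mentioned above can be confirmed from the joined shell by reading the fields the kernel exposes in /proc/<pid>/status. The script below is an added example, not part of the original article or of the Firejail project; the function names and the sample status values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): read confinement fields from a
# /proc/<pid>/status file. In the joined shell: audit_status /proc/self/status

# Print the value of one "Name:<tab>value" field, or "absent" when the
# kernel does not report it (older kernels omit Seccomp and NoNewPrivs).
status_field() {
    awk -v key="$2:" '$1 == key { print $2; found = 1 }
                      END { if (!found) print "absent" }' "$1"
}

# Translate the numeric Seccomp field into the kernel's mode names.
seccomp_mode() {
    case "$(status_field "$1" Seccomp)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Report whether any bit is set in a capability mask (CapEff, CapBnd, ...).
caps_state() {
    mask=$(status_field "$1" "$2")
    case "$mask" in
        absent) echo unknown ;;
        *[!0]*) echo "present:$mask" ;;
        *)      echo none ;;
    esac
}

# One line per check, so the result can be grepped or diffed between runs.
audit_status() {
    f=${1:-/proc/self/status}
    echo "seccomp=$(seccomp_mode "$f")"
    echo "effective_caps=$(caps_state "$f" CapEff)"
    echo "bounding_caps=$(caps_state "$f" CapBnd)"
    echo "no_new_privs=$(status_field "$f" NoNewPrivs)"
}

# Constructed sample of a confined process, for running the audit offline.
write_sample_status() {
    printf 'Name:\tdropbox\nNoNewPrivs:\t1\nSeccomp:\t2\n' > "$1"
    printf 'CapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n' >> "$1"
}

sample=$(mktemp)
write_sample_status "$sample"
audit_status "$sample"
rm -f "$sample"
```

Running audit_status once in a normal terminal and once in the joined shell gives two short reports that can be compared line by line.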

For more information about Firejail, visit the project page.

11 thoughts on “Running Dropbox in Firejail Sandbox”

  1. lupegetust

    An include command or something akin to private.keep but with persistent data would be a great addition to firejail. Using this example: You could just point to the three Dropbox folders instead of moving and softlinking them, that would add a great deal of flexibility and ease of use.

    1. netblue30 Post author

      I think the name is set in an external DNS server. I would create a new network namespace with a random IP address, and a new hostname:

      $ firejail --net=eth0 --hostname=newname firefox

  2. Antonio

    I have been running dropbox in ubuntu 17.10 but in 18.04, after downloading the daemon, it starts firefox to connect to dropbox.com and firefox does not work because it can’t access the profile folder. I have tried all I knew with no luck (whitelisting, symlinks, profile manager, …). Have you tried?

  3. Morgan Storey

    After playing with a dropbox profile, I got rid of it and had to run the below to get it to work (note the double quotes and the --noprofile bit);
    firejail --noprofile --private=/home/mog/mybox ""dropbox start -i && sleep inf""

  4. Antonio

    I did it. With my session open and the dropbox firejail running, I changed my home directory (with vipw) to the home directory of the dropbox profile. I opened another shell (in this shell my home is where Dropbox is) and ran “dropbox start -i”. It started google-chrome and I was able to associate the dropbox account to the pc. Then I closed the shell and restored my home directory.
