We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. These applications are usually too complex to be bug-free, and some may come from an adversary trying to gain access to our system.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a lightweight virtualization feature of the Linux kernel. It gives a process and all of its descendants their own private view of otherwise globally shared kernel resources: the network stack, the process table, the mount table and the IPC space. Because the binary runs setuid root in order to create these namespaces, it is itself part of your trusted computing base: install it only from a trusted package source and keep it updated like any other privileged component.
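As an added illustration of the namespace mechanism described above (example code written for this page, not Firejail's own), the following C program creates new PID, mount, network and IPC namespaces and reports what a process inside them sees: it is PID 1 of its own process table, and its network namespace contains only the loopback interface. Firejail can do this directly because it runs setuid root; when this probe is run as an ordinary user it additionally requests a user namespace, and if the kernel refuses (unprivileged user namespaces disabled, or a seccomp filter blocking unshare, as in many container runtimes) it reports the errno instead of failing. The names probe_namespaces, ns_probe and run_helper are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWPID   /* fallbacks if <sched.h> was read without _GNU_SOURCE */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWNET  0x40000000
#endif

/* What a process observes from inside the freshly created namespaces
 * (example structure, not part of Firejail). */
struct ns_probe {
    int created;       /* 1 if the namespaces were created, 0 if the kernel refused */
    int unshare_errno; /* errno from unshare() when created == 0 */
    int pid_in_ns;     /* getpid() inside the new PID namespace: 1 when isolated */
    int ifaces_in_ns;  /* interfaces visible in the new network namespace: only "lo" */
};

/* Count the network interfaces visible from the calling process. */
static int count_interfaces(void)
{
    struct if_nameindex *list = if_nameindex();
    if (list == NULL)
        return -1;
    int n = 0;
    for (struct if_nameindex *p = list; p->if_index != 0; p++)
        n++;
    if_freenameindex(list);
    return n;
}

/* Helper process: move into new namespaces, then fork the child that becomes
 * PID 1 of the new PID namespace and report what it sees over the pipe. */
static void run_helper(int fd)
{
    struct ns_probe r;
    memset(&r, 0, sizeof r);
    int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWIPC;
    /* Firejail is setuid root and creates these directly; an unprivileged
     * probe needs a user namespace first, which grants CAP_SYS_ADMIN inside it. */
    if (geteuid() != 0)
        flags |= CLONE_NEWUSER;
    /* Raw syscall so the probe does not depend on the unshare() prototype. */
    if (syscall(SYS_unshare, flags) != 0) {
        r.unshare_errno = errno;          /* created stays 0: kernel refused */
        if (write(fd, &r, sizeof r) < 0)
            _exit(1);
        _exit(0);
    }
    r.created = 1;
    pid_t child = fork();
    if (child < 0)
        _exit(1);
    if (child == 0) {
        /* The first child after unshare(CLONE_NEWPID) is PID 1 of the new namespace. */
        r.pid_in_ns = (int)getpid();
        r.ifaces_in_ns = count_interfaces();  /* fresh net namespace: only "lo" */
        if (write(fd, &r, sizeof r) < 0)
            _exit(1);
        _exit(0);
    }
    waitpid(child, NULL, 0);
    _exit(0);
}

/* Run the probe in a throw-away helper (unshare(CLONE_NEWPID) may only be
 * called once per process). Returns 0 and fills *out, or -1 on failure. */
int probe_namespaces(struct ns_probe *out)
{
    int pfd[2];
    memset(out, 0, sizeof *out);
    if (pipe(pfd) != 0)
        return -1;
    pid_t helper = fork();
    if (helper < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (helper == 0) {
        close(pfd[0]);
        run_helper(pfd[1]);
    }
    close(pfd[1]);
    ssize_t n = read(pfd[0], out, sizeof *out);
    close(pfd[0]);
    waitpid(helper, NULL, 0);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    struct ns_probe p;
    if (probe_namespaces(&p) != 0) {
        perror("probe_namespaces");
        return 1;
    }
    if (!p.created)
        printf("kernel refused namespace creation: %s\n", strerror(p.unshare_errno));
    else
        printf("inside the sandbox: pid=%d, visible interfaces=%d\n", p.pid_in_ns, p.ifaces_in_ns);
    return 0;
}
```

Run it as an ordinary user on a kernel with unprivileged user namespaces enabled and it reports pid=1 and one interface; run it as root without CAP_SYS_ADMIN, or inside a container whose seccomp profile blocks unshare, and it reports the EPERM the kernel returned. Firejail goes further than this probe: after creating the namespaces it also remounts a private view of the filesystem inside the new mount namespace, which is why the sandboxed Firefox cannot see files outside what its profile allows.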
Introducing Firejail
The software is written in C and needs only libc and POSIX threads (libpthread), which are available by default on any Linux platform. Firejail is included in Ubuntu 15.10 and Debian testing. For other distributions, the download page provides:
- source code (./configure && make && sudo make install)
- .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
- .rpm packages for openSUSE/Fedora/CentOS 7 (rpm -i firejail.rpm)
An Arch Linux package is available in AUR.
Mozilla Firefox
The command to start Firefox in a Firejail sandbox is:
$ firejail firefox
or, to print the sandbox setup steps (namespaces, mounts, dropped privileges) as they happen:
$ firejail --debug firefox
To confirm the browser really is inside a sandbox, run firejail --list from another terminal; it shows each running sandbox with its PID and command line.
Firefox browser running in a Firejail sandbox