
Firejail: Difference between revisions

From InstallGentoo Wiki v2
>M-a-i-k-i
(Created page with "{{stub}} thumb|Firejail Logo [https://firejail.wordpress.com Firejail] is a Linux-only sandbox that uses Linux namespaces, seccomp-b...")
 
>M-a-i-k-i
No edit summary
Line 1: Line 1:
{{stub}} [[File:Firejail2.png|thumb|Firejail Logo]]
[[File:Firejail2.png|thumb|Firejail Logo]]


[https://firejail.wordpress.com Firejail] is a [[Linux_(kernel)|Linux-only]] sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis.
[https://firejail.wordpress.com Firejail] is a [[Linux_(kernel)|Linux-only]] sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis.
Line 11: Line 11:
Debian's Firejail installation process requires you to add a [https://backports.debian.org/Instructions backports] repository if you're using stable (jessie). Simply add the backports line to your sources.list in /etc/apt, update your repositories and install firejail using the {{ic|-t jessie-backports}} option.
Debian's Firejail installation process requires you to add a [https://backports.debian.org/Instructions backports] repository if you're using stable (jessie). Simply add the backports line to your sources.list in /etc/apt, update your repositories and install firejail using the {{ic|-t jessie-backports}} option.
* {{ic|$ sudo apt-get -t jessie-backports install firejail}}
* {{ic|$ sudo apt-get -t jessie-backports install firejail}}
== Usage ==
Using firejail is pretty simple, just open a terminal and enter {{ic|$ firejail <program name>}}. Keep in mind firejail takes input space, so it would be wise to make a simple bash script to start firejail in the background for a specific program.
Example:
* Firejailing Firefox: {{ic|$ firejail firefox}}
=== Whitelisting directories ===
By default firejail gives each firejailed program it's own view of the filesystem, so you may need to whitelist directories in some programs to access your files (whitelisting your pictures directory for your web browser to post chinese cartoons on imageboards, for example).
To whitelist a directory for a program, edit the programs respective profile in /etc/firejail. For instance, to whitelist your documents directory in firefox, you'd edit your firefox.profile file to add the line {{ic|whitelist ~/Documents}}. These rules are user-wide, but firejail will read {{ic|~/}} as the users own home directory, so don't worry about cross contamination. Permissions in whitelisted directories are the same as their filesystem permissions, so if you make a file read-only in a whitelisted directory, programs with that directory whitelist will respect that permission and will only be able to read the file.
== Things to keep in mind ==
=== Gay shit with Chromium ===
Sometimes if you exit out of Chromium, it will keep running in the background. You will notice this in your firejail terminal. Press Control-C and Chromium is killed and the firejail ended (this is true for all firejailed programs/processes).
=== Gay shit with group and passwd ===
While a firejail is running, firejail will lock your /etc/group and /etc/passwd files, making it so no program can access or write data to them (even root). This is a security feature and not a bug. If your group or passwd files don't work correctly (groupadd error code 10), close all firejails then try again.
== See also ==
* [[Security|Security]]
* [[Anonymizing_yourself|Anonymizing yourself]]
[[Category:GNU/Linux]]
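Review bot: In the "Whitelisting directories" paragraph, "These rules are user-wide" sits oddly next to the instruction to edit the profile in /etc/firejail, which applies to every user on the machine; say "system-wide" there, and consider pointing readers to a per-user profile under ~/.config/firejail so local changes are kept apart from the packaged files. In the same section, "it's own", "programs respective profile" and "users own home directory" should read "its own", "program's respective profile" and "user's own home directory".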

Revision as of 18:54, 9 December 2016


Firejail is a Linux-only sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis.

Installation

Installation varies among different GNU/Linux distributions, and it might be as easy as installing it as a package from an official repo. Check your distro's repos first.

Debian

Debian's Firejail installation process requires you to add a backports repository if you're using stable (jessie). Simply add the backports line to your sources.list in /etc/apt, update your repositories and install firejail using the -t jessie-backports option.

  • $ sudo apt-get -t jessie-backports install firejail

Usage

Using firejail is pretty simple: just open a terminal and enter $ firejail <program name>. Keep in mind that firejail stays in the foreground and ties up that terminal, so it would be wise to make a simple bash script to start firejail in the background for a specific program.

Example:

  • Firejailing Firefox: $ firejail firefox

Whitelisting directories

By default firejail gives each firejailed program its own view of the filesystem, so you may need to whitelist directories in some programs to access your files (whitelisting your pictures directory for your web browser to post Chinese cartoons on imageboards, for example).

To whitelist a directory for a program, edit the program's respective profile in /etc/firejail. For instance, to whitelist your documents directory in firefox, you'd edit your firefox.profile file to add the line whitelist ~/Documents. These rules apply to every user on the system, but firejail reads ~/ as the home directory of the user running it, so don't worry about cross contamination. Permissions in whitelisted directories are the same as their filesystem permissions, so if you make a file read-only in a whitelisted directory, programs with that directory whitelisted will respect that permission and will only be able to read the file.
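
The background launcher suggested under Usage and the whitelist rule described above, combined in one added example (not part of the original page or of firejail itself). It assumes a per-user profile in ~/.config/firejail that includes the packaged one, instead of editing /etc/firejail directly; the function names and the log path are made up for this example.

```shell
#!/bin/sh
# Added example: per-user firejail profile override plus a background launcher.
# Assumptions (not from the page): the override lives in ~/.config/firejail
# and the launcher logs to ~/.cache/firejail-<program>.log.

# add_whitelist PROGRAM DIR [CONFIG_DIR]
# Creates CONFIG_DIR/PROGRAM.profile if missing (pulling in the packaged
# profile from /etc/firejail), then appends "whitelist DIR" exactly once.
add_whitelist() {
    prog=$1 dir=$2 cfg=${3:-"$HOME/.config/firejail"}
    case $dir in
        "~/"*) ;;   # only ~/ paths here; firejail expands ~/ per user
        *) echo "use a ~/ path: $dir" >&2; return 1 ;;
    esac
    case $dir in
        *..*) echo "refusing path containing ..: $dir" >&2; return 1 ;;
    esac
    profile=$cfg/$prog.profile
    mkdir -p "$cfg" || return 1
    if [ ! -f "$profile" ]; then
        printf 'include /etc/firejail/%s.profile\n' "$prog" > "$profile"
    fi
    # -x matches the whole line, -F treats it as a fixed string:
    # skip the append when the rule is already present.
    grep -qxF "whitelist $dir" "$profile" ||
        printf 'whitelist %s\n' "$dir" >> "$profile"
}

# launch_jailed PROGRAM [ARGS...]
# Starts the sandbox detached from the terminal so the shell stays usable,
# and prints the PID of the background firejail process.
launch_jailed() {
    prog=$1
    mkdir -p "$HOME/.cache"
    nohup firejail "$@" > "$HOME/.cache/firejail-$prog.log" 2>&1 &
    echo $!
}

# Example use (left commented so sourcing this file has no side effects):
#   add_whitelist firefox '~/Documents' && launch_jailed firefox
```

Quote the directory argument so the shell passes the literal ~/ through to the profile.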

Things to keep in mind

Gay shit with Chromium

Sometimes if you exit out of Chromium, it will keep running in the background. You will notice this in your firejail terminal. Press Control-C there to kill Chromium and end the firejail (this is true for all firejailed programs/processes).

Gay shit with group and passwd

While a firejail is running, firejail will lock your /etc/group and /etc/passwd files, making it so no program can access or write data to them (even root). This is a security feature and not a bug. If your group or passwd files don't work correctly (groupadd error code 10), close all firejails then try again.

See also