We are still actively working on the spam issue.
Difference between revisions of "Firejail"
m (→Usage: - typo) |
|||
(13 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | [[File:Firejail2.png|thumb| | + | [[File:Firejail2.png|thumb|The logo]] |
− | [https://firejail.wordpress.com Firejail] is a [[Linux_(kernel)|Linux-only]] sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis. | + | [https://firejail.wordpress.com Firejail] is a [[Linux_(kernel)|Linux-only]] sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features (as of writing) to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis. |
== Installation == | == Installation == | ||
− | + | * {{ic|git clone https://github.com/netblue30/firejail}} | |
− | + | * {{ic|cd firejail}} | |
− | + | * (Optional) wget [https://git.solus-project.com/packages/firejail/plain/files/0001-Support-a-stateless-configuration.patch this patch] to make it stateless (in which case, the profiles will be stored in {{ic|/usr/shared/defaults/firejail}}), by issuing {{ic|git apply 0001-Support-a-stateless-configuration.patch}} | |
− | + | * {{ic|1=./configure --prefix=/usr}} | |
− | + | {{note|There are a multitude of options that you can set at compile time which you can see by running ./configure --help. For instance, if you use apparmor or busybox, add --enable-apparmor and --enable-busybox-workaround, respectively.}} | |
− | * {{ic| | + | * {{ic|1=CFLAGS="-march=native -mtune=native -O3" make -jn}}, where n is the amount of jobs you want to spawn |
+ | * {{ic|sudo make install}} | ||
== Usage == | == Usage == | ||
− | Using firejail is pretty simple, just open a terminal and enter {{ic|$ firejail <program name>}}. Alternatively, edit the exec field | + | Using firejail is pretty simple, just open a terminal and enter {{ic|$ firejail <program name>}}. Alternatively, edit the exec field of the *.desktop files in {{ic|/usr/share/applications}} so it doesn't take input space. |
Example: | Example: | ||
* Firejailing Firefox: {{ic|$ firejail firefox}} | * Firejailing Firefox: {{ic|$ firejail firefox}} | ||
− | Ideally, you might want to use {{ic|1=--name=}} to name it, should you want to join that sandbox later on with {{1= | + | Ideally, you might want to use {{ic|1=--name=}} to name it, should you want to join that sandbox later on with {{ic|1=--join=}}. This is particularly useful for opening new windows on firefox, since one instance is used to manage multiple windows. |
=== Whitelisting directories === | === Whitelisting directories === | ||
By default firejail gives each firejailed program it's own view of the filesystem, so you may need to whitelist directories in some programs to access your files (whitelisting your pictures directory for your web browser to post chinese cartoons on imageboards, for example). | By default firejail gives each firejailed program it's own view of the filesystem, so you may need to whitelist directories in some programs to access your files (whitelisting your pictures directory for your web browser to post chinese cartoons on imageboards, for example). | ||
− | To whitelist a directory for a program, edit the programs respective profile in ~/.config/firejail. For instance, to whitelist your documents directory in firefox, you | + | To whitelist a directory for a program, edit the programs respective profile in {{ic|~/.config/firejail}}. For instance, to whitelist your documents directory in firefox, you would copy your firefox.profile file to {{ic|~/.config/firejail/firefox.profile}} and add the line {{ic|whitelist ~/Documents}}. These rules are user-wide, but firejail will read {{ic|~/}} as the users own home directory, so don't worry about cross contamination. Permissions in whitelisted directories are the same as their filesystem permissions, so if you make a file read-only in a whitelisted directory, programs with that directory whitelist will respect that permission and will only be able to read the file. |
== Notes == | == Notes == | ||
Line 37: | Line 38: | ||
=== PulseAudio === | === PulseAudio === | ||
− | Firejail profiles with {{ic|--private-dev}} will mount a tmpfs directory on top of /dev/shm and, due to [https://bugs.freedesktop.org/show_bug.cgi?id=92141|this unresolved PA bug] delete PulseAudio's shm files, causing audio to stop working in the process. | + | Firejail profiles with {{ic|--private-dev}} will mount a tmpfs directory on top of {{ic|/dev/shm}} and, due to [https://bugs.freedesktop.org/show_bug.cgi?id=92141|this unresolved PA bug] delete PulseAudio's shm files, causing audio to stop working in the process. |
− | Adding {{ic|1=enable-memfd = yes}} to daemon.conf | + | Adding {{ic|1=enable-memfd = yes}} to daemon.conf mitigates this, and will be the default value come PulseAudio 10.0. It is an imperfect solution because it doesn't fully solve it. |
== See also == | == See also == | ||
Line 47: | Line 48: | ||
[[Category:GNU/Linux]] | [[Category:GNU/Linux]] | ||
+ | [[Category:Software]] |
Latest revision as of 14:36, 16 February 2023
Firejail is a Linux-only sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features (as of writing) to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis.
Contents
Installation
git clone https://github.com/netblue30/firejail
cd firejail
- (Optional) wget this patch to make it stateless (in which case, the profiles will be stored in
/usr/shared/defaults/firejail
), by issuinggit apply 0001-Support-a-stateless-configuration.patch
./configure --prefix=/usr
CFLAGS="-march=native -mtune=native -O3" make -jn
, where n is the amount of jobs you want to spawnsudo make install
Usage
Using firejail is pretty simple, just open a terminal and enter $ firejail <program name>
. Alternatively, edit the exec field of the *.desktop files in /usr/share/applications
so it doesn't take input space.
Example:
- Firejailing Firefox:
$ firejail firefox
Ideally, you might want to use --name=
to name it, should you want to join that sandbox later on with --join=
. This is particularly useful for opening new windows on firefox, since one instance is used to manage multiple windows.
Whitelisting directories
By default firejail gives each firejailed program it's own view of the filesystem, so you may need to whitelist directories in some programs to access your files (whitelisting your pictures directory for your web browser to post chinese cartoons on imageboards, for example).
To whitelist a directory for a program, edit the programs respective profile in ~/.config/firejail
. For instance, to whitelist your documents directory in firefox, you would copy your firefox.profile file to ~/.config/firejail/firefox.profile
and add the line whitelist ~/Documents
. These rules are user-wide, but firejail will read ~/
as the users own home directory, so don't worry about cross contamination. Permissions in whitelisted directories are the same as their filesystem permissions, so if you make a file read-only in a whitelisted directory, programs with that directory whitelist will respect that permission and will only be able to read the file.
Notes
Chromium
Sometimes if you exit out of Chromium, it will keep running in the background. You will notice this in your firejail terminal. Press Control-C and Chromium is killed and the firejail ended (this is true for all firejailed programs/processes).
In order to fully fix this, simply go to Chromium's settings page and uncheck "Continue running background apps when Google Chrome is closed".
group and passwd
While a firejail is running, firejail will lock your /etc/group and /etc/passwd files, making it so no program can access or write data to them (even root). This is a security feature and not a bug. If your group or passwd files don't work correctly (groupadd error code 10), close all firejails then try again.
PulseAudio
Firejail profiles with --private-dev
will mount a tmpfs directory on top of /dev/shm
and, due to unresolved PA bug delete PulseAudio's shm files, causing audio to stop working in the process.
Adding enable-memfd = yes
to daemon.conf mitigates this, and will be the default value come PulseAudio 10.0. It is an imperfect solution because it doesn't fully solve it.