Firejail & Malicious Links: Protection Guide

TL;DR

Firejail can help protect against malicious links by sandboxing the applications that handle them (web browsers above all). It is not a complete solution: you need to configure Firejail correctly and understand its limitations. This guide explains how.

How Firejail Works

Firejail creates an isolated environment for a program using Linux namespaces, seccomp system-call filtering and capability dropping. If a malicious link makes the program do something harmful (install software, read your files), the damage is contained within that sandbox. It doesn’t prevent you from clicking the link, but it limits what the program can do after you click.

Protecting Against Malicious Links with Firejails

  1. Identify the Application: Determine which application opens links when you click them. Common examples are web browsers (Firefox, Chrome), email clients (Thunderbird), and instant messaging apps.
  2. Create a Profile: For each application, create a dedicated Firejail profile: a plain text file with one option per line. Firejail looks for profiles in ~/.config/firejail/ and /etc/firejail/. The options from step 3 go into this file, and you launch the application with it as your normal user (not with sudo; Firejail is a setuid helper that drops privileges itself, and running it under sudo would put a root session inside the sandbox):
    firejail --profile=/etc/firejail/browser.profile firefox
  3. Configure Restrictions (Essential): Within your profile, set strict limitations. Here’s a breakdown of important settings:
    • Private: Use private-dev and private-tmp to give the application its own minimal /dev and an empty /tmp, and private-home with a comma-separated list so the sandbox sees a temporary home containing only those items (plain private gives a throwaway, empty home instead; private-home without an argument is a profile error).
      private-dev
      private-tmp
      private-home .mozilla,Downloads
    • No Network Access (Initially): Start by denying network access completely with net none, which gives the sandbox an unconnected network namespace. This is the safest approach; you can selectively allow access later (step 5). nonewprivs is unrelated to networking but belongs in every profile: it stops the sandboxed process from gaining privileges through setuid binaries.
      net none
      nonewprivs
    • Disable IPC: Inter-Process Communication (System V shared memory, semaphores and message queues) lets a compromised process reach other processes on the host. Give the sandbox its own IPC namespace.
      ipc-namespace
    • Read-Only Access to Important Directories: Make system directories read-only where possible.
      read-only /etc
      read-only /usr/share
    • Restrict What Can Run (Important): Firejail's whitelist option controls which paths are visible, not which programs may execute, and whitelisting inside /usr/lib would hide the shared libraries the browser needs to start. To stop a script or binary dropped into a writable directory from running, remount those directories no-exec and enable the seccomp system-call filter:
      noexec ${HOME}
      noexec /tmp
      seccomp
  4. Test Your Profile: Launch the application using Firejails and test it thoroughly. Try opening known safe websites first to ensure basic functionality works.
    firejail --profile=/etc/firejail/browser.profile firefox
  5. Gradually Allow Network Access (If Needed): If the application requires network access, replace net none with a connected network namespace on a host interface and attach a packet filter. Firejail's netfilter option loads an iptables rule set (iptables-save format; Firejail ships /etc/firejail/nolocal.net as a starting point), so restrictions are expressed by IP address and port; it cannot match on domain names. The interface name and rules file below are placeholders for your own:
    net eth0
    netfilter /etc/firejail/browser-rules.net
  6. Monitor and Update: Regularly review your Firejail profiles and update them as the application changes or new vulnerabilities are discovered. Check for updates to Firejail itself.
    sudo apt update && sudo apt upgrade firejail  # Debian/Ubuntu
  7. Consider Additional Security Measures: Firejail is one layer of security. Combine it with other tools like:
    • Antivirus Software: For detecting known malware.
    • Ad Blockers: To prevent malicious ads from loading.
    • NoScript/uMatrix: To control JavaScript and other scripts.
    • Safe Browsing Extensions: Like those provided by Google or your browser vendor.
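The profile options in steps 3 and 5 are easy to get wrong: an option spelled differently from the man page, one that needs an argument left bare, a whitelist that hides /usr, or netfilter without a net interface. The following Python checker is an added example, not part of the original post or of the Firejail project; it parses a profile file and flags those cases. The option table covers only the options used in this guide, and the draft profile it checks is constructed.

```python
# Added example: a checker for the profile mistakes this guide corrects.
# KNOWN lists only the Firejail profile options used in this guide
# (True = the option needs an argument); a full checker would carry
# the complete option list from the firejail-profile man page.
KNOWN = {
    "private-dev": False, "private-tmp": False, "private": False,
    "private-home": True, "net": True, "netfilter": False, "nonewprivs": False,
    "ipc-namespace": False, "read-only": True, "whitelist": True,
    "noexec": True, "seccomp": False, "include": True,
}

def parse_profile(text):
    """Yield (line_no, option, argument) for each non-comment, non-blank line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            opt, _, arg = line.partition(" ")
            yield no, opt, arg.strip()

def check_profile(text):
    """Return [(line_no, message), ...] for the problems this guide warns about."""
    options = list(parse_profile(text))
    # netfilter only has an effect when 'net <interface>' creates a connected namespace
    connected = any(o == "net" and a != "none" for _, o, a in options)
    findings = []
    for no, opt, arg in options:
        if opt not in KNOWN:
            findings.append((no, f"unknown option '{opt}'"))
        elif KNOWN[opt] and not arg:
            findings.append((no, f"'{opt}' needs an argument"))
        elif opt == "whitelist" and arg.startswith("/usr"):
            findings.append((no, "whitelist under /usr hides the shared libraries the browser needs"))
        elif opt == "netfilter" and not connected:
            findings.append((no, "netfilter has no effect without 'net <interface>'"))
    return findings

# Constructed sample: a first-draft browser profile with the classic mistakes.
DRAFT = """\
# browser.profile, first attempt
private-dev
private-home
network none
ipc-namespace
whitelist /usr/lib/firefox/*
netfilter
"""

if __name__ == "__main__":
    for no, msg in check_profile(DRAFT):
        print(f"line {no}: {msg}")
```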

Limitations

  • Zero-Day Exploits: Firejail can’t protect against completely new vulnerabilities that haven’t been discovered yet, particularly ones in the kernel or in Firejail itself, which the sandbox relies on.
  • Configuration Errors: A poorly configured profile can be ineffective or even create security holes.
  • Resource Intensive: Sandboxing adds overhead, which may slightly slow down the application.
  • Compatibility Issues: Some applications may not work correctly within a Firejails sandbox.