Ubuntu App Sandboxing: Firejail Guide

TL;DR

Firejail is a simple, effective way to sandbox applications in Ubuntu. It doesn’t require complex configuration or virtual machines and provides good security with minimal performance impact.

Sandboxing Apps with Firejail: A Step-by-Step Guide

  1. Install Firejail

    Open a terminal and update your package list:

    sudo apt update

    Then, install Firejail:

    sudo apt install firejail
  2. Understand Profiles

    Firejail uses profiles to define the sandbox restrictions. These are text files that specify what resources an application can access.

    • Default Profile: Firejail has a default profile which provides basic security.
    • Application-Specific Profiles: Many common applications have pre-made profiles in /etc/firejail.
    • Creating Custom Profiles: You can create your own profiles for more granular control (see step 5).
  3. Run an Application with Firejail

    To run an application in a sandbox, use the firejail command followed by the application’s executable.

    firejail firefox

    This will launch Firefox within a sandbox. You can check if it is running sandboxed with:

    ps aux | grep firejail
  4. Using Pre-Made Profiles

    Check for an existing profile before creating your own.

    1. List available profiles:
      ls /etc/firejail
    2. If a profile exists (e.g., firefox.profile), use it:
      firejail --profile=/etc/firejail/firefox.profile firefox
  5. Create a Custom Profile

    If no suitable profile exists, create one.

    1. Copy the default profile as a starting point:
      cp /etc/firejail/default.profile ~/firefox.profile
    2. Edit the profile using your preferred text editor (e.g., nano):
      nano ~/firefox.profile
    3. Modify restrictions as needed. Common options include:
      • blacklist: Prevent access to specific files or directories.
      • whitelist: Allow access only to specified files or directories.
      • private: Create a private namespace for certain directories (e.g., /tmp, /home).
      • caps: Drop specific Linux capabilities.
    4. Example restriction to prevent access to your Downloads folder (profiles use Firejail's ${HOME} macro; shell variables such as $USER are not expanded):
      blacklist ${HOME}/Downloads
    5. Run the application with your custom profile:
      firejail --profile=~/firefox.profile firefox
  6. Firejail GUI (Optional)

    For a more user-friendly experience, you can use the Firejail GUI.

    1. Install the GUI:
      sudo apt install firetools
    2. Launch the GUI from your application menu or by typing firetools in a terminal.
    3. The GUI allows you to manage profiles and launch applications with specific settings.
  7. Persistent Sandboxes

    By default, changes made within the sandbox are lost when the application is closed. To make changes persistent:

    1. Edit your profile and add private-dev to create a private /dev directory.
      nano ~/firefox.profile

      Add:
      private-dev

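    2. Consider using a bind mount to share specific directories. Firejail separates the two paths with a comma, and --bind is only available when Firejail is run as root:
      mkdir -p ~/.sandbox/downloads
      firejail --profile=~/firefox.profile --bind=/home/$USER/Downloads,/home/$USER/.sandbox/downloads firefox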
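
An added example, not part of the original guide or of Firejail itself: a shell check for the custom profile from step 5. It flags blacklist and whitelist rules that protect nothing, either because the path contains a shell variable such as $USER (Firejail expands its own macros such as ${HOME} in profiles, not shell variables) or because the target does not exist. The function name lint_profile is hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): lint blacklist/whitelist rules in a
# Firejail profile. lint_profile is a hypothetical helper, not a Firejail command.
# Prints one finding per suspicious rule; returns 0 if clean, 1 otherwise.
lint_profile() {
    profile=$1
    macro='${HOME}'                     # Firejail's home-directory macro
    findings=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            blacklist\ *|whitelist\ *) ;;
            *) continue ;;              # comments, includes, other options
        esac
        path=${line#* }                 # text after the directive name
        # Remove Firejail-style ${MACRO} tokens; any "$" left is shell syntax
        # that Firejail will not expand, so the rule matches nothing useful.
        rest=$(printf '%s\n' "$path" | sed 's/\${[A-Z_]*}//g')
        case $rest in
            *\$*)
                echo "$profile:$lineno: shell variable not expanded: $path"
                findings=$((findings + 1))
                continue ;;
        esac
        # Resolve the two home-directory spellings so the target can be tested.
        case $path in
            "$macro"*) real=$HOME${path#"$macro"} ;;
            '~/'*)     real=$HOME/${path#'~/'} ;;
            *)         real=$path ;;
        esac
        case $real in
            *\$\{*|*\**) continue ;;    # other macros or globs: not resolved here
        esac
        if [ ! -e "$real" ]; then
            echo "$profile:$lineno: target does not exist: $path"
            findings=$((findings + 1))
        fi
    done < "$profile"
    [ "$findings" -eq 0 ]
}
```

Source the file and run lint_profile ~/firefox.profile before launching the application with the profile.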