This is the latest in our series of articles highlighting essential system tools. These are small, indispensable utilities, useful for system administrators as well as regular users of Linux-based systems. The series examines both graphical and text-based open source utilities. For details of all tools in this series, please check the table at the summary page of this article.
For this article, we’ll look at Firejail, a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, Linux capabilities and seccomp-bpf.
What are namespaces? They are a kernel mechanism that detaches a group of processes from one view of a system resource and gives them their own. In a mount namespace, for example, the processes see a different file system root with no access to the original file system. The same idea is applied to the other operating system layers (process IDs, networking, IPC and so on), so a sandboxed process effectively resides in its own small virtual operating system.
Capabilities are implemented in Linux using extended attributes in the security namespace (file capabilities live in the security.capability attribute). Historically, UNIX implementations segregated processes into two simple groups: root-privileged processes and unprivileged processes. That changed when capabilities were added in Linux kernel 2.2. Capabilities split the monolithic root privilege into smaller blocks (or sets) of permissions, which can be independently enabled or disabled on a per-thread basis.
The idea behind seccomp is to restrict the system calls a process can make. Seccomp filtering was introduced in Linux kernel 3.5 back in 2012, so it has been around for some time. seccomp-bpf (secure computing with Berkeley Packet Filter) adds an extra layer of security: a BPF program attached to the process decides which system calls it may use, which shrinks the part of the kernel's attack surface that the process can reach.
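The three controls described above all leave a trace in /proc/PID/status: the CapEff line is the effective capability mask, Seccomp is the seccomp mode (0 disabled, 1 strict, 2 filter) and NoNewPrivs shows whether the process can regain privileges via setuid binaries. The following POSIX shell script is an added example, not code from the Firejail project or this article, that decodes those fields so you can verify what a sandbox actually left a process with. It assumes a Linux /proc layout and a shell with 64-bit arithmetic; the status text at the bottom is a constructed sample, not captured output.

```shell
#!/bin/sh
# Added example (not Firejail's code): read the sandbox-relevant fields of a
# /proc/PID/status body and decode them into something a human can check.
# Works on a live process, e.g. summarize "$(cat /proc/self/status)", or on
# text captured earlier.

# Capability names in bit order, as numbered in linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# status_field FIELD TEXT: value of the "FIELD:" line in TEXT, or empty.
status_field() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# decode_caps HEXMASK: names of the capabilities whose bit is set in the
# mask (as printed by CapEff/CapPrm/CapBnd), separated by single spaces.
decode_caps() {
    mask=$(( 0x${1:-0} ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out cap_$name"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s' "${out# }"
}

# seccomp_mode_name MODE: meaning of the numeric Seccomp: field.
seccomp_mode_name() {
    case "$1" in
        0) printf 'disabled' ;;
        1) printf 'strict' ;;
        2) printf 'filter' ;;
        *) printf 'unknown' ;;
    esac
}

# summarize TEXT: one line per control for a /proc/PID/status body.
summarize() {
    caps=$(decode_caps "$(status_field CapEff "$1")")
    printf 'effective caps: %s\n' "${caps:-(none)}"
    printf 'seccomp: %s\n' "$(seccomp_mode_name "$(status_field Seccomp "$1")")"
    printf 'no_new_privs: %s\n' "$(status_field NoNewPrivs "$1")"
}

# Constructed sample in /proc/PID/status format (not real captured output):
# a process left with only CAP_NET_ADMIN and CAP_NET_RAW (bits 12 and 13),
# running under a seccomp filter with no_new_privs set.
SAMPLE_STATUS=$(printf 'Name:\tsample\nCapEff:\t0000000000003000\nNoNewPrivs:\t1\nSeccomp:\t2\n')

summarize "$SAMPLE_STATUS"
```

Run it inside a sandbox (for example by wrapping a shell with Firejail and pointing summarize at /proc/self/status) and outside it to compare: an unprivileged process normally shows no effective capabilities and seccomp disabled, while a sandboxed one should show seccomp in filter mode and whichever capabilities the profile deliberately kept.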
I often use a distribution’s packages to install software, but when it comes to security applications I prefer to compile and install from the project’s source code. Clone the project with git, then configure, compile and install with the following commands, typed at a shell:
$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure && make -j4 && sudo make -j4 install-strip
It is recommended that you integrate the sandbox into your desktop with the following commands:
$ firecfg --fix-sound
$ sudo firecfg
You’ll need to log out and log back in for the changes to take effect.