Castle-security

Essential System Tools: Firejail – Excellent Security Sandboxing

Other Features

Networking support

Firejail can integrate its own TCP/IP networking stack to the sandbox. The new stack comes with its own routing table, firewall and set of interfaces. Implemented as a Linux namespace inside the kernel, the stack is totally independent of host network stack.

You can connect the TCP/IP network interface with an existing network bridge, which is useful for setting up a demilitarized zone (DMZ), or for testing.

Security profiles

Profile files describe the filesystem container, the security filters and network configuration.

In these security profiles, you can enable the –seccomp and –caps functions. Additionally, you can define which directories Firejail will not pass through to the sandbox, or where access will be restricted to read-only, and you can define mount points to match. You can also define limits for the sandbox.

Firejail can switch the sandbox to Private mode. Here, the sandbox hides the complete home directory specifically from the running software.

Resource allocation

Resources can be allocated using control groups and rlimits.

Packaging formats

There’s support for both AppImage and Snap packages. AppImage is a format for distributing portable software on Linux without needing superuser permissions to install the application. Snaps are containerised software packages that are simple to create and install. They auto-update and are safe to run.

Sandbox auditing

This feature helps users find any gaps in security profiles.

Other

There’s also options to monitor system resources, tracing system calls, and logging access to blacklisted files and directories.

Next page: Page 4 – Firetools

Pages in this article:
Page 1 – Introduction / Installation
Page 2 – In Operation
Page 3 – Other Features
Page 4 – Firetools
Page 5 – Summary

Share this article

Share your Thoughts

This site uses Akismet to reduce spam. Learn how your comment data is processed.