Firejail is a sandboxing tool that runs a process inside an isolated environment built from Linux kernel primitives: namespaces, seccomp-bpf system-call filtering, capability dropping and, optionally, cgroups and mandatory access control. The sandboxed process sees only a restricted view of the filesystem, the network and other processes, so a malicious or compromised program can do less damage to the host system and to the user's data. Note what the jail does and does not promise: it confines the code running inside it; it does not make that code trustworthy. Firejail itself is a setuid-root binary that builds the sandbox and then drops privileges, so its own attack surface is that of any setuid helper and it should be kept up to date.
Firejail combines several kernel features to build the jail and restrict the process. These include:
- Namespaces: Firejail uses Linux namespaces (mount, PID, network, IPC, UTS and, with --noroot, user) to give the process its own view of the filesystem, the process table and the network. Options such as --private (a throwaway home directory), the file blacklists in profiles, and --net=none are built on the mount and network namespaces.
- Seccomp: Firejail installs a seccomp-bpf filter (--seccomp) that rejects system calls the program has no business making, such as the ones used to load kernel modules or change kernel parameters; --seccomp=syscall,... adds further calls to the blocklist. A filter only blocks what is on its list, so it reduces the kernel attack surface rather than removing it.
- AppArmor and SELinux: where a mandatory access control system is enabled and enforcing, Firejail can layer it on top of the sandbox (--apparmor loads Firejail's own AppArmor profile; SELinux support depends on how Firejail was built). MAC adds a second boundary in case a namespace or profile rule is misconfigured, but it helps only on systems where the MAC system is actually active.
- cgroups and resource limits: Firejail can place the sandbox in an existing control group (--cgroup=) so that the CPU and memory limits configured there apply to it. Per-process limits are also available directly through the --rlimit-* options (for example --rlimit-nproc and --rlimit-as) and --cpu for CPU affinity.
firejail Command Examples
1. Integrate firejail with your desktop environment:
2. Open Mozilla Firefox in a sandbox (run as your regular user, not as root; Firejail is setuid and sets up the jail itself, then applies /etc/firejail/firefox.profile, which it selects by the program name):
# firejail firefox
3. Start a restricted Apache server on a known interface and address (--net=eth0 gives the sandbox its own network namespace attached to eth0 through a new interface layered on it, and --ip= assigns that interface a fixed address, so the server is reachable only at that address and sees no other interface):
# firejail --net=eth0 --ip=192.168.1.244 /etc/init.d/apache2 start
4. List running sandboxes (PID, owner and the command line each one was started with):
# firejail --list
5. List network activity from running sandboxes (per-sandbox RX/TX counters, a quick way to notice a jailed program that is unexpectedly talking to the network):
# firejail --netstats
6. Shut down a running sandbox, identified by the PID shown by --list (or by the name given with --name= when it was started):
# firejail --shutdown=7777
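The feature list above explains which kernel mechanisms Firejail uses, and the command examples show how to launch a sandbox; neither shows how to confirm that the restrictions are really in place. The following POSIX shell script is an added example, not code from the Firejail project or from this page: it launches a command under an explicitly tightened sandbox and checks the sandboxed process's own /proc/self/status for an active seccomp filter, the no_new_privs bit and an empty effective capability set. It assumes firejail is installed, that it is run as an unprivileged user, and that the kernel exposes the Seccomp, NoNewPrivs and CapEff fields in /proc/<pid>/status; the function names are this example's own.

```shell
#!/bin/sh
# Added example: launch a command in a tightened Firejail sandbox and verify,
# from the sandboxed process's own /proc/self/status, that the restrictions
# (seccomp filter, no_new_privs, no capabilities) are actually in effect.
# Assumes firejail is installed and that this runs as an unprivileged user.
# Function names here are this example's own, not Firejail's.

# Print one field of a /proc/<pid>/status-style file.
# $1 = field name without the colon (Seccomp, NoNewPrivs, CapEff, ...)
# $2 = path to the status file (default: the caller's own /proc/self/status)
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }' "${2:-/proc/self/status}"
}

# Succeed only when the status file shows:
#   Seccomp: 2      -> a seccomp-bpf filter is installed
#   NoNewPrivs: 1   -> setuid/setcap binaries cannot regain privilege
#   CapEff: 0...0   -> the effective capability set is empty
sandbox_ok() {
    file="${1:-/proc/self/status}"
    [ "$(status_field Seccomp "$file")" = "2" ] &&
    [ "$(status_field NoNewPrivs "$file")" = "1" ] &&
    [ "$(status_field CapEff "$file")" = "0000000000000000" ]
}

# Run `cat /proc/self/status` inside the sandbox: cat is the sandboxed
# process, so /proc/self is the jailed process's own status, and the
# redirection is set up by the outer shell before Firejail starts.
# Each flag maps to a feature from the list above:
#   --seccomp        default syscall filter        (seccomp-bpf)
#   --caps.drop=all  empty capability bounding set (capabilities)
#   --noroot         user namespace with no root   (namespaces)
#   --nonewprivs     PR_SET_NO_NEW_PRIVS
#   --private        throwaway home directory      (mount namespace)
#   --net=none       isolated network stack        (network namespace)
check_sandbox() {
    tmp=$(mktemp) || return 1
    firejail --quiet --seccomp --caps.drop=all --noroot --nonewprivs \
             --private --net=none -- cat /proc/self/status > "$tmp"
    if sandbox_ok "$tmp"; then
        echo "sandbox restrictions confirmed"
        rc=0
    else
        echo "sandbox check FAILED: Seccomp=$(status_field Seccomp "$tmp")" \
             "NoNewPrivs=$(status_field NoNewPrivs "$tmp")" \
             "CapEff=$(status_field CapEff "$tmp")"
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Only launch Firejail when explicitly asked, so the functions above can be
# sourced or tested without a sandbox being created.
case "${1:-}" in
    run) check_sandbox ;;
esac
```

Save it as firejail-check.sh and run `sh firejail-check.sh run`; while it runs, `firejail --list` shows the cat sandbox. The point of reading /proc/self/status from inside the jail rather than trusting the command line is that it reports what the kernel actually enforces: a typo in a profile, a build without seccomp support, or a flag overridden by a later one all show up as a failed check rather than a silently weaker sandbox.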