Firejail is a security tool that allows you to run processes in a sandbox environment using Linux’s built-in namespace and cgroups capabilities. Essentially, it creates a “jail” or isolated environment for a process to run in, which limits its access to the host system and other processes. This can help prevent malicious or compromised processes from escaping the jail and causing damage to the host system or other processes.
Firejail uses a number of different features to create the jail and restrict the process’s access. These include:
- Namespaces: Firejail uses Linux’s namespace feature to isolate the process from the host system’s environment. This includes isolating the process’s view of the file system, network, and other resources.
- Seccomp: Firejail uses the seccomp (secure computing mode) feature to restrict the system calls that the process is allowed to make. This can help prevent the process from making dangerous or unauthorized system calls.
- Apparmor and SELinux: Firejail can also use Apparmor and SELinux (mandatory access control systems) to further restrict the process’s access to the host system.
- cgroups: Firejail uses cgroups (control groups) to limit the resources that the process can access, such as CPU and memory usage.
If you encounter the below error while running the command firejail:
firejail: command not found
you may try installing the below package as per your choice of distribution:
|Debian||apt-get install firejail|
|Ubuntu||apt-get install firejail|
|Alpine||pacman -S firejail|
|Arch Linux||apt-get install firejail|
|Kali Linux||brew install firejail|
|Fedora||apt-get install firejail|
|Raspbian||dnf install firejail|
firejail Command Examples
1. Integrate firejail with your desktop environment:
2. Open a restricted Mozilla Firefox:
# firejail firefox
3. Start a restricted Apache server on a known interface and address:
# firejail --net=eth0 --ip=192.168.1.244 /etc/init.d/apache2 start
4. List running sandboxes:
# firejail --list
5. List network activity from running sandboxes:
# firejail --netstats
6. Shutdown a running sandbox:
# firejail --shutdown=7777