Sometimes we need to run an application that we don’t trust, but we are afraid that it might look at or delete our personal data, since despite the fact that Linux frameworks are less inclined to malware, they are not completely immune. Possibly you need to get to a shady-sounding website. Or perhaps you need to access your bank account, or some other site managing delicate private data. You may put stock in the site, yet don’t believe the additional items or augmentations introduced in your program.
In each of the above cases, sandboxing is helpful. The thought is to limit the non-trusted application in a secluded compartment – a sandbox– so that it does not have access to our personal data, or the other applications on our system. While there is, a software called Sandboxie that does what we require, it is accessible for Microsoft Windows. But Linux users need not worry, since we have Firejail for the job.
So right away, let us see how to set up Fire jail on a Linux system and use it to sandbox apps in Linux:
If you are using Debian, Ubuntu, or Linux Mint, open up the Terminal, and enter the following command:
sudo apt install firejail
Enter your account password, and press Enter. If you are asked for a confirmation, type y, and press Enter again.
If you are using Fedora, or any other RedHat-based distribution, just replace apt with yum. The rest of the instructions remain the same:
sudo yum install firejail
You are now ready to run Firejail.
Optional: Install the Graphical Interface
You can select to install the official graphical front-end for Firejail called Firetools. It is not available in the official repositories, so we will have to manually install it.
- Download the installation file for your systemDebian, Ubuntu and Mint users should download the file ending with .deb. I am on a 64-bit Mint installation, so I selected
- After the download is complete, open the Terminal, and navigate to your Downloads folder by running
- Now install the Firetools package by running the command
sudo dpkg -i firetools*.deb.
- Enter your password, hit Enter, and you’re done.
In a Terminal, write
firejail, followed by the command that you need to run. For instance, to run Firefox:
Make sure to close all Firefox windows first. If you don’t, it will just open a new tab or window in the current session – negating any security benefit you would get from Firejail.
Similarly, for Google Chrome:
Running commands like this gives the application access to only a few needed configuration directories, and your Downloads folder. Access to whatever is left of the document framework, and the other directories in your Home folder is restricted. This can be shown by attempting to get to my home organizer from Chrome:
As you can see, most of my folders, including Pictures, Documents, and others are not accessible from the sandboxed chrome. If I still try to access them by modifying the URL, I will get a File not found error:
Restricting Applications Further:
Sometimes, you may require more restrictions, for instance, you might need to utilize a totally crisp program profile with no history, and no additional items. Suppose you don’t need your web browser to access your Downloads folder either. For that, we can utilize the private choice. Run the application as takes after:
firejail google-chrome –private This method completely restricts the application – it always starts in a fresh state, and cannot even create or download any new files.
Using the Graphical Interface – Firetools:
If you prefer to use a GUI instead of running a command every time, you can use the graphical front-end for Firejail called
Firetools. Open the Terminal, and run the command firetools. You will see a window like this:
You can double click on any pre-configured application (Firefox and VLC here) to run it sandboxed. If you need to add an application, right click on an empty space on the Firetools app, and click on Edit:
You can now enter the name, description, and the command that you need to run. The command would be the same as you would keep running in a comfort. For instance, to create an icon for Google Chrome that you need to keep running in private mode, you would input the following:
Now simply double-click the icon you just created to launch the app:
Run Doubtful Applications Securely on Linux With Firejail
That is, it from our side when it comes to sandboxing non-trusted apps in Linux with Firejail. If you wish to learn more about the advanced sandboxing options that Firejail offers, take a look at the official