Linux is always perceived as a more secure OS than its counterparts. However, that doesn’t mean it’s completely immune to viruses, worms, and other evil stuff. Like any other operating system, it has its own set of limitations, and a lot is dependent on how the individual uses it.
Of course, nothing can guarantee absolute protection, but there are ways that make life very hard for viruses, worms, and hackers in general. If you are looking for such a solution, look no further, as in this tutorial we’ll be discussing a software, called Firejail, that can improve the security of your Linux system.
Improve your system’s security
In order to boost your Linux box’s security, you need to install and use Firejail. It’s basically an SUID program that restricts the running environment of untrusted applications, reducing the risk of security breaches. Behind the scenes, what Firejail does is it enables a process as well as its children to have their own private view of the globally-shared kernel resources, including the network stack, process table, and mount table.
The application is written in C language and doesn’t have any dependencies. Of course, it has some requirements. For example, it’s only compatible with Linux machines running a 3.x kernel version or newer. As for what kind of processes the tool can sandbox, the answer is “any.” Yes, you can use it with servers and graphical applications, as well as games and user login sessions.
Installation
The utility can be downloaded from the project’s SourceForge page or from the Download section on the tool’s official website.
The download page comes with .tar, .deb and .rpm packages and also for both 32- and 64-bit architecture. Since I am using Ubuntu, I downloaded the .deb package and installed it using the GDebi package installer.
Usage
Now, to sandbox a process, all you have to do is to pass the corresponding application’s name as an argument to the firejail command. For example, to sandbox the Firefox web browser using Firejail, run the following command:
firejail firefox
While the output logs on the command line should be enough to give you the idea that Firefox is now running in a sandboxed form, to see how Firejail restricts the web browser’s access, try opening a file (File -> Open) from the Firefox window. You’ll see that the list of locations available to the app has been curtailed.
For comparison, here’s the list when Firefox is run without Firejail.
It’s worth mentioning that Firejail mounts a temporary “tmpfs” filesystem on top of the “/home/user” directory. Any files created in this directory will be deleted once the sandbox exits.
The tool includes security profiles for a large number of Linux programs. To give you a better idea on what exactly security profiles are, think of them as configuration files that contain rules defining, for example, which file accesses are allowed and which are not. For more information on Firejail sandboxing as well as how to create and customize security profiles, head to the tool’s documentation.
Those who aren’t much into the command line will be glad to know that there is a GUI for the Firejail security sandbox, and it’s known as Firetools. Built using Qt4/Qt5 libraries, this tool comes as a separate package. It provides a sandbox launcher integrated with the system tray, sandbox editing, management, and statistics.
To install Firetools, head to this page, download the package compatible with your system, and install accordingly. Once you are done with the installation part, run the utility using the following command:
firetools
Conclusion
It doesn’t matter which OS you are using, – you should never let the security aspect slip from your mind in the first place. And if your system contains sensitive information in the form of, say, documents, files, or pictures, system security should be at the top of your priority list. For Linux, the solution we’ve discussed in this article is easy to set up and use. Plus, a lot of documentation is available on it in case you need help. Do give it a try.
Our latest tutorials delivered straight to your inbox
