Firejail - pseudo-Containers for Linux

Posted by JD 06/04/2016 at 17:00

The firejail project is new to me. It takes all those security efforts added to the Linux kernel over the years (namespaces, seccomp, capabilities and so on) and makes them available for end-user programs. These are specifically designed for GUI programs. How cool is that?

Installation

For Ubuntu 16.04, it is as simple as

sudo apt install firejail

14.04 doesn't appear to have firejail in the stock repos.

An Example Scenario

Suppose you need to run a modern browser without any added blocking (extensions and the like) to perform something, perhaps printing airline boarding passes.

$ firejail --private chromium-browser &

This will start the Chromium browser inside a private container where all writable storage is temporary and only available to THAT program. The other parts of the OS are available as read-only. So when I've downloaded the PDF file to be printed into ~/Downloads/, it doesn't actually show up in the ~/Downloads/ directory seen outside the container. That also means that any other unknown, unexpected changes due to bugs in the program aren't left on the main system either.

Running the same command again, while the first browser is still running, will create a NEW container with a new, private file system. Checking the ~/Downloads/ folder and seeing that anything downloaded by the other instance isn't there should prove it.

Another Example Scenario

Suppose you want to teach someone new on your box, but don't entirely trust him/her. Just start up a fresh terminal window and everything opened under it will be inside the same container:

$ firejail --private xterm -sb &

Launch other programs, look around the file system. Let them use sudo, whatever. None of their changes/mistakes will be there when that terminal is closed. sudo doesn't actually work, because the virtual userid provided, while having the same name, is not in the same groups. /tmp/ is shared by the container and the host OS, so use that to move files in and out of the protected container. However, both /root/ and /home/ are tmpfs inside the jail, so anything written there is gone when it exits:

tmpfs             1989560        8   1989552   1% /home
tmpfs             1989560        0   1989560   0% /root

Also, the process table is highly restricted. Under bash (actually started in an xterm), I saw only 4 processes in top.

$ ps aux
USER PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
65534  1  0.0  0.0  14068   192 pts/0    S+   10:55   0:00 firejail --priv
fu     2  0.0  0.1  83448  7320 pts/0    R+   10:55   0:00 xterm -sb
fu     4  0.0  0.1  29700  5372 pts/4    Ss   10:55   0:00 bash
fu    40  0.0  0.0  44432  3276 pts/4    R+   11:05   0:00 ps aux

I created a file in my HOME, then looked for it from outside the jail. Not there. Nice. In fact, it appears that a completely fresh HOME directory was created. My custom .bashrc was not copied over.

I'm impressed. This is some pretty cool crap!
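The two observations above (a file created in the jail's HOME does not show up in the real HOME, and the jail sees only a handful of processes) can be checked by a script. The one below is an added example and not part of the original post; it assumes firejail is installed and on PATH, and each check returns 2 ("skipped") instead of a wrong answer when it is not. The marker file name, the use of /proc to count processes, and the threshold of ten processes are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: check the --private claims.
# Assumes firejail is on PATH; each check returns 2 ("skipped") if not.

# Return 0 if a file created in the jail's HOME is NOT visible in the real
# HOME, 1 if it leaked out, 2 if firejail is unavailable.
private_home_isolated() {
    command -v firejail >/dev/null 2>&1 || return 2
    marker="fj_marker_$$"            # constructed file name
    rm -f "$HOME/$marker"
    # Inside the jail HOME is a fresh tmpfs, so the file lands only there.
    firejail --quiet --private sh -c \
        "touch \"\$HOME/$marker\" && test -f \"\$HOME/$marker\"" || return 1
    if [ -e "$HOME/$marker" ]; then
        rm -f "$HOME/$marker"
        return 1
    fi
    return 0
}

# Return 0 if the jail's /proc lists at most 10 processes (the jail gets its
# own PID namespace), 1 if it lists more, 2 if firejail is unavailable.
jail_process_table_small() {
    command -v firejail >/dev/null 2>&1 || return 2
    count=$(firejail --quiet --private sh -c 'ls /proc | grep -c "^[0-9]"') \
        || return 1
    [ "$count" -le 10 ]
}

# Usage: print a one-line verdict per check.
report() {
    "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: ok" ;;
        2) echo "$1: skipped (firejail not installed)" ;;
        *) echo "$1: FAILED" ;;
    esac
}
report private_home_isolated
report jail_process_table_small
```

Run it once from a normal shell and, to see the difference, once more from inside a `firejail --private xterm`: nested jails are not the point here, so the second run is expected to complain rather than pass.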

The Profiles are Key

Each program run inside a firejail (container) is set up with specific access rights, like any other container. Over 50 popular programs have profiles: chromium, chrome, firefox, thunderbird, mplayer, kmail, weechat, xchat, skype, dropbox and seamonkey are just a few. There is also a generic profile which gets used for everything else.

You can look at the profiles. They are fairly simple. If you don't use the --private option, then the normal files in the userid's HOME will be read-write, but other places are blocked.
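To make "fairly simple" concrete, here is an added example of a small custom profile and a helper that runs a command under it with --profile. This is my own construction, not a profile that ships with firejail. The directives used (blacklist, read-only, private-tmp, caps.drop, nonewprivs, noroot, seccomp) are standard firejail profile keywords; the name demo.profile and the paths it protects are my choices. The script assumes firejail is on PATH and reports "skipped" otherwise.

```shell
#!/bin/sh
# Added example, not a profile that ships with firejail: a small custom
# profile and a helper that runs a command under it.

# Write the constructed demo profile to the given path and print that path.
write_demo_profile() {
    out="$1"
    cat > "$out" <<'EOF'
# demo.profile (constructed example): a locked-down but not --private jail.
# Keep secrets out of reach even though the rest of HOME stays read-write.
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
# Shell startup files should not be modifiable by the jailed program.
read-only ${HOME}/.bashrc
# Give this jail its own empty /tmp instead of sharing the host's.
private-tmp
# Drop every capability, forbid gaining privileges, and provide no root user.
caps.drop all
nonewprivs
noroot
# Default seccomp syscall filter.
seccomp
EOF
    printf '%s\n' "$out"
}

# Run a command under the demo profile. Returns the command's exit status,
# or 2 if firejail is unavailable.
run_with_demo_profile() {
    command -v firejail >/dev/null 2>&1 || return 2
    profile=$(write_demo_profile "${TMPDIR:-/tmp}/demo.profile")
    firejail --quiet --profile="$profile" "$@"
}

# Usage: ~/.ssh should look empty from inside the jail, whatever it holds outside.
run_with_demo_profile sh -c \
    '[ "$(ls -A "$HOME/.ssh" 2>/dev/null | wc -l)" -eq 0 ]' && rc=0 || rc=$?
case $rc in
    0) echo "~/.ssh is empty inside the jail" ;;
    2) echo "firejail not installed: skipped" ;;
    *) echo "check failed (exit $rc)" ;;
esac
```

A blacklisted path is not removed; firejail mounts an empty, read-only placeholder over it, which is why the check above looks for an empty directory rather than a missing one.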

Performance Considerations

Container overhead is really small. Startup is less than a second. I'm unsure why I wouldn't use firejail as an extra layer of protection. Performance wouldn't be a concern from what I've seen on a Chromebook.

Unexplored Options

So far, I've only played with firejail using the --private option. This isn't necessary and there may be good, useful reasons NOT to add that extra layer of file system protection.

Summary

I expect to use firejail for most internet-connected, hence most dangerous, programs, each inside a different jail. Programs like IRC or chat tools will be in --private environments. Running things like a normal Firefox or Thunderbird with that option sort of defeats all the usability that having bookmarks and old emails available provides. Plus, the existing profiles for these tools don't exist when --private is used.