Difference between revisions of "Firejail"
m (added languages and translate tags) |
(Marked this version for translation) |
||
Line 3: | Line 3: | ||
<translate> | <translate> | ||
== Introduction == | == Introduction == <!--T:1--> | ||
<!--T:2--> | |||
[https://github.com/netblue30/firejail Firejail] is a very easy to use piece of software, initially developed to make Firefox more secure by isolating it (putting it in a sandbox) from the rest of your system. Firejail has developed beyond that & can be used simultaneously on many parts of your system. It is worth reading about on Firejail site (linked to above). | [https://github.com/netblue30/firejail Firejail] is a very easy to use piece of software, initially developed to make Firefox more secure by isolating it (putting it in a sandbox) from the rest of your system. Firejail has developed beyond that & can be used simultaneously on many parts of your system. It is worth reading about on Firejail site (linked to above). | ||
<!--T:3--> | |||
From the Github page: | From the Github page: | ||
<blockquote>Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.</blockquote> | <blockquote>Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.</blockquote> | ||
== Install firejail == | == Install firejail == <!--T:4--> | ||
<!--T:5--> | |||
Firejail is available in the repos. Install it using your graphical package manager or with pacman. | Firejail is available in the repos. Install it using your graphical package manager or with pacman. | ||
sudo pacman -S firejail | <!--T:6--> | ||
sudo pacman -S firejail | |||
== Using Firejail == | == Using Firejail == <!--T:7--> | ||
<!--T:8--> | |||
Simply prefix your command or application with ''firejail''. Example: | Simply prefix your command or application with ''firejail''. Example: | ||
firejail firefox | <!--T:9--> | ||
firejail firefox | |||
<!--T:10--> | |||
You can even integrate firejail into your whole desktop. Every application you launch will use the firejail sandbox if it is supported by default. To do this use the command | You can even integrate firejail into your whole desktop. Every application you launch will use the firejail sandbox if it is supported by default. To do this use the command | ||
sudo firecfg | <!--T:11--> | ||
sudo firecfg | |||
<!--T:12--> | |||
For a list of all supported applications see [https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config here] | For a list of all supported applications see [https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config here] | ||
== GUI == | == GUI == <!--T:13--> | ||
<!--T:14--> | |||
The firejail team also develops a graphical user interface for firejail called ''firetools''. It is available in the [[Arch User Repository]]. | The firejail team also develops a graphical user interface for firejail called ''firetools''. It is available in the [[Arch User Repository]]. | ||
== Block an application from accessing the internet == | == Block an application from accessing the internet == <!--T:15--> | ||
<!--T:16--> | |||
You can use the option ''–-net=none'' to ensure firejail does not allow any network access like so: | You can use the option ''–-net=none'' to ensure firejail does not allow any network access like so: | ||
firejail –-net=none thunderbird | <!--T:17--> | ||
firejail –-net=none thunderbird | |||
<!--T:18--> | |||
But that option will block local network access, such as access to shared folders. To still have local network access, but block the application from accessing the internet use option ''--protocol=unix''. Example: | But that option will block local network access, such as access to shared folders. To still have local network access, but block the application from accessing the internet use option ''--protocol=unix''. Example: | ||
firejail --protocol=unix thunderbird | <!--T:19--> | ||
firejail --protocol=unix thunderbird | |||
</translate> | </translate> | ||
[[Category:Contents Page{{#translation:}}]] | [[Category:Contents Page{{#translation:}}]] | ||
[[Category:Applications{{#translation:}}]] | [[Category:Applications{{#translation:}}]] |
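Review bot: the `–-net=none` option under "Block an application from accessing the internet" starts with an en dash followed by a hyphen, in both the sentence and the command line that this revision marks as T:16 and T:17, so the command fails when copied; change both to `--net=none` with two ASCII hyphens, as the `--protocol=unix` example already does. The command lines also become translation units of their own here (T:6, T:9, T:11, T:17, T:19); consider keeping them outside the translatable text so that a translation cannot alter them.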
Revision as of 16:42, 7 September 2021
Introduction
Firejail (https://github.com/netblue30/firejail) is a very easy-to-use piece of software, initially developed to make Firefox more secure by isolating it (putting it in a sandbox) from the rest of your system. Firejail has developed beyond that and can be used simultaneously on many parts of your system. The Firejail site (linked above) is worth reading.
From the GitHub page:
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Install firejail
Firejail is available in the repos. Install it using your graphical package manager or with pacman.
sudo pacman -S firejail
Using Firejail
Simply prefix your command or application with firejail. Example:
firejail firefox
You can even integrate firejail into your whole desktop. Every application you launch will then use the firejail sandbox if it is supported by default. To do this, use the command:
sudo firecfg
For a list of all supported applications, see https://github.com/netblue30/firejail/blob/master/src/firecfg/firecfg.config
GUI
The firejail team also develops a graphical user interface for firejail called firetools. It is available in the Arch User Repository.
Block an application from accessing the internet
You can use the option --net=none to ensure firejail does not allow any network access, like so:
firejail --net=none thunderbird
However, that option also blocks local network access, such as access to shared folders. To keep local network access but block the application from accessing the internet, use the option --protocol=unix. Example:
firejail --protocol=unix thunderbird
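To confirm that --net=none is actually in effect, you can check which network interfaces are visible inside the sandbox. The script below is an added example, not part of the original wiki page or of the Firejail project; the function names are hypothetical, both /proc/net/dev samples are constructed, and it assumes that `cat /proc/net/dev` can run under `firejail --noprofile`.

```shell
#!/bin/sh
# Added example: check that a --net=none sandbox exposes only the loopback
# interface. Function names are hypothetical; the sample data is constructed.

# list_ifaces: read /proc/net/dev-formatted text on stdin, print one
# interface name per line (the first two lines are column headers).
list_ifaces() {
    awk 'NR > 2 { sub(/:.*/, "", $0); gsub(/[ \t]/, "", $0); if ($0 != "") print $0 }'
}

# only_loopback: succeed only if stdin lists exactly one interface, "lo".
only_loopback() {
    names=$(list_ifaces | sort | tr '\n' ' ')
    [ "$names" = "lo " ]
}

# Constructed sample: /proc/net/dev on a host with a wired interface.
SAMPLE_HOST='Inter-|   Receive                  |  Transmit
 face |bytes    packets errs drop|bytes    packets errs drop
    lo:    4096      32    0    0     4096      32    0    0
enp3s0: 9876543    8100    0    0   123456    2100    0    0'

# Constructed sample: the same file as seen from an unconnected namespace.
SAMPLE_SANDBOX='Inter-|   Receive                  |  Transmit
 face |bytes    packets errs drop|bytes    packets errs drop
    lo:       0       0    0    0        0       0    0    0'

# check_net_none: run the real check against firejail, if it is installed.
# Returns 0 when only lo is visible, 1 otherwise, 2 if firejail is missing.
check_net_none() {
    command -v firejail >/dev/null 2>&1 || {
        echo "firejail is not installed" >&2
        return 2
    }
    if firejail --quiet --noprofile --net=none cat /proc/net/dev | only_loopback; then
        echo "OK: sandbox sees only the loopback interface"
    else
        echo "FAIL: sandbox sees interfaces other than lo"
        return 1
    fi
}

# Run the live check only when asked to, e.g.: sh check-net.sh --run
if [ "${1:-}" = "--run" ]; then
    check_net_none
fi
```

Run it with `--run` on a machine that has firejail installed; without that argument the script only defines the functions.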