Firejail

Revision as of 12:07, 18 January 2023 by Krotesk

Introduction

Firejail (https://github.com/netblue30/firejail) is a very easy-to-use program originally developed to improve the security of Firefox by isolating (sandboxing) it from the rest of the system. Firejail is not limited to this and can be used for many parts of your system at once. It is worth reading more about this on the Firejail site (linked above).

From the GitHub page:

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.


Installing firejail

Firejail is available in the repos. Install it using your graphical package manager or with pacman.

sudo pacman -S firejail


Using Firejail

Simply prefix your command or application with firejail. Example:

firejail firefox

You can even integrate firejail into your whole desktop, so that every application you launch uses the firejail sandbox if it is supported by default. To do this, run:

sudo firecfg

For a list of all supported applications see here


Graphical interface

The firejail team also develops a graphical user interface for firejail called firetools. It is available in the Arch User Repository.


Blocking an application's internet access

You can use the option --net=none to ensure firejail does not allow any network access, like so:

firejail --net=none thunderbird

But that option will also block local network access, such as access to shared folders. To keep local network access but block the application from accessing the internet, use the option --protocol=unix. Example:

firejail --protocol=unix thunderbird
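
To check what each of the two options actually restricts, the following probe can be run with and without the sandbox. It is an added example, not part of the original wiki page or the Firejail project; the file name netprobe.py and the verdict strings are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Probe the network access of the current process (added example).

Run it three ways and compare (netprobe.py is a hypothetical file name):
    python3 netprobe.py
    firejail --net=none python3 netprobe.py
    firejail --protocol=unix python3 netprobe.py
"""
import socket

FAMILIES = {"unix": socket.AF_UNIX, "inet": socket.AF_INET, "inet6": socket.AF_INET6}


def can_create(family):
    """True if socket() succeeds for this address family."""
    try:
        socket.socket(family, socket.SOCK_STREAM).close()
        return True
    except OSError:
        # Denied by a seccomp protocol filter, or unsupported by the kernel.
        return False


def interfaces():
    """Sorted interface names, or None if they cannot be listed."""
    try:
        return sorted(name for _, name in socket.if_nameindex())
    except OSError:
        return None


def probe():
    report = {name: can_create(fam) for name, fam in FAMILIES.items()}
    report["interfaces"] = interfaces()
    return report


def classify(report):
    """Reduce a probe() report to one verdict."""
    if not report["inet"] and not report["inet6"]:
        return "no IP sockets"       # expected under --protocol=unix
    if report["interfaces"] == ["lo"]:
        return "loopback only"       # expected under --net=none
    return "interfaces visible"      # expected without a network restriction


if __name__ == "__main__":
    result = probe()
    print(result)
    print("verdict:", classify(result))
```

Under --net=none the process gets a new network namespace whose only interface is a fresh loopback, while --protocol=unix filters the first argument of the socket system call through seccomp, so the two options show up as different verdicts.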