Firejail, an application isolation system, arrives with its new version 0.9.62


Firejail is a framework that provides a system for the isolated execution of graphical, console and server applications. Using Firejail minimizes the risk of compromising the main system when running untrusted or potentially vulnerable programs. The program is written in C, distributed under the GPLv2 license and can work on any Linux distribution.

Firejail uses namespaces, AppArmor, and system call filtering (seccomp-bpf) on Linux for isolation. Once started, the program and all of its child processes use separate views of kernel resources, such as the network stack, process table, and mount points.

Dependent applications can be combined in a common sandbox. If desired, Firejail can also be used to start Docker, LXC, and OpenVZ containers.

About Firejail

Unlike container isolation tools, Firejail is extremely simple to configure and does not require the preparation of a system image: the composition of the container is formed based on the contents of the current file system and is removed after the application ends.

It provides flexible tools for setting file system access rules. You can determine which files and directories are allowed or denied access, connect temporary file systems (tmpfs) for data, restrict files or directories to read-only access, and combine directories using bind-mount and overlayfs.

For a large number of popular applications, including Firefox, Chromium and VLC, among others, ready-made system call isolation profiles have been prepared.

To obtain the necessary privileges to set up a sandbox, the firejail executable is installed with the SUID root flag (after initialization, the privileges are reset).

What's new in Firejail 0.9.62?

The highlight of this new version is that it comes with more profiles for starting applications in isolation, bringing the total number of profiles to 884.

In addition, a file copy limit setting has been added to the config file /etc/firejail/firejail.config. This allows you to limit the size of the files that will be copied to memory when using the "--private-*" options (by default, the limit is set to 500MB).

The chroot call is no longer performed based on the path; instead, it uses mount points based on the file descriptor.
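Working from a file descriptor rather than a path matters in a SUID program because a path can be re-pointed between the moment it is checked and the moment it is used. The following is an added example, not Firejail's source code, of the general pattern on Linux; the function names, the ownership and mode policy, and the /tmp paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Resolve the directory once. O_NOFOLLOW makes open() fail when the final
 * path component is a symlink; the descriptor then pins that inode. */
int pin_dir(const char *path) {
    return open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* Check the pinned inode, not the path: a directory owned by `owner` that
 * group and others cannot write to (assumed policy). Returns 1 if it passes. */
int pinned_dir_ok(int fd, uid_t owner) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == owner &&
           !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Does `path` still name the inode that `fd` pins? 0 means it was swapped. */
int path_matches_fd(const char *path, int fd) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0) return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Name of the pinned inode that a privileged caller can hand to mount(2)
 * in place of the original path. Returns 0 on success, -1 if buf is small. */
int fd_mount_source(int fd, char *buf, size_t len) {
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void) {
    char dir[] = "/tmp/pin-demo-XXXXXX", moved[64], src[64]; /* constructed */
    int fd = mkdtemp(dir) ? pin_dir(dir) : -1;
    if (fd < 0) return 1;
    /* Simulate a swap after the check: move the directory, leave a symlink. */
    snprintf(moved, sizeof moved, "%s.orig", dir);
    if (rename(dir, moved) != 0 || symlink("/", dir) != 0) return 1;
    fd_mount_source(fd, src, sizeof src);
    printf("path matches fd: %d, fd still ok: %d, mount source: %s\n",
           path_matches_fd(dir, fd), pinned_dir_ok(fd, geteuid()), src);
    unlink(dir); rmdir(moved); close(fd);
    return 0;
}
```

After the simulated swap the path resolves to a different inode, while the descriptor still refers to the directory that was validated, so any mount made through the descriptor acts on the checked directory.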

Of the other changes:

  • In profiles, the use of debuggers is allowed.
  • Improved filtering of system calls using the seccomp mechanism.
  • Automatic detection of compiler flags is provided.
  • The /usr/share directory is whitelisted for a variety of profiles.
  • New helper scripts gdb-firejail.sh and sort.py have been added to the contrib section.
  • Enhanced protection in the privileged code execution stage (SUID).
  • For profiles, new conditionals HAS_X11 and HAS_NET are implemented to verify the presence of the X server and access to the network.

How to install Firejail on Linux?

If you are interested in installing Firejail on your Linux distribution, you can do so by following the instructions below.

On Debian, Ubuntu and derivatives, installation is quite simple, since you can install Firejail from the repositories of your distribution or download the prepared deb packages from SourceForge.

If you choose to install from the repositories, just open a terminal and execute the following command:

sudo apt-get install firejail

If you decided to download the deb packages instead, you can install them with your preferred package manager or from the terminal with the command:

sudo dpkg -i firejail_0.9.62_1*.deb

On Arch Linux and its derivatives, just run:

sudo pacman -S firejail

For Fedora, RHEL, CentOS, openSUSE or any other distro with support for rpm packages, you can get the packages from the following link.

And the installation is done with:

sudo rpm -i firejail-0.9.62-1.x86_64.rpm

Configuration

Once the installation is done, we have to configure the sandbox, and we also need to have AppArmor enabled.

From a terminal, type:

sudo firecfg

sudo apparmor_parser -r /etc/apparmor.d/firejail-default

To learn about its use and integration, you can consult its guide at the following link.

