- Sep 30, 2005
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table and IPC space.
The sandbox runs a chroot filesystem built on the fly on top of your current filesystem. Directories are either mounted read-only or totally cleared, files with passwords and encryption keys are blocked, and your private information in your home directory is unavailable. In fact, only two directories are imported from your home, ~/.mozilla and ~/Downloads. All the modifications in these directories are persistent. Everything else is created in a temporary filesystem and will be discarded when the browser is closed.
Oh and if you think that as a Chrome user you do not need this program as you are fully sandboxed in Chrome...
Private mode always starts the browser with factory defaults, protecting it from malicious addons and plugins the user might have installed in the past. It is mainly used for accessing bank websites and the like:
$ firejail --private firefox
For more information about private mode and high-security browser setups, see part 3 of this series.
Even penguins can do with a bit of security.
The funny part is that the Chromium browser sandboxes itself in its own Linux-namespaces SUID sandbox, so what you have here is a sandbox in a sandbox running a browser. The Chromium sandbox is similar to Firejail: it implements its own seccomp filter, but it leaves the filesystem wide open.
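The filesystem policy described above (only ~/.mozilla and ~/Downloads persist, everything else cleared or read-only, key material blocked) can be written down as a Firejail profile instead of being left to the default browser profile. The script below is an added example, not code from the post or from the Firejail project: it writes such a profile, writes a deliberately weak one next to it for comparison, and runs a small lint over a profile to confirm the hardening directives are present before the profile is deployed. The directive names (whitelist, read-only, private-tmp, private-dev, noroot, caps.drop, seccomp, netfilter, include) are Firejail's own; the profile file name and the use of /etc/firejail/disable-common.inc as the stock include that blocks password and key files are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post or of Firejail itself).
# Builds a locked-down browser profile implementing the policy the post
# describes, plus a lint that checks a profile for the expected controls.

# Write the hardened profile to the path given in $1.
# ${HOME} is left unexpanded on purpose: Firejail expands it at sandbox start.
write_browser_profile() {
  cat > "$1" <<'EOF'
# firefox-locked.profile (constructed example)
# Stock Firejail include that blacklists ~/.ssh, ~/.gnupg and similar key and
# password stores (path assumed; adjust to your distribution).
include /etc/firejail/disable-common.inc
# Only these two home directories are visible and persistent; the rest of
# $HOME is replaced by an empty tmpfs that is discarded on exit.
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
# System configuration is visible but cannot be modified from the sandbox.
read-only /etc
# Fresh, private /tmp and /dev so other users' sockets and devices are hidden.
private-tmp
private-dev
# No way to become root inside the sandbox, no capabilities, syscall filter on.
noroot
caps.drop all
seccomp
# Default outbound-only netfilter rules.
netfilter
EOF
}

# Write a weak profile to $1: the whole home directory is exposed and no
# privilege or syscall restrictions are applied. Used to show what the lint catches.
write_weak_profile() {
  cat > "$1" <<'EOF'
# firefox-weak.profile (constructed example, for comparison only)
whitelist ${HOME}
netfilter
EOF
}

# Lint: every required directive must appear as a complete line in the profile.
# Prints each missing directive and returns 1 if anything is missing, 0 otherwise.
lint_profile() {
  profile="$1"
  missing=0
  for d in "caps.drop all" "seccomp" "noroot" "private-tmp" "private-dev" "read-only /etc"; do
    # -x: match the whole line, -F: literal (caps.drop contains a regex '.')
    if ! grep -qxF "$d" "$profile"; then
      echo "missing: $d"
      missing=1
    fi
  done
  return $missing
}

# Number of whitelist lines; the post's policy imports exactly two directories.
count_whitelists() {
  grep -c '^whitelist ' "$1"
}

# Stand-alone usage: generate both profiles and lint them.
# Run the browser under the hardened profile with:
#   firejail --profile=./firefox-locked.profile firefox
if [ "${0##*/}" = "firejail_profile_lint.sh" ]; then
  write_browser_profile ./firefox-locked.profile
  write_weak_profile ./firefox-weak.profile
  lint_profile ./firefox-locked.profile && echo "firefox-locked.profile: OK"
  lint_profile ./firefox-weak.profile || echo "firefox-weak.profile: NOT hardened"
fi
```

The lint is intentionally literal: it checks for the exact directive lines rather than trying to reason about Firejail's option semantics, so a profile that spells a control differently (for example a custom seccomp list instead of the bare `seccomp` line) will be flagged and should be reviewed by hand rather than silently accepted.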