Title: Firejail on Linux to sandbox all the things
       Author: Solène
       Date: 14 February 2021
       Tags: linux security sandbox
       Description: 
       
       # Introduction
       
       Firejail is a program that can prepare sandboxes to run other programs.
        This is an efficient way to keep a software isolated from the rest of
       the system without need of changing its source code, it works for
       network, graphical or daemons programs.
       You may want to sandbox programs you run in order to protect your
       system for any issue that could happen within the program (security
       breach, code mistake, unknown errors), like Steam once had a "rm -fr /"
       issue, using a sandbox that would have partially saved a part of the
       user directory.  Web browsers are major tools nowadays and yet they
       have access to the whole system and have many security issues
       discovered and exploited in the wild, running it in a sandbox can
       reduce the data a hacker could exfiltrate from the computer.  Of
       course, sandboxing comes with an usability tradeoff because if you only
       allow access to the ~/Downloads/ directory, you need to put files in
       this directory if you want to upload them, and you can only download
       files into this directory and then move them later where you really
       want to keep your files.
       
       # Installation
       
       On most Linux systems you will find a Firejail package that you can
       install.  If your distribution doesn't provide a Firejail package, it
       seems the installing from sources process is quite easy, and as the
       project is written in C with limited dependencies it may be easy to get
       the build process done.
       There are no service to enable and no kernel parameters to add. 
       Apparmor or SELinux features in kernel can be used to integrates into
       Firejail profiles if you want to.
       
       # Usage
       
       ## Start a program
       
       The simplest usage is to run a command by adding Firejail before the
       command name.
       
       ```shell command
       $ Firejail firefox
       ```
       
       ## Use a symlink
       
       Firejail has a neat feature to allow starting software by their name
       without calling Firejail explicitly, if you create a symbolic link in
       your $PATH using a program name but targeting Firejail, when you call
       that name Firejail will automatically now what you want to start.  The
       following example will run firefox when you call the symbolic link.
       
       ```shell command
       export PATH=~/bin/:$PATH
       $ ln -s /usr/bin/firejail ~/bin/firefox
       $ firefox
       ```
       
       ## Listing sandboxes
       
       There is a Firejail --list command that will tell you about all
       sandboxes running and what are their parameters.  As a first column the
       identifier is available for more Firejail features.
       
       ```shell command
       $ firejail --list
       6108:solene::/usr/bin/firejail /usr/bin/firefox 
       ```
       
       ## Limit bandwidth per program
       
       Firejail also has a neat feature that allows to limit the bandwidth
       available only for one sandbox environment.  Reusing previous list
       output, I will reduce firefox bandwidth, the number are in kB/s.
       
       ```shell command
       $ firejail --bandwidth=6108 set wlan0 1000 40
       ```
       
       You can find more information about this feature in the "TRAFFIC
       SHAPING" section of the Firejail man page.
       
       ## Restrict network access
       
       If for some reason you want to start a program with absolutely no
       network access, you can run a program and deny it any network.
       
       ```shell command
       $ firejail --net=none libreoffice
       ```
       
       # Conclusion
       
       Firejail is a neat way to start software into sandboxes without
       requiring any particular setup.  It may be more limited and maybe less
       reliable than OpenBSD programs who received unveil() features but it's
       a nice trade off between safety and required work within source code
       (literally none).  It is a very interesting project that proves to work
       easily on any Linux system, with a simple C source code with little
       dependencies.  I am not really familiar with Linux kernel and its
       features but Firejail seems to use seccomp-bpf and namespace, I guess
       they are complicated to use but powerful and Firejail comes here as a
       wrapper to automate all of this.
       
       Firejail has been proven to be USABLE and RELIABLE for me while my
       attempts at sandboxing Firefox with AppArmor were tedious and not
       optimal.  I really recommend it.
       
       # More resources
       
 (HTM) Official project website with releases and security information
 (HTM) Firejail sources and documentation
       
 (HTM) Community profiles 1
 (HTM) Community profiles 2