How to Use Firejail to Sandbox Applications in Debian 12 Bookworm

Learn how to use Firejail to sandbox applications on a Debian 12 Bookworm system.

Introduction

Security is a crucial aspect of modern computing, especially for users who frequently execute untrusted applications or browse the internet. One effective way to enhance security is by sandboxing applications, preventing them from accessing sensitive system resources. Firejail is a lightweight sandboxing tool that uses Linux namespaces to restrict an application’s access to system components. This guide provides a step-by-step approach to installing, configuring, and using Firejail to sandbox applications on a Debian 12 Bookworm system.


Understanding Firejail and Its Benefits

Firejail is an SUID (Set User ID) program that allows users to run applications in an isolated environment. The benefits of using Firejail include:

  • Enhanced security: It limits the application’s access to the system, reducing the impact of potential vulnerabilities.
  • Privacy protection: It can restrict applications from accessing personal files or network connections.
  • Reduced risk of malware: By confining an application’s permissions, Firejail mitigates the risk of malware affecting the entire system.
  • Lightweight nature: Unlike virtual machines or containers, Firejail has minimal overhead, making it efficient for desktop users.

Installing Firejail on Debian 12 Bookworm

Step 1: Update the System

Before installing Firejail, ensure your system is up-to-date:

sudo apt update && sudo apt upgrade -y

Step 2: Install Firejail

Firejail is available in Debian’s official repositories, making installation straightforward:

sudo apt install firejail -y

After installation, verify the version:

firejail --version

Step 3: Enable Firejail for Common Applications

Firejail includes default profiles for many popular applications. To check the available profiles, run:

ls /etc/firejail/

For example, to use Firejail with Firefox, simply run:

firejail firefox

This will start Firefox in a sandboxed environment.


Configuring Firejail for Better Security

Step 1: Using Default Profiles

Firejail provides predefined profiles for many applications, stored in /etc/firejail/. These profiles specify what system resources an application can access. To check the profile being used by an application, run:

firejail --tree

To apply Firejail globally to an application, use:

sudo ln -s /usr/bin/firejail /usr/local/bin/firefox

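Because /usr/local/bin comes before /usr/bin in Debian's default PATH, typing firefox now starts the symlink, and Firejail launches the real Firefox inside a sandbox. A launcher that calls /usr/bin/firefox by its full path bypasses the symlink.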

Step 2: Creating Custom Firejail Profiles

If the default profiles do not meet your needs, you can create a custom profile:

  1. Copy an existing profile as a base (create the per-user profile directory first if it does not exist):
     mkdir -p ~/.config/firejail
     cp /etc/firejail/default.profile ~/.config/firejail/custom.profile
  2. Edit the new profile:
     nano ~/.config/firejail/custom.profile
  3. Define restrictions. For example, to disable network access, add:
     net none
  4. Save and apply the profile:
     firejail --profile="$HOME/.config/firejail/custom.profile" firefox

Advanced Firejail Usage

Step 1: Running Applications Without Internet Access

To run an application without internet access, use:

firejail --net=none firefox

Step 2: Restricting File System Access

To prevent an application from accessing personal files:

firejail --private firefox

This creates a temporary home directory for the application that gets deleted upon closing.

Step 3: Enforcing Strict Security Policies

You can enable stricter security by using seccomp (Secure Computing Mode):

firejail --seccomp firefox

This restricts the application to a minimal set of system calls, reducing the risk of exploits.

Step 4: Running Applications with X11 Isolation

To prevent applications from capturing keyboard and screen inputs:

firejail --x11=xephyr firefox

This runs the application inside a separate X server.


Integrating Firejail with System Startups

To ensure certain applications always run in Firejail:

  1. Open the application’s .desktop file:
     nano ~/.local/share/applications/firefox.desktop
  2. Modify the Exec line:
     Exec=firejail firefox %u
  3. Save the file and restart your session.
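
A check for the two integrations described above (the /usr/local/bin symlink and the edited .desktop file), as an added example that is not part of the original guide. The function names, the FIREJAIL_BIN variable and the script name check-firejail.sh are assumptions made for this example; the default path matches the /usr/bin/firejail used earlier.

```shell
#!/bin/sh
# Added example: verify that a command or a .desktop launcher really goes
# through Firejail. FIREJAIL_BIN is an assumption; override it if needed.
FIREJAIL_BIN="${FIREJAIL_BIN:-/usr/bin/firejail}"

# Return 0 if command or path $1 is a symlink that resolves to firejail.
# A bare name is looked up on PATH, so a symlink in /usr/local/bin only
# counts when that directory is searched before the real binary's directory.
path_is_sandboxed() {
    found=$(command -v "$1" 2>/dev/null) || return 1
    [ -L "$found" ] || return 1
    [ "$(readlink -f "$found")" = "$(readlink -f "$FIREJAIL_BIN")" ]
}

# Print the first word of every Exec= command in .desktop file $1.
desktop_exec_words() {
    sed -n 's/^Exec[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Return 0 only if every Exec= line in $1 ends up inside Firejail, 1 if any
# line does not (or there is none), 2 if the file is unreadable. A .desktop
# file can hold several Exec= lines (one per action); a single unwrapped one
# is enough to start the application outside the sandbox.
desktop_is_sandboxed() {
    [ -r "$1" ] || return 2
    words=$(desktop_exec_words "$1")
    [ -n "$words" ] || return 1
    for w in $words; do
        case "$w" in
            firejail|*/firejail) ;;                    # explicit wrapper
            *) path_is_sandboxed "$w" || return 1 ;;   # must be the symlink
        esac
    done
    return 0
}

# Usage: sh check-firejail.sh ~/.local/share/applications/*.desktop
for f in "$@"; do
    if desktop_is_sandboxed "$f"; then echo "sandboxed:     $f"
    else echo "NOT sandboxed: $f"; fi
done
```

Run it again after package upgrades or desktop environment changes, since a replaced .desktop file or a reordered PATH silently removes the sandbox.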

Monitoring and Troubleshooting

Checking Active Sandboxes

To view running Firejail instances:

firejail --list

Debugging Issues

If an application does not work properly inside Firejail, try running it in debug mode:

firejail --debug firefox

This will provide logs to help diagnose issues.

Resetting Firejail Profiles

If custom profiles cause problems, restore the defaults:

sudo rm -r ~/.config/firejail/

Conclusion

Using Firejail on Debian 12 Bookworm is an effective way to enhance security without sacrificing system performance. By following this guide, you can confidently sandbox applications, protecting your files, network, and privacy from potential threats. Whether using default profiles or creating custom ones, Firejail provides a flexible and robust solution for securing your Linux environment.