This is a small excerpt from a ISC Security Series webinar titled “Securing Bind 9 with AppArmor and Firejail”. ISC is a non-profit organization that develops several widely used open source software packages such as BIND 9, ISC DHCP, and Kea DHCP.
Firejail is a Linux security SUID program that drastically reduces the risk of security breaches by sandboxing the running environment of untrusted applications. Firejail achieves this by using Linux namespaces and seccomp-bpf which allows the attaching of a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel.
With Firejail installed, you can then launch applications from the command line, such that they have a private view of globally-shared kernel resources–such as the network stack. With this addition to your Linux platform, you’ll gain a heightened level of security to an already secure environment.
Firejail is not limited to graphical applications. In fact, Firejail can sandbox servers, GUI tools, and even user login sessions.
Believe it or not, Firejail is incredibly easy to use. I’m going to walk you through the process of installing and using Firejail.