Take a look at your Desktop and/or interface. Be it MATE (desktop/laptop), Phosh (Pinephone/Librem), or KDE. We use several buttons/shortcuts to programs everyday. Some of these need the internet. Some do not.
Have you minimized access to programs who do not need the internet? Did you know some programs secretly “call home” and share data/your IP address with 3rd parties (sometimes sold)? The most ideal setup is one which is restricted wherever possible, but not up to the point where your setup becomes unusable.
Here we are going to use a Hot Off the Press News example to demonstrate how to allow networking only to those programs requiring it (such as web browsers, encrypted messengers, etc). Other programs like VLC Media player, GIMP (image manipulation), and Libre Office do NOT need ANY networking for full functionality. So why do we allow it? Because this is default behavior, we accept it. We are going to change that today.
This is a small excerpt from a ISC Security Series webinar titled “Securing Bind 9 with AppArmor and Firejail”. ISC is a non-profit organization that develops several widely used open source software packages such as BIND 9, ISC DHCP, and Kea DHCP.
Firejail is a Linux security SUID program that drastically reduces the risk of security breaches by sandboxing the running environment of untrusted applications. Firejail achieves this by using Linux namespaces and seccomp-bpf which allows the attaching of a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel.
With Firejail installed, you can then launch applications from the command line, such that they have a private view of globally-shared kernel resources–such as the network stack. With this addition to your Linux platform, you’ll gain a heightened level of security to an already secure environment.
Firejail is not limited to graphical applications. In fact, Firejail can sandbox servers, GUI tools, and even user login sessions.
Believe it or not, Firejail is incredibly easy to use. I’m going to walk you through the process of installing and using Firejail.