Features

 

Contents

 

• Linux Namespaces
• Access Control
• Security Filters
• Networking
• Security Profiles
• Universal Packaging Formats
• Statistics and Monitoring
• Graphical User Interface

 

This is a short list of the features and technologies behind Firejail:

 

Linux namespaces

Technology Presentation

The core technology is Linux Namespaces, a lightweight form of virtualization. Basically, the app gets its own filesystem, network stack, and kernel interface.

 

Access Control

On top of the regular file system, we deploy a very efficient Mandatory Access Control. It restricts application access to the underlying file system on a file by file basis.

 

Virtual home directory in Mozilla Firefox

 

Security filters

The following security filters are currently implemented:

• seccomp-bpf – reduce the attack surface of the kernel by attaching a system call filter to the processes running inside the sandbox.
• communication protocol filter – most default profiles allow only UNIX, IPv4 and IPv6 communication protocols.
• noroot user namespace – install a user namespace with only one valid user, the current user.
• Linux capabilities – a set of distinct root privileges that can be independently enabled or disabled (POSIX 1003.1e).
• X11 sandboxing support is built around two external X11 server software packages, Xpra and Xephyr.
• D-BUS filtering
• AppArmor and SELinux support if available on the host system.

 

An Openbox desktop manager running in a Xephyr/X11 Firejail sandbox

 

Networking

 

Network namespace configured in a Firejail sandbox

Firejail can attach a new, isolated TCP/IP stack to the sandbox. The new stack comes with its own routing table, firewall, and set of interfaces. We support classic firewall filter configurations based on iptables, and dynamic firewall filters (see –netlock).

Firejail inspects the network traffic (see –nettrace), and allows the user to analyze and monitor application behavior.

Network trace

 

Network stats

 

Security profiles

Located in /etc/firejail directory, profile files describe the filesystem container, the security filters and network configuration for each application supported by default by Firejail. Currently, more than 1000 different applications are supported,

 

Default profile statistics describing the various technologies used by Firejail. More than 1000 application profiles are available by default in /etc/firejail as of version 0.9.64.

 

Universal packaging formats

Firejail supports AppImage packaging format natively. Simply add –appimage command line option and the package is mounted and run inside the sandbox.

 

Statistics and monitoring

Firejail provides a large number of options to track all the aspects of sandboxed applications. This includes monitoring CPU/memory/bandwidth usage, tracing system calls, monitoring exec and fork events, and logging accesses to blacklisted files and directories.

Monitoring sandboxes with “firejail –top”

 

We also have available a simple auditing tool, jailcheck. Running as root, the program attaches itself to all running sandboxes, and looks for possible security problems with user configuration.

 

jailcheck, a simple tool for auditing sandboxes

Graphical user interface

A GUI application, Firetools, is available as a separate software package.

 

Firefox Aurora sandbox statistics