Why on earth should I use Firejail?
Some existing Linux security solutions are easily defeated by internal or external threats. Others are just too difficult to put in place. Firejail’s approach is radically different.
For us, the user always comes first, so we keep the learning curve low. Most of the time you don’t need to learn anything: just prefix your application with “firejail” and run it. This makes Firejail ideal for the regular, not-so-skilled home user.
If you are running Linux in a business setting, you are not forgotten. Firejail won’t put a major dent in your IT budget and doesn’t require much in the way of new staff or skills either.
Also, we use the latest Linux kernel security features, such as namespaces and seccomp-bpf. In our view these features are mature, having been extensively tested in the marketplace by products such as Google Chrome and Docker.
How much does this cost?
Firejail is 100% free, you don’t have to pay anything. We publish the program under GPL v2 license. You are in control of the software, and you are in control of your data.
Why isn’t Firejail packaged by XYZ Linux distribution?
Firejail is a young project. As the project matures, Linux distros will package it if there is enough user interest. Currently, Firejail is included in Arch, Debian, Gentoo, NixOS, and Ubuntu – if you find another one, please let me know.
How does it compare with Docker, LXC, nspawn?
Docker, LXC and nspawn are container managers. A container is a separate root filesystem, and the software runs inside that new filesystem. Firejail is a security sandbox: it works on your existing filesystem, restricting what the application can see and do there. It is modeled after the security sandbox distributed with Google Chrome.
Containers and sandboxes use the same Linux kernel technology, Linux namespaces. The developer focus is different. Containers target the virtualization market, while sandboxes focus on application security.
I recently heard of the sandbox command (it uses SELinux I believe). What’s the advantage of using firejail instead of that?
As attacks become more and more sophisticated, new security features are added to the Linux kernel. A nice description is available here. Firejail uses a combination of these technologies and closely tracks new kernel developments.
What is the overhead of the sandbox?
The sandbox itself is a very small process. Setup is fast, typically under one second. After the application is started, the sandbox process goes to sleep and consumes no resources. All the security features are implemented inside the kernel and run at kernel speed.
It is very difficult to measure the effect of the various security technologies. Take for example the sandbox’s network namespace compared with the system network namespace: you are running in a network namespace anyway, so there should be no speed difference. The only kernel technology that can introduce a small delay is seccomp-bpf, because its filter is evaluated on every system call; the cost grows with the number of system calls the application makes, so only syscall-heavy workloads will notice it.
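If you want to measure the overhead yourself rather than take the claim on trust, the following script is an added example (not Firejail’s own code) that times a syscall-heavy loop once plainly and once under firejail. It assumes Linux with GNU date (for %N) and firejail on PATH; the function names and the default iteration count are this example’s own choices.

```sh
#!/bin/sh
# Added example, not Firejail's own code: measure the sandbox overhead on
# a syscall-heavy loop, since a seccomp-bpf filter runs on every system
# call and that is where any slowdown would appear. Assumes Linux with
# GNU date (for %N), and firejail on PATH for the sandboxed run.

# workload N: print a shell snippet that opens and closes /dev/null N
# times (about two system calls per iteration). The same snippet is run
# inside and outside the sandbox so the sandbox is the only difference.
workload() {
    printf 'i=0; while [ $i -lt %d ]; do : </dev/null; i=$((i+1)); done\n' "$1"
}

# elapsed_ms CMD...: run CMD with its output discarded and print the
# wall-clock time it took, in milliseconds.
elapsed_ms() {
    start=$(date +%s%N)
    "$@" >/dev/null 2>&1
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# compare N: time the workload plain and under `firejail --quiet`. There
# is no sh profile shipped, so the sandboxed run gets default.profile,
# seccomp filter included.
compare() {
    n=${1:-200000}
    plain=$(elapsed_ms sh -c "$(workload "$n")")
    jailed=$(elapsed_ms firejail --quiet sh -c "$(workload "$n")")
    echo "plain:    ${plain} ms"
    echo "firejail: ${jailed} ms (includes sandbox setup; raise N to amortize it)"
}

# Usage: sh sandbox-bench.sh run [N]
case "${1:-}" in
    run) compare "${2:-}" ;;
esac
```

The sandboxed figure includes the one-off setup time, so compare runs at a few different N: the difference that stays constant is setup, the difference that grows with N is the per-syscall filter cost.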
Firefox doesn’t open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance
By default, Firefox uses a single process to handle multiple windows. If you start the browser while another Firefox process is already running, the existing process opens a new tab or a new window instead, and that tab runs in the existing, unsandboxed process. Make sure Firefox is not already running when you start it in a Firejail sandbox.
I’ve noticed the title bar in Firefox shows “(as superuser)”, is this normal?
The sandbox process itself runs as root. The application inside the sandbox runs as a regular user. “ps aux | grep firefox” reports Firefox process running as a regular user.
The same problem was seen with other programs as well (VLC, Audacious, Transmission), and it is believed to be a bug in the window manager. You can find a very long discussion on the development site: https://github.com/netblue30/firejail/issues/258
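The two answers above amount to one check a practitioner wants before trusting a sandboxed Firefox: is there already a Firefox outside the sandbox that would swallow the new window? The launcher below is an added example, not Firejail’s own code. It finds Firefox processes, tests whether each one shares the caller’s PID namespace (Firejail unshares the PID namespace by default, so a sandboxed Firefox lives in a different one), and only then starts Firefox under firejail. It assumes Linux with /proc, ps, readlink and firejail on PATH; the function names and the “launch” argument are this example’s own choices.

```sh
#!/bin/sh
# Added example, not Firejail's own code: a launcher that refuses to start
# Firefox under Firejail while an unsandboxed Firefox is running, because
# the new invocation would only open a tab in that existing process.
# Assumes Linux with /proc, ps, readlink and firejail on PATH.

# Print the PIDs of Firefox main processes found in a "PID COMMAND"
# listing (the shape `ps -eo pid,comm` prints). Content processes are
# named "Web Content" and similar, so only names starting with "firefox"
# count; that also covers firefox-esr and firefox-bin.
firefox_pids_from_listing() {
    printf '%s\n' "$1" | awk '$2 ~ /^firefox/ { print $1 }'
}

# Return 0 when PID shares the caller's PID namespace, i.e. it was NOT
# started inside a Firejail sandbox, and 1 when it lives in a different
# PID namespace (which is what a sandboxed Firefox looks like from outside).
in_host_pid_ns() {
    [ "$(readlink "/proc/$1/ns/pid")" = "$(readlink /proc/self/ns/pid)" ]
}

# Abort if any Firefox outside a sandbox is running; otherwise start one
# in a sandbox. --no-remote is a Firefox option that stops it handing the
# request to an existing instance, so it always starts its own process.
main() {
    unsandboxed=""
    for pid in $(firefox_pids_from_listing "$(ps -eo pid,comm)"); do
        if in_host_pid_ns "$pid"; then
            unsandboxed="$unsandboxed $pid"
        fi
    done
    if [ -n "$unsandboxed" ]; then
        echo "Firefox already running outside a sandbox (pids:$unsandboxed); close it first." >&2
        exit 1
    fi
    exec firejail firefox --no-remote
}

# Usage: sh sandbox-firefox.sh launch
# The functions above can also be sourced and reused on their own.
case "${1:-}" in
    launch) main ;;
esac
```

After the launch, `firejail --list` shows the new sandbox, and `ps aux | grep firefox` shows the browser running as your regular user while the firejail process itself is root, which is the situation the “(as superuser)” answer describes. Running in_host_pid_ns on the sandboxed Firefox’s PID returns 1, which is the evidence that the window you are looking at is actually inside the sandbox.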
Can you sandbox Steam games and Skype?
Support for Steam, Wine and Skype has been available since version 0.9.34. Quite a number of other closed-source programs are supported.
Running ls /etc/firejail/*.profile lists all the security profiles distributed with Firejail. Programs not listed there are handled by the very restrictive /etc/firejail/default.profile, and you can override or add profiles per user by placing a NAME.profile file in ~/.config/firejail, which Firejail checks before /etc/firejail.
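To see which profile a given program will actually get, the script below is an added example (not Firejail’s own code) that follows the documented lookup order: ~/.config/firejail/NAME.profile, then /etc/firejail/NAME.profile, then /etc/firejail/default.profile. The optional directory arguments exist only so the functions can be exercised against temporary directories; they are this example’s own parameters, not firejail options.

```sh
#!/bin/sh
# Added example, not Firejail's own code: resolve which profile Firejail
# will load for a program, using the lookup order from the firejail man
# page (user directory first, then system directory, then default.profile).
# The USER_DIR and SYSTEM_DIR arguments are this example's own parameters.

# resolve_profile PROGRAM [USER_DIR] [SYSTEM_DIR]
# Prints the path of the profile that applies. PROGRAM may be a full path;
# only its basename is used, as firejail does.
resolve_profile() {
    prog=$(basename "$1")
    user_dir=${2:-"$HOME/.config/firejail"}
    sys_dir=${3:-/etc/firejail}
    for candidate in "$user_dir/$prog.profile" "$sys_dir/$prog.profile"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    # Nothing dedicated: the restrictive catch-all profile applies.
    printf '%s\n' "$sys_dir/default.profile"
}

# list_covered [SYSTEM_DIR]
# Prints the names of programs that have a dedicated profile, one per
# line, skipping default.profile itself.
list_covered() {
    sys_dir=${1:-/etc/firejail}
    for f in "$sys_dir"/*.profile; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .profile)
        [ "$name" = default ] && continue
        printf '%s\n' "$name"
    done
}

# Usage: sh which-profile.sh PROGRAM
if [ -n "${1:-}" ]; then
    resolve_profile "$1"
fi
```

A program that resolves to default.profile is the case to look at twice: the catch-all is restrictive, so the program may break in ways a dedicated profile would avoid, and if you then loosen it by hand you are writing the profile yourself. Cross-check the script’s answer against the real tool with `firejail --debug PROGRAM`, whose output names the profile files it reads.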