Run your web browser (and maybe other applications as well) in a secure sandbox





Why the sandbox of Firejail is useful

1. By default, Linux Mint and Ubuntu are already very secure. Yet with a relatively small measure, you can increase the already high level of security of your Linux considerably: run your web browser from within a secure virtual sandbox. Web browsers (and their plugins) are, by far, the applications that are most under attack.

You can easily achieve that protection by means of the application Firejail, which offers simple lightweight virtualization on the application level. Translated into ordinary language that means: you can fully isolate your web browser from your personal folder, so that it can never do any harm in your personal folder.

With that, you're much better protected against hackers or malware breaking into your personal folder (the files that are accessible without root permissions). Firejail protects against malware that tries to do nasty things with your personal files behind your back. The malware can go ahead without being stopped, but... it can't touch anything.

That's because your web browser and its plugins are then isolated from your personal folder. Almost entirely, that is, because there are some useful exceptions, like the Downloads folder and the configuration of the web browser. The system folders and files are also still accessible, but obviously as "read-only".

Firejail is well designed: it causes only a little extra system load.

I fully agree with what Distrowatch has said about Firejail: the extra protection layer that Firejail provides increases security considerably, uses very few resources and requires almost no effort to use. In today's world of security breaches and privacy concerns, my opinion is: Why would someone not want to use Firejail? (the complete Distrowatch article is here)

Everything has its price of course, even if it's a small one: the disadvantage of this isolation is that you can, for example, only add files to an e-mail message if those files are in the Downloads folder. For the rest, your web browser is isolated from your personal folder. Printing web pages might also fail because of this.

That's why I advise limiting this isolation to the web browser launcher that's in the panel of your desktop. That way, you can always launch a "normal" web browser from the menu.

Sidenote: the isolation of Firejail is limited to your personal folder; your web browser can still access folders and files of the operating system itself. That's intentional and no problem, because those are owned by root, so they fall under the protection of the password requirement.

You can achieve this as follows:

Install Firejail

2. Installing Firejail in Ubuntu 16.04.x and in Linux Mint 18.x is easy:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):
sudo apt-get install firejail

Press Enter and type your password when requested. Your password will remain entirely invisible; not even dots will show. This is normal. Press Enter again.

Recommended: make sure you have the latest Firejail from the LTS series

2.1. The developers of Firejail maintain two series of Firejail: the Long Term Supported (LTS) series (0.9.38.x) and the latest series.

At the time of writing of this how-to (February 2017), the official repositories of Linux Mint 18.x and Ubuntu 16.04 contained the newest Firejail from the LTS series. But that might not always be the case. So it might be advisable to check that for yourself.

You can check the version of the Firejail that's installed in your system, with this terminal command:
firejail --version

You can always get the newest Firejail LTS here. If there's a newer Firejail LTS available, download the .deb installer file (not the tar.bz2). Don't try to install it by means of the dialog window in your web browser (this usually doesn't work), but just download it. Then launch your file manager and simply double-click it, as if it were a Windows installer.

Run Firefox from a sandbox

3. After installing Firejail, you can run Firefox from a sandbox in the following way:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):
firejail firefox

Press Enter.

That's all! Firejail has reasonable default settings for Firefox, which are hardly ever annoying and still increase your online security a lot. The average desktop user doesn't need to change anything in those settings.

But that's a one-time launch only; it's of course not very convenient to launch Firefox that way every time. So I advise creating a desktop launcher that launches Firefox in a sandbox by default.

To do that in Linux Mint Cinnamon, right-click the Firefox icon in the panel of your desktop - Edit - Command: change this into:
firejail firefox %u

Click OK.

In Ubuntu and in desktop environments other than Cinnamon, you need to edit the Firefox desktop launcher in a comparable way.

Now close all open Firefox windows and click on the Firefox launcher in the desktop panel, so that Firefox is launched again. Firefox should be running in a sandbox now.

In order to check that, launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):
firejail --tree

Press Enter.

With that command you can check whether Firefox is indeed running in sandbox mode.

Fix a sound issue (PulseAudio) caused by Firejail

4. When you run Firejail, it will probably cause problems with sound and playback. If so, you can fix it like this:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Copy/paste the following series of commands into the terminal (press Enter after each individual command):

mkdir -p ~/.config/pulse

cd ~/.config/pulse

cp -v /etc/pulse/client.conf ~/.config/pulse

echo "enable-shm = no" >> client.conf

Note: this is a user setting, so repeat this in each user account.

Check the settings for Firefox and modify them (for advanced users only)

5. Do you want to check the settings of Firejail for Firefox? They're in /etc/firejail/firefox.profile

Do you wish to change something in the Firefox profile of Firejail? Then preferably don't do that systemwide, but first copy the systemwide Firefox profile of Firejail to your personal folder. That can be done with the following terminal commands (use copy/paste to transfer them to the terminal):

First:
mkdir -pv ~/.config/firejail

Press Enter.

Then:
cp -v /etc/firejail/firefox.profile ~/.config/firejail

Press Enter.

Finally, if you have text editor Leafpad (if not, use another text editor):

leafpad ~/.config/firejail/firefox.profile

Press Enter.

Then you can experiment safely in the copied profile, and your modifications will remain intact when you install a newer version of Firejail.

You can also launch Firejail with a lot of advanced options. You can check those with the terminal command man firejail or on this web page.

Firefox completely in the sandbox (only for advanced users)

6. It's also possible to put Firefox in your user account completely in the sandbox, regardless of how you launch it. I don't recommend that, because you'll probably be confronted with annoying limitations then, from time to time. But if you want that anyway, then these are the two terminal commands you need for that:

First this (it's one line):
cp -v /usr/share/applications/firefox.desktop ~/.local/share/applications

Then this (it's one line):
sed -i 's/Exec=firefox/Exec=firejail firefox/g' ~/.local/share/applications/firefox.desktop

Close Firefox and launch it again.

You can undo it like this:

rm -v ~/.local/share/applications/firefox.desktop

Close Firefox and launch it again.



Run Google Chrome and Chromium from a sandbox

7. For Google Chrome and Chromium, a sandbox is less important than for Firefox, because they're better protected than Firefox (which is an issue that the Firefox developers are currently working on). Nevertheless, a sandbox is useful for Google Chrome and Chromium as well.

The how-to below (items 6, 7 and 8) is written for Google Chrome. Are you using Chromium? Then simply replace the word "google-chrome-stable" with "chromium-browser".

After installing Firejail, you can run Google Chrome from a sandbox in the following way:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):
firejail google-chrome-stable

Press Enter.

That's all! Firejail has reasonable default settings for Chrome, which are hardly ever annoying and still increase your online security a lot. The average desktop user doesn't need to change anything in those settings.

But that's a one-time launch only; it's of course not very convenient to launch Chrome that way every time. So I advise creating a desktop launcher that launches Chrome in a sandbox by default.

For that, you first need to put a starter for Google Chrome in the panel of your desktop. In Linux Mint Cinnamon that can be done from the menu: Internet - right-click on Google Chrome - Add to panel.

Then, in Linux Mint Cinnamon, right-click the Chrome icon in the panel of your desktop - Edit - Command: change this into:
firejail google-chrome-stable %U

Click OK.

In Ubuntu and in desktop environments other than Cinnamon, you need to edit the Chrome desktop launcher in a comparable way.

Now close all open Chrome windows and click on the Chrome launcher in the desktop panel, so that Chrome is launched again. Chrome should now be running in a sandbox.

In order to check that, launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):
firejail --tree

Press Enter.

With that command you can check whether Chrome is indeed running in sandbox mode.
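
The check that firejail --tree lets you do by eye can also be scripted. The following is an added example, not part of the original how-to: it walks the parent chain of each browser process and reports the ones that have no firejail ancestor. The function names are hypothetical, and the process table is constructed so the example runs without Firejail installed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# has_firejail_ancestor PID [PROC_ROOT]
# Succeeds if PID itself or any of its ancestors is a process named firejail.
has_firejail_ancestor() {
    pid=$1; proc=${2:-/proc}
    while [ "${pid:-0}" -gt 0 ] && [ -r "$proc/$pid/status" ]; do
        name=$(awk '$1 == "Name:" { print $2; exit }' "$proc/$pid/status")
        [ "$name" = firejail ] && return 0
        pid=$(awk '$1 == "PPid:" { print $2; exit }' "$proc/$pid/status")
    done
    return 1
}

# unsandboxed_pids NAME [PROC_ROOT]
# Prints the PID of every process called NAME that has no firejail ancestor.
unsandboxed_pids() {
    want=$1; root=${2:-/proc}
    for f in "$root"/[0-9]*/status; do
        [ -r "$f" ] || continue
        n=$(awk '$1 == "Name:" { print $2; exit }' "$f")
        [ "$n" = "$want" ] || continue
        p=${f%/status}; p=${p##*/}
        has_firejail_ancestor "$p" "$root" || echo "$p"
    done
    return 0
}

# Constructed process table standing in for /proc (not real system data).
fake=$(mktemp -d)
mkproc() {  # mkproc PID NAME PPID
    mkdir -p "$fake/$1" && printf 'Name:\t%s\nPPid:\t%s\n' "$2" "$3" > "$fake/$1/status"
}
mkproc 1   systemd  0
mkproc 100 firejail 1      # started from the panel launcher
mkproc 101 firejail 100
mkproc 102 firefox  101    # sandboxed
mkproc 200 firefox  1      # started from the menu, not sandboxed

echo "firefox PIDs outside a sandbox: $(unsandboxed_pids firefox "$fake")"
```

On a real system, leave out the second argument so that /proc is read, for example: unsandboxed_pids firefox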

Check the settings for Chrome and modify them (for advanced users only)

8. Do you want to check the settings of Firejail for Chrome? They're in /etc/firejail/google-chrome-stable.profile

Do you wish to change something in the Chrome profile of Firejail? Then preferably don't do that systemwide, but first copy the systemwide Chrome profile of Firejail to your personal folder. That can be done with the following terminal commands (use copy/paste to transfer them to the terminal):

First:
mkdir -pv ~/.config/firejail

Press Enter.

Then (it's one line!):
cp -v /etc/firejail/google-chrome-stable.profile ~/.config/firejail

Press Enter.

Finally, if you have text editor Leafpad (if not, use another text editor):

leafpad ~/.config/firejail/google-chrome-stable.profile

Press Enter.

Then you can experiment safely in the copied profile, and your modifications will remain intact when you install a newer version of Firejail.
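
A profile copied to ~/.config/firejail (for Firefox in item 5 or for Chrome here) takes precedence over the one in /etc/firejail, so it also stops picking up restrictions that a newer Firejail adds to the system-wide profile. The following added example, which is not part of the original how-to, lists the directives that differ between the two files; the function name is hypothetical and the two sample profiles are constructed, not the real profile contents.

```shell
#!/bin/sh
# Added example, not from the original page. Function name is hypothetical.

# missing_from A B
# Prints every directive found in profile A that is absent from profile B.
# Comment lines, surrounding whitespace and blank lines are ignored.
missing_from() {
    awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" || /^#/    { next }
        FILENAME == ARGV[1] { other[$0] = 1; next }
        !($0 in other)      { print }
    ' "$2" "$1"
}

# Constructed sample profiles (not the real contents of firefox.profile).
work=$(mktemp -d)
cat > "$work/system.profile" <<'EOF'
# system-wide copy after a package upgrade
caps.drop all
seccomp
netfilter
noroot
protocol unix,inet,inet6
whitelist ${DOWNLOADS}
EOF
cat > "$work/user.profile" <<'EOF'
# personal copy made earlier, then edited
caps.drop all
seccomp
netfilter
whitelist ${DOWNLOADS}
# local addition
whitelist ~/Documents/upload
EOF

echo "In the system-wide profile but not in your copy:"
missing_from "$work/system.profile" "$work/user.profile"
echo "Only in your copy:"
missing_from "$work/user.profile" "$work/system.profile"
```

On a real system, run it after each Firejail upgrade with the system-wide profile as the first argument and your copy in ~/.config/firejail as the second.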

You can also launch Firejail with a lot of advanced options. You can check those by means of the terminal command man firejail or on this web page.

Chrome completely in the sandbox (only for advanced users)

9. It's also possible to put Chrome in your user account completely in the sandbox, regardless of how you launch it. I don't recommend that, because then you'll probably be confronted with annoying limitations from time to time. But if you want that anyway, then these are the two terminal commands you need for that:

First this (it's one line):
cp -v /usr/share/applications/google-chrome.desktop ~/.local/share/applications

Then this (it's one line):
sed -i 's/google-chrome-stable/firejail google-chrome-stable/g' ~/.local/share/applications/google-chrome.desktop

Close Chrome and launch it again.

Check whether it works, with this command:
firejail --tree

You can undo it like this (it's one line!):
rm -v ~/.local/share/applications/google-chrome.desktop

Close Chrome and launch it again.
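
The launcher override from items 6 and 9 can be written so that it is safe to run more than once and can be verified afterwards. This is an added example, not part of the original how-to: it generalizes the two sed commands to any .desktop file by prefixing every Exec= line that does not already start with firejail. The function names are hypothetical and the sample launcher is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# sandbox_desktop_entry SRC DEST_DIR
# Writes a per-user copy of SRC into DEST_DIR in which every Exec= line is
# prefixed with "firejail". Lines that already have the prefix are left
# alone, so running it again does not produce "firejail firejail ...".
sandbox_desktop_entry() {
    src=$1; dest_dir=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    dest=$dest_dir/$(basename "$src")
    tmp=$dest.tmp.$$
    sed '/^Exec=firejail /!s/^Exec=/Exec=firejail /' "$src" > "$tmp" || return 1
    mv "$tmp" "$dest"
}

# unsandboxed_exec_lines FILE
# Prints how many Exec= lines in FILE do not go through firejail.
unsandboxed_exec_lines() {
    awk '/^Exec=/ && !/^Exec=firejail / { n++ } END { print n + 0 }' "$1"
}

# Constructed sample launcher (not a real system file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/firefox.desktop" <<'EOF'
[Desktop Entry]
Name=Firefox
Exec=firefox %u
Actions=new-window;

[Desktop Action new-window]
Name=New Window
Exec=firefox -new-window
EOF

sandbox_desktop_entry "$demo_dir/firefox.desktop" "$demo_dir/user"
# Second run on the already rewritten copy: nothing changes.
sandbox_desktop_entry "$demo_dir/user/firefox.desktop" "$demo_dir/user"
echo "Exec lines without firejail: $(unsandboxed_exec_lines "$demo_dir/user/firefox.desktop")"
```

On a real system the source would be a launcher in /usr/share/applications and the destination ~/.local/share/applications, as in the commands above.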

Even more applications in the sandbox?

10. The web browser is of course the application that's most useful to secure, because it faces most of the dangers. But in a similar way as with Firefox and Chrome, you can put even more applications in the sandbox.

For that, it's best to check first whether Firejail has a specific profile for the application you want to sandbox. Because if not, Firejail will use a generic profile which might cause problems for your specific application.
The available profiles are in /etc/firejail.

If you use an e-mail client like Thunderbird or a torrent client like Transmission: it's probably a good idea to sandbox them with Firejail as well.

Use Firejail as internet access blocker for individual applications

11. It's also possible to use Firejail to block internet access for an individual application. You don't need complicated firewall rules to prevent a program from accessing the internet behind your back!

This can be done by launching Firejail with the option --protocol=unix. Below is an example for media player VLC; copy/paste the following command into the terminal and press Enter:

firejail --protocol=unix vlc

Note: you can also use the option --net=none. But that option sometimes results in an application crash or in red error reports in the terminal. That's why I don't recommend it.

For blocking internet access, the option --net=none has the same effect as the option --protocol=unix, but the problem is that it interferes with DBUS functionality. The difference is: with --net=none the program doesn't see the network at all (so of course it can't connect to it), and with --protocol=unix it does see the network but still cannot connect to it.


Tip: do you want to launch an application with blocked internet access on a regular basis? Then simply create a desktop launcher for it that contains this particular Firejail prefix.

A more elaborate how-to on the Linux Mint forum

12. You can find a more elaborate how-to for Firejail, also aimed at advanced use, on the international Linux Mint forum (author: xenopeek).



A Creative Commons license applies to the content of this website.

