-
Notifications
You must be signed in to change notification settings - Fork 577
Sandboxing Binary Software
As a rule, don't install random software you find on Internet. Use this guide to install newer versions of the software you already have in your package manager, or software from sources you trust. Always grab the binary archive directly from the developer.
The proper place to install binary programs in Linux is /opt
directory. The archive is unpacked
as root user. The files are owned by root and cannot be altered by a regular user, or by someone
taking control of one of your programs.
Some programs require the user to unpack them in /home
directory. This is also fine,
but the files are owned by the user and can be altered. Usually these programs auto-update themselves
when new versions become available. An example is Tor browser.
After unpacking, if you are asked to run anything as root, stop immediately! This is more common for server software. Sometimes they need to create a dedicated user group, or plug themselves in the init system. For desktop programs there should be no reason to run a setup program as root after unpacking the archive. No Linux security system ever, including Firejail, is or will be able to contain a program install running as root.
Integrating the program into your desktop and sandboxing is easy.
If the program is already supported by Firejail, the sandbox will pick the right profile from /etc/firejail
directory.
If the program is not supported yet, the sandbox will use the default profile.
The default profile (/etc/firejail/default.profile
) is very permissive.
For some programs we had to relax the profile rules and remove some of the default features in order to get the program running.
Follow the steps described for Firefox for a /opt
install and Tor Browser for a /home
install.
We also have an AppImage example in Kdenlive. For a command-line application check youtube-dl.
If you install software by yourself and not with a package-manager, you need to update the software. To have the actual security-patches installed is even more important for a secure system than sandboxing and hardening.
Hint: See Wiki: Profiles for Firejail's paths.
-
Download the latest version of Firefox from https://www.mozilla.org/en-US/firefox/new/
-
Unpack the archive in
/opt
:
$ su
# cd /opt
# tar -xvf firefox-67.0.tar.bz2
- Create a desktop file in ~/Desktop directory. This is the content of the file:
$ cat ~/Desktop/firefox.desktop
[Desktop Entry]
Name=Firefox
Exec=firejail firefox --no-remote
Icon=/opt/firefox/browser/chrome/icons/default/default48.png
Terminal=false
Type=Application
To start the browser click on the new desktop icon.
The archive distributed by Tor project is structured as a self-contained system,
similar to portable-apps on Windows. Unpack the archive in your home directory.
If you install it in /opt
as root, the browser won't run. The program will auto-update when
a new version becomes available.
-
Download the latest archive from https://www.torproject.org/download/
-
Unpack the archive in your home directory
$ cd ~
$ tar -xvf tor-browser-linux64-8.5.1_en-US.tar.xz
- Create a desktop file in ~/Desktop directory. This is the content of the file:
$ cat ~/Desktop/tor.desktop
[Desktop Entry]
Name=Tor
Exec=firejail --private=~/tor-browser_en-US ./start-tor-browser.desktop
Icon=/home/username/tor-browser_en-US/Browser/browser/chrome/icons/default/default48.png
Terminal=false
Type=Application
Replace username with your current user name on Icon line above.
~/tor-browser_en-US
directory acts as your new home directory inside the sandbox.
To start the browser click on the new desktop icon.
The Kdenlive video editor is distributed by the developers in the AppImage format. Download the archive, move it to /opt
and build a desktop file.
-
Download the latest Kdenlive stable version in appimage format from https://kdenlive.org/en/download/
-
Copy the file in /opt directory
$ sudo cp ~/bin/Kdenlive-17.12.0d-x86_64.AppImage /opt/.
- Create a desktop file in
~/Desktop
directory. This is the content of the file:
$ cat ~/Desktop/kdenlive.desktop
[Desktop Entry]
Name=Kdenlive
Exec=firejail --profile=/etc/firejail/kdenlive.profile --appimage /opt/Kdenlive-17.12.0d-x86_64.AppImage
Terminal=false
Type=Application
Icon=/opt/kdenlive-icon.png
Drop an icon for the program in /opt
or any other directory. The official Kdenlive icon is here: https://github.com/KDE/kdenlive/blob/master/data/icons/128-apps-kdenlive.png
youtube-dl is a command-line program to download videos from YouTube.com and few other sites. Google changes YouTube quite often, breaking youtube-dl application. A few days later, the youtube-dl developers release a new version. You are interested in downloading "youtube-dl" file from the release page:
- Uninstall youtube-dl version supplied by your distribution (on Debian:
sudo apt-get purge youtube-dl
) - Download the latest youtube-dl file as explained above
- Copy the downloaded file in
/usr/bin
$ su
# cp youtube-dl /usr/bin/.
# chmod +x /usr/bin/youtube-dl
- Reconfigure Firejail
$ sudo firecfg