firejail command
firejail sandboxes applications
Typical usage: constructing sandbox environments, confinement of processes, testing software
Introduction into firejail
Firejail is a program that can sandbox other programs. Its intended purpose is to restrict a program by limiting what a process and its children can see or do.
To achieve sandboxing functionality, Firejail uses Linux capabilities, namespaces, and secure computing in the form of seccomp-bpf. The current implementation of Firejail uses a SUID binary. That means that there is a risk of compromise if a bug in Firejail can be exploited. The project therefore recommends limiting who can access the tooling.
As Firejail is an alternative sandboxing tool to flatpak and snap, these will not work together.
Examples
Tracing DNS requests
Firejail comes with a very handy option, --dnstrace, to see the DNS requests being made. If a program is specified, it shows the DNS requests for the applicable namespaces. When only the option is provided, all namespaces are monitored. This is very useful to quickly see what DNS requests happen on a system.
```plaintext
# firejail --dnstrace
DNS trace for Sun Dec 15 00:02:21 2024
00:02:28 192.168.123.1 _http._tcp.security.debian.org (type 33)
00:02:28 192.168.123.1 _http._tcp.deb.debian.org (type 33)
00:02:28 192.168.123.1 debian.map.fastlydns.net (type 1)
00:02:28 192.168.123.1 debian.map.fastlydns.net (type 28)
```
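As an added example (not part of the original page or the Firejail project), the shell functions below parse the trace format shown above, map the numeric query types to record names (1 = A, 28 = AAAA, 33 = SRV), and list queried names that fall outside an expected set of domain suffixes. The function names and the suffix allow-list are assumptions for illustration.

```shell
#!/bin/sh
# Added example: summarise firejail --dnstrace output and flag unexpected names.
# Function names and the suffix allow-list are assumptions for illustration.

# Sample input: the trace lines shown on this page.
sample_trace() {
cat <<'EOF'
DNS trace for Sun Dec 15 00:02:21 2024
00:02:28 192.168.123.1 _http._tcp.security.debian.org (type 33)
00:02:28 192.168.123.1 _http._tcp.deb.debian.org (type 33)
00:02:28 192.168.123.1 debian.map.fastlydns.net (type 1)
00:02:28 192.168.123.1 debian.map.fastlydns.net (type 28)
EOF
}

# parse_dnstrace: read a trace on stdin, print "RRTYPE name" for each query line.
parse_dnstrace() {
    awk '
    BEGIN { rr[1]="A"; rr[5]="CNAME"; rr[12]="PTR"; rr[15]="MX"; rr[16]="TXT"; rr[28]="AAAA"; rr[33]="SRV" }
    # Query lines have the shape: HH:MM:SS <ip> <name> (type N); the header line is skipped.
    $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ && $4 == "(type" {
        t = $5; sub(/\)$/, "", t)
        name = (t in rr) ? rr[t] : "TYPE" t
        print name, $3
    }'
}

# unexpected_names SUFFIX...: print each queried name (once) that matches no allowed suffix.
unexpected_names() {
    parse_dnstrace | awk -v allow="$*" '
    BEGIN { n = split(allow, sfx, " ") }
    {
        ok = 0
        for (i = 1; i <= n; i++) {
            s = sfx[i]; L = length(s)
            # Match on a label boundary: the exact name, or a name ending in ".suffix".
            if ($2 == s || (length($2) > L && substr($2, length($2) - L) == "." s))
                ok = 1
        }
        if (!ok && !seen[$2]++) print $2
    }'
}

# Stand-alone run: names in the sample trace that are not under debian.org.
sample_trace | unexpected_names debian.org
```

To review a real session, pipe a saved trace into `unexpected_names` in place of `sample_trace` and pass the suffixes the sandboxed program is expected to resolve.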
Blocking capabilities
To see if a tool uses any capabilities, we can tell Firejail to block them all. If it is required for proper functioning, then it will show up very quickly.
```plaintext
# firejail --caps.drop=all ping 192.168.1.1
/bin/bash: line 1: /usr/bin/ping: Operation not permitted
```
With filecap we can easily find that `ping` requires a capability. Which one?
```plaintext {hl_lines=1}
# filecap /usr/bin/ping
set file capabilities rootid
effective /usr/bin/ping net_raw
```
So in this case we need to allow the CAP_NET_RAW capability.
```plaintext
# firejail --caps.keep=net_raw ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=0.474 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.474/0.474/0.474/0.000 ms
```
Now the ping command works again.
Project details
Background information | |
---|---|
Author (alias) | netblue30 |
First release version | 0.9 |
First release date | 2014-04-12 |
License | GPLv2 |
Requires root permissions | no |
Installation
When the firejail command is not installed by default, it can be added to the system using the relevant software package.
Package information for firejail command
Operating system | Package name | Installation |
---|---|---|
AlmaLinux | firejail | |
Arch Linux | firejail | |
Debian | firejail | |
Fedora | firejail | |
Red Hat Enterprise Linux | firejail | |
Rocky Linux | firejail | |
Ubuntu | firejail | |
Usage
Available options
Option | Description |
---|---|
--build | Run a program and build a profile that uses the concept of allow-listing. After the application ends, the suggested profile will be displayed. |
--caps.drop | Define which Linux capabilities to drop. Use 'all' to deny all capabilities, or define a comma-separated list for capabilities to block. This is the concept of deny-listing. |
--caps.keep | Define which Linux capabilities should be allowed. Use a comma-separated list to define multiple capabilities. |
--version | Show version and built-in application support |
Frequently Asked Questions
What is the firejail command and its purpose?
Firejail is a tool to sandbox applications to restrict what they can do. It is a useful tool to limit the risk of privilege escalation and exploits.
Which package provides the firejail command?
The command firejail is provided by the firejail package.