After six months of development project release , within which a system is being developed for the isolated execution of graphical, console and server applications. Using Firejail minimizes the risk of compromising the main system when running untrustworthy or potentially vulnerable programs. The program is written in C language licensed under the GPLv2 and can run on any Linux distribution with a kernel older than 3.0. Ready packages with Firejail in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.
For isolation in Firejail namespaces, AppArmor, and system call filtering (seccomp-bpf) in Linux. Once launched, the program and all of its child processes use separate views of kernel resources, such as the network stack, process table, and mount points. Applications that are dependent on each other can be combined into one common sandbox. If desired, Firejail can also be used to run Docker, LXC and OpenVZ containers.
Unlike container isolation, firejail is extremely in the configuration and does not require the preparation of a system image - the container composition is formed on the fly based on the contents of the current file system and is deleted after the application is completed. Flexible means of setting access rules to the file system are provided; you can determine which files and directories are allowed or denied access, connect temporary file systems (tmpfs) for data, limit access to files or directories to read-only, combine directories through bind-mount and overlayfs.
For a large number of popular applications, including Firefox, Chromium, VLC and Transmission, ready-made system call isolation. To obtain the privileges necessary to set up a sandboxed environment, the firejail executable is installed with the SUID root flag (privileges are reset after initialization). To run a program in isolation mode, simply specify the application name as an argument to the firejail utility, for example, “firejail firefox” or “sudo firejail /etc/init.d/nginx start”.
In the new release:
- In the configuration file /etc/firejail/firejail.config file-copy-limit setting, which allows you to limit the size of files that will be copied into memory when using the “--private-*” options (by default the limit is set to 500MB).
- Templates for creating new application restriction profiles have been added to the /usr/share/doc/firejail directory.
- Profiles allow the use of debuggers.
- Improved filtering of system calls using the seccomp mechanism.
- Auto-detection of compiler flags is provided.
- The chroot call is no longer made based on the path, but using mount points based on the file descriptor.
- The /usr/share directory is whitelisted by various profiles.
- New helper scripts gdb-firejail.sh and sort.py have been added to the conrib section.
- Strengthened protection at the execution stage of privileged code (SUID).
- For profiles, new conditional attributes HAS_X11 and HAS_NET have been implemented to check the presence of an X server and network access.
- Added profiles for isolated application launch (the total number of profiles increased to 884):
- i2p,
- tor-browser (AUR),
- Zulip,
- rsync
- signal-cli
- tcpdump
- tshark,
- qgis
- OpenArena,
- godot,
- klatexformula,
- klatexformula_cmdl,
- links
- xlinks,
- pandoc
- teams-for-linux,
- gnome-sound-recorder,
- newsbeuter,
- keepassxc-cli,
- keepassxc-proxy,
- rhythmbox-client,
- Jerry
- zeal,
- mpg123,
- conplay,
- mpg123.bin,
- mpg123-alsa,
- mpg123-id3dump,
- out123,
- mpg123-jack,
- mpg123-nas,
- mpg123-openal,
- mpg123-oss,
- mpg123-portaudio,
- mpg123-pulse,
- mpg123-strip,
- pavucontrol-qt,
- gnome-characters,
- gnome-character-map,
- Whalebird
- tb-starter-wrapper,
- bzcat,
- kiwix-desktop,
- bzcat,
- zstd,
- pzstd,
- zstdcat,
- zstdgrep,
- zstdless,
- zstdmt,
- unzstd,
- air,
- gnome-latex,
- pngquant
- calgebra
- kalgebramobile,
- amuled
- kfind,
- profanity
- audio-recorder,
- cameramonitor
- ddgtk
- drawio,
- unf,
- gmpc,
- electron-mail,
- gist
- gist-paste.
Source: opennet.ru