On Linux systems, Bubblewrap and Firejail are two common sandboxing tools used if you need to provide an isolated environment for your applications. Their design goals and application scenarios are significantly different. Bubblewrap is more oriented towards low-level control and is suitable for users who need a finer-grained isolation environment. It does not come with […]
Show full content
On Linux systems, Bubblewrap and Firejail are two common sandboxing tools used if you need to provide an isolated environment for your applications. Their design goals and application scenarios are significantly different.
Bubblewrap is more oriented towards low-level control and is suitable for users who need a finer-grained isolation environment. It does not come with ready-made configuration templates.
Bubblewrap offers a high degree of flexibility and minimal dependencies for developers who want to precisely control their runtime environment through scripting.
Firejail, by contrast, is more focused on ease of use and is particularly well suited to desktop users. It comes with a large number of configuration files for popular programs such as Firefox, VLC, etc., which can be run in a restricted environment with a single command. Firejail offers a simple, plug-and-play solution for the average user who doesn’t want to dive into the details of the kernel but still wants to improve the security of their system.
Overall, if you’re looking to manually build a minimal sandboxed environment with clear control over the isolation logic at every step, then Bubblewrap is the better choice. If you’re concerned with fast isolation, enhanced security, and ease of use for your desktop application, then Firejail is the more hassle-free tool.
This is the simplest VPN setup ever: Linux workstation running Firefox browser under Firejail, and a virtual machine in the cloud running an SSH server. The tunnel uses SOCKS5 feature of OpenSSH. This setup should work with any other application supporting SOCKS5 protocol. OpenSSH protects the traffic with strong, industry standard encryption algorithms such as […]
This is the simplest VPN setup ever: Linux workstation running Firefox browser under Firejail, and a virtual machine in the cloud running an SSH server. The tunnel uses SOCKS5 feature of OpenSSH. This setup should work with any other application supporting SOCKS5 protocol.
OpenSSH protects the traffic with strong, industry standard encryption algorithms such as Advanced Encryption Standard (AES). Due to the large number of enterprise users using SSH in the cloud, you are very likely to go through a VPN blockade undetected. Fly under the radar and have fun!
Sometimes, we may need to restrict the internet access to a single application both for security reasons or testing purposes. On Linux, there are different ways to restrict the internet access to a single program. Unfortunately, most of them, are not straightforward at all. more
Show full content
Sometimes, we may need to restrict the internet access to a single application both for security reasons or testing purposes.
On Linux, there are different ways to restrict the internet access to a single program. Unfortunately, most of them, are not straightforward at all.
Sometimes we have to run an application that we do not trust, but we are afraid that it might look at or delete our personal data, since even though Linux systems are less prone to malware, they are not completely immune. Maybe you want to access a shady-sounding website. Or perhaps you need to access […]
Show full content
Sometimes we have to run an application that we do not trust, but we are afraid that it might look at or delete our personal data, since even though Linux systems are less prone to malware, they are not completely immune. Maybe you want to access a shady-sounding website. Or perhaps you need to access your bank account, or any other site dealing with sensitive private information. You might trust the website, but do not trust the add-ons or extensions installed in your browser.
In each of the above cases, sandboxing is useful. The idea is to restrict the non-trusted application in an isolated container -a sandbox– so that it does not have access to our personal data, or the other applications on our system. While there is a software called Sandboxie that does what we need, it is only available for Microsoft Windows. But Linux users need not worry, since we have Firejail for the job.
So without further ado, let us see how to set up Firejail on a Linux system and use it to sandbox apps in Linux:
While there are many Open Source solutions for browser-based videoconferencing and online meetings, like BigBlueButton or Jitsi, I am still forced to use zoom in a lot of contexts. But the zoom web client lacks a lot of functionality and generally does not work well in my experience. On the other hand I absolutely distrust […]
Show full content
While there are many Open Source solutions for browser-based videoconferencing and online meetings, likeBigBlueButtonor Jitsi, I am still forced to use zoom in a lot of contexts.
But the zoom web client lacks a lot of functionality and generally does not work well in my experience.
On the other hand I absolutely distrust the zoom client. Just inspect the strings that appear in the binary of the launcher…
Many people believe that browser security is difficult. I created this guide as an overview of Firejail sandboxing technology. The goal is to show you that security can be simple and fun. The video guide is structured as a hacking session. The victim is running a sandboxed browser. An imaginary zero-day exploit gives the attacker […]
Many people believe that browser security is difficult. I created this guide as an overview of Firejail sandboxing technology. The goal is to show you that security can be simple and fun.
The video guide is structured as a hacking session. The victim is running a sandboxed browser. An imaginary zero-day exploit gives the attacker control of the sandbox in the form of a remote shell. Let’s see what damage we can do. And maybe, reconfigure the sandbox so the victim can survive the aftermath of such an attack.
Take a look at your Desktop and/or interface. Be it MATE (desktop/laptop), Phosh (Pinephone/Librem), or KDE. We use several buttons/shortcuts to programs everyday. Some of these need the internet. Some do not. Have you minimized access to programs who do not need the internet? Did you know some programs secretly “call home” and share data/your […]
Take a look at your Desktop and/or interface. Be it MATE (desktop/laptop), Phosh (Pinephone/Librem), or KDE. We use several buttons/shortcuts to programs everyday. Some of these need the internet. Some do not.
Have you minimized access to programs who do not need the internet? Did you know some programs secretly “call home” and share data/your IP address with 3rd parties (sometimes sold)? The most ideal setup is one which is restricted wherever possible, but not up to the point where your setup becomes unusable.
Here we are going to use a Hot Off the Press News example to demonstrate how to allow networking only to those programs requiring it (such as web browsers, encrypted messengers, etc). Other programs like VLC Media player, GIMP (image manipulation), and Libre Office do NOT need ANY networking for full functionality. So why do we allow it? Because this is default behavior, we accept it. We are going to change that today.
This is a small excerpt from a ISC Security Series webinar titled “Securing Bind 9 with AppArmor and Firejail”. ISC is a non-profit organization that develops several widely used open source software packages such as BIND 9, ISC DHCP, and Kea DHCP. Firejail profile used in the video: # Firejail profile for BIND 9 (named) […]
This is a small excerpt from a ISC Security Series webinar titled “Securing Bind 9 with AppArmor and Firejail”. ISC is a non-profit organization that develops several widely used open source software packages such as BIND 9, ISC DHCP, and Kea DHCP.
Firejail profile used in the video:
# Firejail profile for BIND 9 (named)
# https://webinar.defaultroutes.de/webinar/07-firejail.html
# Description: Authoritative DNS Server and DNS resolver
name named
# Persistent local customizations
include named.local
# Persistent global definitions
include globals.local
noblacklist /sbin
noblacklist /usr/sbin
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}/wayland-*
include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc
include whitelist-usr-share-common.inc
whitelist /etc/bind
whitelist /etc/passwd
whitelist /var/cache/bind
whitelist /var/run
caps.keep net_admin,net_bind_service,setgid,setuid,sys_chroot,sys_resource
ipc-namespace
machine-id
netfilter
no3d
nodvd
nonewprivs
nosound
notv
nou2f
novideo
protocol inet,inet6,unix,netlink
seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
disable-mnt
private
private-dev
private-tmp
writable-var
dbus-user none
dbus-system none
# mdwe can break modules/plugins
memory-deny-write-execute
