The beauty of the Privacy Cookbook is that I can jump around between different chapters & sections and provide updates and insights on new products and developments almost in real time.
So, today I want to jump back to Secure PC setup and add to the information on Linux!
Sandboxing is one of the things that makes QubesOS one of the best, if not the best, Linux distros out there. It isolates whole systems into separate Qubes, and each of your setups can even run a different operating system. However, you can also sandbox on any other Linux system: not as powerfully as on QubesOS, but still making your OS considerably more secure.
PDF readers, browsers, perhaps your email application and some other apps run in the background and are potential targets for hackers and attackers.
"Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups."
Firejail should be in most software centers, regardless of whether you're running Manjaro, Ubuntu or any other distro. Once installed, it's dead simple!
Firefox is one of the first things you should run in Firejail. To do so, just open a terminal and run:
Firefox can now only see a few files and directories.
Note: Only the ~/Downloads and ~/.mozilla directories are real; all other directories are created by Firefox. The same home directory layout is imposed by Firejail for all supported browsers and BitTorrent clients. Please make sure you save all your downloaded files in the ~/Downloads directory.
This is what the rest of the file system looks like:
- /boot – blacklisted
- /bin – read-only
- /dev – read-only; a small subset of drivers is present, everything else has been removed
- /etc – read-only; /etc/passwd and /etc/group have been modified to reference only the current user; you can enable a subset of the files by editing /etc/firejail/firefox-common.profile (uncomment private-etc line in that file)
- /home – only the current user is visible
- /lib, /lib32, /lib64 – read-only
- /proc, /sys – re-mounted to reflect the new PID namespace; only processes started by the browser are visible
- /sbin – blacklisted
- /selinux – blacklisted
- /usr – read-only; /usr/sbin blacklisted
- /var – read-only; similar to the home directory, only a skeleton filesystem is available
- /tmp – only X11 directories are present
This is the setup for the Firefox you already use, including all the add-ons you installed.
If you would like a virgin Firefox setup, use the --private option. The most useful options are:
- --net=none: Disables network access for the sandboxed application. With this you could, for example, open a PDF file without giving the application any internet access.
- --private: A brand-new, virgin start of the application (in our example Firefox), as if it had just been installed.
- --private=directory: Uses the given directory as the sandbox's home; files you save there still exist after you close Firejail.
- --private-tmp: No access to the real /tmp; a fresh, empty /tmp directory is mounted instead.
- --blacklist=dirname_or_filename: Hides a specific file or directory from the application.
Let's use Firefox again as an example:
firejail --net=none firefox
Firefox without internet access.
firejail --private --dns=184.108.40.206 firefox
This starts a fresh Firefox in a sandbox, using AdGuard's family-protection DNS server.
firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
Firefox with its own network interface and a netfilter (iptables) ruleset that blocks connections to the local network.
You do not need to Firejail every app, but I recommend doing so with your browsers, email client and PDF readers.
Firejail is an absolute winner when it comes to securing your computer. Use it, learn more about it and use it even more!
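To make the options above and the file-system layout listed earlier something you can check rather than take on trust, here is a small POSIX shell script. It is an added example, not code from the Privacy Cookbook or from the Firejail project: it builds the command lines from the examples above, refuses a --private=DIR target that does not exist, and, when run inside a sandbox, reports what the sandboxed process can actually see (PID 1, visible processes, non-loopback interfaces, and whether /boot, /sbin and friends are reachable). The function names, the --report flag and the directory layout used for testing are this example's own.

```shell
#!/bin/sh
# Added example, not code from the Privacy Cookbook or the Firejail project.
# It builds the Firejail command lines discussed in the post and, when run
# inside a sandbox, reports what the sandboxed process can actually see.
# Function names, the "--report" flag and the test layout are assumptions
# of this example.

# Build a Firejail command line for one of the setups from the post.
# Usage: build_firejail_cmd <plain|nonet|private|nolocal> <app> [iface]
build_firejail_cmd() {
    app=$2
    case "$1" in
        plain)   printf 'firejail %s' "$app" ;;
        nonet)   printf 'firejail --net=none %s' "$app" ;;
        private) printf 'firejail --private %s' "$app" ;;
        nolocal) printf 'firejail --net=%s --netfilter=/etc/firejail/nolocal.net %s' \
                     "${3:-eth0}" "$app" ;;
        *)       echo "unknown setup: $1" >&2; return 1 ;;
    esac
}

# --private=DIR only makes sense for an existing directory you can write to;
# check it before launching instead of discovering the problem in Firejail.
private_dir_ok() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Number of processes visible in a /proc-style tree (default: the real /proc).
# Inside a Firejail PID namespace only the sandboxed processes are listed.
count_visible_procs() {
    n=0
    for d in "${1:-/proc}"/[0-9]*; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Number of network interfaces other than loopback in a /sys/class/net-style
# tree. With --net=none only "lo" is left, so this returns 0.
count_net_ifaces() {
    n=0
    for d in "${1:-/sys/class/net}"/*; do
        [ -e "$d" ] || continue
        [ "$(basename "$d")" = lo ] && continue
        n=$((n + 1))
    done
    echo "$n"
}

# "hidden" when a path cannot be listed (blacklisted or absent), "visible" otherwise.
path_state() {
    if ls -A "$1" >/dev/null 2>&1; then echo visible; else echo hidden; fi
}

# Run this inside the sandbox (see usage below) to compare what Firejail
# promises with what the process actually gets.
sandbox_report() {
    echo "pid 1 is:            $(cat /proc/1/comm 2>/dev/null || echo unknown)"
    echo "visible processes:   $(count_visible_procs)"
    echo "non-loopback ifaces: $(count_net_ifaces)"
    for p in /boot /sbin /usr/sbin "$HOME/.ssh" /tmp; do
        echo "$p: $(path_state "$p")"
    done
}

# Launch the application if Firejail is installed; otherwise only print the
# command, so the script is safe to run on any machine.
run_sandboxed() {
    cmd=$(build_firejail_cmd "$@") || return 1
    if command -v firejail >/dev/null 2>&1; then
        eval "$cmd"
    else
        echo "firejail not installed; would run: $cmd"
    fi
}

# Usage:  sh firejail_check.sh nonet firefox                 (launch Firefox offline)
#         firejail --net=none sh firejail_check.sh --report  (inspect the sandbox)
case "${1:-}" in
    --report) sandbox_report ;;
    "")       : ;;   # no arguments: define the functions only
    *)        run_sandboxed "$@" ;;
esac
```

Running the --report form inside `firejail --net=none` should show PID 1 as firejail, a handful of visible processes instead of the whole system, zero non-loopback interfaces, and /boot and /sbin reported as hidden; running it outside the sandbox gives the unsandboxed numbers for comparison.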
The Privacy Advocate