💾 Archived View for privacy.flounder.online › article_firejail.gmi captured on 2022-04-29 at 15:11:32. Gemini links have been rewritten to link to archived content

Sandboxing Web Browsers With Firejail

The biggest attack vector is the web browser. That's where people tend to click random links without thinking, use untrusted video streaming sites, torrent sites and whatever else, and who knows how many malicious scripts are being run in the background. That's why JavaScript should be disabled by default. However, that does not guarantee 100% security. For this reason it is recommended to use a virtual machine and/or a sandboxing program on a daily basis, because they limit and prevent the damage of malicious code.

(Please note: Having a virtual machine allows the user to "spoof" another operating system, language and timezone while browsing the internet. Thus, it is possible to hide the user's real identity from surveillance-infested sites. However, VMs may not run smoothly on old computers.)

Firejail basics

Citing Firejail's homepage, "Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. -- The sandbox is lightweight, the overhead is low. -- Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions."

Firejail can be operated via GUI and command line. According to what I have noticed among various firejailed browsers, the overhead is definitely low and user experience isn't affected. Please note that these experiences are based on traditional use, not performance stress tests. Your mileage may vary.

How to use

Firejail is widely available in the repositories of the most common Linux distros. The package is called "firejail".

Sandboxing a program:

firejail <program name>

Examples:

firejail firefox          # starting Mozilla Firefox
firejail brave            # starting Brave Browser
firejail palemoon         # starting Pale Moon

You can use custom security profiles (rules lists) for each app, just in case the default setting is not enough. Please visit e.g. Gentoo Wiki or Arch Wiki for further information about commands.

To make things easier, create firejailed browser shortcuts on the desktop or system toolbar, or create a handy alias ("jailfox", "jailmoon", etc.) to start the sandboxed program.
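
The custom profile and the launcher shortcuts described above, combined in one added example (not code from this article or from the Firejail project). It relies on the stock firefox.profile including a per-user firefox.local file; the function names, the FIREJAIL_CONF_DIR variable and the choice of extra restrictions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and FIREJAIL_CONF_DIR are hypothetical.

# Write a per-user override file. Firejail's stock firefox.profile contains
# "include firefox.local", so these lines are added on top of the defaults.
write_firefox_override() {
    conf_dir="${FIREJAIL_CONF_DIR:-$HOME/.config/firejail}"
    target="$conf_dir/firefox.local"
    mkdir -p "$conf_dir" || return 1
    if [ -e "$target" ]; then
        # Never clobber rules the user already maintains.
        echo "refusing to overwrite $target" >&2
        return 2
    fi
    (
        umask 077   # subshell keeps the umask change local
        cat > "$target" <<'EOF'
# Extra restrictions for the browser sandbox (illustrative selection)
novideo
nodvd
notv
disable-mnt
EOF
    ) || return 1
    printf '%s\n' "$target"
}

# Start a browser inside firejail, and fail closed: if firejail is missing,
# do not fall back to launching the browser unsandboxed.
jailed() {
    browser="$1"
    if [ -z "$browser" ]; then
        echo "usage: jailed <browser> [browser args]" >&2
        return 64
    fi
    shift
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail not found; not starting $browser unsandboxed" >&2
        return 127
    fi
    firejail "$browser" "$@"
}

# Short launchers in the spirit of the "jailfox"/"jailmoon" aliases.
jailfox()  { jailed firefox "$@"; }
jailmoon() { jailed palemoon "$@"; }
```

Source the file from your shell startup file to get the launchers, and run write_firefox_override once; it refuses to replace an override file that already exists.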

Conclusion

+ Easy to use

+ Custom security profiles

+ Works on older computers

____________________________

Last updated: 16.12.2021
