How to sandbox using Firejail

From PeerFreedom Wiki

The goal of this tutorial is to provide a way to fully sandbox any program on Debian. The application should be fully chrooted and run in a separate X server.

Prerequisites

Enable the backports repository and make sure that AppArmor is enabled.

Installation

# apt-get -t buster-backports install firejail firejail-profiles xserver-xephyr firetools openbox debootstrap
# apparmor_parser -r /etc/apparmor.d/firejail-default

Preparing chroot dirs

# mkdir /chroot1
# mkdir /chroot2
# mkdir /chroot3
# mkdir -p /foo/bar
etc.

# debootstrap --arch=amd64 buster /chroot1
# debootstrap --arch=amd64 buster /chroot2
# debootstrap --arch=amd64 buster /chroot3
# debootstrap --arch=amd64 buster /foo/bar
etc.

# firejail --noprofile --chroot=/chroot1
# adduser <your_user_name_here>
# apt-get update
# apt-get install openbox <application1_you_wish_to_run_in_chroot1> <application2> ...
# exit

# firejail --noprofile --chroot=/chroot2
# adduser <your_user_name_here>
# apt-get install openbox <application1_you_wish_to_run_in_chroot2> <application2> ...
# exit

and so on

Running example application

$ firejail --x11=xephyr --apparmor --chroot=/chroot1 openbox

$ firemon --x11
7299:<username>::firejail --apparmor --chroot=/chroot1 openbox
  DISPLAY :756

$ DISPLAY=:756 firejail --apparmor --chroot=/chroot1 firefox
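
The manual lookup above (read the display number from firemon --x11, then pass it as DISPLAY) can be scripted. The following is an added example, not part of the original wiki page; the helper names display_for_chroot and run_in_sandbox, the user alice and the second sandbox in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): reuse the Xephyr display of a running sandbox.

# Constructed sample of `firemon --x11` output, in the layout shown on this page.
# "alice" and the second sandbox are made up for illustration.
SAMPLE_FIREMON='7299:alice::firejail --apparmor --chroot=/chroot1 openbox
  DISPLAY :756
7412:alice::firejail --apparmor --chroot=/chroot10 openbox
  DISPLAY :801'

# display_for_chroot CHROOT_DIR  (hypothetical helper; reads `firemon --x11` output on stdin)
# Prints the DISPLAY of the sandbox started with --chroot=CHROOT_DIR; exit status 1 if none.
display_for_chroot() {
    awk -v want="--chroot=$1" '
        /^[0-9]+:/ {                      # header line: PID:user:name:command
            hit = 0
            n = split($0, w, /[ \t]+/)
            for (i = 1; i <= n; i++)      # exact token match, so /chroot1 != /chroot10
                if (w[i] == want) hit = 1
            next
        }
        hit && $1 == "DISPLAY" && $2 ~ /^:[0-9]+$/ { print $2; found = 1; exit }
        END { exit !found }
    '
}

# run_in_sandbox CHROOT_DIR COMMAND [ARGS...]  (hypothetical helper)
run_in_sandbox() {
    chroot_dir=$1; shift
    display=$(firemon --x11 | display_for_chroot "$chroot_dir") || {
        echo "no Xephyr sandbox running for $chroot_dir; start openbox first" >&2
        return 1
    }
    # Same options as the manual command: keep --apparmor and --chroot so the
    # application gets the same confinement as the window manager.
    DISPLAY="$display" firejail --apparmor --chroot="$chroot_dir" "$@"
}

case "${1:-}" in
    --selftest) printf '%s\n' "$SAMPLE_FIREMON" | display_for_chroot /chroot1 ;;
    "") ;;                                # no arguments: define the functions only
    *) run_in_sandbox "$@" ;;
esac
```

Saved as a script, it is called with the chroot directory followed by the application, for example /chroot1 firefox.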

FAQ

Q: I get an error when I try to run apt-get update:

W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

A: The permissions of the chroot directory were changed. Restore them.

Q: How to change resolution of Xephyr?

A: Set xephyr-screen WidthxHeight in /etc/firejail/firejail.config on the host, where Width and Height are in pixels and are based on your screen resolution.


Q: I get the following error:

Openbox-Message: A window manager is already running on screen 0
Parent is shutting down, bye...

The output may also mention xpra, e.g.:

...
2019-11-19 15:10:08,744 xpra is ready.
2019-11-19 15:10:08,750 15.6GB of system memory
*** Attaching to xpra display ... ***
...

A: It is important to use --x11=xephyr (as seen in firejail --help). In the output above, firejail was trying to use Xpra instead of Xephyr.

See also