Skip to content

Sandboxing Binary Software

NetSysFire edited this page Jul 9, 2020 · 12 revisions

As a rule, don't install random software you find on Internet. Use this guide to install newer versions of the software you already have in your package manager, or software from sources you trust. Always grab the binary archive directly from the developer.

The proper place to install binary programs in Linux is /opt directory. The archive is unpacked as root user. The files are owned by root and cannot be altered by a regular user, or by someone taking control of one of your programs.

Some programs require the user to unpack them in /home directory. This is also fine, but the files are owned by the user and can be altered. Usually these programs auto-update themselves when new versions become available. An example is Tor browser.

After unpacking, if you are asked to run anything as root, stop immediately! This is more common for server software. Sometimes they need to create a dedicated user group, or plug themselves in the init system. For desktop programs there should be no reason to run a setup program as root after unpacking the archive. No Linux security system ever, including Firejail, is or will be able to contain a program install running as root.

Integrating the program into your desktop and sandboxing is easy. If the program is already supported by Firejail, the sandbox will pick the right profile from /etc/firejail directory. If the program is not supported yet, the sandbox will use the default profile. The default profile (/etc/firejail/default.profile) is very permissive. For some programs we had to relax the profile rules and remove some of the default features in order to get the program running.

Follow the steps described for Firefox for a /opt install and Tor Browser for a /home install. We also have an AppImage example in Kdenlive. For a command-line application check youtube-dl.

If you install software by yourself and not with a package-manager, you need to update the software. To have the actual security-patches installed is even more important for a secure system than sandboxing and hardening.

 

Applications

  1. Mozilla Firefox
  2. Tor Browser
  3. Kdenlive
  4. youtube-dl
 

Hint: See Wiki: Profiles for Firejail's paths.

Mozilla Firefox (/opt install)

  1. Download the latest version of Firefox from https://www.mozilla.org/en-US/firefox/new/

  2. Unpack the archive in /opt:

$ su
# cd /opt
# tar -xvf firefox-67.0.tar.bz2
  1. Create a desktop file in ~/Desktop directory. This is the content of the file:
$ cat ~/Desktop/firefox.desktop
[Desktop Entry]
Name=Firefox
Exec=firejail firefox --no-remote
Icon=/opt/firefox/browser/chrome/icons/default/default48.png
Terminal=false
Type=Application

To start the browser click on the new desktop icon.

 

Tor Browser (/home install)

The archive distributed by Tor project is structured as a self-contained system, similar to portable-apps on Windows. Unpack the archive in your home directory. If you install it in /opt as root, the browser won't run. The program will auto-update when a new version becomes available.

  1. Download the latest archive from https://www.torproject.org/download/

  2. Unpack the archive in your home directory

$ cd ~
$ tar -xvf tor-browser-linux64-8.5.1_en-US.tar.xz
  1. Create a desktop file in ~/Desktop directory. This is the content of the file:
$ cat ~/Desktop/tor.desktop
[Desktop Entry]
Name=Tor
Exec=firejail --private=~/tor-browser_en-US ./start-tor-browser.desktop
Icon=/home/username/tor-browser_en-US/Browser/browser/chrome/icons/default/default48.png
Terminal=false
Type=Application

Replace username with your current user name on Icon line above.

~/tor-browser_en-US directory acts as your new home directory inside the sandbox. To start the browser click on the new desktop icon.

 

Kdenlive (appimage)

The Kdenlive video editor is distributed by the developers in the AppImage format. Download the archive, move it to /opt and build a desktop file.

  1. Download the latest Kdenlive stable version in appimage format from https://kdenlive.org/en/download/

  2. Copy the file in /opt directory

$ sudo cp ~/bin/Kdenlive-17.12.0d-x86_64.AppImage /opt/.
  1. Create a desktop file in ~/Desktop directory. This is the content of the file:
$ cat ~/Desktop/kdenlive.desktop
[Desktop Entry]
Name=Kdenlive
Exec=firejail --profile=/etc/firejail/kdenlive.profile --appimage /opt/Kdenlive-17.12.0d-x86_64.AppImage
Terminal=false
Type=Application
Icon=/opt/kdenlive-icon.png

Drop an icon for the program in /opt or any other directory. The official Kdenlive icon is here: https://github.com/KDE/kdenlive/blob/master/data/icons/128-apps-kdenlive.png

 

youtube-dl (command-line program)

youtube-dl is a command-line program to download videos from YouTube.com and few other sites. Google changes YouTube quite often, breaking youtube-dl application. A few days later, the youtube-dl developers release a new version. You are interested in downloading "youtube-dl" file from the release page:

 

 
  1. Uninstall youtube-dl version supplied by your distribution (on Debian: sudo apt-get purge youtube-dl)
  2. Download the latest youtube-dl file as explained above
  3. Copy the downloaded file in /usr/bin
$ su
# cp youtube-dl /usr/bin/.
# chmod +x /usr/bin/youtube-dl
  1. Reconfigure Firejail
$ sudo firecfg