For those running Chrome on Linux, there is a nifty program called firejail. This program effectively sandboxes Chrome with minimal to zero overhead, since it uses namespaces and other Linux kernel-specific security features. Firejail often comes with its own profile defined for Chrome. All that is needed is to run firecfg.
The advantage of the program is that you can isolate specific folders from Chrome. You can even isolate it on its own network interface, with its own hosts file, in its own small system without a sound card or without a webcam.
Yeah, but you're not sandboxing your applications anyway. Right now, any program can read Firefox's database, or otherwise edit any of your files. Once they can edit your files, they can probably find a way to run a keylogger, Wayland be damned.
You know what stops that? Proper sandboxing, like firejail.
Firejail can also spawn a unique, sandboxed, X session for each app/window. Or it can not do that for programs like your screenshot tool.
In order to get that security, you'd need to use linux namespace sandboxes, and good tooling for managing those sandboxes already sandbox x11...
Under wayland it would, admittedly, be a bit faster. But the only reason I can see to do a rewrite like this is to entrench some good solid standards into place, or to implement locked down set top boxes.
You should be paranoid about clicking links anywhere. To ease that paranoia, try connecting to a VPN. Further from that, you can use the Tor browser, or the GhostNET script to route all your connection through the onion network. Furthermore, you can run your browser in a sandbox such as Firejail and the process will not have access to the important parts of your system.
> Managing which directories and files a program can access.
Use firejail. It comes with profiles for many programs, some sensible defaults, and you can create your own profiles.
Get the firejail sandbox if you are on Linux. https://firejail.wordpress.com/
It's very easy to use.
Although that might be a different type of sandboxing; one that sandboxes all of Firefox, not parts of it.
Hmm, I'd suggest reading about firejail if you aren't familiar with it already. The documentation includes everything you need to know for configuring it.
Then, it's just a matter of creating a new user to run under (mine is named "wino"), starting a new (nested) X server window (I use xephyr) as the "wine user" and starting app+wine through firejail with a profile configured.
Edit: Damn! I just remembered that Firejail added support for X11 recently, and that I haven't yet read up on how to use it. That would simplify my current setup a bit.
Edit2: Hell yea, this makes it MUCH easier to run X11 apps in a sandbox. Great work firejail team!
both snaps and flatpak sux. if u r open minded then visit https://flatkill.org/
Also just use tar. It's much better as it gets delta updates, meaning u only download what is changed instead of downloading the entire package again.
If u are worried about security use firejail. If you want to use a package which is not in your distro's repo then use docker/podman, lxc or systemd-nspawn.
Firejail on linux uses “restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.”
It has profiles for most applications and has a very small memory footprint.
https://firejail.wordpress.com/
> Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
It is essentially a helper to sandbox other programs. E.g. if there is a bug in Spotify that allows some shady third party to read random files, then they only see a pristine /home/YOUR_NAME directory, a mostly empty /etc, and so on. Spotify embeds Google ads, and we don't know if bugs in the embedded (most likely) WebKit are timely fixed, so running Spotify in a firejail is a good idea.
In Debian firejail can be directly installed through the default repos. I guess in Arch and other major distros, too.
While it is not a completely perfect security solution, running programs within Firejails is a relatively easy and painless way to add an extra degree of security to your desktop system. There is a GUI app to help with them as well, firetools. Both are available in the community repo, but I recommend reading the wiki page as well as the documentation to understand them better.
First of all, Firejail does enforce comprehensive sandboxing without AppArmor. In order to achieve that it uses various technologies available in the Linux kernel, primarily:
See for details https://firejail.wordpress.com/documentation-2/firefox-guide/ and https://firejail.wordpress.com/documentation-2/basic-usage/#kernel
Right now Firejail offers 1064 profiles, and 605 of them contain the apparmor switch. In those cases the /etc/apparmor.d/firejail-default AppArmor profile is used as well which provides some additional protection, e.g. some rules to "Allow running programs only from well-known system directories." Precondition is that AppArmor is installed and enabled on your system (which I recommend). However, it is optional - even without AppArmor Firejail offers strong sandboxing.
Firejail is a nice and relatively easy to use sandboxing tool. I would recommend using the private mode for browsers, though. It creates a temporary file system so malware is even further restricted from accessing the system. By default this temp file system is reset every time you open and close the app, but you may want to make it persistent with --private=directory.
In addition to that, firejail has a lot of predefined profiles for many applications.
Look in /etc/firejail if your application is supported, and run it with firejail --profile=application.profile path/to/application.
It will block access to unnecessary directories, networks, devices and capabilities.
You can also customize the default profiles, or create new ones.
You leverage Linux kernel features such as network and filesystem namespaces.
Tools like Firejail are a nice way for achieving what you want in a user-friendly way.
https://firejail.wordpress.com/
An extreme might be to containerize your application entirely, but that is more trouble than it's worth.
Most ransomware doesn't get root/administrator access; it just encrypts your personal (non-root) data. So, it can't encrypt other partitions as that would also require root.
Tips for safer browsing:
I forgot about the Firejail as I've used it by default for a long time. My bad! Here's a link to Firejail if anyone is interested. It works great for web browsers too! https://firejail.wordpress.com/
nspawn is great but aren't even its authors warning that it's a process management solution, not a security measure? I remember a caveat like that from when I investigated container solutions a while back.
Another container solution geared towards user facing apps: https://firejail.wordpress.com/
I recommend firejail in this case. It was made to isolate programs from seeing its surrounding system. It has plenty of options, and I'm pretty sure it can be set up to isolate Skype so it is unable to do shady stuff. There might even already exist a profile for it.
ctrl + f firejail didn't show any results, so I guess it's somewhat obscure?
Note: it will break pulseaudio unless you take precautions.
Firejail for most applications.
As a general rule, if an application has internet access it does not have filesystem access, and vice versa. This way, malware coming from the browser, email client, messaging client... cannot touch (or even see) my files.
It sounds like your real goal is to prevent malware running as a given user from overwriting files belonging to that user (what ransomware would do). The user separation system implemented in Linux is not designed to handle this case, but there are alternative ways.
You can use firejail to run your applications in sandbox environments where you blacklist / whitelist directories, devices and other resources.
For instance, my browser (one of the main attack vectors on a desktop) only has access to ~/Downloads, so any malware that takes control of it cannot even see my files in ~/Documents and other directories.
As another example, I only whitelist network access to applications that actually need it (browser, email, messaging), and anything else cannot even see a network interface (games, image editors, music players, development tools...).
Disallowing encryption entirely as you ask is just impossible. If malware managed to get executed on your system, it does not need to use any encryption API exposed by your system. It can implement encryption algorithms itself, and most likely all existing malware already does.
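The "network access or home access, never both" rule described in the answer above, turned into a small audit of firejail profile files. This is an added example, not code from the thread or from the firejail project; the profile texts are constructed, and only a subset of firejail's profile directives (include, net none, whitelist, private) is interpreted.

```python
"""Audit firejail profiles for the rule described above:
an application may have network access or broad home access, never both."""
import re

# Constructed sample profiles standing in for /etc/firejail (not firejail's
# own shipped profiles), so the script runs offline.
SAMPLE_PROFILES = {
    "home-lockdown.inc": """\
# shared fragment: hide everything in $HOME except Downloads
whitelist ${DOWNLOADS}
private-dev
""",
    "browser.profile": """\
# network allowed, home restricted -> compliant
include home-lockdown.inc
protocol unix,inet,inet6
seccomp
""",
    "imageeditor.profile": """\
# no network at all, full home access -> compliant
net none
seccomp
""",
    "chat.profile": """\
# network AND unrestricted home -> violates the rule
protocol unix,inet,inet6
seccomp
""",
    "loop.profile": """\
# includes itself; the parser must not recurse forever
include loop.profile
""",
}

# Directives that hide $HOME contents from the sandboxed process:
# 'whitelist' exposes only the listed paths, 'private' swaps in a fresh
# (or user-chosen) home directory. Other directives are ignored here.
HOME_HIDING = {"whitelist", "private"}

# keyword, then whitespace or '=' (as in 'private=~/jail'), then arguments
DIRECTIVE = re.compile(r"([^\s=]+)[\s=]*(.*)")


def parse_profile(name, store, _seen=None):
    """Return (keyword, argument) pairs for a profile, following 'include'.

    Comments and blank lines are dropped; a missing include yields nothing
    and an include cycle is cut, so a malformed profile cannot hang the audit.
    """
    seen = set() if _seen is None else _seen
    if name in seen:
        return []
    seen.add(name)
    directives = []
    for raw in store.get(name, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, arg = DIRECTIVE.match(line).groups()
        if keyword == "include":
            directives.extend(parse_profile(arg.strip(), store, seen))
        else:
            directives.append((keyword, arg.strip()))
    return directives


def audit(name, store):
    """Classify one profile: does it allow network, does it hide $HOME."""
    directives = parse_profile(name, store)
    network = ("net", "none") not in directives   # no 'net none' => networked
    home_hidden = any(k in HOME_HIDING for k, _ in directives)
    return {
        "profile": name,
        "network": network,
        "home_hidden": home_hidden,
        "compliant": (not network) or home_hidden,
    }


def find_violations(store):
    """Names of *.profile entries that are networked and still see $HOME."""
    return sorted(n for n in store
                  if n.endswith(".profile") and not audit(n, store)["compliant"])


if __name__ == "__main__":
    for profile in sorted(SAMPLE_PROFILES):
        if profile.endswith(".profile"):
            print(audit(profile, SAMPLE_PROFILES))
    print("violations:", find_violations(SAMPLE_PROFILES))
```

To run it against a real installation, replace SAMPLE_PROFILES with a dict built by reading the files under /etc/firejail.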
perhaps use firejail. https://firejail.wordpress.com/documentation-2/basic-usage/#networking
as far as i know the 'opensnitch' tool is not being maintained any more, (unless that has changed recently)
I picked up a Walmart $300 CAD Acer ($200 USD) and immediately put linux on it.
Then I installed Firejail and Zoom.
Then I use the command
firejail zoom
This puts everything in a somewhat protected "sandbox".
Info here - https://firejail.wordpress.com/
and more info here - https://sourceforge.net/projects/firejail/
this might be overkill or too expensive, but it really lets me keep my real work PC separate from apps I am asked to use but really dislike.
I agree, in general. We need better mechanisms for trusting and sandboxing native apps.
That said, firewalling an app on Linux is not too hard: Firejail is all it takes:
firejail potrace ...
But remembering to do that consistently is the hard part.
Edit: Also snap and flatpak have the ability to grant/revoke permissions to apps.
Wow. The amount of people answering to your question without having a fucking clue what you are trying to achieve is astonishing.
Here's the gist of your issue: You need a window manager to be able to maximize/minimize windows. Since you're running tor-browser in a separate X11-server, your normal wm can't control the windows inside it. You could use something lightweight like openbox (as suggested in the firejail documentation https://firejail.wordpress.com/documentation-2/x11-guide/#configurexephyr). To start the browser maximized you'd have to check whether your chosen wm has any easy options for doing that or use some tool. Here are two threads that might help you in that regard: https://askubuntu.com/questions/53646/how-do-i-make-firefox-start-always-maximized https://askubuntu.com/questions/27826/how-to-configure-my-system-so-that-all-windows-start-maximized
Short answer is no. Qubes is highly customized to be the best at what it does.
However, an easy and quick risk mitigation is using firejail. Of course you can use conventional VM software as well.
IMO not really, I prefer the firejail way. btw I forgot to provide the link to the firejail project https://firejail.wordpress.com
To put it simply, firejail isolates apps and limits access to your home and root directory; for example, a particular app can only access /home/username/Downloads, etc.
Actually there's a "safe" way by using i2p, but this method is less popular, thus fewer people use it, which means that fewer "collections" are available. i2p is similar to tor, but you can torrent inside the i2p network (separate from public torrents).
Again, this by no means will provide you full protection, nothing is fully secure, but we can reduce the risk by taking measures. And as a side note, a VPN does not really protect your identity.
Not sure what to say, check the CVEs https://firejail.wordpress.com/download-2/cve-status/, at least one of them resulted in a privilege escalation to root if firejail is installed.
If you follow the commit history and look at the code, you will notice that there are many potential issues that are unfixed or fixed without a CVE.
> P.S. What prompted me this question was that X11 sandboxing in Firejail required xpra-winswitch and I can't seem to build its AUR dependencies--I'm curious if anyone actually got it on their system.
You can use Xephyr. It works perfectly fine with X11 sandboxing in firejail.
The Linux kernel has several namespacing features that make it possible to sandbox applications like that. There are a number of tools that use those, e.g. Firejail. There's also Docker, but that's more for servers.
> I’m a noob. How do I protect my system?
Use firejail or other sandboxing solutions.
Everyone is going to tell you "do not use root!!!" (using far too many exclamation marks) but that does not help you. Your "limited" user has access to your entire documents, pictures, private keys, saved online accounts, and all your personal data. Root does not really do much more than that.
And when everything fails, restore your system and data from backups. Pay attention: you want to restore, not to backup. If you do not make sure you can restore a backup, that backup does not exist.
Following up here, I still have this issue after completely purging Firefox (including ~/.mozilla/firefox/ and the .desktop). With a completely stock reinstall after rebooting, the problem persists; when a Firefox window is open, all of the following result in the original error about an instance already running:
firefox
firefox --new-window
firefox --private-window
I do use Firejail (unrelated to Firefox: https://firejail.wordpress.com/), but always have and it's never been an issue with browser instances in the past. I've confirmed there's no interference by running the non-firejailed binary directly with /bin/firefox
I'm at a loss as to what's happening here or how to debug this. It's annoying to the point that I'm close to switching browsers. All suggestions welcome. Thank you!
Qubes will be a heavy lift as your daily driver -- not just slowness, but usability, even for someone who codes for a living.
That said: what's your threat model for privacy? If you're aiming to avoid work seeing your personal stuff, you likely can try something like multiple accounts if it's an installed work app situation, or in a browser using something like Firefox Containers, or Firejail. Those would get you much of the isolation from non-directed "attacks" without having to spend the time/energy making Qubes work for you properly.
To be frank if I only need 1-2 programs and I don't want to download a wholly separate package manager just to use them, I'll gladly go to an AppImage. Better have 1-2 files than a whole system that I don't need.
As for your other points:
AppImages are distro-agnostic by design, just like Flatpaks and Snaps, the dependencies are all bundled so you can run them from any distro - that's literally the concept of "distro-agnostic", so they are all comparable to each other as they do the exact same thing
Type 2 AppImages can handle updates with AppImageUpdate
You can run AppImages inside Firejail like any other program
As to whether one is "superior" than the other, that's plain opinion, there's no "superior" format. If you want to go really deep about it, then we just circle back to your traditional package managers (APT, Pacman, DNF, etc.), or compiling from source if we're willing to go that deep.
Isolate your applications with firejail or another sandbox solution.
Remember that by default every application you run with your user has unconfined access to your entire home directory, and also to most system resources. Sandboxes fix that: now your browser will not be able to read or modify anything outside your download directory, and you can prevent individual applications from accessing the network.
Firejail lets you get pretty granular in terms of permissions you give to applications, including network namespacing. You can set up per-app permissions and also integrate it with your desktop.
There's also the option of creating containers if you'd like to get a little more hands-on with things.
I just want to add that it might be even better to use firejail with cgroup, since firejail will also put all processes of Firefox inside a namespace to further limit what they can do to your system.
if you install a program via apt, or snap - it will be system wide.
Flatpak - has an option to allow installing programs system wide, or on a per user basis.
and zoom has a flatpak package
https://flathub.org/apps/details/us.zoom.Zoom
flatpaks also have some sandboxing features (i rarely use flatpaks so can't really say more on the topic)
zoom also has an appimage version https://appimage.github.io/Zoom/
the flatpak, or appimage, could be limited to a specific user.
You could use firejail with the appimage version - if you wanted to try to lock it down more --> https://firejail.wordpress.com/documentation-2/appimage-support/
Firejail is a sandboxing system for Linux. Basically it can keep any program in a safe "sandbox" without contact with rest of your system or network. The exact behavior can be further tuned (system access, network access etc)
Firejail can be installed via package manager:
apt install firejail
Before the next step, make sure that zoom is installed in your system. To configure firejail, type in the command line:
firecfg
This will create symlinks for applications in your system, which will now use the sandbox. Now, if you type zoom in the terminal, it will be launched in a safe, sandboxed mode. To check what programs are currently run in the sandbox, type firejail --list
More info and tutorials can be found at the firejail homepage: https://firejail.wordpress.com/
Look here.
Having said that, I just installed firejail, then started zoom via firejail zoom in the terminal. There is already a profile for firejail that seems to work. There is also a ppa for firejail you can install to get the most up to date version with other profiles.
I used this for 6 months, but then moved to the snap as it autoupdates Zoom and provides sandboxing.
Both work well and provide the normal Zoom client.
Beside what others have said, personally I think one of the most annoying problems of ubuntu is updating (not just ubuntu tbh, many point-release distros like Fedora have this problem too). I'm not talking about regular updates like apt upgrade, but do-release-upgrade. It's quite unstable.
I've been an ubuntu user for a relatively long time and I never updated from one major release to another via do-release-upgrade. But you can see many people in the forums and askubuntu.com that have had many problems with upgrading ubuntu.
I personally prefer a rolling-release distro like Arch or Manjaro. And by the way you can use Snapd on any distro. It's not tied to ubuntu whatsoever.
And Canonical have done many things to make linux better, like the Unity desktop environment (forget about that Amazon stuff, it was just a tiny module) and snap, but to be honest no vanilla linux distribution is as secure as it should be. No application sandboxing is being used extensively in any distro. Snap and flatpaks can just secure their own apps, not all the applications in your system.
Linux has many subsystems and security modules that can make it the most secure desktop OS, but I wonder why almost none of them is being used by default.
If you want to read more about them,take a look at AppArmor and Firejail
Why not flathub.. Appimages are more secure..
They are not strictly self-contained like appimages and have complete access to your /home/$USER directory.
On Ubuntu 18.04 however...
$ apt show firejail
Package: firejail
Version: 0.9.52-2
Priority: optional
Section: universe/utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <>
Original-Maintainer: Reiner Herrmann <>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 866 kB
Depends: libapparmor1 (>= 2.6~devel), libc6 (>= 2.15)
Recommends: firejail-profiles, iptables, xauth, xpra | xserver-xephyr | xvfb
Homepage: https://firejail.wordpress.com
Download-Size: 252 kB
APT-Sources: http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
Description: sandbox to restrict the application environment
 Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
> I have heard of apps like docker to run containers but not running apps individually. How can you run a app in a container?
Basically as stated you run the application in a container with its dependencies.
I believe firejail is more suited for this specific purpose, although it works similar to docker:
https://firejail.wordpress.com/
https://www.reddit.com/r/linux/comments/4wfzsx/sandboxing_chrome_with_firejail/
Viruses can be delivered through exploitation of legitimate applications, browsers and PDF readers for example. Once they get in, they could easily steal your documents, website passwords and SSH keys, even if root permission isn't possible.
IMO sandboxes such as firejail are much more useful than AV, to protect against future and unknown exploits by restricting what a program can do - for example the filesystem (virtual) seen by a browser could be limited to the download folder, and unable to discover or affect any other process run by the same user.
Using a hosts file actually slows down your traffic, so you might not want that. There are blockers like PiHole or PfSense firewalls, which do a better job, albeit on another device.
I am experimenting with Firejail, a Linux sandbox program. It works well with pretty much anything you throw it at. The documentation is well worth a read and you can just “sudo dnf install firejail.” https://firejail.wordpress.com/
Virtualization is good if you need separation. For example, I do all of my work-related activities in a virtual machine. Your choice between virt-manager or VirtualBox. Gnome Boxes does not have as much customization as virt-manager does.
I don’t know which version of Fedora you are running, but Andrew Ziem, the lead dev of Bleachbit, uploaded RPM files to OpenSUSE’s repos, so you could follow the instructions there to install it. In regards to Veracrypt, just verify the download. Veracrypt is only in the Arch Linux repos last I checked. You do need to check for updates, but IDRIX only seems to update it once a year. https://software.opensuse.org/download/package?package=bleachbit&project=home%3Aandrew_z
ClamAV is fine if you think you need it, but most people shouldn’t. It’s just to stop you from redistributing Windows viruses or known Linux threats. Shouldn’t be a problem if you stick with main repos.
Firewalld for Fedora Workstation has defaults good enough for most end users. People are always complaining about SELinux not letting them do things like port scanning, so don’t worry about blocking protocols, just allow what you need. Don’t turn SELinux off.
I updated the post with some more links. They are mostly from the Arch wiki, but should be applicable to other distributions, too (my setup is somewhat similar to those used by Qubes OS laptop vendors).
As for Wayland, I just find it more efficient and smooth (although some of that feeling may be entirely due to the placebo effect), especially with Firefox (after enabling WebRender and dma-buf support). Another benefit is that keylogging and spying on your screen is much more difficult on Wayland than on X11 (although you should sandbox Wayland-native applications to restrict access to the XWayland socket, otherwise this can be circumvented).
It should:
https://firejail.wordpress.com/documentation-2/firefox-guide/
Also if you use different Firejail setups for sensitive, trusted and untrusted browsing, malicious software / add-ons that get installed in the untrusted profile can't affect your other browser setups.
A default setup on most distros wouldn't prevent the things you describe. An application run by you (i.e. as your user) will have access to all the files you have access to (your home, for example) and I believe all X applications can access each others' contents and also any input (keystrokes etc.).
Wayland (the espoused next-gen graphical layer for Linux) has a more robust/intrusive (depends how you feel about it) security model, more like what you describe on iOS and Android where, by default, nothing has access to anything and permissions have to be given.
If you run on Intel or AMD graphics and use one of the big DEs (or Sway) then Wayland's a viable option.
Linux has lots of tools for mitigating the sort of threats you describe, though. I'll list a few.
User accounts. The simplest/most straightforward way to deal with this since you're just using what's already there. Make separate user accounts for untrusted software.
Light sandboxing like Firejail. Not hugely robust and arguably causes as many problems as it solves but possibly enough to mitigate mild paranoia.
SELinux. A robust access-control frameworky thing. I've not used it so can't say much but my understanding is that it's very good at what it does.
Containerisation. There are various technologies for doing this, the only one I've played with much is Systemd's nspawn containers. Things running in a container are essentially running on a different machine and only see what you let them see. I wrote a guide to running Steam in an nspawn container a while back - no doubt a bit out of date by now. If you follow my guide you probably won't want to pass stuff through to the container as liberally as I was - I was more concerned with convenience than security. Also I'm by no means an expert so do your own research too if you go down this route.
I run etcher, and I think it asks for the sudo password right before it images the iso to the USB. I don't recall needing to run it via sudo.
firejail does have appimage support, but i have never used it.
https://firejail.wordpress.com/documentation-2/appimage-support/
If you're on Linux, you can open a browser in a sandbox with different dns settings with firejail and open Google Analytics panel there.
firejail --dns=8.8.8.8 firefox
For OS X or Windows there may be sandboxing applications with a similar feature.
probably because they installed the one in the ubuntu LTS base, you should instead download and install from the official website to get something recent. try their LTS version, if you have issues use their current version instead.
i'm using it without problems, for browser. if you want to watch netflix etc too, you may or may not get issues, i personally just use separate firefox profiles (for other reasons) so that would not affect me.
> I'd like to install firejail for obvious security reasons, but it requires a truly incredible 150+ dependencies from seemingly random sources. This includes installing a complete X server among all sorts of other garbage.
This is understandable -- your server environment doesn't have any GUI or X windows components, but firejail requires that environment to do what it was designed to do.
> This includes installing a complete X server among all sorts of other garbage.
In online reading I see that firetools is the GUI user interface for firejail, but the latter's purpose, its role, is to sandbox desktop applications. Because of its intended use it cannot be a command-line application without any graphical components, because it's designed to interact with desktop applications.
What I do is (ab)use firejail to do something very close to this...
firejail --overlay-tmpfs firefox -P kiosk --no-remote https://youtube.com
That way you can have a profile with essential addons / settings (I can't live without ublock and tridactyl) and get the ephemeral behavior of a temp session :)
My kiosk profile for example looks like this. I use it for an electron-like experience with webapps like youtube/whatsapp/etc.
>1.2 What is SUID, and how does it affect me? SUID (Set owner User ID upon execution) is a special type of file permissions. Most programs running on your computer inherit access permissions from the user logged in. SUID allows the program to run as root, rather than the user who started the program.
>We use this Linux feature to start the sandbox, since most kernel technologies involved in sandboxing require root access. Once the sandbox is installed, root permissions are dropped, and the real program is started with regular user permissions. For example in the case of a Firefox browser, we start the sandbox as root, drop privileges, then we start the browser as a regular user.
>SUID programs are considered dangerous on multiuser systems. It is not a great idea to install Firejail on such systems. If you have a server full of people logging in over SSH, forget about it!
https://firejail.wordpress.com/documentation-2/basic-usage/#suid
I did do my masters thesis on top of this tech. Just saying.
Is this for a guest account / public computer, given you're looking at Deep Freeze? If so, I set something similar up for a public shelter a few years back.
This is very hackish, but it's tried and tested under fire:
When done correctly, the entire guest account is wiped and restored to a known good state on reboot. Since you set up a new account, the tarball shouldn't be very large and the extraction at boot shouldn't cause that much of a slowdown.
This doesn't offer 100% protection, but really nothing does (including VMs). Most malware or bad actors under Linux are restricted to screwing around with things in the user's $HOME (provided the user doesn't have root permission or in a group like wheel).
That said, perhaps firejail might be the simplest solution for better than nothing browser security.
I found the sandboxes! in case you're interested. No they're NOT the default anywhere as Ubuntu is pushing snap (firejail is much easier for existing systems IMO).
The basic mechanism exists as seccomp in kernel (old stuff nobody ever touched), but video and audio need special support to prevent, for example, the browser you run in your account from recording the voice in skype under the same user account, which is beyond kernel's capabilities as pulseaudio is user-space service.
All 3 are much superior to Android's uid per app approach, in that you can restrict apps from accessing unrelated folders and files (ex: from the firefox exploit that uploads your bash history, that actually happened).
Firejail does something similar. It wraps Firefox in a container with the option of relocating the home and /tmp directories. My Firefox home dir is at ~/firejail/web, but Firefox thinks it's at ~.
It has a number of other security features like X11 isolation, disabled root, blacklisting/whitelisting dirs/files, interop with SELinux/AppArmor, etc. It can be used for any process you want to lock down. The only bad thing is that it's a suid executable which brings some risk. Also, SELinux can give you similar security but it's not as easy to use.
> How easy is it to isolate a container for the common layman, like someone who has been classically trained with 5.25" floppies of lotus 1-2-3? And learned turbopascal briefly.
Would depend on the platform you use. For my purposes, I’ve come to appreciate Firejail: https://firejail.wordpress.com/
As others have said, Mint (w/Cinnamon). I think it comes with AppArmor.
The best way to be secure on Linux is to always keep all your software up to date.
For extra security, you can sandbox your Internet apps with firejail and use firecfg to auto-configure it.
So am I haha!
Oh, those patches are for the Thinkpad's embedded controller, so since Coreboot doesn't touch that (no open-source replacement for the EC unfortunately), the mods work with Coreboot installed! I can confirm this through personal experience, my Fn keys work fine both before and after coreboot flashing. The firmware-flash that gives your keyboard near-100% functionality also includes patches that remove the battery whitelist and a few other things, but they are disabled by default!
Speaking of which, I'm starting to think that my keyboard's post-Coreboot quirks may have been more related to Windows drivers, since my T430 was doing the exact same thing before I updated my keyboard drivers. I'll reinstall Windows on it and troubleshoot to check!
Yeah, PM me! These are difficult waters to go through alone, and hopefully we can learn together!
Yeah, Wayland lacks the support for things I'd like to have in my system, so I don't particularly want to make the jump. I haven't checked it out, but Firejail looks really promising for implementing sandboxing in X for specific applications!
Arch is really nice for being able to build your system, but honestly, in my opinion, all Linux distros end up kind of being the same. Yeah, they have different package managers and repos and different quirks, but overall you'll have a pretty similar experience across distros once you set up your DE/WM and get all your usual programs. If you like Xubuntu, keep using Xubuntu!
I personally love Parabola, though. Their beginner guides taught me a lot about Linux, more than Arch's wiki did!
Official site or official site/apt? Because if you did the first, you should read this.
Malware and data collection is also a browser issue. Primarily, even.
You should look at installing firejail, and use firejail-sandboxed programs when doing Internet stuff. Firefox and qBittorrent can be launched with firejail.
I agree but if you want to be secure there's no way around it. A lot of tools out there will make it easier to deploy and maintain such a setup, for example Firejail with its security profiles https://firejail.wordpress.com/features-3/
The Flatpak/Snappy runtimes provide a basic set of dependencies, shared across all packages - not sandboxing. With nix-bundle, the "runtime" is effectively included with the package. That obviously has the downside of making the individual packages larger, but you don't have to install anything on your system to be able to run nix-bundles. A nix-bundle is an executable, self-extracting archive - all you have to do is ./mybundle.
It requires CAP_SYS_USER_NS, so I think it does namespace sandboxing (?). There is always the option of using firejail.
Nix-bundle in its current state looks to be more of a proof-of-concept, but it's definitely a cool idea and I would love to see more work put into it. Nix is awesome for defining and building runtime environments for bundling applications.
Any error messages when you launch FF in Terminal (firejail firefox)?
I used to have a warning message about download folder, but it didn't cause any problems. I made the message vanish after editing the ~/.config/user-dirs.dirs file and changing XDG_DOWNLOAD_DIR="$HOME/" to XDG_DOWNLOAD_DIR="$HOME/Downloads". Insert your actual downloads folder name.
Another thing. Old firejail has been compromised recently. Uninstall it and download a new version https://firejail.wordpress.com/download-2/ and install it.
Yet another approach if the above fail. Backup your ~/.mozilla folder just in case. Then refresh your Firefox. In the address bar type: about:support
and in the upper right corner click Refresh Firefox button. You won't lose your browsing history or saved passwords or bookmarks. But you'll lose all your addons and you'll need to reinstall them.
As for Steam on Linux please check https://firejail.wordpress.com/. I do not know if this will work though, never used Steam.
As for Windows 10 you may encrypt your Linux partitions, they may be able to modify and compromise your /boot partition (highly unlikely except targeted attack) or get your LUKS header and try to crack it. But those scenarios are unlikely and I never heard about Steam/Win10 hacking Linux so you may sleep safe.
Yup, it works very well for almost all games.
export HOME="/home/steam"
Except for Paradox Development Studio (Crusader Kings II, Europa Universalis IV, Stellaris), Aspyr Media (Borderlands 2 + TPS, Civilization V + BE, KOTOR2) and very few indie studios (Devil Daggers, ...), they all create their folders in your real home directory, not the one in the $HOME environment variable.
I also heard of Firejail (available in repos), but I didn't try it yet.
After creating your new home directory, basic usage would be:
firejail --private=/new/home/directory steam
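Added example, not code from the thread: a small C program showing why the `export HOME=/home/steam` trick leaks for some games. A program that resolves its home directory through the passwd database (getpwuid) never sees the overridden variable, which is why a real relocation such as `firejail --private=...` is needed; the "/home/steam" path is only the thread's example value.

```c
/* Added example (not from the thread): why `export HOME=/home/steam` does
 * not redirect every program. A program may resolve the home directory via
 * the passwd database (getpwuid), which ignores the HOME variable, so it
 * keeps writing into the real home directory. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Home directory as seen through the environment (what `export HOME` changes). */
const char *home_from_env(void)
{
    const char *h = getenv("HOME");
    return h ? h : "";
}

/* Home directory as seen through the passwd database (what `export HOME`
 * does not change). Returns "" when the uid has no passwd entry. */
const char *home_from_passwd(void)
{
    struct passwd *pw = getpwuid(getuid());
    return (pw && pw->pw_dir) ? pw->pw_dir : "";
}

/* 1 when the two views disagree, i.e. a HOME override alone would leave
 * passwd-based programs writing into the real home directory. */
int home_override_is_leaky(void)
{
    return strcmp(home_from_env(), home_from_passwd()) != 0;
}

int main(void)
{
    /* Reproduce the thread's override and show the two views side by side. */
    setenv("HOME", "/home/steam", 1);
    printf("getenv(\"HOME\")    : %s\n", home_from_env());
    printf("getpwuid()->pw_dir : %s\n", home_from_passwd());
    printf("override leaky     : %s\n", home_override_is_leaky() ? "yes" : "no");
    return 0;
}
```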
Ok, sure. If you don't mind about how bloated an X11 server has to be to claim to be X11-compatible (core fonts!), sure, they are cheap. Note that Xpra as far as I can tell launches an Xvfb instance for each sandbox.
I also suppose that Firejail (I've not looked at its implementation nor tested it) has to start a special client for each sandbox to proxy drag&drop and the clipboard (or it just relies on Xpra for that, which means that it doesn't work with Xephyr?).
Looking at the screenshot with Xephyr you just get a nested desktop, which is rather ridiculous. The same page claims that drag&drop "between windows running on different X11 servers is not possible", which is rather limiting and it's unclear if such limitation applies to Xpra too or just Xephyr.
My simple point is that you can make those things as cheap as you want but not having them will always be cheaper, and that such a cumbersome solution isn't the best one when dealing with security issues. Having the compositor be the single trusted component of the session is nicer than having to trust the Xserver and the XComposite compositor.
> Use firejail! It protects secrets such as ssh keys from low-hanging-fruit kind of browser attacks.
Firejail is vulnerable to sandbox escapes:
https://firejail.wordpress.com/
> February 2016 – released Firejail version 0.9.38 (download). The project went through an external security audit, and several SUID-related problems have been found. Please update your software. This release brings in a number of new features, program interface changes, new application profiles and bugfixes. Release Notes, Release Announcement.
This is Feb 2016, but we should assume that there will be more bugs to come.