Firejail: Difference between revisions
Onny (imported): Add info about Firejail module
Onny (imported): Add Tor routing example
Revision as of 17:50, 14 November 2022
Firejail is an easy-to-use SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.
Installation
Add the following line to your system configuration to install Firejail globally:
environment.systemPackages = with pkgs; [ firejail ];
You can also use the Firejail NixOS module to persistently wrap specific applications that should always run in Firejail. The following example wraps the browser Librewolf and the messenger Signal in a Firejail environment. The usual program paths of librewolf and signal-desktop will be shadowed by the Firejail wrapper.
programs.firejail = {
  enable = true;
  wrappedBinaries = {
    librewolf = {
      executable = "${pkgs.librewolf}/bin/librewolf";
      profile = "${pkgs.firejail}/etc/firejail/librewolf.profile";
      extraArgs = [
        # Required for U2F USB stick
        "--ignore=private-dev"
        # Enforce dark mode
        "--env=GTK_THEME=Adwaita:dark"
      ];
    };
    signal-desktop = {
      executable = "${pkgs.signal-desktop}/bin/signal-desktop --enable-features=UseOzonePlatform --ozone-platform=wayland";
      profile = "${pkgs.firejail}/etc/firejail/signal-desktop.profile";
      extraArgs = [ "--env=LC_ALL=C" "--env=GTK_THEME=Adwaita:dark" ];
    };
  };
};
Usage
To start an application in a sandboxed environment, use Firejail like this:
firejail bash
For a graphical application like the Firefox web browser, it is recommended to also use a profile:
firejail --profile=$(nix --extra-experimental-features nix-command --extra-experimental-features flakes eval -f '<nixpkgs>' --raw 'firejail')/etc/firejail/firefox.profile firefox
Tips & tricks
Torify application traffic
The following example configuration creates a virtual network bridge that Firejail can use as an isolated network namespace. All traffic originating from this interface is routed through a local Tor service, which anonymizes the sandboxed application's internet traffic.
# The Tor service lives under services.tor in NixOS; a top-level "tor" attribute would not be recognised.
services.tor = {
  enable = true;
  openFirewall = true;
  settings = {
    TransPort = [ 9040 ];
    DNSPort = 5353;
    VirtualAddrNetworkIPv4 = "172.30.0.0/16";
  };
};
networking.bridges."tornet" = {
  interfaces = [];
};
networking.interfaces.tornet.ipv4.addresses = [{
  address = "10.100.100.1";
  prefixLength = 24;
}];
Run your preferred application inside the isolated Tor network:
firejail --net tornet --profile=$(nix --extra-experimental-features nix-command --extra-experimental-features flakes eval -f '<nixpkgs>' --raw 'firejail')/etc/firejail/firefox.profile firefox
Please note that this is an experimental setup which doesn't guarantee anonymity or security under any circumstances.
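The bridge and the Tor listeners above do not by themselves move any packets into Tor: without NAT rules on the host, a sandbox attached to tornet has no usable route out. The following configuration is an added example, not part of the original page: it keeps the interface name, addresses and ports from the snippet above, adds the transparent-proxy redirect rules, binds the Tor listeners to the bridge address so the redirected packets reach them, and drops anything leaving the bridge that was not redirected. It assumes the NixOS tor module accepts the `{ addr, port }` form for TransPort and DNSPort and that the default iptables-based NixOS firewall is in use.

```nix
{
  services.tor = {
    enable = true;
    settings = {
      # REDIRECT rewrites the destination to the address of the incoming
      # interface, so Tor has to listen on the bridge address, not on
      # 127.0.0.1 only (assumes the module accepts the addr/port form).
      TransPort = [ { addr = "10.100.100.1"; port = 9040; } ];
      DNSPort = [ { addr = "10.100.100.1"; port = 5353; } ];
      VirtualAddrNetworkIPv4 = "172.30.0.0/16";
      # Map .onion names to addresses in the virtual range on resolve.
      AutomapHostsOnResolve = true;
    };
  };

  networking.bridges."tornet".interfaces = [ ];
  networking.interfaces.tornet.ipv4.addresses = [{
    address = "10.100.100.1";
    prefixLength = 24;
  }];

  networking.firewall = {
    enable = true;
    # Only the two Tor listeners are reachable from inside the bridge.
    interfaces.tornet.allowedTCPPorts = [ 9040 ];
    interfaces.tornet.allowedUDPPorts = [ 5353 ];
    extraCommands = ''
      # DNS queries from the sandbox go to Tor's DNSPort ...
      iptables -t nat -A PREROUTING -i tornet -p udp --dport 53 -j REDIRECT --to-ports 5353
      # ... and every new TCP connection goes to Tor's TransPort.
      iptables -t nat -A PREROUTING -i tornet -p tcp --syn -j REDIRECT --to-ports 9040
      # Whatever was not redirected (other UDP, ICMP, ...) must not be
      # forwarded to the real network: drop it rather than leak it.
      iptables -A FORWARD -i tornet -j DROP
    '';
    # Remove the rules again when the firewall is stopped or reloaded.
    extraStopCommands = ''
      iptables -t nat -D PREROUTING -i tornet -p udp --dport 53 -j REDIRECT --to-ports 5353 2>/dev/null || true
      iptables -t nat -D PREROUTING -i tornet -p tcp --syn -j REDIRECT --to-ports 9040 2>/dev/null || true
      iptables -D FORWARD -i tornet -j DROP 2>/dev/null || true
    '';
  };
}
```

Start the sandbox with `firejail --net tornet --dns=10.100.100.1 ...` so that resolver queries actually leave the namespace towards the bridge and are caught by the DNS redirect; a host resolver on 127.0.0.53 would never leave the sandbox's own loopback.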