Tuesday, January 24, 2017

Firejail sandbox a program

Firejail can reduces security breaches by restricting untrusted applications using full fledged of Linux's capabilities.

1- limit application to access /etc,
 - create a firejail profile called /etc/firejail/bash.profile wit the following content
# bash profile
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.password-store
blacklist ${HOME}/.wine
blacklist /etc
caps.drop all
seccomp
protocol unix,inet,inet6
noroot



2- we can run firejail or firejail --private

the following is the message when we try to list /etc
ls: cannot open directory '/etc': Permission denied

No comments:

Post a Comment