Application-level isolation with Firejail

Here is a method I have been reading up on for the last few days about how to do application-level isolation on Linux. However, I did not get to complete my testing, so I am leaving the general thought/process here for others to test.

NOTES:

  1. What I found interesting when I read the documentation was step #3 in which a command alias could be created for running applications in a chroot sandbox.
  2. I also did not get to test sandboxing root (which, if it didn’t work, could nullify the need/use for most cases).
  3. I would imagine there are some security vulnerabilities with Firejail itself but I also didn’t get a chance to investigate the level or quantity (but the project does look to be active).

From the firejail documentation (untested):

Step 1: Build a basic Debian sid filesystem:

$ sudo mkdir /chroot-sid
$ sudo debootstrap --arch=amd64 sid /chroot-sid

Step 2: Add a regular user account and install the target application (youtube-dl in this example):

$ sudo firejail --noprofile --chroot=/chroot-sid
# adduser netblue
# apt-get install youtube-dl
# exit

Step 3: Run the application:

$ firejail --chroot=/chroot-sid
$ youtube-dl  https://...
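
The following is an added example, not part of the original post or the Firejail documentation: a small shell wrapper that checks the results of Steps 1 and 2 before making the Step 3 call, and refuses to run as root, since the post leaves sandboxing root untested. The function names are hypothetical, and it assumes the account created in Step 2 has the same name as the invoking user.

```shell
#!/bin/sh
# Added example: preflight checks plus a wrapper for the Step 3 invocation.
# /chroot-sid comes from the page; all function names are hypothetical.
CHROOT_DIR="${CHROOT_DIR:-/chroot-sid}"

# chroot_has_user DIR USER: succeeds if USER has an exact entry in DIR/etc/passwd (Step 2).
chroot_has_user() {
    [ -r "$1/etc/passwd" ] || return 1
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1/etc/passwd"
}

# chroot_has_app DIR APP: succeeds if APP is an executable file in a usual bin dir of the chroot.
chroot_has_app() {
    for d in usr/local/bin usr/bin bin; do
        [ -f "$1/$d/$2" ] && [ -x "$1/$d/$2" ] && return 0
    done
    return 1
}

# preflight DIR USER APP: prints the first problem found; returns 1, 2 or 3 on failure.
preflight() {
    [ -d "$1" ] || { echo "missing chroot: $1"; return 1; }
    chroot_has_user "$1" "$2" || { echo "no account for $2 in $1"; return 2; }
    chroot_has_app "$1" "$3" || { echo "$3 not installed in $1"; return 3; }
    echo ok
}

# sandboxed APP [ARGS...]: run APP inside the chroot as the invoking non-root user.
# Assumption: the Step 2 account name matches the invoking user's name.
sandboxed() {
    [ "$(id -u)" -ne 0 ] || { echo "refusing to run as root" >&2; return 4; }
    msg=$(preflight "$CHROOT_DIR" "$(id -un)" "$1") || { echo "$msg" >&2; return 5; }
    firejail --chroot="$CHROOT_DIR" "$@"
}
```

After sourcing the file, `sandboxed youtube-dl` followed by the URL takes the place of the two commands in Step 3.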