Goal
Master Firejail for application sandboxing and understand when to use each hardening tool. Complete hands-on labs and establish a continuous hardening practice.
Prerequisites: Week 11c (Kernel Hardening & AppArmor)
This is Part 4 of 4 - Covers Firejail sandboxing and the decision framework.
1. Firejail for Application Sandboxing
What is Firejail?
Firejail creates isolated sandboxes for applications using Linux namespaces:
- Filesystem isolation - Restrict access to specific directories
- Network isolation - Block or restrict network access
- Process isolation - Limit system calls (seccomp)
- Resource limits - Restrict CPU, memory usage
Why use Firejail:
- Easy to use (just prefix commands with
firejail) - Hundreds of pre-made profiles for common apps
- Works alongside AppArmor (defense in depth!)
- No kernel modifications needed
Install and Basic Usage
sudo apt install firejail
# Run Firefox sandboxed with default profile
firejail firefox
# Open PDF with no network access
firejail --net=none evince suspicious.pdf
# Run app with empty home directory
firejail --private chromium
# Combine restrictions
firejail --private --net=none --seccomp gedit
Common Firejail Options
| Option | Effect | Use Case |
|---|---|---|
--private | Empty temporary home directory | Testing untrusted software |
--private=~/sandbox | Use specific directory as home | Persistent sandboxed workspace |
--net=none | Disable all network | Offline document editing |
--seccomp | Enable syscall filtering | Block dangerous system calls |
--no3d | Disable 3D acceleration | Reduce GPU attack surface |
--nodvd | Block DVD access | Prevent data exfiltration |
--nousb | Block USB access | Prevent BadUSB attacks |
--read-only=/path | Make path read-only | Protect system files |
Example: Sandboxed PDF Viewer
Scenario: Open potentially malicious PDF from email
firejail \
--net=none \
--private \
--seccomp \
--read-only=/usr \
evince suspicious.pdf
What this does:
- No network (can’t phone home)
- Empty home directory (can’t steal files)
- System files read-only (can’t modify system)
- Syscall filtering (limits kernel exploits)
Even if PDF exploits Evince:
- Can’t exfiltrate data (no network)
- Can’t read your files (isolated home)
- Can’t install backdoor (read-only system)
Creating Custom Firejail Profiles
Create profile for custom app:
sudo nano /etc/firejail/myapp.profile
# Include base restrictions
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# Capabilities
caps.drop all
netfilter
nonewprivs
noroot
seccomp
# Filesystem restrictions
private-dev # Empty /dev
private-tmp # Isolated /tmp
private-etc passwd,group,resolv.conf
# Whitelist specific directories
whitelist ~/Documents/work
whitelist ~/Downloads
# Blacklist sensitive directories
blacklist ~/.ssh
blacklist ~/.gnupg
blacklist ~/.config/Signal
Use custom profile:
firejail --profile=/etc/firejail/myapp.profile myapp
Combining Firejail with AppArmor
Double protection (defense in depth):
# Firefox with both AppArmor + Firejail
firejail firefox
Both protections active:
- AppArmor restricts Firefox’s file/network access
- Firejail creates namespace isolation
- Attacker must bypass BOTH layers
Testing Your Sandbox
# Test 1: Can it access SSH keys?
firejail --private bash
ls ~/.ssh/
# Should be empty or not exist
# Test 2: Can it access network?
firejail --net=none bash
ping 1.1.1.1
# Should fail: "Network is unreachable"
# Monitor sandboxes
firejail --list
firejail --shutdown=PID # Kill specific sandbox
2. Hardening Decision Framework
When to Use Each Tool
START: What are you hardening?
├─ Entire system security posture?
│ └─> Use Lynis audit → Systematic fixes
│
├─ Specific application access control?
│ ├─ Need path-based restrictions?
│ │ └─> AppArmor (simpler, Ubuntu default)
│ └─ Need label-based security?
│ └─> SELinux (more powerful, RHEL default)
│
├─ Running untrusted software?
│ ├─ One-time execution?
│ │ └─> Firejail --private --net=none
│ └─ Repeated use?
│ └─> Create custom Firejail profile
│
├─ Kernel attack surface?
│ └─> sysctl hardening + module blacklisting
│
└─ Maximum security?
└─> Combine all: Lynis + AppArmor + Firejail + Kernel
Performance vs Security Trade-offs
| Hardening Method | Performance Impact | Compatibility Risk | Maintenance |
|---|---|---|---|
| Lynis fixes | None | Low | None |
| Kernel hardening | Minimal (<1%) | Low | None |
| AppArmor | Minimal (<2%) | Medium (app breakage) | Low |
| Firejail | Low (5-10%) | Medium (functionality loss) | Medium |
| All combined | Low (10-15%) | High (requires tuning) | Medium |
3. Labs
Lab: Sandbox Untrusted Application
Objective: Run potentially malicious PDF in isolated environment
Estimated time: 20 minutes
# Create sandbox workspace
mkdir ~/sandbox-test
cd ~/sandbox-test
# Download a test PDF
wget https://www.w3.org/WAI/ER/tests/xhtml/testfiles/resources/pdf/dummy.pdf
# Run in maximum isolation
firejail \
--net=none \
--private=$PWD \
--seccomp \
evince dummy.pdf
# Verify isolation in another terminal
firejail --list
Test isolation:
firejail --private --net=none bash
# All should fail:
ls ~/.ssh/ # Empty/nonexistent
ping 1.1.1.1 # No network
cat /etc/shadow # No permission
Deliverable: Successfully open PDF with no access to home directory or network
4. Continuous Hardening Practice
Monthly Maintenance Checklist
- Run Lynis audit, compare to previous score
- Review AppArmor denials (
sudo aa-logprof) - Check for new CVEs in installed software
- Update system:
sudo apt update && sudo apt upgrade - Review Firejail sandboxed processes
- Verify kernel hardening settings persist
Set up automated reminder:
# Add to crontab (crontab -e):
0 9 1 * * /usr/bin/lynis audit system --cronjob
Common Mistakes to Avoid
- Enforcing AppArmor profiles without testing (breaks apps)
- Applying all kernel hardening at once (hard to troubleshoot)
- Forgetting to make sysctl changes permanent
- Over-sandboxing to point of unusability
When Hardening Goes Wrong
- App stops working - Check AppArmor denials:
sudo aa-logprof - System unstable - Boot to previous kernel, check dmesg
- Network broken - Review sysctl network parameters
- Permission denied - Check if Firejail blocking needed access
Week 11 Checklist
- Audited system with Lynis and improved hardening score to 75+
- Applied kernel hardening parameters via sysctl
- Enabled AppArmor profiles for Firefox, PDF viewers
- Created at least one custom AppArmor profile
- Ran untrusted software in Firejail sandbox
- Tested sandbox isolation (network, filesystem)
- Disabled uncommon kernel modules
- Set up monthly hardening maintenance reminder
Journal & Git Commit
echo "Week 11: Hardened Linux with Lynis audit, kernel hardening (sysctl), AppArmor profiles, and Firejail sandboxing. Defense-in-depth approach dramatically improved security." >> notes/week11_journal.md
git add .
git commit -S -m "Week 11 - System hardening, AppArmor, Firejail, defense in depth"
Up Next: Week 12
- Distributed systems and decentralized architectures
- Blockchain fundamentals and privacy considerations
- Building censorship-resistant systems
- Integrating all skills from Weeks 1-11
Additional Resources
Sandboxing:
- Firejail documentation: https://firejail.wordpress.com/
- Firejail profiles: https://github.com/netblue30/firejail
- bubblewrap: https://github.com/containers/bubblewrap
Defense in Depth:
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- Arch Linux security: https://wiki.archlinux.org/title/Security
Key Takeaways
- Firejail creates namespace-based sandboxes with simple command-line options
- –private –net=none is the go-to for maximum isolation of untrusted apps
- Combine tools for defense in depth (AppArmor + Firejail + kernel hardening)
- Regular auditing with Lynis catches configuration drift
- Security is ongoing maintenance, not one-time setup