Using firejail from git
There are different reasons to install firejail from its git source: you want the latest profiles and features, or you want to contribute to firejail.
Makefile
The easiest way to install firejail from git is to clone the repo and use the 'traditional' configure+make steps to build and install it:
git clone https://github.com/netblue30/firejail.git
cd firejail
./configure --prefix=/usr
make
sudo make install-strip
See ./configure --help for additional flags like --enable-apparmor or --enable-selinux.
Note that git clone gets you a local copy of an existing remote repository. To update that local copy with new commits from the repository, use git pull and rebuild:
cd firejail
git pull
./configure --prefix=/usr
make
sudo make install-strip
Some more commands can be run afterwards to implement hardening measures: force no_new_privs for every sandbox, and restrict the SUID firejail binary to a dedicated group so that only its members can start sandboxes:
sudo sed -i 's/# force-nonewprivs no/force-nonewprivs yes/' \
    /etc/firejail/firejail.config
sudo groupadd firejail
sudo chown -c root:firejail /usr/bin/firejail
sudo chmod -c 4750 /usr/bin/firejail
sudo usermod -a -G firejail "$USER"
sudo firecfg
The new group membership only takes effect at your next login.
firecfg sandboxes applications by placing symlinks to firejail in /usr/local/bin. If you want to explicitly exclude an application from being sandboxed, remove its symlink, for example:
sudo rm /usr/local/bin/VirtualBox
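The following script is an added example and not part of firejail or of this page. It checks the two hardening steps above (force-nonewprivs in firejail.config and the 4750 root:firejail mode on the SUID binary) and removes a firecfg symlink only after verifying that it really points at firejail, which the bare sudo rm above does not check. All paths are parameters so it can be tried on a scratch tree; the demo at the end builds such a tree itself.

```bash
#!/bin/bash
# Added example, not part of firejail or of this page: verify the hardening
# steps above and remove firecfg symlinks without touching real binaries.
# Every path is a parameter so the functions can be tried on a scratch tree;
# on a --prefix=/usr install the real locations are /etc/firejail/firejail.config,
# /usr/bin/firejail and the firecfg symlinks in /usr/local/bin.
set -u

# Effective value of force-nonewprivs in a firejail.config: "yes", "no", or
# "unset" when the line is missing or still commented out.
config_force_nonewprivs() {
    local cfg=$1 val
    val=$(sed -nE 's/^[[:space:]]*force-nonewprivs[[:space:]]+(yes|no)[[:space:]]*$/\1/p' "$cfg" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Same edit as the sed on this page, against any file and safe to re-run:
# uncomments "# force-nonewprivs no" and sets it to yes.
set_force_nonewprivs() {
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*force-nonewprivs[[:space:]]+(yes|no)/force-nonewprivs yes/' "$1"
}

# "mode owner group" of a file, e.g. "4750 root firejail" after the chown/chmod
# above (setuid bit set, no access for users outside the firejail group).
file_mode_owner_group() {
    stat -c '%a %U %G' "$1"
}

# Names in BINDIR that are symlinks to FIREJAIL, i.e. what firecfg created.
firecfg_links() {
    local bindir=$1 firejail=$2 link
    for link in "$bindir"/*; do
        [ -L "$link" ] || continue
        [ "$(readlink -f "$link")" = "$(readlink -f "$firejail")" ] && basename "$link"
    done
    return 0
}

# Remove BINDIR/NAME only if it is a symlink to FIREJAIL; a bare "rm" would
# also delete a real binary of that name.
unsandbox() {
    local bindir=$1 firejail=$2 name=$3 link
    link=$bindir/$name
    if [ -L "$link" ] && [ "$(readlink -f "$link")" = "$(readlink -f "$firejail")" ]; then
        rm "$link"
    else
        echo "refusing: $link is not a symlink to $firejail" >&2
        return 1
    fi
}

# Demo on a constructed scratch tree (no root and no real firejail needed).
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf '# force-nonewprivs no\n' > "$tmp/firejail.config"
    set_force_nonewprivs "$tmp/firejail.config"
    echo "force-nonewprivs: $(config_force_nonewprivs "$tmp/firejail.config")"
    mkdir "$tmp/bin"
    : > "$tmp/bin/firejail"
    chmod 4750 "$tmp/bin/firejail"
    echo "firejail: $(file_mode_owner_group "$tmp/bin/firejail")"
    ln -s "$tmp/bin/firejail" "$tmp/bin/VirtualBox"
    : > "$tmp/bin/real-tool"
    echo "sandboxed: $(firecfg_links "$tmp/bin" "$tmp/bin/firejail")"
    unsandbox "$tmp/bin" "$tmp/bin/firejail" VirtualBox
    unsandbox "$tmp/bin" "$tmp/bin/firejail" real-tool || true
    rm -rf "$tmp"
}
demo
```

On a real install, source the script and run firecfg_links /usr/local/bin /usr/bin/firejail to list everything firecfg sandboxed, and file_mode_owner_group /usr/bin/firejail, which should print 4750 root firejail once the hardening commands have been applied.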
If you ever want to uninstall firejail, run sudo make uninstall in your local copy of the repository.
Pros
- Simple
- Works on any distro
Cons
- It is generally discouraged to bypass your package manager when installing software
- WARNING: make install overwrites /etc/firejail/firejail.config (back it up first)
- Needs frequent rebuilding (using ccache can significantly speed up the build process)
- Occasionally things might break
- Uninstalling can be complicated if you delete the repo or run ./configure with other flags
Arch Linux
The AUR firejail-git package enables AppArmor by default.
Debian/Ubuntu
- Prepare your build environment
You always need git and a C toolchain (build-essential).
For AppArmor support (AppArmor is enabled by default on Ubuntu since 7.10), libapparmor-dev and pkg-config are required as well:
sudo apt-get install git build-essential libapparmor-dev pkg-config
For SELinux support (uncommon), installing libselinux1-dev and pkg-config are required:
sudo apt-get install git build-essential libselinux1-dev pkg-config
- Full manual setup (installed files will not be manageable via apt or GUI frontends)
With AppArmor:
git clone https://github.com/netblue30/firejail.git
cd firejail
./configure --enable-apparmor --prefix=/usr && make && sudo make install-strip
With SELinux:
git clone https://github.com/netblue30/firejail.git
cd firejail
./configure --enable-selinux --prefix=/usr && make && sudo make install-strip
- Scripted setup (create and install deb file)
Copy the update_deb.sh script from contrib to a local directory and make it executable. The script enables AppArmor support by default and installs the resulting firejail deb file via dpkg. If you need or want other configuration options, edit the script accordingly. The same script can be re-run to update a from-git installation.
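As an added example of what such a scripted setup does, and not the contrib/update_deb.sh script itself, the following builds the checked-out source into a staging tree with DESTDIR and wraps it into a .deb with dpkg-deb, so that dpkg tracks every installed file and can remove or upgrade it. The package name, the maintainer string and the Depends line are placeholders chosen here; the files under /etc are declared as conffiles so a later upgrade does not silently overwrite an edited firejail.config or profile.

```bash
#!/bin/bash
# Added example, not the contrib/update_deb.sh script from the firejail repo:
# configure + make into a staging tree, wrap it into a .deb with dpkg-deb and
# install that, so dpkg owns the files. Run with "build" from the root of the
# firejail git checkout; without arguments it only defines the functions.
# Assumptions: maintainer string and the Depends line are placeholders for an
# AppArmor-enabled build; adjust them for your own system.
set -eu

# Debian version string: PACKAGE_VERSION from configure (e.g. 0.9.63) plus the
# short commit hash, so a rebuild from a newer commit compares as newer.
deb_version() {
    local configure=$1 commit=$2 version
    version=$(sed -nE "s/^PACKAGE_VERSION='([0-9.]+)'.*/\1/p" "$configure" | head -n 1)
    printf '%s+git%s\n' "$version" "$commit"
}

# Minimal DEBIAN/control for the staging tree STAGE.
write_control() {
    local stage=$1 version=$2 arch=$3
    mkdir -p "$stage/DEBIAN"
    cat > "$stage/DEBIAN/control" <<EOF
Package: firejail
Version: $version
Architecture: $arch
Maintainer: local build <root@localhost>
Depends: libc6, libapparmor1
Section: admin
Priority: optional
Description: Linux namespaces sandbox program (local git build)
EOF
}

# Declare every file under /etc in the staging tree as a conffile: dpkg then
# keeps locally edited firejail.config and profiles on upgrade instead of
# overwriting them the way "make install" does.
write_conffiles() {
    local stage=$1
    mkdir -p "$stage/DEBIAN"
    (cd "$stage" && find etc -type f | sort | sed 's|^|/|') > "$stage/DEBIAN/conffiles"
}

# Full build: configure, compile, stage with DESTDIR, package, install.
build_and_install() {
    local stage deb version arch
    stage=$(mktemp -d)
    ./configure --enable-apparmor --prefix=/usr
    make
    make install-strip DESTDIR="$stage"
    version=$(deb_version configure "$(git rev-parse --short HEAD)")
    arch=$(dpkg --print-architecture)
    write_control "$stage" "$version" "$arch"
    write_conffiles "$stage"
    deb="firejail_${version}_${arch}.deb"
    # --root-owner-group: files in the package are root-owned, which matters
    # for the SUID firejail binary
    dpkg-deb --root-owner-group --build "$stage" "$deb"
    sudo dpkg -i "$deb"
    rm -rf "$stage"
}

if [ "${1:-}" = build ]; then
    build_and_install
fi
```

Removing the package afterwards is then a plain sudo dpkg -r firejail, which also answers the "uninstalling can be complicated" point in the Cons list above.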
Fedora
maintained by @rusty-snake
Fedora uses rpm packages to install software, it also uses SELinux by default. That's why we want to build an rpm and enable SELinux-labeling support in firejail.
- First you need to install the packages needed to build the rpm (rpmbuild is in the rpm-build package) and clone the firejail git repo; the following steps are run from inside the checkout:
sudo dnf install git gcc make rpm-build libselinux-devel
git clone "https://github.com/netblue30/firejail.git" firejail
cd firejail
- You also need a spec file for firejail.
firejail.spec example
Name: firejail
Version: 0.9.63
Release: 1.gitbc3f74f2%{?dist}
Summary: Linux namespaces sandbox program
License: GPLv2+
URL: https://github.com/netblue30/firejail
Source0: %{name}.tar.gz
Recommends: xdg-dbus-proxy
BuildRequires: gcc make libselinux-devel
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
%prep
%autosetup -c
%build
%configure --enable-selinux
%make_build
%install
make install-strip DESTDIR=%{buildroot}
%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
- In order to build an rpm you need some directories, which you can create using rpmdev-setuptree; but we are going to set up these directories in a custom location.
TOPDIR=$(mktemp -dt firejail-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)
mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"
This creates a directory named firejail-build.XXXXXX (where the Xs are random) under $TMPDIR or /tmp as fallback. The sub-directories will be created in accordance with the corresponding rpm macros.
- You can now create the spec file in $SPECDIR and produce a tar.gz archive containing the source code (run from the root of the repository):
tar --exclude-vcs-ignore --exclude="./.git" --exclude="./test" --create \
    --gzip --file "$SOURCEDIR/firejail.tar.gz" .
- Start building the rpm:
rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb \
    "$SPECDIR"/firejail.spec
- Install the firejail rpm package:
sudo dnf install "$RPMDIR"/x86_64/firejail-*.rpm
That's it!
Automation
Create a shell script to automate the build process.
build-firejail-rpm.sh
#!/bin/bash
set -e

NAME=firejail
# Version from configure (e.g. 0.9.63) and the short hash of the checked-out commit
VERSION=$(grep "PACKAGE_VERSION=.*" configure | grep -oE "([[:digit:]]|\.)+" | head -n 1)
COMMIT=$(git rev-parse --short HEAD)

# Bump the release number past the installed package (if any), so dnf sees an upgrade.
# rpm -q prints "package ... is not installed" to stdout, so test its exit status
# instead of its output.
if installed_release=$(rpm -q --qf="%{RELEASE}" "$NAME" 2>/dev/null); then
    RELEASE=$(($(grep -oE "^[[:digit:]]+" <<<"$installed_release") + 1))
else
    RELEASE=1
fi

# Throw-away rpmbuild tree under $TMPDIR, removed on exit
TOPDIR=$(mktemp -dt "$NAME-build.XXXXXX")
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)
mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"

cleanup() {
    rm -rf "$TOPDIR"
}
trap cleanup EXIT

cat <<EOF > "$SPECDIR/$NAME.spec"
Name: $NAME
Version: $VERSION
Release: $RELEASE.git$COMMIT%{?dist}
Summary: Linux namespaces sandbox program
License: GPLv2+
URL: https://github.com/netblue30/firejail
Source0: %{name}.tar.gz
Recommends: xdg-dbus-proxy
BuildRequires: gcc make libselinux-devel

%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.

%prep
%autosetup -c

%build
%configure --enable-selinux
%make_build

%install
make install-strip DESTDIR=%{buildroot}

%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
EOF

# Source tarball of the working tree (without .git and the test suite)
tar --exclude-vcs-ignore --exclude="./.git" --exclude="./test" --create \
    --gzip --file "$SOURCEDIR/$NAME.tar.gz" .

rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb \
    "$SPECDIR/$NAME.spec"

RPM="$NAME-$VERSION-$RELEASE.git$COMMIT$(rpm -E '%{?dist}').$(rpm -E %_arch).rpm"
mv "$RPMDIR/$(rpm -E %_arch)/$RPM" .
sudo dnf install "./$RPM"
rm "$RPM"