Simplify the safeguarding of programs with Firetools

The console program Firejail start processes in its own "sandboxes." These jails limit access to the rest of the system. If, for example, an attacker takes over your web browser via a security loophole, the attacker is trapped in the sandbox and cannot cause any further damage. However, rather inconveniently, you need to manage this useful tool on the command line using numerous parameters [1].

Thus, Firejail developers have created Firetools – a graphical user interface for Firejail. It is based on the Qt4 framework, which KDE 4, among other software, also uses. Despite the pretty high version number (0.9.26.1), development of Firetools only started in the spring of 2015. The young tool's functionality is therefore still pretty simple, but the core functions are up and running. A simple double-click, for example, will launch an application in a sandbox. Statistics also allow the program to be monitored.

Installation

You will find binary packages for Debian, Ubuntu, Linux Mint, Fedora, openSUSE, CentOS 7, and RHEL on the Firejail website [2]. Although 32-bit versions are available for Debian, Ubuntu, and Mint, a 64-bit system is needed for the packages for the other distributions. Users of Arch Linux will find Firejail in the AUR [3], and SlackBuild's directory supplies the packages for Slackware [4]. In any case, you can install the downloaded package using your distribution's package manager.

You will need to compile Firejail manually if there is a package missing for your distribution. To do so, first install a C compiler, Make, and the kernel headers via the package manager. Then, unpack the source archive downloaded from the Firejail website, switch to the directory just created, and install Firejail with the classic triple jump shown below. On top of Firejail and Qt4 (usually in the libqt4 ), Firetools requires the terminal program Xterm, which most distributions provide.

$ ./configure && make && sudo make install

Depending on your distribution, after the installation, you will find Firetools in either the start menu or in Ubuntu via the dashboard. The tool appears there as Firejail Tools . If in doubt, press Alt+F2 (or open a terminal) and start the program by typing firetools .

Behind Bars

Double-clicking one of the icons in Firetools' red main window (Figure 1) will start the corresponding program in a sandbox. Double-clicking the globe, for example, will open the Firefox web browser in a secured environment. Alternatively, you can right-click an icon and select Run from the context menu. Xterm is hidden behind the terminal icon, not the terminal emulation offered by the desktop environment used.

Figure 1: Clicking the respective icon is enough to start the program with Firejail in a secure sandbox.

To move the red window, place the mouse pointer on it. Then, hold the left mouse button and drag the window to the desired position. Clicking the small white bar in the top right corner will minimize the window.

There is then only one icon left in Ubuntu at the top right in the panel. To display the window again, click the icon and select Restore . The red main window can currently manage a maximum of 12 applications. To add your own program, right-click an empty space and select Edit . Now specify the name of the program in the window from Figure 2 and a description that will appear later in the tool tip. Define the Firejail command, which Firetools will use to lock the application in a sandbox in Command . For a simple sandbox, you can just type firejail followed by the name of the application. You can increase security by enabling two of the kernel's additional security mechanisms using the corresponding parameters. The following example locks LibreOffice in this way:

$ firejail --seccomp --caps.drop=all libreoffice

Figure 2: Specify the Firejail command in the settings of the respective entry. In this example, Firetools would start the document viewer.

Be careful: Firetools actually only executes the command stored here. Notably, this doesn't make sure that the application is run in a sandbox. If you only type firefox in the box, Firetools will start the browser outside of a jail. You can change the details later by clicking the right mouse button in the red main window above the corresponding program and then selecting Edit . To remove a program from the window, select Delete from the context menu. However, this only works with programs you added; icons that are already there can't be deleted, they can only be edited via Edit .

There are more shortcomings: It is not possible to incorporate your own icons, for example. The programs you add only appear with text. The current version of Firetools (0.9.26.1) also forgets all settings as soon as you close the window by right-clicking and selecting Quit . This also applies to both edited and new entries.