Using firejail from git
There are different reasons why you would want to install firejail from its git source. You want to have the latest profiles and features, and/or you want to contribute to firejail.
The easiest way to install firejail from git is to clone the repo and use the 'traditional' configure+make steps to build and install it:
git clone https://github.com/netblue30/firejail.git
cd firejail
./configure --prefix=/usr
make
sudo make install-strip
See ./configure --help
for additional flags like --enable-apparmor
or --enable-selinux
.
Note that git clone
gets you a local copy of an existing remote repository. In order to update that local copy with new commits from the repository you can use git pull
:
cd firejail
git pull
./configure --prefix=/usr
make
sudo make install-strip
Some more lines can be added to implement hardening measures as explained here:
sudo sed -i 's/# force-nonewprivs no/force-nonewprivs yes/' /etc/firejail/firejail.config
sudo groupadd firejail
sudo chown -c root:firejail /usr/bin/firejail
sudo chmod -c 4750 /usr/bin/firejail
sudo usermod -a -G firejail $USER
sudo firecfg
If you want to explicitly exclude some applications from being sandboxed by Firejail you can add something like:
sudo rm /usr/local/bin/VirtualBox
If you ever want to uninstall firejail, run sudo make uninstall
in your local copy of the repository.
- simple
- works on any distro
- it is generally disadvised to bypass your package manager when installing software
- WARNING: make install
overwrites firejail.config
- needs frequent rebuilding (using ccache can significantly speed-up the build process)
- occasionally things might break
- uninstalling can be complicated if you delete the repo or run
./configure
with other flags
The AUR firejail-git package enables AppArmor by default.
- Prepare your build environment
You will always need to install git and gcc compiler.
For AppArmor support (default in Ubuntu since v7), installing libapparmor-dev and pkg-config are required:
$ sudo apt-get install git build-essential libapparmor-dev pkg-config
For SELinux support (uncommon), installing libselinux1-dev and pkg-config are required:
$ sudo apt-get install git build-essential libselinux1-dev pkg-config
- Full manual setup (installed files will not be manageable via apt or GUI frontends)
With AppArmor:
$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure --enable-apparmor --prefix=/usr && make && sudo make install-strip
With SELinux:
$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure --enable-selinux --prefix=/usr && make && sudo make install-strip
- Scripted setup (create and install deb file)
Copy update_deb.sh script from contrib to a local directory and make it executable. The script enables AppArmor support by default and installs the firejail deb file via dpkg. If you need/want other configuration options, edit the script accordingly. You can use this script for updating your firejail from git installation.
maintained by @rusty-snake
Fedora uses rpm packages to install software, it also uses SELinux by default. That's why we want to build an rpm and enable SELinux-labeling support in firejail.
- First you need to install some packages to build the rpm and clone the firejail git-repo:
$ sudo install rpmbuild libselinux-devel
$ git clone "https://github.com/netblue30/firejail.git" firejail
- You also need a spec file for firejail.
firejail.spec example
Name: firejail
Version: 0.9.63
Release: 1.gitbc3f74f2%{?dist}
Summary: Linux namespaces sandbox program
License: GPLv2+
URL: https://github.com/netblue30/firejail
Source0: %{name}.tar.gz
Recommends: xdg-dbus-proxy
BuildRequires: libselinux-devel
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
%prep
%autosetup -c
%build
%configure --enable-selinux
%make_build
%install
make install-strip DESTDIR=%{buildroot}
%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
- In order to build an rpm you need some directories, which you can create using
rpmdev-setuptree
; but we are going to setup these directories in a custom location.
TOPDIR=$(mktemp -dt firejail-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)
mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"
This creates a directory named firejail-build.XXXXXX
(where the X
s are random) under $TMPDIR
or /tmp
as fallback. The sub-directories will be created in accordance with the corresponding rpm macros.
- You can now create the spec file in
$SPECDIR
and produce a tar.gz archive containing the source-code.
$ tar --exclude-vcs-ignore --exclude="./.git" --exclude="./test" --create --gzip --file "$SOURCEDIR/firejail.tar.gz" .
- Start building the rpm:
$ rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR"/firejail.spec
- Install the firejail rpm package:
$ sudo dnf install "$RPMDIR"/x86_64/firejail-*.rpm
That's it!
Create a shell script to automate the build process.
build-firejail-rpm.sh
#!/bin/bash
set -e
NAME=firejail
VERSION=$(grep "PACKAGE_VERSION=.*" configure | grep -oE "([[:digit:]]|\.)*")
COMMIT=$(git rev-parse --short HEAD)
installed_release=$(rpm -q --qf="%{RELEASE}" $NAME ||:)
if [ -z "$installed_release" ]; then
RELEASE=1
else
RELEASE=$(($(grep -oE "^[[:digit:]]+" <<<"$installed_release") + 1))
fi
TOPDIR=$(mktemp -dt $NAME-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)
mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"
cleanup() {
rm -rf "$TOPDIR"
}
trap cleanup EXIT
cat <<EOF > "$SPECDIR/$NAME.spec"
Name: $NAME
Version: $VERSION
Release: $RELEASE.git$COMMIT%{?dist}
Summary: Linux namespaces sandbox program
License: GPLv2+
URL: https://github.com/netblue30/firejail
Source0: %{name}.tar.gz
Recommends: xdg-dbus-proxy
BuildRequires: libselinux-devel
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
%prep
%autosetup -c
%build
%configure --enable-selinux
%make_build
%install
make install-strip DESTDIR=%{buildroot}
%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
EOF
tar --exclude-vcs-ignore --exclude="./.git" --exclude="./test" --create --gzip --file "$SOURCEDIR/$NAME.tar.gz" .
rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR"/$NAME.spec
RPM="$NAME-$VERSION-$RELEASE.git$COMMIT$(rpm -E %{?dist}).$(rpm -E %_arch).rpm"
mv "$RPMDIR/$(rpm -E %_arch)/$RPM" .
sudo dnf install "$RPM"
rm "$RPM"