Skip to content

Using firejail from git

Ted Robertson edited this page Sep 26, 2021 · 15 revisions

There are different reasons why you would want to install firejail from its git source. You want to have the latest profiles and features, and/or you want to contribute to firejail.

Makefile

The easiest way to install firejail from git is to clone the repo and use the 'traditional' configure+make steps to build and install it:

git clone https://github.com/netblue30/firejail.git
cd firejail
./configure --prefix=/usr
make
sudo make install-strip

See ./configure --help for additional flags like --enable-apparmor or --enable-selinux.

Note that git clone gets you a local copy of an existing remote repository. In order to update that local copy with new commits from the repository you can use git pull:

cd firejail
git pull
./configure --prefix=/usr 
make
sudo make install-strip

Some more lines can be added to implement hardening measures as explained here:

sudo sed -i 's/# force-nonewprivs no/force-nonewprivs yes/' /etc/firejail/firejail.config

sudo groupadd firejail
sudo chown -c root:firejail /usr/bin/firejail
sudo chmod -c 4750 /usr/bin/firejail
sudo usermod -a -G firejail $USER

sudo firecfg

If you want to explicitly exclude some applications from being sandboxed by Firejail you can add something like:

sudo rm /usr/local/bin/VirtualBox

If you ever want to uninstall firejail, run sudo make uninstall in your local copy of the repository.

Pros

  • simple
  • works on any distro

Cons

  • it is generally disadvised to bypass your package manager when installing software
  • WARNING: make install overwrites firejail.config
  • needs frequent rebuilding (using ccache can significantly speed-up the build process)
  • occasionally things might break
  • uninstalling can be complicated if you delete the repo or run ./configure with other flags

Arch Linux

The AUR firejail-git package enables AppArmor by default.

Debian/Ubuntu

  • Prepare your build environment

You will always need to install git and gcc compiler.

For AppArmor support (default in Ubuntu since v7), installing libapparmor-dev and pkg-config are required:

$ sudo apt-get install git build-essential libapparmor-dev pkg-config

For SELinux support (uncommon), installing libselinux1-dev and pkg-config are required:

$ sudo apt-get install git build-essential libselinux1-dev pkg-config
  • Full manual setup (installed files will not be manageable via apt or GUI frontends)

With AppArmor:

$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure --enable-apparmor --prefix=/usr && make && sudo make install-strip

With SELinux:

$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure --enable-selinux --prefix=/usr && make && sudo make install-strip
  • Scripted setup (create and install deb file)

Copy update_deb.sh script from contrib to a local directory and make it executable. The script enables AppArmor support by default and installs the firejail deb file via dpkg. If you need/want other configuration options, edit the script accordingly. You can use this script for updating your firejail from git installation.

Fedora

maintained by @rusty-snake

Fedora uses rpm packages to install software, it also uses SELinux by default. That's why we want to build an rpm and enable SELinux-labeling support in firejail.

  • First you need to install some packages to build the rpm and clone the firejail git-repo:
$ sudo install rpmbuild libselinux-devel
$ git clone "https://github.com/netblue30/firejail.git" firejail
  • You also need a spec file for firejail.
firejail.spec example
Name:           firejail
Version:        0.9.63
Release:        1.gitbc3f74f2%{?dist}
Summary:        Linux namespaces sandbox program

License:        GPLv2+
URL:            https://github.com/netblue30/firejail
Source0:        %{name}.tar.gz

Recommends:     xdg-dbus-proxy
BuildRequires:  libselinux-devel

%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.


%prep
%autosetup -c


%build
%configure --enable-selinux
%make_build


%install
make install-strip DESTDIR=%{buildroot}


%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
  • In order to build an rpm you need some directories, which you can create using rpmdev-setuptree; but we are going to setup these directories in a custom location.
TOPDIR=$(mktemp -dt firejail-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)

mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"

This creates a directory named firejail-build.XXXXXX (where the Xs are random) under $TMPDIR or /tmp as fallback. The sub-directories will be created in accordance with the corresponding rpm macros.

  • You can now create the spec file in $SPECDIR and produce a tar.gz archive containing the source-code.
$ tar --exclude-vcs-ignore --exclude="./.git" --exclude="./test" --create --gzip --file "$SOURCEDIR/firejail.tar.gz" .
  • Start building the rpm:
$ rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR"/firejail.spec
  • Install the firejail rpm package:
$ sudo dnf install "$RPMDIR"/x86_64/firejail-*.rpm

That's it!

Automation

Create a shell script to automate the build process.

build-firejail-rpm.sh
#!/bin/bash

set -e

NAME=firejail
VERSION=$(grep "PACKAGE_VERSION=.*" configure | grep -oE "([[:digit:]]|\.)*")
COMMIT=$(git rev-parse --short HEAD)

installed_release=$(rpm -q --qf="%{RELEASE}" $NAME ||:)
if [ -z "$installed_release" ]; then
        RELEASE=1
else
        RELEASE=$(($(grep -oE "^[[:digit:]]+" <<<"$installed_release") + 1))
fi

TOPDIR=$(mktemp -dt $NAME-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)

mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"

cleanup() {
        rm -rf "$TOPDIR"
}
trap cleanup EXIT

cat <<EOF > "$SPECDIR/$NAME.spec"
Name:           $NAME
Version:        $VERSION
Release:        $RELEASE.git$COMMIT%{?dist}
Summary:        Linux namespaces sandbox program

License:        GPLv2+
URL:            https://github.com/netblue30/firejail
Source0:        %{name}.tar.gz

Recommends:     xdg-dbus-proxy
BuildRequires:  libselinux-devel

%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.


%prep
%autosetup -c


%build
%configure --enable-selinux
%make_build


%install
make install-strip DESTDIR=%{buildroot}


%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
EOF

tar --exclude-vcs-ignore --exclude="./.git" --exclude="./test" --create --gzip --file "$SOURCEDIR/$NAME.tar.gz" .

rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR"/$NAME.spec

RPM="$NAME-$VERSION-$RELEASE.git$COMMIT$(rpm -E %{?dist}).$(rpm -E %_arch).rpm"

mv "$RPMDIR/$(rpm -E %_arch)/$RPM" .

sudo dnf install "$RPM"

rm "$RPM"

Resources