-
Notifications
You must be signed in to change notification settings - Fork 567
Using firejail from git
There are different reasons why you would want to install firejail from its git source. You want to have the latest profiles and features, and/or you want to contribute to firejail.
The easiest way to install firejail from git is to clone the repo and use the 'traditional' configure+make steps to build and install it:
git clone https://github.com/netblue30/firejail.git
cd firejail
./configure --prefix=/usr
make
sudo make install-strip
See ./configure --help
for additional flags like --enable-apparmor
or --enable-selinux
.
Note that git clone
gets you a local copy of an existing remote repository. In order to update that local copy with new commits from the repository you can use git pull
:
cd firejail
git pull
./configure --prefix=/usr
make
sudo make install-strip
Some more lines can be added to implement hardening measures as explained here:
sudo sed -i 's/# force-nonewprivs no/force-nonewprivs yes/' /etc/firejail/firejail.config
sudo groupadd firejail
sudo chown -c root:firejail /usr/bin/firejail
sudo chmod -c 4750 /usr/bin/firejail
sudo usermod -a -G firejail $USER
sudo firecfg
If you want to explicitly exclude some applications from being sandboxed by Firejail you can add something like:
sudo rm /usr/local/bin/VirtualBox
If you ever want to uninstall firejail, run sudo make uninstall
in your local copy of the repository.
- simple
- works on any distro
- it is generally disadvised to bypass your package manager when installing software
- WARNING: make install
overwrites firejail.config
- needs frequent rebuilding (using ccache can significantly speed-up the build process)
- occasionally things might break
- uninstalling can be complicated if you delete the repo or run
./configure
with other flags
The AUR firejail-git package enables AppArmor by default.
- Prepare your build environment
You will always need to install git and gcc compiler.
For AppArmor support (default in Ubuntu since v7), installing libapparmor-dev and pkg-config are required:
$ sudo apt-get install git build-essential libapparmor-dev pkg-config
For SELinux support (uncommon), installing libselinux1-dev and pkg-config are required:
$ sudo apt-get install git build-essential libselinux1-dev pkg-config
- Full manual setup (installed files will not be manageable via apt or GUI frontends)
With AppArmor:
$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure --enable-apparmor --prefix=/usr && make && sudo make install-strip
With SELinux:
$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure --enable-selinux --prefix=/usr && make && sudo make install-strip
- Scripted setup (create and install deb file)
Copy update_deb.sh script from contrib to a local directory and make it executable. The script enables AppArmor support by default and installs the firejail deb file via dpkg. If you need/want other configuration options, edit the script accordingly. You can use this script for updating your firejail from git installation.
maintained by @rusty-snake
Fedora uses rpm packages to install software, it also uses SELinux by default. That's why we want to build an rpm and enable SELinux-labeling support in firejail.
- First you need to install some packages to build the rpm and clone the firejail git-repo:
$ sudo install rpmbuild libselinux-devel
$ git clone "https://github.com/netblue30/firejail.git" firejail
- You also need a spec file for firejail.
firejail.spec example
Name: firejail
Version: 0.9.63
Release: 1.gitbc3f74f2%{?dist}
Summary: Linux namespaces sandbox program
License: GPLv2+
URL: https://github.com/netblue30/firejail
Source0: %{name}.tar.gz
Recommends: xdg-dbus-proxy
BuildRequires: libselinux-devel
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
%prep
%autosetup -c
%build
%configure --enable-selinux
%make_build
%install
make install-strip DESTDIR=%{buildroot}
%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
- In order to build an rpm you need some directories, which you can create using
rpmdev-setuptree
; but we are going to setup these directories in a custom location.
TOPDIR=$(mktemp -dt firejail-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)
mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"
This creates a directory named firejail-build.XXXXXX
(where the X
s are random) under $TMPDIR
or /tmp
as fallback. The sub-directories will be created in accordance with the corresponding rpm macros.
- You can now create the spec file in
$SPECDIR
and produce a tar.gz archive containing the source-code.
$ tar --exclude-vcs-ignore --exclude="./.git" --exclude="./test" --create --gzip --file "$SOURCEDIR/firejail.tar.gz" .
- Start building the rpm:
$ rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR"/firejail.spec
- Install the firejail rpm package:
$ sudo dnf install "$RPMDIR"/x86_64/firejail-*.rpm
That's it!
Create a shell script to automate the build process.
build-firejail-rpm.sh
#!/bin/bash
set -e
NAME=firejail
VERSION=$(grep "PACKAGE_VERSION=.*" configure | grep -oE "([[:digit:]]|\.)*")
COMMIT=$(git rev-parse --short HEAD)
installed_release=$(rpm -q --qf="%{RELEASE}" $NAME ||:)
if [ -z "$installed_release" ]; then
RELEASE=1
else
RELEASE=$(($(grep -oE "^[[:digit:]]+" <<<"$installed_release") + 1))
fi
TOPDIR=$(mktemp -dt $NAME-build.XXXXXX)
BUILDDIR=$(rpm --define "_topdir $TOPDIR" --eval %_builddir)
RPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_rpmdir)
SOURCEDIR=$(rpm --define "_topdir $TOPDIR" --eval %_sourcedir)
SPECDIR=$(rpm --define "_topdir $TOPDIR" --eval %_specdir)
SRPMDIR=$(rpm --define "_topdir $TOPDIR" --eval %_srcrpmdir)
mkdir -p "$BUILDDIR" "$RPMDIR" "$SOURCEDIR" "$SPECDIR" "$SRPMDIR"
cleanup() {
rm -rf "$TOPDIR"
}
trap cleanup EXIT
cat <<EOF > "$SPECDIR/$NAME.spec"
Name: $NAME
Version: $VERSION
Release: $RELEASE.git$COMMIT%{?dist}
Summary: Linux namespaces sandbox program
License: GPLv2+
URL: https://github.com/netblue30/firejail
Source0: %{name}.tar.gz
Recommends: xdg-dbus-proxy
BuildRequires: libselinux-devel
%description
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla Firefox.
%prep
%autosetup -c
%build
%configure --enable-selinux
%make_build
%install
make install-strip DESTDIR=%{buildroot}
%files
%config(noreplace) %{_sysconfdir}/firejail/firejail.config
%config(noreplace) %{_sysconfdir}/firejail/login.users
%config %{_sysconfdir}/firejail/*.inc
%config %{_sysconfdir}/firejail/*.net
%config %{_sysconfdir}/firejail/*.profile
%{_bindir}/firecfg
%{_bindir}/firejail
%{_bindir}/firemon
%{_libdir}/firejail
%{_datadir}/bash-completion/completions/firejail
%{_datadir}/bash-completion/completions/firecfg
%{_datadir}/bash-completion/completions/firemon
%{_docdir}/firejail/COPYING
%{_docdir}/firejail/README
%{_docdir}/firejail/RELNOTES
%{_docdir}/firejail/profile.template
%{_docdir}/firejail/redirect_alias-profile.template
%{_docdir}/firejail/syscalls.txt
%{_mandir}/man1/firecfg.1.gz
%{_mandir}/man1/firejail.1.gz
%{_mandir}/man1/firemon.1.gz
%{_mandir}/man5/firejail-login.5.gz
%{_mandir}/man5/firejail-profile.5.gz
%{_mandir}/man5/firejail-users.5.gz
%{_datadir}/vim/vimfiles/ftdetect/firejail.vim
%{_datadir}/vim/vimfiles/syntax/firejail.vim
%license COPYING
EOF
tar --exclude-vcs-ignore --exclude="./.git" --exclude="./test" --create --gzip --file "$SOURCEDIR/$NAME.tar.gz" .
rpmbuild --nodebuginfo --quiet --define "_topdir $TOPDIR" -bb "$SPECDIR"/$NAME.spec
RPM="$NAME-$VERSION-$RELEASE.git$COMMIT$(rpm -E %{?dist}).$(rpm -E %_arch).rpm"
mv "$RPMDIR/$(rpm -E %_arch)/$RPM" .
sudo dnf install "$RPM"
rm "$RPM"