Run your web browser (and other apps) in a secure sandbox


Back to the homepage


Contents of this page:

Why the sandbox of Firejail is useful

1. By default, Linux Mint is already very secure. Yet with a relatively small measure, you can increase the already high level of security of your Linux considerably. Namely by running your web browser from within a secure virtual sandbox. Because web browsers (and their plugins) are, by far, the applications that are most under attack.

You can easily achieve that protection by means of the application Firejail, which offers simple lightweight virtualization on the application level. Translated into ordinary language that means: you can fully isolate your web browser from your personal folder, so that it can never do any harm in your personal folder.

With that, you're much better protected against hackers or malware breaking into your personal folder (the files that are accessible without root permissions). Firejail protects against malware that tries to do nasty things with your personal files behind your back. The malware can go ahead without being stopped, but.... can't touch anything.

Because your web browser and its plugins, are then isolated from your personal folder. Almost entirely, because there are some useful exceptions, like the Downloads folder and the configuration of the web browser. The system folders and files are also still accessible, but obviously as "read-only".

Firejail is well designed: it causes only a little extra system load.

Note: Firejail can't be used for applications that are installed as Flatpaks or Snaps. Because those already have their own sandbox.

I fully agree with what Distrowatch has said about Firejail: the extra protection layer that Firejail provides, increases security considerably, uses very few resources and requires almost no effort to use. In today's world of security breaches and privacy concerns, my opinion is: Why would someone not want to use Firejail? (the complete Distrowatch article is here)

Everything has of course its price, even if it's a small one: the disadvantage of this isolation is, that you can for example only add files to an e-mail message if those files are in the Downloads folder. Because for the rest, your web browser is isolated from your personal folder. Also printing web pages might fail because of this.

That's why I advise to limit this isolation to the web browser launcher that's in the panel of your desktop. That way, you can always launch a "normal" web browser from the menu.

Sidenote: the isolation of Firejail is limited to your personal folder; your web browser can still access folders and files of the operating system itself. That's intentional and no problem, because those are owned by root, so they fall under the protection of the password requirement.

You can achieve this as follows:

Install Firejail

2. Installing Firejail in Linux Mint is easy:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):

sudo apt-get install firejail

Press Enter. Type your password when prompted. In Ubuntu this remains entirely invisible, not even dots will show when you type it, that's normal. In Mint this has changed: you'll see asterisks when you type. Press Enter again.

Optional: the latest Firejail

2.1. First check your Firejail version. You can check the version of the Firejail that's installed in your system, with this terminal command:

firejail --version

If for some reason you need a newer version (but why?), you can always get the latest upstream Firejail from this web page.

Download the .deb installer file (not the .tar.bz2) of the latest Firejail. Don't try to install it by means of the dialog window in your web browser (sometimes this doesn't work), but just download it. Then launch your file manager and simply double-click it, as if it were a Windows installer.

Run Firefox from a sandbox

3. After installing Firejail, you can run Firefox from a sandbox in the following way:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

type (copy/paste):

firejail firefox

Press Enter.

That's all! Firejail has reasonable default settings for Firefox, which are hardly ever annoying and still increase your online security a lot. The average desktop user doesn't need to change anything in those settings.

But that's a one-time launch only; it's of course not very convenient to launch Firefox that way every time. So I advise to create a desktop shortcut that launches Firefox in a sandbox by default.

For that, you perform in Linux Mint Cinnamon a right-click with your mouse on the icon of Firefox in the menu - Add to desktop. Then right-click on the newly created desktop shortcut - Properties - Command: change this into:

firejail firefox %u

In other desktop environments than Cinnamon, you need to edit the Firefox desktop shortcut in a comparable way.

Now close all open Firefox windows and double-click the Firefox desktop shortcut, so that Firefox is being launched again. Firefox should be running in a sandbox now.

In order to check that, launch a terminal window.
(You can launch a terminal window like this: *Click*)

type (copy/paste):

firejail --tree

Press Enter.

With that command you can check whether Firefox is indeed running in sandbox mode.

Fix a sound issue (PulseAudio) caused by Firejail

4. When you run Firejail, it might cause problems with sound and playback. If so, you can try to fix it like this:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Copy/paste the following series of commands into the terminal (press Enter after each individual command):

mkdir -p ~/.config/pulse

cd ~/.config/pulse

cp -v /etc/pulse/client.conf ~/.config/pulse

echo "enable-shm = no" >> client.conf

Note: this is a user setting, so repeat this in each user account.

Check the settings for Firefox and modify them (for advanced users only)

5. Do you want to check the settings of Firejail for Firefox? They're in /etc/firejail/firefox.profile

Do you wish to change something in the Firefox profile of Firejail? Then preferably don't do that systemwide, but first copy the systemwide Firefox profile of Firejail to your personal folder. That can be done with the following terminal commands (use copy/paste to transfer them to the terminal):

First:

mkdir -v ~/.config/firejail

Press Enter.

Then:

cp -v /etc/firejail/firefox.profile ~/.config/firejail

Press Enter.

Finally:

xed ~/.config/firejail/firefox.profile

Press Enter.

Then you can experiment safely in the copied profile, and your modifications will remain intact when you install a newer version of Firejail.

You can also launch Firejail with a lot of advanced options. You can take a look at those with the terminal command man firejail or on this web page.

Firefox completely in the sandbox (only for advanced users)

6. It's also possible to put Firefox in your user account completely in the sandbox, regardless of how you launch it. I don't recommend that, because you'll probably be confronted with annoying limitations then, from time to time. But if you want that anyway, then these are the two terminal commands you need for that:

First this (it's one line):

cp -v /usr/share/applications/firefox.desktop ~/.local/share/applications

Then this (it's one line):

sed -i 's/Exec=firefox/Exec=firejail firefox/g' .local/share/applications/firefox.desktop

Close Firefox and launch it again.

You can undo it like this:

rm -v ~/.local/share/applications/firefox.desktop

Close Firefox and launch it again.

Run Google Chrome from a sandbox

7. For Google Chrome, a sandbox is less important than for Firefox. Because it's better protected than Firefox (which is an issue that the Firefox developers are currently working on). Nevertheless, a sandbox is useful for Google Chrome as well.

After installing Firejail, you can run Google Chrome from a sandbox in the following way:

Launch a terminal window.
(You can launch a terminal window like this: *Click*)

Type (copy/paste):

firejail google-chrome-stable

Press Enter.

That's all! Firejail has reasonable default settings for Chrome, which are hardly ever annoying and still increase your online security a lot. The average desktop user doesn't need to change anything in those settings.

But that's a one-time launch only; it's of course not very convenient to launch Chrome that way every time. So I advise to create a desktop shortcut that launches Chrome in a sandbox by default.

For that, you first need to put a starter for Google Chrome in the panel of your desktop. In Linux Mint Cinnamon that can be done from the menu: Internet - rightclick on Google Chrome - Add to desktop.

Then you do in Linux Mint Cinnamon a rightclick with your mouse on the newly created shortcut to Chrome on your desktop - Properties - Command: change this into:

firejail google-chrome-stable %U

In other desktop environments than Cinnamon, you need to edit the Chrome desktop shortcut in a comparable way.

Now close all open Chrome windows and click on the Chrome desktop shortcut, so that Chrome is being launched again. Chrome should now be running in a sandbox.

In order to check that, launch a terminal window.
(You can launch a terminal window like this: *Click*)

type (copy/paste):

firejail --tree

Press Enter.

With that command you can check whether Chrome is indeed running in sandbox mode.

Check the settings for Chrome and modify them (for advanced users only)

8. Do you want to check the settings of Firejail for Chrome?
They're in /etc/firejail/google-chrome-stable.profile

Do you wish to change something in the Chrome profile of Firejail? Then preferably don't do that systemwide, but first copy the systemwide Chrome profile of Firejail to your personal folder. That can be done with the following terminal commands (use copy/paste to transfer them to the terminal):

First:

mkdir -v ~/.config/firejail

Press Enter.

Then (it's one line!):

cp -v /etc/firejail/google-chrome-stable.profile ~/.config/firejail

Press Enter.

Finally:

xed ~/.config/firejail/google-chrome-stable.profile

Press Enter.

Then you can experiment safely in the copied profile, and your modifications will remain intact when you install a newer version of Firejail.

You can also launch Firejail with a lot of advanced options. You can take a look at those by means of the terminal command man firejail or on this web page.

Chrome completely in the sandbox (only for advanced users)

9. It's also possible to put Chrome in your user account completely in the sandbox, regardless of how you launch it. I don't recommend that, because then you'll probably be confronted with annoying limitations from time to time. But if you want that anyway, then these are the two terminal commands you need for that:

First this (it's one line):

cp -v /usr/share/applications/google-chrome.desktop ~/.local/share/applications

Then this (it's one large line):

sed -i 's/google-chrome-stable/firejail google-chrome-stable/g' .local/share/applications/google-chrome.desktop

Close Chrome and launch it again.

Check whether it works, with this command:

firejail --tree

You can undo it like this (it's one line!):

rm -v ~/.local/share/applications/google-chrome.desktop

Close Chrome and launch it again.

Even more applications in the sandbox?

10. The web browser is of course the application that's most useful to secure, because it faces most of the dangers. But in a similar way as with Firefox and Chrome, you can put even more applications in the sandbox.

For that, it's best to check first whether Firejail has a specific profile for the application you want to sandbox. Because if not, Firejail will use a generic profile which might cause problems for your specific application.
The available profiles are in /etc/firejail .

If you use an e-mail client like Thunderbird or a torrent client like Transmission: it's probably a good idea to sandbox them with Firejail as well.

Use Firejail as internet access blocker for individual applications

11. It's also possible to use Firejail in order to block internet access for an individual application. You don't need complicated firewall rules, in order to prevent a program to access the internet behind your back!

This can be done by launching Firejail with the option --protocol=unix. Below is an example for media player VLC; copy/paste the following command into the terminal and press Enter:

firejail --protocol=unix vlc

Note: you can also use the option --net=none. But that option sometimes results in an application crash or in red error reports in the terminal. That's why I don't recommend it.

The option --net=none has the same effect as the option --protocol=unix, but the problem is that it might interfere with DBUS functionality. The difference is: with one option the program doesn't see the network at all (so of course it can't connect to it), and with the other option it does see the network but cannot connect to it.


Bottom line: just use --protocol=unix.

Tip: do you want to launch an application with blocked internet access on a regular basis? Then simply create a desktop launcher for it that contains this particular Firejail prefix.

Want more tips?

Do you want more tips and tweaks? There's a lot more of them on this website!

For example:

Speed up your Linux Mint!

Clean your Linux Mint safely

Avoid 10 fatal mistakes


To the content of this website applies a Creative Commons license.

Back to the home page

Disclaimer