
Sandboxing with Firejail - moreati
https://lwn.net/Articles/671534/
======
mynewtb
I had no idea it was so easy to use!

> The --net=none option will create a new network namespace without any
> devices, so processes cannot communicate outside of the namespace.

No idea what a namespace is, does this mean the process will be unable to use
any network? I want that as default for everything on my machine...

~~~
cesnja
Linux namespaces isolate certain functionality for a group of processes. See
more here:
[http://man7.org/linux/man-pages/man7/namespaces.7.html](http://man7.org/linux/man-pages/man7/namespaces.7.html)

And yes, a blank new network namespace won't even have the loopback interface
available. There is a program named unshare, which executes a program in
another namespace.

~~~
digi_owl
Really wish there was a basic set of commands for manipulating namespaces. It
seems we are reliant on support being baked into larger tools like systemd at
present, and said tools may not allow the user/admin to manipulate namespaces
directly.

~~~
tobbyb
The unshare tool [1] can be used along with ip-tools to create a namespace
with networking support. Add a chroot or pivot root to it and you have a Linux
container. It's quite easy to do. We have a guide on using namespaces directly
and the various projects using it including Firejail here [2]

Linux namespaces were created to support containers. This is how userland
container projects like LXC, Docker and Nspawn work, only they don't use the
unshare tool but the underlying system calls clonens, setns and unshare [3].

[1] [http://man7.org/linux/man-pages/man2/unshare.2.html](http://man7.org/linux/man-pages/man2/unshare.2.html)

[2] [https://www.flockport.com/alternatives-to-docker-and-lxc/](https://www.flockport.com/alternatives-to-docker-and-lxc/)

[3] [https://lwn.net/Articles/531114/](https://lwn.net/Articles/531114/)
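
A check for the network isolation discussed in this sub-thread, as an added example that is not part of any comment here or of Firejail itself: it compares the `/proc/<pid>/ns/net` links of two processes and lists the devices in the target's `/proc/<pid>/net/dev`. The function names, namespace ids and device table are constructed for illustration.

```shell
#!/bin/sh
# Added example: is a process really cut off from the network?
# All ids and the device table below are constructed sample values.

# ns_inode 'net:[4026531992]' -> 4026531992 (empty output if malformed)
ns_inode() {
    printf '%s\n' "$1" | sed -n 's/^net:\[\([0-9][0-9]*\)]$/\1/p'
}

# list_ifaces: read /proc/<pid>/net/dev text on stdin, print interface names
list_ifaces() {
    awk 'NR > 2 { sub(/:.*/, ""); gsub(/[ \t]/, ""); print }'
}

# classify SELF_LINK TARGET_LINK < netdev-text
# Returns 0 only if the target is in a different network namespace that
# holds no device other than lo (which cannot reach outside the namespace).
classify() {
    self=$(ns_inode "$1"); target=$(ns_inode "$2")
    if [ -z "$self" ] || [ -z "$target" ]; then echo unknown; return 2; fi
    if [ "$self" = "$target" ]; then echo shared; return 1; fi
    ifaces=$(list_ifaces | awk '$0 != "lo"' | tr '\n' ' ')
    ifaces=${ifaces% }
    if [ -n "$ifaces" ]; then
        echo "isolated-with-devices: $ifaces"; return 1
    fi
    echo isolated
}

# check_pid PID: live check against this shell's own namespace (Linux only)
check_pid() {
    classify "$(readlink /proc/self/ns/net)" \
             "$(readlink "/proc/$1/ns/net")" < "/proc/$1/net/dev"
}

# Constructed sample: device table of a namespace that holds only lo
sample_netdev() {
    cat <<'EOF'
Inter-|   Receive                  |  Transmit
 face |bytes    packets errs drop  |bytes    packets errs drop
    lo:       0       0    0    0         0       0    0    0
EOF
}

if [ -n "${1:-}" ]; then
    check_pid "$1"
else
    sample_netdev | classify 'net:[4026531992]' 'net:[4026532300]'
fi
```

Run it with a PID argument for a live check, for instance against a process started with `firejail --net=none`; without an argument it evaluates the constructed sample.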

------
SeriousM
Just for the record: [http://www.sandboxie.com/](http://www.sandboxie.com/) is
THE sandbox tool for Windows.

------
yadascript
Could Firejail be used as the isolation layer for an online IDE?

~~~
jeswin
Sorry off topic, but just wanted to check if I can reach you by email. I am
building something on those lines, and wanted to see if we can exchange ideas.
My email is on my profile.

------
brudgers
Previous:
[https://news.ycombinator.com/item?id=8187534](https://news.ycombinator.com/item?id=8187534)

~~~
e12e
That doesn't appear to be the same article - so this isn't a duplicate story -
just a duplicate (but much more recent) mention of the technology in question.

------
fulafel
Are there advantages for Ubuntu users over enabling the Firefox AppArmor
profile? (And why doesn't that default to on, anyway?)

~~~
satai
You can do both, there is no need to decide between MAC and firejail. (It may
not work for some small quirks but they should be fixable, at least in theory)

------
agentgt
Pardon my ignorance as I am a long time Linux user now using OSX.. are there
any good sandbox tools for OSX?

