Securely Run Programs In Linux Mint Using Firetools


For running applications sandboxed in Linux, Firetools is a good utility to do so. Sandboxing is essentially restricting applications in their own space and thereby limiting their reach to the overall system. This is a security layer to prevent any malicious programs to have full access to the system.

Firetools is a graphical front-end for the command-line sandboxing tool Firejail.

Installing Firetools:

To use Firetools in Linux Mint, first install it from the Terminal by typing in:

sudo apt install firetools

installing Firetools in Linux Mint

Once installed, it will show up in the System menu.

Firetools installed in Linux Mint

Using Firetools:

Launch Firetools to begin. This will show a menu which is the Sandbox Launcher.

Firetools Sandbox Launcher

A jail icon will also be visible in the system tray indicating that Firetools is now running.

Firetools system tray icon

By default, most of the applications that are installed will be listed as icons that can be run sandboxed. Firetools and Firejail also support over 800 different applications so they too can be run after installing them. However, Snap and flatpak packages aren’t supported.

To run any of these, either right-click on them and choose Run or double-click them.

running apps in sandbox mode using Firetools in Linux Mint

To see if the applications are running in the sandboxed mode, double-click on the Settings icon at the top from the Firetools menu or right-click and select Tools.

This will show a list of applications that are sandboxed along with their process IDs and the system resources that they are using.

Firetools sandbox list

To know further details, click on their process IDs. It will show a graphical view of their usage. You can also shut down the applications from here by clicking on Shutdown.

graphical view of sandbox apps and managing them using Firetools

This will exit them from the sandboxed mode and also close them.

shutting down sandboxed apps using Firetools

Creating custom sandboxes using Firetools:

Besides running the applications in the default sandbox, you can also create your own. This is useful when you need to add specific restrictions on a per-application basis.

To configure a custom sandbox, click on the wizard icon from the Firetools menu, or right-click and select Configuration wizard.

Firetools configuration wizard

Then select the application for custom sandboxing and choose Build a custom security profile. In this example, LibreOffice Writer is to be sandboxed so that all the documents created with it can only be saved to the Documents folder and not anywhere else.

choosing apps to sandbox using Firetools configuration wizard

 

So, the option of Restrict /home directory is enabled for this (which is disabled by default). Then, all the other folders except Documents are unchecked which means that they can’t be accessed by LibreOffice Writer.

restricting home directory folders using Firetools configuration wizard

Click on Continue. In this example, other settings are left unchanged. You can however enable these for say sandboxing a browser or a multimedia program.

finishing creating a custom sandbox using Firetools

Click again on Continue. The sandbox monitoring and statistics option is disabled by default but can be enabled if needed. finally, finish by clicking on Done.

Firetools custom sandbox setup complete

After this custom sandbox is created and when LibreOffice Writer is opened in it, no other folders except Documents can save the created files.

restricted folders access for LibreOffice Writer using Firetools

Similarly, you can make a custom sandbox for browsers and can restrict downloads to only a specific directory, prevent audio and video playback, and so on.

Using Firejail from the Linux command-line:

You can also directly use firejail from the command-line by typing in:

firejail

running firejail from the Linux command line

This will launch a jailed shell which will have certain restrictions. You can’t execute system-related tasks from this like rebooting, shutting down or switching to root, and so on.

jailed shell in firejail restricts certain system tasks

To do that, you’d need to first exit this jailed shell.

To run programs using firejail, use the command:

firejail appname

So, to open Firefox in the sandboxed mode, the command will be:

firejail firefox

Running Firefox in a sandbox using Firejail in Linux Mint

Similarly, to launch VLC player, the command will be:

firejail vlc

You can also use other parameters like bandwidth, netstats, and so on. To know more, use the man command:

man firejail

using the man command for knowing firejail syntax

These apps that are started from the firejail command-line too can be managed with the Sandbox Launcher. However, using Firetools as a front-end makes it simpler to launch them, create custom sandboxes, and manage what is being sandboxed.

Happy sandboxing.


Leave a Comment