Secure Chromium through Firejail

People tend to think that using Linux makes them invulnerable. Whilst this is true in most cases (the number of viruses, lockers and trojans targeting Linux-based operating systems is infinitesimal compared to the Windows hell), there are still some vulnerabilities that could lead to personal data leaks.

Some people with an above-average level of paranoia tend to isolate every app in a container such as Docker, and there are plenty of dockerized versions of Google Chrome. This approach makes things pretty secure: it’s unlikely that a malicious website will break out of the container and get access to the host OS environment. However, it is not very handy, since it starts the container, connects it to the network and incurs various other overheads that are not truly necessary.

There is another, more lightweight approach to achieving a pretty comfortable level of safety: Firejail. Those who are curious can find all the details about how it works on the project’s website. I will focus on how to use it.

First of all, Firejail comes with a pretty good profile for the Chromium browser, and you most likely don’t want to tweak it. So the first attempt to move Chromium into a Firejail sandbox would be to write a simple shell script, or even create an alias, that wraps the execution of chromium in a call to firejail.

#!/bin/bash

# "$@" passes every argument through unchanged, even URLs with spaces or quotes
firejail chromium "$@"

This works pretty well: it starts the Chromium browser within the Firejail sandbox. There is a problem, though: you won’t be able to open a URL in a tab of the running browser anymore. A second invocation of this script will start another instance of Chromium, with some conflicts in profiles. The reason is that the script starts another sandbox, which doesn’t know that another instance is already running. Luckily, Firejail allows joining an existing sandbox. So the modified version of the launch script


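#!/bin/bash

# PID of the first firejail sandbox whose listing mentions chromium (empty if none)
PID=$(firejail --list | grep chromium | awk -F ':' '{print $1; exit}')
ARGS="--force-device-scale-factor=1.8"

if [ -z "$PID" ]; then
    # no sandbox yet: start a new one
    firejail chromium $ARGS "$@"
else
    # sandbox already running: join it so the URL opens in the existing instance
    firejail --join="$PID" chromium $ARGS "$@"
fi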

will do the trick.

Essentially, it will

  • look up whether there is a chromium sandbox running in firejail
  • if found, attach to it and invoke chromium with the URL parameter
  • if not found, start the sandbox with the passed URL
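
The lookup step is the fragile part: a plain `grep chromium` also matches a sandbox that only mentions chromium in a file path, and it returns several PIDs when more than one sandbox matches. The following is an added example, not the post's own script, that picks exactly one PID by looking at the program each sandbox launched. It assumes the `PID:user:name:command` layout of `firejail --list`; the sample listing is constructed and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not the post's own script.

# Constructed sample of `firejail --list` output, assumed PID:user:name:command.
SAMPLE_LIST='4321:alice::firejail vim /home/alice/chromium-notes.txt
5150:alice:web:firejail --name=web chromium --force-device-scale-factor=1.8
6200:alice::firejail chromium https://example.org'

# Read a listing on stdin and print the PID of the first sandbox whose
# launched program is exactly "chromium"; print nothing if there is none.
chromium_sandbox_pid() {
    awk '
    {
        cmd = $0
        sub(/^[^:]*:[^:]*:[^:]*:/, "", cmd)      # drop PID, user and name fields
        pid = $0
        sub(/:.*$/, "", pid)                      # keep only the PID field
        n = split(cmd, w, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            # skip the firejail wrapper itself and its options
            if (w[i] == "" || w[i] == "firejail" || w[i] ~ /^-/) continue
            prog = w[i]
            sub(/^.*\//, "", prog)                # basename of the program
            if (prog == "chromium" && pid ~ /^[0-9]+$/) { print pid; exit }
            next                                  # some other program: next line
        }
    }'
}

# Hypothetical launcher built on the helper (defined here, not called).
open_in_sandbox() {
    pid=$(firejail --list | chromium_sandbox_pid)
    if [ -z "$pid" ]; then
        firejail chromium "$@"
    else
        firejail --join="$pid" chromium "$@"
    fi
}

# Demo on the constructed listing.
printf '%s\n' "$SAMPLE_LIST" | chromium_sandbox_pid
```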

Now, using this script, it is possible to open a URL from the terminal, or to integrate with Termite to open links on mouse click.

Enjoy!