In Ubuntu 19.04, you can install Chromium using snap like this:

sudo snap install chromium

However, when installing Chromium via snap, you cannot sandbox it with firejail like this:

firejail chromium-browser

The command above runs the non-snap version of chromium in a sandbox where chromium only has access to the Downloads folder (and not your entire home folder).

However, when Chromium is installed as a SNAP, firejail cannot achieve these file system restrictions. When you use Chromium installed via sudo apt install chromium-browser, firejail works, but it doesn't work with snap-installed chromium.

I understand that future versions of Ubuntu will only be offering the snap package of Chromium, so that's why I'm trying to address this issue right now in Ubuntu 19.04. See this as well.

I've requested an alternative snap installation method, that only gives Chromium access to the Downloads folder here.

Until then, how can I sandbox Chromium (installed via SNAP), in a manner like firejail sandboxes Chromium (installed via apt)?

Lonnie Best
  • Snap apps should already be sandboxed, but I guess you could try to run them through firejail, if you like. Snap's executables are installed in /snap/bin, so try firejail /snap/bin/chromium-browser. – ajgringo619 Oct 06 '19 at 01:27
  • The snap for Chromium is sandboxed to a degree, but not to the degree I want. How can I control exactly what portions of the file system the installation has access to? firejail /snap/bin/chromium-browser doesn't work. – Lonnie Best Oct 06 '19 at 01:35
  • Look here: https://snapcraft.io/docs/interface-management – ajgringo619 Oct 06 '19 at 01:37
  • @ajgringo619 : That looks like a good start. I was able to disconnect the ability to access the home folder, but I'm now trying to figure out how to enable access to the Downloads folder exclusively. – Lonnie Best Oct 06 '19 at 01:48
  • This answer shows how to install the Debian repo of Chromium onto Ubuntu/Kubuntu 19.10. – Lonnie Best Feb 18 '20 at 21:47
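
The interface-management approach discussed in the comments above, as an added example that is not part of the original thread: a shell script that reads `snap connections chromium` output and lists the connected plugs that grant file-system access, together with the `snap disconnect` command for each. The sample output and the list of interfaces treated as file-system related are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit which file-system interfaces a snap has connected.

# Assumption: the snapd interfaces treated here as widening file-system access.
FS_INTERFACES="home removable-media personal-files system-files"

# Constructed sample of `snap connections chromium` output
# (not captured from a real system).
sample_connections() {
cat <<'EOF'
Interface        Plug                      Slot              Notes
audio-playback   chromium:audio-playback   :audio-playback   -
home             chromium:home             :home             -
network          chromium:network          :network          -
removable-media  chromium:removable-media  -                 -
EOF
}

# Read `snap connections <snap>` output on stdin and print the plug of every
# file-system interface that is currently connected (Slot column is not "-").
connected_fs_plugs() {
    awk -v wanted="$FS_INTERFACES" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) fs[w[i]] = 1 }
        NR > 1 && ($1 in fs) && $3 != "-" { print $2 }
    '
}

# Turn each connected plug into the command that would revoke it.
suggest_disconnects() {
    connected_fs_plugs | while read -r plug; do
        echo "sudo snap disconnect $plug"
    done
}

# Demo on the constructed sample. On a real system, run instead:
#   snap connections chromium | suggest_disconnects
sample_connections | suggest_disconnects
```

Disconnecting the home plug removes access to the whole home folder; the script only reports what is connected and does not by itself grant access to a single folder such as Downloads.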

2 Answers

According to Firejail's man page, which you can access with the command man firejail, they do not support snap packages.

Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) are not supported. Snap and flatpak packages have their own native management tools and will not work when sandboxed with Firejail.

Mr. T

Using Firejail would be like using a sandbox inside a sandbox.

Flatpak and Snap have their own sandboxing strategies. Both have their flaws. A lot has been written about them (note that some of these issues might already be solved):

Pablo Bianchi