The browser is the biggest place where bad hackers can attack your desktop computer, because you open many different websites every day and you do not know whether one of them carries a dangerous exploit. If you use Fedora Linux, the default Firefox you get is very fast and nice, but it does not have a real sandbox boundary, so it can see all the private files in your home folder. If a hacker finds a zero-day exploit in your browser, he can steal your school homework, your private photos, and your passwords very easily. This tutorial shows you how to remove that browser and install the Flatpak version, which uses Bubblewrap and portals to keep your files safe in a strong jail.
Step 1: Delete the normal Firefox from your Fedora system
First, we must delete the old Firefox that comes with your Fedora system because that version can look at your entire home directory. Open your terminal application and type this command to remove it:
sudo dnf5 remove -y firefox
This command uses the new dnf5 package manager to uninstall the native Firefox browser. sudo means you must type your admin password because you are changing system files, and the -y option answers yes automatically so the terminal does not stop to ask whether you are sure. After you press Enter, the terminal deletes the old browser, and your system is ready for the safe sandboxed version.
Step 2: Install Flatpak Firefox and Flatseal tool
Now your computer does not have Firefox, so we need to install the safe Flatpak version from the Flathub store. We also need to install a helper app called Flatseal, which has a simple window with buttons where you can see and change which permissions each Flatpak app has. Run these commands in your terminal:
flatpak install -y flathub org.mozilla.firefox
flatpak install -y flathub com.github.tchx84.Flatseal
These commands download the browser and the tool. Flatpak is very cool because it bundles all the libraries inside its own box, so it does not make your system dirty. The download can take some minutes if your internet connection is slow like mine, so please wait until it finishes.
Step 3: Block home folder access with override commands
By default, the Flatpak Firefox still has permission to look at your home folder because the creators want to make it easy for you to upload files. But this is very dangerous because a bad script can still read your private keys. We want to tell the computer that Firefox can only see the Downloads folder, so if you download a file it works, but it cannot touch anything else. Run these two commands in your terminal:
flatpak override --user --nofilesystem=home org.mozilla.firefox
flatpak override --user --filesystem=~/Downloads org.mozilla.firefox
The first command uses the override option to say no filesystem access to the home directory. The second command says okay, you can only have access to the Downloads folder in your home directory. Now, if a hacker gets into your browser, he is trapped in a small empty box and cannot see your other folders.
Step 4: Check your new settings inside Flatseal app
It is always a good idea to verify that the commands worked correctly, because sometimes we make a small typo. Open the application menu on your desktop, search for Flatseal, and open it. On the left side of the Flatseal window, you will see a list of your installed Flatpak apps. Click on the Firefox icon, then scroll down on the right side until you see the section named Filesystem. Here, the toggle for All user files must be turned off, and the list of other files must contain only the ~/Downloads folder. This means your sandbox is configured correctly.
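The same check can be done from the terminal. This is an added example, not part of the original tutorial: the function name audit_filesystems is hypothetical, the sample keyfile is constructed, and it assumes the keyfile layout that flatpak override --user --show prints (a filesystems= key with entries separated by ";" and a leading "!" for a denied path).

```shell
#!/bin/sh
# Added example: audit the filesystem entries of a Flatpak permission keyfile.
# Live use:
#   flatpak override --user --show org.mozilla.firefox | audit_filesystems

audit_filesystems() {
    # Pull the value of every "filesystems=" key, one entry per line.
    entries=$(sed -n 's/^filesystems=//p' | tr ';' '\n')
    denied_home=no
    broad=
    extra=
    while IFS= read -r e; do
        case ${e%%:*} in                              # ignore :ro / :rw / :create
            '')                    ;;                 # empty field
            '!home')               denied_home=yes ;; # the rule from Step 3
            '!'*)                  ;;                 # any other explicit denial
            home|host|'~')         broad="$broad $e" ;;   # whole home or host
            '~/Downloads'|xdg-download) ;;            # the one folder we share
            *)                     extra="$extra $e" ;;   # anything else
        esac
    done <<EOF
$entries
EOF
    if [ -n "$broad" ]; then
        echo "FAIL broad access:$broad"; return 1
    fi
    if [ "$denied_home" = no ]; then
        echo "FAIL home is not denied"; return 1
    fi
    if [ -n "$extra" ]; then
        echo "WARN extra paths:$extra"; return 0
    fi
    echo "OK only Downloads is shared"
}

# Constructed sample: what the override file should look like after Step 3.
sample='[Context]
filesystems=!home;~/Downloads;'
printf '%s\n' "$sample" | audit_filesystems
```

To probe the running sandbox instead of the saved settings, flatpak run --command=sh org.mozilla.firefox -c 'ls ~/Documents' tries to list the folder from inside the sandbox.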
Step 5: Do the same safe settings for Chrome or Chromium
Maybe you do not like Firefox because you prefer to use Google Chrome or Chromium for your school work or video watching. You can do the exact same security steps for them too. First, you must install them from Flatpak, and then you run the same override commands but you change the name of the application at the end.
If you use Google Chrome, write these commands:
flatpak override --user --nofilesystem=home com.google.Chrome
flatpak override --user --filesystem=~/Downloads com.google.Chrome
If you use the open source Chromium browser, write these commands:
flatpak override --user --nofilesystem=home org.chromium.Chromium
flatpak override --user --filesystem=~/Downloads org.chromium.Chromium
This works exactly the same way, so your Google Chrome is also locked inside the safe sandbox jail and cannot steal your personal files.
Step 6: Test if your sandbox is actually working
To prove that the browser is really locked up and we did not do all this for nothing, you can perform a very simple test. Open your new Flatpak Firefox and press Ctrl and O together on your keyboard. This opens the file picker window, where you can choose a file to open in the browser. Try to click on your Documents folder or your Desktop folder. You will not be able to see any files there, or the system will show an error, because the browser does not have permission to open those folders. Then click on your Downloads folder, and you will see that all your downloaded files are visible. This means the sandbox is working.
Step 7: How to reset the settings if you have problems
Sometimes you might need to upload a file from your Documents folder for your school website and you are too lazy to copy it to the Downloads folder first. If you want to delete all the security rules we made and make the browser normal again, you do not need to delete the app. You can just run this simple command to reset everything:
flatpak override --user --reset org.mozilla.firefox
This command will wipe out all the custom rules we wrote for Firefox and it will go back to the default Flathub settings. It is very easy to do and you do not need to worry about breaking your system.
Step 8: Extra safe setup with Firejail or Distrobox for paranoid users
If you are very scared because you think super smart hackers are trying to target your computer, you can make the security level even higher. One way is to use a program called Firejail which is like a second cage around your browser cage. Firejail uses special profiles to block even more system calls that the browser tries to make to your Linux kernel. Another cool way is to install a tool called Distrobox. Distrobox lets you create a small container with a completely different Linux operating system inside your terminal. You can run your browser inside this Distrobox container, so even if a hacker exploits your browser, they are trapped in a fake computer that has nothing inside it.
Conclusion
Setting up a sandbox for your browser on Linux is a very smart thing to do, because the web browser is the most dangerous path for viruses to enter your PC. By removing the native Fedora Firefox, replacing it with the Flatpak version, and then restricting its access to only the Downloads folder, you make your personal files much safer from zero-day exploits. It is not very difficult to do, and it gives you much better peace of mind when you browse the internet.
