LinuxCommandLibrary

firejail

Sandbox applications for increased system security

TLDR

Integrate firejail with your desktop environment

$ sudo firecfg

Open a restricted Mozilla Firefox
$ firejail [firefox]

Start a restricted Apache server on a known interface and address
$ firejail --net=[eth0] --ip=[192.168.1.244] [/etc/init.d/apache2] [start]

List running sandboxes
$ firejail --list

List network activity from running sandboxes
$ firejail --netstats

Shut down a running sandbox
$ firejail --shutdown=[7777]

Run a restricted Firefox session to browse the internet
$ firejail --seccomp --private --private-dev --private-tmp --protocol=inet firefox --new-instance --no-remote --safe-mode --private-window

Use a custom hosts file (overriding /etc/hosts)
$ firejail --hosts-file=[~/myhosts] [curl http://mysite.arpa]

SYNOPSIS

firejail [options] [--] program [arguments]
firejail {--help | --version | --list | other commands}

PARAMETERS

--apparmor
    Enable AppArmor confinement

--caps.drop=all
    Drop all Linux capabilities

--ipc-namespace
    Enable IPC namespace

--net=none
    Disable networking

--net=eth0
    Create a new network namespace connected to the given host interface

--private
    Mount new, empty temporary filesystems on the home directory and /root; all changes are discarded when the sandbox exits

--private-home
    Use fake empty home directory

--private-dev
    Create private /dev directory

--private-etc
    Copy modified config files to private /etc

--private-tmp
    Mount empty /tmp in private tmpfs

--profile=FILE
    Use custom profile file

--profile.print=APP
    Print default profile for app

--seccomp
    Enable seccomp-bpf filters

--quiet
    Suppress messages

--debug
    Print debug info

--list
    List running sandboxes

--top
    Show sandbox resource usage

--kill=PID
    Kill sandbox by PID

--version
    Print version

--help
    Show help

DESCRIPTION

Firejail is a lightweight SUID sandbox program that enhances security by restricting untrusted applications via Linux namespaces, seccomp-bpf filters, and capabilities. It isolates processes in private views of the file system, network, IPC, PID, and more, preventing unauthorized access to sensitive data.

Designed for ease of use, Firejail ships with 1000+ pre-defined profiles for popular apps like Firefox, VLC, and wget. Run firejail firefox to instantly sandbox a browser. Custom profiles allow fine-tuning restrictions.

It supports overlays for home directory isolation, network namespaces (e.g., --net=none), and restrictive capabilities. Firejail is performant, with minimal overhead, and integrates well with desktop environments. Primarily for Debian/Ubuntu, it works on most distros with user namespace support.

Key benefits: malware containment, privilege escalation prevention, and data leakage mitigation. Not a replacement for SELinux/AppArmor but a user-friendly complement.

CAVEATS

Requires a kernel with user namespaces (CONFIG_USER_NS=y). The SUID binary poses risks if compromised. Not immune to kernel exploits. Profiles may break apps that need specific access. Test thoroughly; use --noprofile to disable profile loading.

PROFILES

Profiles live in /etc/firejail/*.profile or ~/.config/firejail/. Edit them to add custom rules such as blacklist /etc/shadow.
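The following is an added example, not part of the firejail project or this page: it writes a user profile that tightens the restrictions listed under PARAMETERS (blacklist, caps.drop, seccomp, private-dev, private-tmp, protocol) and launches curl under it. The profile name curl-hardened.profile and the target URL are constructed for illustration.

```shell
#!/bin/sh
# Added example (not firejail's own code): a hardened curl profile.
# Firejail profile directives are one per line; '#' starts a comment line.
# ${HOME} inside the profile is a firejail macro, so the heredoc is quoted.

write_profile() {
  cat <<'EOF'
# curl-hardened.profile (constructed example)
# stock blacklists shipped in /etc/firejail
include disable-common.inc
# hide credential material even if the default profile would allow it
blacklist /etc/shadow
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
# drop every Linux capability and apply the default seccomp-bpf filter
caps.drop all
seccomp
# curl only needs IPv4/IPv6 sockets: no unix, netlink or packet sockets
protocol inet,inet6
# private views of /dev and /tmp; no new privileges, no root inside
private-dev
private-tmp
nonewprivs
noroot
EOF
}

# Install the profile under the user's profile directory (see PROFILES above).
install_profile() {
  dir="${1:-${HOME}/.config/firejail}"
  mkdir -p "$dir"
  write_profile > "$dir/curl-hardened.profile"
  printf '%s\n' "$dir/curl-hardened.profile"
}

# Fetch a URL inside the sandbox; fails cleanly when firejail is absent.
run_hardened_curl() {
  profile="$1"; url="$2"
  if ! command -v firejail >/dev/null 2>&1; then
    echo "firejail is not installed" >&2
    return 1
  fi
  firejail --quiet --profile="$profile" curl -sS --max-time 30 "$url"
}
```

A typical session is `p=$(install_profile); run_hardened_curl "$p" https://example.invalid/`; compare against the stock rules with `firejail --profile.print=curl`.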

CONFIG FILE

Global settings live in /etc/firejail/firejail.config, e.g., the netfilter setting for iptables-based filtering.

X11 SUPPORT

Use --x11=xpra or --x11=fake for graphical apps.

HISTORY

Developed by Cristian Banu (netblue30) since 2015. First release 0.9.4 in March 2015. Actively maintained on GitHub with 200+ releases. Gained popularity for browser/email sandboxing amid rising malware threats. Supports modern kernels up to 6.x.

SEE ALSO

unshare(1), bubblewrap(1), systemd-run(1), flatpak(1), snap(8)
