LinuxCommandLibrary

firejail

Sandbox applications for increased system security

TLDR

Integrate firejail with your desktop environment
$ sudo firecfg

Open a restricted Mozilla Firefox
$ firejail [firefox]

Start a restricted Apache server on a known interface and address
$ firejail --net=[eth0] --ip=[192.168.1.244] [/etc/init.d/apache2] [start]

List running sandboxes
$ firejail --list

List network activity from running sandboxes
$ firejail --netstats

Shut down a running sandbox
$ firejail --shutdown=[7777]

Run a restricted Firefox session to browse the internet
$ firejail --seccomp --private --private-dev --private-tmp --protocol=inet firefox --new-instance --no-remote --safe-mode --private-window

Use a custom hosts file (overriding /etc/hosts inside the sandbox)
$ firejail --hosts-file=[~/myhosts] [curl http://mysite.arpa]

SYNOPSIS

firejail [options] program [arguments...]

PARAMETERS

--profile=filename
    Use a specific profile file for the sandbox.

--private
    Mount new, empty /root and /home/user directories in temporary filesystems inside the sandbox; everything written there is discarded when the sandbox exits.

--net=none
    Run the program in a new, unconnected network namespace whose only interface is a loopback device, so it has no access to the host's network.

--read-only=path
    Mount the specified path as read-only inside the sandbox.

--whitelist=path
    Make the specified file or directory visible (read/write) inside the sandbox; everything else under the same top-level directory (for example the rest of the home directory) is hidden from the program.

--overlay
    Create a private writable overlay on top of the system's read-only filesystem.

--debug
    Enable debug output.

--version
    Display the version number and exit.

--help
    Display a help message and exit.

DESCRIPTION

Firejail is a security sandbox program that reduces the risk of security breaches by restricting the operating environment of untrusted applications. It allows a process to run in a restricted environment with limited access to the rest of the system. Firejail achieves this by using Linux namespaces, seccomp-bpf, and capabilities.
This isolation means that if an application is compromised, the attacker's access to the system is limited to the confines of the sandbox. Firejail includes predefined security profiles for many common applications, making it easy to confine them without needing to be an expert in Linux security.
It is suitable for both desktop and server environments. Key features include file system restrictions, network access control, process sandboxing, and resource limitations. Firejail can be used with or without a graphical environment.
The primary goal is to minimize the damage from compromised applications, protecting user data and system integrity.
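The namespace, seccomp-bpf and capability restrictions described above are recorded by the kernel itself, so a sandbox can be checked rather than trusted. The following script is an added example, not part of firejail or of this page: it reads /proc/<pid>/status for the sandboxed application process (found with, for example, `pgrep firefox`) and reports whether a seccomp filter is installed, whether no-new-privs is set, whether the capability bounding set is empty, and which namespaces differ from the calling shell's. It assumes a profile that uses `seccomp`, `nonewprivs` and `caps.drop all`, which many shipped profiles do; the status parsing is separated into functions so it can be exercised on a saved copy of a status file.

```shell
#!/bin/sh
# Added example: confirm from /proc that firejail's restrictions are in force.
# Not part of firejail. Usage: ./check_sandbox.sh <pid-of-sandboxed-process>

# Print "key=value" for the status fields that reflect sandbox hardening.
# Takes a path so the parser can be run against a saved copy of a status file.
sandbox_status_summary() {
    awk '
        $1 == "Seccomp:"    { printf "seccomp=%s\n", $2 }    # 2 = SECCOMP_MODE_FILTER
        $1 == "NoNewPrivs:" { printf "nonewprivs=%s\n", $2 }
        $1 == "CapEff:"     { printf "capeff=%s\n", $2 }
        $1 == "CapBnd:"     { printf "capbnd=%s\n", $2 }
    ' "$1"
}

# Return 0 when the status file shows: seccomp filter mode, no-new-privs set,
# and an all-zero capability bounding set. CapEff is already zero for any
# unprivileged process, so CapBnd is the field that shows caps.drop all worked.
check_hardened() {
    seccomp=$(awk '$1 == "Seccomp:"    { print $2 }' "$1")
    nnp=$(awk     '$1 == "NoNewPrivs:" { print $2 }' "$1")
    capbnd=$(awk  '$1 == "CapBnd:"     { print $2 }' "$1")
    [ "$seccomp" = "2" ] || return 1
    [ "$nnp" = "1" ] || return 1
    case $capbnd in
        "")     return 1 ;;   # field missing: cannot claim it is empty
        *[!0]*) return 1 ;;   # any non-zero hex digit means a capability remains
    esac
    return 0
}

# Report which namespaces the inspected process does not share with this shell.
ns_differences() {
    pid=$1
    for ns in mnt pid net ipc uts; do
        mine=$(readlink "/proc/self/ns/$ns" 2>/dev/null || true)
        theirs=$(readlink "/proc/$pid/ns/$ns" 2>/dev/null || true)
        if [ -n "$theirs" ] && [ "$mine" != "$theirs" ]; then
            printf 'separate %s namespace\n' "$ns"
        fi
    done
}

main() {
    pid=$1
    if [ ! -r "/proc/$pid/status" ]; then
        echo "cannot read /proc/$pid/status" >&2
        return 1
    fi
    sandbox_status_summary "/proc/$pid/status"
    ns_differences "$pid"
    if check_hardened "/proc/$pid/status"; then
        echo "seccomp filter, no-new-privs and empty bounding set: hardened"
    else
        echo "WARNING: not all expected restrictions are present"
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

A process started outside firejail typically shows `seccomp=0`, `nonewprivs=0` and a non-zero `capbnd`; if a sandboxed process shows the same, the profile in use does not apply those directives and should be reviewed.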

CAVEATS

Some applications may not function correctly when sandboxed due to the restrictions imposed by Firejail. Profiles might need customization for optimal functionality.
Nested Firejail instances are not supported by default and require special configurations.

PROFILES

Firejail relies on configuration files (profiles) located in /etc/firejail and ~/.config/firejail that define the sandbox's security policy. When no profile is given on the command line, a user profile in ~/.config/firejail takes precedence over the system profile of the same name. These profiles control aspects like file access, network permissions, and capabilities.
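Because a profile is assembled from `include` lines and can be trimmed with `ignore`, the policy that actually applies is not always obvious from one file. The script below is an added example, not firejail code: it expands a profile's includes, applies a simplified model of `ignore` (drop every later line whose first word was named), and prints the effective lines for a chosen directive. The application name `myapp`, the profile contents, and the convention that a distribution profile pulls in a same-named `.local` file for user overrides are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: resolve the effective policy of a firejail profile.
# Not part of firejail; all profile text here is constructed for the demo.
# Usage: ./profile_view.sh <profile-path> [directive]

# Write a constructed stand-in for a distribution profile (normally under
# /etc/firejail) and a user override into $1. "myapp" is hypothetical.
make_demo_profiles() {
    dir=$1
    cat > "$dir/myapp.profile" <<'EOF'
# constructed stand-in for /etc/firejail/myapp.profile
include myapp.local
noblacklist ${HOME}/.config/myapp
whitelist ${HOME}/.config/myapp
whitelist ${HOME}/Downloads
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
private-dev
private-tmp
EOF
    cat > "$dir/myapp.local" <<'EOF'
# constructed user override: an ignore line affects every later line,
# including the rest of the profile that included this file
ignore private-tmp
net none
blacklist ${HOME}/.ssh
EOF
}

# Recursively expand include lines. Relative names resolve against $2 (the
# profile directory); a missing include is skipped, as firejail tolerates an
# absent .local file. Comments and blank lines are dropped.
_expand() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;
            'include '*)
                inc=${line#include }
                case $inc in /*) ;; *) inc="$2/$inc" ;; esac
                if [ -f "$inc" ]; then _expand "$inc" "$2"; fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Effective directive list after applying ignore lines. Simplified model:
# "ignore X" removes every later line whose first word is X.
flatten_profile() {
    _expand "$1" "$2" | awk '
        $1 == "ignore" { ign[$2] = 1; next }
        ($1 in ign)    { next }
        { print }
    '
}

# Print only the effective lines for one directive, e.g. "net" or "whitelist".
effective_lines() {
    flatten_profile "$1" "$2" | awk -v d="$3" '$1 == d'
}

if [ $# -gt 0 ]; then
    if [ $# -gt 1 ]; then
        effective_lines "$1" "$(dirname "$1")" "$2"
    else
        flatten_profile "$1" "$(dirname "$1")"
    fi
fi
```

Run against a real profile directory (for example `./profile_view.sh /etc/firejail/firefox.profile net`) to see what networking policy survives after the distribution profile, its includes and any local overrides are combined; an empty result for `seccomp` or `caps.drop` is the kind of gap worth noticing before relying on the sandbox.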

HISTORY

Firejail was developed by netblue30 in 2014. The initial motivation was to provide a user-friendly way to sandbox applications on Linux systems, addressing the growing need for enhanced security in desktop environments.
Since its inception, Firejail has gained popularity as a practical tool for isolating untrusted software, particularly in scenarios where traditional security measures are insufficient.
Continuous development has focused on improving compatibility, adding new security features, and expanding the library of predefined application profiles. Its usage ranges from isolating web browsers to sandboxing media players and development tools.

SEE ALSO

namespaces(7), seccomp(2), chroot(8)