firejail
Sandbox applications for increased system security
TLDR
Integrate firejail with your desktop environment
Open a restricted Mozilla Firefox
Start a restricted Apache server on a known interface and address
List running sandboxes
List network activity from running sandboxes
Shut down a running sandbox
Run a restricted Firefox session to browse the internet
Use a custom hosts file (overriding /etc/hosts)
SYNOPSIS
firejail [options] program [arguments...]
PARAMETERS
--profile=filename
Use a specific profile file for the sandbox.
--private
Create a new /home directory inside the sandbox.
--net=none
Disable network access for the sandboxed program.
--read-only=path
Mount the specified path as read-only inside the sandbox.
--whitelist=path
Grant read/write access to the specified path.
--overlay
Create a private writable overlay on top of the system's read-only filesystem.
--debug
Enable debug output.
--version
Display the version number and exit.
--help
Display a help message and exit.
DESCRIPTION
Firejail is a security sandbox program that reduces the risk of security breaches by restricting the operating environment of untrusted applications. It allows a process to run in a secure environment with limited access to the rest of the system. Firejail achieves this by using Linux namespaces, seccomp-bpf, and capabilities.
This isolation means that if an application is compromised, the attacker's access to the system is limited to the confines of the sandbox. Firejail includes predefined security profiles for many common applications, making it easy to secure them without needing to be an expert in Linux security.
It is suitable for both desktop and server environments. Key features include file system restrictions, network access control, process sandboxing, and resource limitations. Firejail can be used with or without a graphical environment.
The primary goal is to minimize the damage from compromised applications, protecting user data and system integrity.
CAVEATS
Some applications may not function correctly when sandboxed due to the restrictions imposed by Firejail. Profiles might need customization for optimal functionality.
Nested Firejail instances are not supported by default and require special configurations.
PROFILES
Firejail relies on configuration files (profiles) located in /etc/firejail and ~/.config/firejail, which define the sandbox's security policy. These profiles control aspects like file access, network permissions, and capabilities.
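As an added example of the profile syntax referred to above (not from this page or the Firejail project), a custom profile for a hypothetical document viewer, assumed to need only one drop folder and its own configuration directory; the profile name, the binary name and the ${HOME} paths are placeholders:

```conf
# Hypothetical profile: save as ~/.config/firejail/untrusted-viewer.profile
# Run with:  firejail --profile=untrusted-viewer untrusted-viewer document.pdf
# Assumption: the viewer needs only ~/sandbox/untrusted and its own config dir.

# Start from the deny lists shipped with Firejail in /etc/firejail
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

# File access: only whitelisted paths remain visible under ${HOME};
# everything else in the home directory disappears from the sandbox's view
mkdir ${HOME}/sandbox/untrusted
whitelist ${HOME}/sandbox/untrusted
whitelist ${HOME}/.config/untrusted-viewer
# The viewer may read its config but not change it
read-only ${HOME}/.config/untrusted-viewer
# Files dropped into the sandbox cannot be executed from home or /tmp
noexec ${HOME}
noexec /tmp
# Private copies of /tmp and /dev, and a minimal /etc (may need extending)
private-tmp
private-dev
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d
disable-mnt

# Network: no interfaces at all, so a compromised viewer cannot phone home
net none
protocol unix

# Privilege: drop every capability, forbid privilege escalation, apply
# the default seccomp-bpf syscall filter
caps.drop all
nonewprivs
noroot
seccomp
ipc-namespace

# Hardware the viewer has no business touching
nosound
novideo
no3d
```

If the application misbehaves under this profile, start it once with --debug to see which denied path or syscall it needed, then relax only that single line.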
HISTORY
Firejail was developed by netblue30 in 2014. The initial motivation was to provide a user-friendly way to sandbox applications on Linux systems, addressing the growing need for enhanced security in desktop environments.
Since its inception, Firejail has gained popularity as a practical tool for isolating untrusted software, particularly in scenarios where traditional security measures are insufficient.
Continuous development has focused on improving compatibility, adding new security features, and expanding the library of predefined application profiles. Its usage ranges from isolating web browsers to sandboxing media players and development tools.
SEE ALSO
namespaces(7), seccomp(2), chroot(8)