Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, and Fedora packages are provided. An Arch Linux package is maintained in AUR.
- Linux namespaces support: mount, UTS, IPC, PID, network
- Process separation
- Filesystem support: local filesystem mounted read-only, chroot filesystem, and overlay filesystem
- Support for running multiple sandboxes on top of the same filesystem
- Server sandboxing
- GUI application sandboxing
- User login session sandboxing
- Private mode
- Filesystem security profile support; default security profiles for Firefox, Midori and Evince
- Bash, zsh and csh shell support
- Seccomp support
- Linux capabilities support
- Extensive networking support
- Extensive monitoring support
- Source: Extract the the files from the archive and run ./configure && make && sudo make install in the archive directory. Firejail only needs libc and POSIX threads (libpthreads) for compilation, no additional libraries are required.
- Debian/Ubuntu/Mint: sudo dpkg -i firejail_X.Y_1_amd64.deb
- OpenSUSE/Fedora/CentOS 7: sudo rpm -i firejail_X.Y-Z.x86_64.rpm
- Arch Linux: aur.archlinux.org/packages/firejail/
- How to Restrict a Login Shell Using Linux Namespaces
- Securing a Web Server Using a Linux Namespaces Sandbox
- How To Use Firejail to Set Up a WordPress Installation in a Jailed Environment (digitalocean.com)
September 2014 – version 0.9.12 released. The new release brings in support for Linux capabilities, Cent0S 7 and a number of bugfixes.
August 2014 – version 0.9.10 released. The new release brings in several sandbox management capabilities and a number of bugfixes. Please note that –list option was renamed –tree and a new –list was introduced, printing only the main sandbox process data. This version also brings in support for sandboxing Google Chromium browser.
Release Announcement, Release Notes
July 2014 – version 0.9.8 released. This release adds seccomp support, nowrap mode for –list option, a new –top option similar to Linux top command, PID filtering support in firemon, and lots of bugfixes.
June 2014 – version 0.9.6 released. This release adds support for running servers, zsh and csh shells, and a number of fixes to chroot and private mode.
May 2014 – version 0.9.4 released. It fixes network connectivity problems for Ubuntu and Debian systems, /run directory, following symlinks in profile files, and it adds Evince and Midori sandbox profiles.
April 2014 – version 0.9.2 released. This version brings in support for multiple network devices, –noip option necessary for DHCP setups, default gateway option, syslog support, tmpfs and read-only profile commands, bash completion, and a number of bugfixes.
April 2014 – version 0.9 released
Download and install
Download the latest version of the software from sourceforge.net/projects/firejail/files/.
Usage: firejail [options] program_and_arguments
Please use the comment section on this page, or sourceforge.net/projects/firejail/support.