Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version. Debian, Ubuntu, Mint, OpenSUSE, and Fedora packages are provided. An Arch Linux package is maintained in AUR.
- Linux namespaces support: mount, UTS, IPC, PID, network
- Process separation
- Filesystem support: local filesystem mounted read-only, chroot filesystem, and overlay filesystem
- Support for running multiple sandboxes on top of the same filesystem
- Server sandboxing
- GUI application sandboxing
- User login session sandboxing
- Private mode
- Filesystem security profile support; default security profiles for Firefox, Midori and Evince
- Bash, zsh and csh shell support
- Extensive networking support
- Extensive monitoring support
- Source: Extract the the files from the archive and run ./configure && make && sudo make install in the archive directory. Firejail only needs libc and POSIX threads (libpthreads) for compilation, no additional libraries are required.
- Debian/Ubuntu/Mint: sudo dpkg -i firejail_X.Y_1_amd64.deb
- OpenSUSE/Fedora: sudo rpm -i firejail_X.Y-Z.x86_64.rpm
- Arch Linux: aur.archlinux.org/packages/firejail/
- How to Restrict a Login Shell Using Linux Namespaces
- Securing a Web Server Using a Linux Namespaces Sandbox
June 2013 – version 0.9.6 released. This release adds support for running servers, zsh and csh shells, and a number of fixes to chroot and private mode. more…
May 2013 – version 0.9.4 released. It fixes network connectivity problems for Ubuntu and Debian systems, /run directory, following symlinks in profile files, and it adds Evince and Midori sandbox profiles.
April 2013 – version 0.9.2 released. This version brings in support for multiple network devices, –noip option necessary for DHCP setups, default gateway option, syslog support, tmpfs and read-only profile commands, bash completion, and a number of bugfixes.
April 2013 – version 0.9 released
Download and install
Download the latest version of the software from sourceforge.net/projects/firejail/files/.
Usage: firejail [options] program_and_arguments
Please use the comment section on this page, or sourceforge.net/projects/firejail/support.