Firejail

Mozilla Firefox starting in a Firejail sandbox.



Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, and mount table.

Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

 

Downloads

Source Code Archive.
64-bit DEB Package for Debian, Ubuntu, Linux Mint.
32-bit DEB Package for Debian, Ubuntu, Linux Mint.
64-bit RPM Package for Fedora, openSUSE, CentOS 7, RHEL 7.
Arch Linux package in AUR.
Slackware Linux package on SlackBuilds.org.
 

News

March 2015 – first candidate for version 0.9.24 has been released. It brings in several bugfixes, full support for blacklist and whitelist seccomp filters, and a number of smaller features. Release Announcement, Download.

March 2015 – version 0.9.22 released. Starting with this release, 32-bit builds are supported. A 32-bit .deb package for Debian/Ubuntu/Mint and derivatives is available in our download section. The release implements Linux capability whitelist and blacklist filters, macvlan networking support, Netfilter and DNS support, network statistics support via the --netstats option, overlay filesystem support when running on Linux kernel version 3.18 or newer (--overlay option), and sandbox standard output logging. The release also introduces support for the Thunderbird/Icedove email client and updated security profiles for all other applications supported by default by Firejail.
Release Announcement, Release Notes

February 2015 – version 0.9.20 released. This release fixes a number of bugs reported by users, and brings in several new features: Linux control group support, CPU affinity, Opera web browser and VLC media player support, and monitoring enhancements. A description of the new features is provided in our Release Announcement.
Release Notes

December 2014 – version 0.9.18 released. This release brings in support for transmission-gtk and transmission-qt BitTorrent clients, support for tracing system, setuid, setgid, setfsuid, setfsgid, setreuid, setregid, setresuid, setresgid system calls and a number of bugfixes.
Release Notes

 

Documentation

Features   Download and Installation   Usage

Manual Pages: firejail, firemon, firejail profile files

 

HOWTOs

 

Across the Internet

 

Support

Please use the comment section on any page on this blog, or sourceforge.net/projects/firejail/support. All contributions are welcome: ideas, patches, documentation, bug reports, complaints.

 

161 thoughts on “Firejail”

  1. somePasserby

    With regards to pulseaudio segfaults mentioned above:

    Could it be so that it is related to the Skype-pulseaudio shared memory crash I described (and am still experiencing in most recent version)?

    Terrance Harris, could you try disabling shared memory for pulseaudio and see if problem persists ?

    Reply
  2. Pingback: Firejail, un sandbox universal para Linux - Detrás del pingüino

  3. somePasserby

    Any news with regards to skype-pulseaudio shared-memory related crash ? (still getting the same behavior on most recent version) ?

    I don’t wanna nag or anything (but I do want to have better sound latency with jailed skype :) )

    Reply
      1. somePasserby

        Lubuntu 12.04

        I have reported this bug previously (here in the comments and on sourceforge)
        Basically, if pulse is configured to use shared memory and Skype is launched within firejail, trying to do a voice call will cause a crash.

      2. somePasserby

        Not to nag too much, but any ETA on pulseaudio shared memory-related bug (aka Skype segfaults when pulse has shared memory enabled) ?

        I realize that weirdo closed-source apps that rely on pulse specifically are probably not a priority :)

  4. vds

    Thanks a lot for releasing this application, it’s extremely useful and easy to use. I wonder if it is possible to restrict the access to /tmp and /var like the private option allows for $HOME. Thanks.

    Reply
    1. netblue30 Post author

      You’re welcome. Private option also installs a new /tmp directory, similar to /home.

      To install a new temporary fs (similar to /home and /tmp above) on top of any other directory use --tmpfs option:

      $ firejail --private --tmpfs=/var

      You will get a new /home/user, new /tmp, and a new /var.

      Reply
  5. Hackepeter

    Hi netblue30,

    Thank you for making POSIX capabilities fully configurable in the latest release! Now it would be very nice to have syscall whitelist filters too …

    Keep up your good work!

    Reply
  6. Hackepeter

    Hi netblue30,

    Why are the following options not allowed in profile files?
    chroot
    defaultgw
    dns
    ip
    ipc-namespace
    name
    net
    netfilter filename (netfilter without filename works!)
    overlay
    shell

    Also, separating options and arguments by tabs doesn’t work, at least not immediately following the option.

    Reply
    1. netblue30 Post author

      The plan is to have all the command line options supported also in profile files.

      > Also, separating options and arguments by tabs doesn’t work, at least not immediately following the option.

      What exactly are you trying to do, can you give an example, thanks!

      Reply
  7. Hackepeter

    Hi netblue30,

    > What exactly are you trying to do, can you give an example, thanks!

    Tabs between options and arguments *do* work – sorry for the false alarm! Looks like I had a typo in the profile file while testing this issue.

    Reply
  8. a name was required

    Can you add an option for starting without a shell?
    Currently if I want to sandbox an arbitrary program, ‘firejail "$@"’ won’t work. There’s no “--” argument (usually used to terminate option lists and specify that everything afterwards is a positional argument), and there’s no --no-shell option or something like that.

    I’d like to be able to say ‘firejail -- "$@"’ and have it run the argument list as a program with the given arguments in the sandbox, but (as well as not having --), the presence of the shell means that special characters will get mangled and broken unless correctly escaped. Escaping should not be necessary.

    Test cases:
    firejail -- echo 'hello " world'
    firejail -- touch 'file with spaces'
    firejail -- echo 'and & or |'
    # This next one needs a little preparation
    firejail -- -dir-with-initial-hyphen/testscript

    (Also, if this were github, I’d probably just find and fix it myself and pull request it. It’s never anywhere near that convenient on SF)

    Reply
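
The difference the comment above describes, as an added example that is not part of the original post and is not Firejail code: the hypothetical `launch_*` functions stand in for a launcher that either re-parses its arguments with a shell, executes the argument vector directly, or escapes each argument before the re-parse. The inputs are constructed from the comment's test cases.

```shell
#!/bin/sh
# Added illustration: launch_* are hypothetical stand-ins for a launcher that
# either re-parses its arguments with a shell or executes them directly.
# They are not Firejail code.

# Naive: join the arguments with spaces and let sh parse the result again.
launch_via_shell() {
    sh -c "$*" 2>/dev/null
}

# Direct: run the argument vector unchanged; nothing is parsed a second time.
launch_direct() {
    "$@"
}

# Wrap one argument in single quotes so a shell re-parse returns it verbatim.
# An embedded ' is written as '\'' (close quote, escaped quote, reopen).
# The trailing x keeps $(...) from stripping newlines that end the argument.
shell_quote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Escaped: quote every argument before handing the string to sh -c.
launch_via_shell_quoted() {
    cmd=""
    for arg in "$@"; do
        cmd="$cmd $(shell_quote "$arg")"
    done
    sh -c "$cmd"
}

# Constructed inputs, based on the test cases in the comment above.
for s in 'hello " world' 'and & or |' "it's  two spaces"; do
    printf 'input   : %s\n' "$s"
    printf 'naive   : %s\n' "$(launch_via_shell echo "$s" || true)"
    printf 'direct  : %s\n' "$(launch_direct echo "$s")"
    printf 'escaped : %s\n' "$(launch_via_shell_quoted echo "$s")"
done
```

Only the direct and escaped paths return the argument unchanged; the naive path ends in a shell syntax error or a split command line.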
  9. droptorootshell

    Hello.
    Really fantastic job, bro. Keep it up please!
    One question regarding whitelisting and blacklisting directories.
    /etc/firejail/firefox.profile

    blacklist /etc/
    whitelist /etc/pango/
    Is there any whitelist option? Or at least like this:

    blacklist /etc/ ! /etc/pango/ #assuming /etc/ blocked except /etc/pango/
    Is there any such configuration about whitelist?
    Thanks in advance and please keep it up!

    Reply
  10. AnArchy

    I started a thread over at
    http://forums.scotsnewsletter.com/index.php?showtopic=76690#entry419011
    If anyone has any tips and tricks to share they would be most welcome to do so.

    A very interesting program indeed and some of the best documentation for a new program, or a lot of more mature programs, that I have ever come across.
    The program runs fine in Arch 64 and seems to have minimal overheads. Tried running “$ firejail --private firefox” and “$ firejail firefox” and both ran as if I had started them as normal.
    Thanks for all the work.

    Reply
