
Mozilla Firefox starting in a Firejail sandbox.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of globally shared kernel resources such as the network stack, the process table and the mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel or newer. It can sandbox any type of process: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.

The sandbox is lightweight and the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in the Linux kernel and are available on any Linux computer. To start the sandbox, prefix your command with “firejail”:

$ firejail firefox            # starting Mozilla Firefox
$ firejail transmission-gtk   # starting Transmission BitTorrent 
$ firejail vlc                # starting VideoLAN Client
$ sudo firejail "/etc/init.d/nginx start && sleep inf"

Documentation: Features   Installation   Usage   FAQ
Manual Pages: firejail, firemon, firejail profile files



Firetools is the graphical user interface of the Firejail security sandbox. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. The application is built using the Qt4 or Qt5 libraries, and it is distributed as a separate package.

Firetools launcher and active sandbox list

Dependencies: Firejail, Qt4 or Qt5 libraries, xterm
Documentation: Installation, Screenshots
Manual Pages: firetools



Source code:
Firejail Source Code Archive
Firetools Source Code Archive

Debian, Ubuntu, Linux Mint etc.:
Firejail 64-bit DEB Package
Firetools 64-bit DEB Package
Firejail 32-bit DEB Package
Firetools 32-bit DEB Package
Debian testing/unstable: apt-get install firejail

Fedora, openSUSE, CentOS 7, RHEL 7:
Firejail 64-bit RPM Package
Firetools 64-bit RPM Package

Arch Linux:
Firejail Arch Linux package in AUR
Firetools Arch Linux package in AUR


November 2015 – released Firejail version 0.9.34. This release brings in default home directory whitelisting for Firefox and Chromium, a new seccomp-based security filter (--protocol), dual 32-bit/64-bit seccomp support, support for Skype, Steam and Wine, and a number of smaller features and bugfixes. Release Announcement, Release Notes.

October 2015 – Firejail included in Ubuntu 15.10.

October 2015 – released Firejail version 0.9.32. The main feature in this release is --private-bin. It allows the user to build custom /bin, /sbin, /usr/bin and /usr/sbin directories, with only the programs specified by the user. The new version also allows the user to disable the sound system inside the sandbox by using the --nosound option. IMPORTANT: a bug was introduced in Firejail version 0.9.30 that would allow a regular user logged into the system to elevate privileges and become root. Please update to the latest version. Release Announcement, Release Notes.

October 2015 – released Firetools version 0.9.30. This release brings in Arch Linux support, Qt5 support, 1h and 12h statistics, an update of the application list, and lots of bugfixes.

September 2015 – released Firejail version 0.9.30. The main feature in this release is home directory whitelisting. There are also a number of modifications to the existing program options that might affect existing users. Release Announcement, Release Notes.
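The profile commands named in the release notes above (home directory whitelisting, private-bin, nosound, the --protocol filter), put together in one file as an added example. This is not one of the profiles shipped in /etc/firejail and it is not the project's own firefox.profile; the file name is an assumption, and the caps.drop and seccomp lines are standard Firejail profile commands that this page does not mention.

```conf
# ~/firefox-hardened.profile  (example profile written for this page, not shipped with Firejail)
# Profile-file syntax: one command per line, "#" starts a comment.

# Home directory whitelisting: only the listed paths are visible under ~,
# the rest of the home directory is hidden from the sandboxed browser.
whitelist ~/.mozilla
whitelist ~/Downloads

# Custom /bin, /sbin, /usr/bin and /usr/sbin containing only these programs
# (equivalent of the --private-bin command line option).
private-bin firefox,sh

# Disable the sound system inside the sandbox (--nosound).
nosound

# seccomp-based socket filter (--protocol). netlink has to be in the list:
# without it libudev fails with "Operation not supported" and Firefox 42
# aborts, as reported in the comments on this page.
protocol unix,inet,inet6,netlink

# No root user inside the sandbox.
noroot

# Generic hardening not discussed on this page: drop all Linux capabilities
# and enable the default seccomp syscall filter.
caps.drop all
seccomp
```

Start the browser with the custom profile instead of the default one:

    $ firejail --profile=$HOME/firefox-hardened.profile firefox

Trim the whitelist to the directories the application actually needs; every path that is not whitelisted is invisible to the sandboxed process, so a missing entry shows up as "file not found" rather than as a security problem.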

August 2015 – source code repository and bug tracker available on GitHub

August 2015 – released Firejail version 0.9.28. This release contains significant improvements, and a large number of enhancements and bug fixes. New features: network scanning (--scan option), interface MAC address support (--mac option), IP address ranges (--iprange option) and network traffic shaping (--bandwidth option). Default profile support was added for GNU IceCat, FileZilla, Pidgin, XChat, Empathy and DeaDBeeF. Release Announcement, Release Notes.

June 2015 – Firejail included in Debian.









All contributions are welcome: ideas, feature requests, patches, documentation, bug reports, complaints. Please use the comment section on any page on this blog, or the facilities provided by GitHub.

All security bugs in Firejail are taken seriously and should be reported by emailing


278 thoughts on “Firejail”

  1. Brohn Doe


    The company I work for is looking for an easy way to sandbox some of the development environments, and it has everything we need except for one thing: it’s not available in Ubuntu’s repositories. I see they are available upstream. Any plans to get it approved so we can just apt-get? It’s the only way I could justify the use for my company, they don’t even allow PPAs.

    Thank you for this amazing piece of software!

  2. SomeoneWhoCares

    Regarding the Pulseaudio discussion in
    There is no need to disable shared memory in Pulseaudio entirely, or to copy files from ~/.config/pulse/ into the sandbox.
    Just edit /etc/pulse/ – change the line

    load-module module-native-protocol-unix

    to

    load-module module-native-protocol-unix srbchannel=no

    and restart the pulseaudio daemon.

    Sorry for posting this here, but I don’t have a Github acct.

    1. netblue30 Post author

      Thanks for the hint. Today I put a fix in firejail code (on github), so it will always start PulseAudio client with enable-shm=no inside the sandbox.

  3. Utini

    I wished there was a way where firejail would “watch” which protocols/mime/apps are getting started and, if they are in the “sandbox list”, firejail would automatically sandbox them.

    E.g. if I run “okular” from the application finder then okular won’t simply start but firejail will interrupt and run “firejail okular”.
    Same goes for links which I would click on: instead of opening a link in a document with “iceweasel”, firejail would detect and interrupt and start “firejail iceweasel” -> link.

      1. netblue30 Post author

        You are talking about integrating firejail in the desktop, so when you click on an icon, or menu, or some file in the file manager, the program will run inside the sandbox instead of running directly. This feature is still under development, and it will be a while until something like this becomes available. btw, there’s nothing wrong with your English!

      2. Utini

        Btw sorry for that bad English.. I will re-write with correct English lol

        E.g. if I would run “okular” from the application finder then okular wouldn’t simply start but firejail would interrupt the start of “okular” and instead run “firejail okular”.
        Same goes for links which I would click on: instead of opening a link in a document with “iceweasel”, firejail would detect, interrupt and start as “firejail iceweasel” -> link.

  4. Ali Abdallah

    I did not manage in any way to get it working with Skype. Even with a basic profile, when running firejail skype, I get:
    Child process initialized
    parent is shutting down, bye…

    And nothing else.

  5. Pingback: Unix:LXC containers as a sandbox environment – Unix Questions

  6. Pingback: Unix:Can LXC be used to jail instances of an installed browser? – Unix Questions

  7. Batmancatman

    Sorry if I’m stupid, but… Is there a Chrome profile included? I’m considering making an idiot proof computer with Linux Mint, Chrome and Firejail, but I don’t feel like dedicating my life to it. Great program by the way!

      1. netblue30 Post author

        The same profile is used for Chromium and Google Chrome. This is how you start Google Chrome:

        $ firejail --profile=/etc/firejail/chromium.profile google-chrome
      2. Batmancatman

        Yeah but does that work for Google Chrome? I’m not talking about Chromium. Sorry if I’m unclear as… I dunno, only slept 4 hours tonight. Thanks for the response!

  8. Pingback: Unix:How can I use Skype with lxc? – Unix Questions

  9. Pingback: Unix:replicate and isolating user environments on the fly – Unix Questions

  10. Pingback: Lightweight method of an application sandbox for which I can control network settings of? « news-Knowlage FeeD

    1. netblue30 Post author

      Once you started the sandbox, you can modify the bandwidth for the sandbox, and make it 0 if this is what you need. Example:

      Start the sandbox with a network namespace:

      $ firejail --name=browser --net=eth0 chromium

      From a different terminal window you set the bandwidth. The first number is the rx bandwidth (in kilobytes per second), the second number is the tx bandwidth:

      $ firejail --bandwidth=browser set eth0 80 20

      I’ll try to bring support for changing the iptables/netfilter configuration of a running sandbox into the next version. At the moment netfilter config is supported only when the sandbox is started.

  11. anonymous

    How would I go about sandboxing my browser so that it can only connect to localhost:9050 (my socks proxy)? It would be great if there was a --net=local option that only allowed connections to the existing loopback interface, because I can’t for the love of me figure out how to do this. Maybe I’m just missing something obvious.

  12. p

    Thanks for firejail. I get the following crash for Firefox:

    Firefox 42.0 in Ubuntu 64 bit, firejail --version 0.9.34
    crash with:

    (firefox:1): GLib-WARNING **: getpwuid_r(): failed due to: Permission denied.
    WARNING: content window passed to PrivateBrowsingUtils.isWindowPrivate. Use isContentWindowPrivate instead (but only for frame scripts).
    Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve property `GtkRange::activate-slider’ of type `gboolean’ from rc file value “((GString*) 0x7f9f8accc3c0)” of type `GString’
    Vector smash protection is enabled.
    libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
    libdc1394 error: Failed to initialize libdc1394
    ERROR: Could not determine network interfaces, you must use a interfaces config line

    1. netblue30 Post author

      I have Firefox 42.0 running fine under Arch Linux. Try this command:

      $ firejail --noprofile firefox

      This disables the default profile for Firefox. If it works, it means it is something in the profile that bothers it. So, open the profile file in an editor and comment out lines in the file until you find the one that creates the problem. The profile file is /etc/firejail/firefox.profile; you’ll have to edit it as user root. Start with the “noroot” and “protocol …” lines, just a guess. When you do this test, start firefox as usual:

      $ firejail firefox

      1. p

        Thanks for the reply. Commenting out #protocol unix,inet,inet6 line in profile seems to work. What could be the problem?

      2. p

        I managed to get some more log lines from the firefox crash when the firejail protocol line is not commented out. I have to browse for a few seconds for it to crash. It seems I have to add netlink to protocol. When set as protocol unix,inet,inet6,netlink Firefox works OK.

        libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
        libdc1394 error: Failed to initialize libdc1394
        ERROR: Could not determine network interfaces, you must use a interfaces config line
        [NPAPI 67] ###!!! ABORT: Aborting on channel error.: file /build/firefox-0CLoLb/firefox-42.0+build2/ipc/glue/MessageChannel.cpp, line 1768
        [NPAPI 67] ###!!! ABORT: Aborting on channel error.: file /build/firefox-0CLoLb/firefox-42.0+build2/ipc/glue/MessageChannel.cpp, line 1768

      3. netblue30 Post author

        It is trying to connect to some FireWire or USB camera and it fails to open the socket (netlink is disabled by default). It is a Firefox bug, it should not crash. I will enable netlink in the next release, so for now use “protocol unix,inet,inet6,netlink”. Thanks!
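The mechanism behind the --protocol filter from the 0.9.34 release note and behind the netlink failure traced in this thread, as an added example that is not part of the original page and not Firejail's own source: a small seccomp-bpf program, written from scratch here, that lets socket(2) succeed only for a whitelist of address families and fails every other family with EOPNOTSUPP, the "Operation not supported" text libudev printed in the Firefox log above. The file name, the function names and the choice of EOPNOTSUPP are assumptions; Firejail's real filter may be built differently. The first three instructions are the part the "dual 32-bit/64-bit seccomp support" note is about: a filter that does not check the syscall ABI can be sidestepped by issuing the call through the other ABI, so this one kills the process on a foreign ABI instead of reasoning about a second syscall table.

```c
/* protocol_filter.c: added example for this page, not code from Firejail.
 * Build and run on Linux: cc -Wall -o protocol_filter protocol_filter.c && ./protocol_filter */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define NATIVE_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_FAMILIES 8

/* Install a filter in the calling process (inherited by every child it spawns,
 * which is what makes it usable as a sandbox building block). socket(2) is
 * allowed for the given address families only. Returns 0, or -1 with errno set. */
int install_protocol_filter(const int *families, size_t nfamilies)
{
    struct sock_filter prog[8 + 2 * MAX_FAMILIES];
    size_t n = 0;
#define EMIT_STMT(code, k)         (prog[n++] = (struct sock_filter)BPF_STMT(code, k))
#define EMIT_JUMP(code, k, jt, jf) (prog[n++] = (struct sock_filter)BPF_JUMP(code, k, jt, jf))

    if (nfamilies == 0 || nfamilies > MAX_FAMILIES) {
        errno = EINVAL;
        return -1;
    }

    /* 1. ABI check: syscall numbers and argument layout differ between the
     *    32-bit and 64-bit tables, so a filter that skips this check can be
     *    bypassed by switching ABI. Kill the process on a mismatch. */
    EMIT_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    EMIT_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    EMIT_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);

    /* 2. Every syscall other than socket(2) passes through untouched. */
    EMIT_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    EMIT_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 1, 0);
    EMIT_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    /* 3. socket(domain, type, protocol): load the domain (low 32 bits of
     *    args[0]; little-endian layout assumed) and compare it with each
     *    allowed family. A match returns ALLOW, a miss falls to the next test. */
    EMIT_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0]));
    for (size_t i = 0; i < nfamilies; i++) {
        EMIT_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)families[i], 0, 1);
        EMIT_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }

    /* 4. Any other family: make the call fail with EOPNOTSUPP instead of
     *    killing the process, so the application can degrade gracefully. */
    EMIT_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EOPNOTSUPP & SECCOMP_RET_DATA));
#undef EMIT_STMT
#undef EMIT_JUMP

    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };

    /* NO_NEW_PRIVS lets an unprivileged process install the filter and also
     * prevents setuid binaries from regaining privileges under it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* The family list from the firefox profile discussed in this thread, before
 * netlink was added to it. */
static const int default_families[] = { AF_UNIX, AF_INET, AF_INET6 };

int install_default_filter(void)
{
    return install_protocol_filter(default_families,
                                   sizeof default_families / sizeof default_families[0]);
}

/* Try to create a socket; returns 0 on success, otherwise the errno value. */
int probe_family(int family, int type, int protocol)
{
    int fd = socket(family, type, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    if (install_default_filter() != 0) {
        perror("install_default_filter");
        return 1;
    }
    printf("AF_UNIX    socket: %s\n", strerror(probe_family(AF_UNIX, SOCK_STREAM, 0)));
    printf("AF_INET    socket: %s\n", strerror(probe_family(AF_INET, SOCK_DGRAM, 0)));
    printf("AF_NETLINK socket: %s\n", strerror(probe_family(AF_NETLINK, SOCK_RAW, 0)));
    return 0;
}
```

With the default list the AF_NETLINK probe reports "Operation not supported", which is the same symptom as the libudev line in the log above; adding AF_NETLINK to the list makes it succeed. Returning an errno rather than SECCOMP_RET_KILL is what lets a library such as libudev report the error instead of taking the whole browser down; the crash in this thread came from Firefox not handling that error, not from the filter itself.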

  13. GNUser

    Hey, how’s it going?
    Look, I have been thinking, is Firejail possible to port to ARM architecture? Specifically to work with debian armhf.
    If you could provide a deb package for that architecture it would be useful for use with boards like banana pi, raspberry pi, beagleboard, etc.

