Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
Written in C with virtually no dependencies, the software should run on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
The sandbox is lightweight and the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in the Linux kernel and are available on any Linux computer. To start the sandbox, prefix your command with “firejail”:
$ firejail firefox            # starting Mozilla Firefox
$ firejail transmission-gtk   # starting Transmission BitTorrent
$ firejail vlc                # starting VideoLAN Client
$ sudo firejail "/etc/init.d/nginx start && sleep inf"
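As an added check, not code from the Firejail project or this page: a POSIX shell script that parses /proc/self/status and reports whether the two kernel mechanisms described above (a seccomp-bpf filter and a reduced capability bounding set) are actually in effect for the current process, so you can run it plainly and again under firejail and compare. The `--seccomp` and `--caps.drop=all` options used in the usage comment are Firejail's own but are assumed here, not quoted from this page.

```sh
#!/bin/sh
# Added example, not part of the Firejail project: audit whether the two
# confinement mechanisms named above (a seccomp-bpf filter and a reduced
# capability bounding set) are in effect, by parsing /proc/self/status.
# To compare:  sh audit.sh ; firejail --seccomp --caps.drop=all sh audit.sh

# Value of one field ("Seccomp", "CapBnd", ...) from status-file text.
status_field() {
    printf '%s\n' "$2" | awk -v f="$1:" '$1 == f { print $2; exit }'
}

# Kernel seccomp mode: 0 disabled, 1 strict, 2 filter (what --seccomp gives).
seccomp_mode() {
    case "$(status_field Seccomp "$1")" in
        0) echo off ;; 1) echo strict ;; 2) echo filter ;; *) echo unknown ;;
    esac
}

# Number of capabilities still present in a hex bounding-set mask (CapBnd);
# --caps.drop=all leaves 0, an unconfined root process keeps all of them.
cap_count() {
    n=$((0x${1:-0})) c=0
    while [ "$n" -ne 0 ]; do
        c=$((c + (n & 1)))
        n=$((n >> 1))
    done
    echo "$c"
}

# One-line summary of the confinement visible in a status text.
audit_status() {
    echo "seccomp=$(seccomp_mode "$1") caps=$(cap_count "$(status_field CapBnd "$1")")"
}

# Summary for the running shell itself.
audit_self() {
    [ -r /proc/self/status ] || { echo "no /proc/self/status"; return 0; }
    audit_status "$(cat /proc/self/status)"
}

# Constructed samples in /proc/self/status layout (not captured output):
# a process started under "--seccomp --caps.drop=all", and an unconfined
# root process on a 4.x kernel with 38 capabilities in its bounding set.
SAMPLE_SANDBOXED=$(printf 'Name:\tsh\nCapBnd:\t0000000000000000\nSeccomp:\t2\n')
SAMPLE_UNCONFINED=$(printf 'Name:\tsh\nCapBnd:\t0000003fffffffff\nSeccomp:\t0\n')

echo "sandboxed sample:  $(audit_status "$SAMPLE_SANDBOXED")"
echo "unconfined sample: $(audit_status "$SAMPLE_UNCONFINED")"
echo "this shell:        $(audit_self)"
```

Outside a sandbox the last line typically shows `seccomp=off` with a non-zero capability count for root; inside `firejail --seccomp --caps.drop=all` it should show `seccomp=filter caps=0`.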
Firetools is the graphical user interface of Firejail security sandbox. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. The application is built using Qt4 libraries, and it is distributed as a separate package.
- Firejail Source Code Archive
- Firetools Source Code Archive
Debian, Ubuntu, Linux Mint etc.:
- Firejail 64-bit DEB Package
- Firetools 64-bit DEB Package
- Firejail 32-bit DEB Package
- Firetools 32-bit DEB Package
- Official Debian Sid package
Fedora, openSUSE, CentOS 7, RHEL 7:
- Firejail 64-bit RPM Package
- Firetools 64-bit RPM Package
Other distributions:
- Arch Linux package in AUR
- Slackware Linux package on SlackBuilds.org
July 2015 – released Firejail version 0.9.28-rc1 (Download). This is a test version; the final 0.9.28 version will follow shortly. This release contains significant improvements and a large number of enhancements and bug fixes. New features: network scanning (--scan option), interface MAC address support (--mac option), IP address range (--iprange option) and network traffic shaping (--bandwidth option). Default profile support was added for GNU Icecat, FileZilla, Pidgin, XChat, Empathy and DeaDBeeF. Release Announcement, Release Notes.
June 2015 – Firejail included in Debian.
June 2015 – released Firetools version 0.9.26.1. This is a bugfix release.
May 2015 – released Firetools version 0.9.26. Firetools is a graphical user interface for the Firejail sandbox. This is the first release of the program.
May 2015 – version 0.9.26 released. The new version brings in support for private /dev directory, private home directory whitelisting, user namespaces, default profiles for Deluge and qBittorrent, and lots of bugfixes. Release Announcement, Release Notes.
April 2015 – version 0.9.24 released. It brings in several bugfixes, full support for blacklist and whitelist seccomp filters, doubledash support, --shell=none support, default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem, and a number of smaller features. Note: support for the empty seccomp attribute has been deprecated. Use --seccomp.drop instead. Release Announcement, Release Notes.
- Building Custom Profiles
- Firejail Seccomp Guide
- Firejail Linux Capabilities Guide
- Firejail – A Security Sandbox for Mozilla Firefox
- Firejail – A Security Sandbox for Mozilla Firefox, Part 2
- Running Dropbox in Firejail Sandbox
- Debian/Ubuntu Cross-distro Gaming with Firejail
- How to Restrict a Login Shell Using Linux Namespaces
- Securing a Web Server Using a Linux Namespaces Sandbox
Across the Internet
- How To Use Firejail to Set Up a WordPress Installation in a Jailed Environment (digitalocean.com)
- Firejail featured on Linux Action Show (LAS 333, at 0:10:15)
- Live-Armor: Building Custom Linux Live Images for Security Sandboxing (github.io)
- Firejail: Sandbox Firefox in (Arch) Linux (youtube.com)
- Firejail featured in Linux Magazine issue 173/2015: The Jailer – Running your programs in a jail with Firejail
- Firejail featured in Linux Voice magazine, issue 4 – FOSSpicks
- Void Linux, a rolling-release Linux distribution built from scratch, with its own package manager and runit init system, also includes Firejail
All contributions are welcome: ideas, feature requests, patches, documentation, bug reports, complaints. Please use the comment section on any page on this blog, or the facilities provided by sourceforge.net.