Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.
|Source Code Archive.|
|64-bit DEB Package for Debian, Ubuntu, Linux Mint.
32-bit DEB Package for Debian, Ubuntu, Linux Mint.
|64-bit RPM Package for Fedora, openSUSE, Centos 7, RHEL 7.|
|Arch Linux package in AUR.|
|Slackware Linux package on SlackBuilds.org.|
April 2015 – version 0.9.26-rc2 released. This is the second release candidate for version 0.9.26. The new version brings in support for private /dev directory, private home directory whitelisting, user namespaces and bugfixes. Release Announcement, Download.
April 2015 – version 0.9.24 released. It brings in several bugfixes, full support for blacklist and whitelist seccomp filters, doubledash support, –shell=none support, default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem, and a number for smaller features. Note: support for empty seccomp attribute has been deprecated. Use –seccomp.drop instead. Release Announcement, Release Notes.
March 2015 – version 0.9.22 released. Starting with this release, 32-bit builds are supported. A 32-bit .deb package for Debian/Ubuntu/Mint and derivatives is available in our download section. The release implements Linux capability whitelists and blacklists filters, macvlan networking support, Netfilter and DNS support, network statistics support via –netstats options, overlay filesystem support when running on Linux kernel version 3.18 or newer (–overlay option), and sandbox standard output logging. The release also introduces support for Thunderbirs/Icedove email client and updated security profiles for all other applications supported by default by Firejail.
Release Announcement, Release Notes
February 2015 – version 0.9.20 released. This release fixes a number of bugs reported by users, and brings in several new features: Linux control group support, CPU affinity, Opera web browser and VLC media player support, and monitoring enhancements. A description of the new features is provided in our Release Announcement.
- Building Custom Profiles
- Firejail Seccomp Guide
- Firejail Linux Capabilities Guide
- Firejail – A Security Sandbox for Mozilla Firefox
- Firejail – A Security Sandbox for Mozilla Firefox, Part 2
- Running Dropbox in Firejail Sandbox
- Debian/Ubuntu Cross-distro Gaming with Firejail
- How to Restrict a Login Shell Using Linux Namespaces
- Securing a Web Server Using a Linux Namespaces Sandbox
Across the Internet
- How To Use Firejail to Set Up a WordPress Installation in a Jailed Environment (digitalocean.com)
- Firejail featured on Linux Action Show (LAS 333, at 0:10:15)
- Live-Armor: Building Custom Linux Live Images for Security Sandboxing (github.io)
- Firejail: Sandbox Firefox in (Arch) Linux (youtube.com)
- Firejail featured in Linux Magazine issue 173/2015: The Jailer – Running your programs in a jail with Firejail
- Firejail featured in Linux Voice magazine, issue 4 – FOSSpicks
- Void Linux, a rolling-release Linux distribution build from scratch, with its own packet manager and runit init system also includes Firejail
Please use the comment section on any page on this blog, or sourceforge.net/projects/firejail/support. All contributions are welcome: ideas, patches, documentation, bug reports, complaints.