Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. To start the sandbox, prefix your command with “firejail”:
$ firejail firefox # starting Mozilla Firefox $ firejail transmission-gtk # starting Transmission BitTorrent $ firejail vlc # starting VideoLAN Client $ sudo firejail "/etc/init.d/nginx start && sleep inf"
Firetools is the graphical user interface of Firejail security sandbox. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. The application is built using Qt4 libraries, and it is distributed as a separate package.
|Firejail Source Code Archive.
Firetools Source Code Archive.
|Debian, Ubuntu, Linux Mint etc.:
Firejail 64-bit DEB Package
Firetools 64-bit DEB Package
Firejail 32-bit DEB Package
Firetools 32-bit DEB Package
Debian testing/unstable: apt-get install firejail
|Fedora, openSUSE, Centos 7, RHEL 7
Firejail 64-bit RPM Package
Firetools 64-bit RPM Package
|Firejail Arch Linux package in AUR.
Firetools Arch Linux package in AUR
November 2015 – released Firejail version 0.9.34. This release brings in default home directory whitelisting for Firefox and Chromium, a new seccomp-based security filter (–protocol), dual 32 bit/64 bit seccomp support, support for Skype, Steam and Wine, and a number of smaller features and bugfixes. Release Announcement, Release Notes.
October 2015 – Firejail included in Ubuntu 15.10.
October 2015 – released Firejail version 0.9.32. The main feature in this release is –private-bin. It allows the user to build custom /bin, /sbin, /usr/bin and /usr/sbin directories, with only the programs specified by the user. The new version also allows the user to disable the sound system inside the sandbox by using –nosound option. IMPORTANT: a bug was introduced in Firejail version 0.9.30, that would allow a regular user logged into the system to elevate privileges and become root. Please update to the latest version. Release Announcement, Release Notes.
October 2015 – released Firetools version 0.9.30. This release brings in Arch Linux support, Qt5 support, 1h and 12h statistics, an updete of the application list, and lots of bugfixes.
September 2015 – released Firejail version 0.9.30. The main feature in this release is home directory whitelisting. There are also a number of modifications to the existing program options that might affect existing users. Release Announcement, Release Notes.
August 2015 – source code repository and bug tracker available on GitHub
August 2015 – released Firejail version 0.9.28. This release contains significant improvements, and a large number of enhancement and bug fixes. New features: network scanning (–scan option), interface MAC address support (–mac option), IP address range (–iprange option) and network traffic shaping (–bandwidth option). Default profile support was added for GNU Icecat, FileZilla, Pidgin, XChat, Empathy and DeaDBeeF. Release Announcement, Release Notes.
June 2015 – Firejail included in Debian.
- Building Custom Profiles
- Firejail Seccomp Guide
- Firejail Linux Capabilities Guide
- Firejail – A Security Sandbox for Mozilla Firefox
- Firejail – A Security Sandbox for Mozilla Firefox, Part 2
- Firejail – A Security Sandbox for Mozilla Firefox, Part 3
- Running Dropbox in Firejail Sandbox
- Debian/Ubuntu Cross-distro Gaming with Firejail
- How to Restrict a Login Shell Using Linux Namespaces
- Securing a Web Server Using a Linux Namespaces Sandbox
Across the Internet
- Sandboxing Firefox with Firejail
- Jailing the Browser
- Sandbox firefox in Linux with firejaill
- Sandboxing Seafile with firejail
- Alternatives to Docker and LXC (Flockport)
- HowTo: Using firejail as security sandbox for your programs (Linux Mint Forums)
- How To Use Firejail to Set Up a WordPress Installation in a Jailed Environment (digitalocean.com)
- Firejail featured on Linux Action Show (LAS 333, at 0:10:15)
- Live-Armor: Building Custom Linux Live Images for Security Sandboxing (github.io)
- Firejail featured in Linux Magazine issue 173/2015: The Jailer – Running your programs in a jail with Firejail
- Firejail featured in Linux Voice magazine, issue 4 – FOSSpicks
- Void Linux, a rolling-release Linux distribution build from scratch, with its own packet manager and runit init system also includes Firejail
All contributions are welcome: ideas, feature requests, patches, documentation, bug reports, complaints. Please use the comment section on any page on this blog, or the facilities provided by GitHub.
All security bugs in Firejail are taken seriously and should be reported by emailing firstname.lastname@example.org