Firejail

Mozilla Firefox starting in a Firejail sandbox.

Mozilla Firefox starting in a Firejail sandbox.


Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

 

Downloads

logo-sml Source Code Archive.
download-deb 64-bit DEB Package for Debian, Ubuntu, Linux Mint.
download-rpm 64-bit RPM Package for Fedora, openSUSE, Centos 7, RHEL 7.
download-arch Arch Linux package in AUR.
download-slackware Slackware Linux package on SlackBuilds.org.
 

News

February 2015 – first release candidate for version 0.9.22 (more).

February 2015 – version 0.9.20 released. This release fixes a number of bugs reported by users, and brings in several new features: Linux control group support, CPU affinity, Opera web browser and VLC media player support, and monitoring enhancements. A description of the new features is provided in our Release Announcement.
Release Notes

December 2014 – version 0.9.18 released. This release brings in support for transmission-gtk and transmissin-qt BitTorrent clients, support for tracing system, setuid, setgid, setfsuid, setfsgid, setreuid, setregid, setresuid, setresguid system calls and a number of bugfixes.
Release Notes

November 2014 – version 0.9.16 released. It includes a number of bugfixes, support for configurable private home directories, configurable user shell, and Dropbox support. Note: Linux capabilities and seccomp filters are enabled by default for Firefox, Mirodi, Evince and Dropbox. If you run into problems, please let us know!
Release Notes

October 2014 – version 0.9.14 released. This release brings in support for user-defined seccomp blacklists, tracing filesystem and network accesses, bind mounts, process resource limits, monitoring ARP tables, route tables and interfaces, and a number of smaller features and bugfixes.
Release Notes

 

Documentation

Features   Download and Installation   Usage

Manual Pages: firejail, firemon, firejail profile files

HOWTOs:

 

Support

Please use the comment section on any page on this blog, or sourceforge.net/projects/firejail/support. All contributions are welcome: ideas, patches, documentation, bug reports, complaints.

 

147 thoughts on “Firejail

  1. somePasserby

    With regards to pulseaudio segfaults mentioned above:

    Could it be so that it is related to the Skype-pulseaudio shared memory crash I described (and am still experiencing in most recent version)?

    Terrance Harris, could you try disabling shared memory for pulseaudio and see if problem persists ?

    Reply
  2. Pingback: Firejail, un sandbox universal para Linux - Detrás del pingüino

  3. somePasserby

    Any news with regards to skype-pulseaudio shared-memory related crash ? (still getting the same behavior on most recent version) ?

    I don’t wanna nag or anything (but I do want to have better sound latency with jailed skype :) )

    Reply
      1. somePasserby

        Lubuntu 12.04

        I have reported this bug previously (here in the comments and on sourceforge)
        Basically, if pulse is configured to use shared memory and Skype is launched within firejail, trying to do a voice call with cause a crash.

  4. vds

    Thanks a lot for releasing this application, it’s extremely useful and easy to use. I wonder if it is possible to restrict the access to /tmp and /var like the private option allows for $HOME. Thanks.

    Reply
    1. netblue30 Post author

      You’re welcome. Private option also installs a new /tmp directory, similar to /home.

      To install a new temporary fs (similar to /home and /tmp above) on top of any other directory use –tmpfs option:

      $ firejail –private –tmpfs=/var

      You will get a new /home/user, new /tmp, and a new /var.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s