Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
Written in C with virtually no dependencies, the software should run on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. To start the sandbox, prefix your command with “firejail”:
$ firejail firefox # starting Mozilla Firefox $ firejail transmission-gtk # starting Transmission BitTorrent $ firejail vlc # starting VideoLAN Client $ sudo firejail "/etc/init.d/nginx start && sleep inf"
Firetools is the graphical user interface of Firejail security sandbox. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. The application is built using Qt4 libraries, and it is distributed as a separate package.
|Firejail Source Code Archive.
Firetools Source Code Archive.
|Debian, Ubuntu, Linux Mint etc.:
Firejail 64-bit DEB Package
Firetools 64-bit DEB Package
Firejail 32-bit DEB Package
Firetools 32-bit DEB Package
|Fedora, openSUSE, Centos 7, RHEL 7
Firejail 64-bit RPM Package
Firetools 64-bit RPM Package
|Arch Linux package in AUR.|
|Slackware Linux package on SlackBuilds.org.|
June 2015 – Firejail included in Debian.
June 2015 – released Firetools version 0.9.26.1. This is a bugfix release.
May 2015 – released Firetools version 0.9.26. Firetools is a graphical user interface for Firejail sandbox. This is the first release of the program.
May 2015 – version 0.9.26 released. The new version brings in support for private /dev directory, private home directory whitelisting, user namespaces, default profiles for Deluge and qBittorrent, and lots of bugfixes. Release Announcement, Release Notes.
April 2015 – version 0.9.24 released. It brings in several bugfixes, full support for blacklist and whitelist seccomp filters, doubledash support, –shell=none support, default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem, and a number for smaller features. Note: support for empty seccomp attribute has been deprecated. Use –seccomp.drop instead. Release Announcement, Release Notes.
March 2015 – version 0.9.22 released. Starting with this release, 32-bit builds are supported. A 32-bit .deb package for Debian/Ubuntu/Mint and derivatives is available in our download section. The release implements Linux capability whitelists and blacklists filters, macvlan networking support, Netfilter and DNS support, network statistics support via –netstats options, overlay filesystem support when running on Linux kernel version 3.18 or newer (–overlay option), and sandbox standard output logging. The release also introduces support for Thunderbirs/Icedove email client and updated security profiles for all other applications supported by default by Firejail.
Release Announcement, Release Notes
- Building Custom Profiles
- Firejail Seccomp Guide
- Firejail Linux Capabilities Guide
- Firejail – A Security Sandbox for Mozilla Firefox
- Firejail – A Security Sandbox for Mozilla Firefox, Part 2
- Running Dropbox in Firejail Sandbox
- Debian/Ubuntu Cross-distro Gaming with Firejail
- How to Restrict a Login Shell Using Linux Namespaces
- Securing a Web Server Using a Linux Namespaces Sandbox
Across the Internet
- How To Use Firejail to Set Up a WordPress Installation in a Jailed Environment (digitalocean.com)
- Firejail featured on Linux Action Show (LAS 333, at 0:10:15)
- Live-Armor: Building Custom Linux Live Images for Security Sandboxing (github.io)
- Firejail: Sandbox Firefox in (Arch) Linux (youtube.com)
- Firejail featured in Linux Magazine issue 173/2015: The Jailer – Running your programs in a jail with Firejail
- Firejail featured in Linux Voice magazine, issue 4 – FOSSpicks
- Void Linux, a rolling-release Linux distribution build from scratch, with its own packet manager and runit init system also includes Firejail
All contributions are welcome: ideas, feature requests, patches, documentation, bug reports, complaints. Please use the comment section on any page on this blog, or the facilities provided by sourceforge.net.