Firejail

Firejail

Firejail is a SUID sandbox program for Linux that reduces the risk of security breaches by restricting the running environment of untrusted applications. It uses Linux kernel features like namespaces, seccomp-bpf, and capabilities to create lightweight, isolated sandboxes for any program — no virtual machines or complex configuration required. Simply prefix any command with firejail to run it in a sandboxed environment with restricted network access, filesystem visibility, and system call privileges.

Key Features

  • Linux namespace sandboxing — Uses mount, PID, network, IPC, UTS, and user namespaces to isolate applications from the host system and each other
  • Seccomp-bpf filtering — Restricts the system calls an application can make, blocking dangerous syscalls that could be used for privilege escalation or kernel exploits
  • Filesystem and network isolation — Limit which directories an application can read or write, and block or restrict its network access — perfect for sandboxing untrusted browsers or media players
  • Mandatory Access Control (MAC) — Applies AppArmor and SELinux profiles inside the sandbox for layered security enforcement
  • X11 and D-Bus sandboxing — Isolates the application’s graphical and inter-process communication, preventing keylogging, screen capture, and desktop manipulation from sandboxed programs
  • Over 1,000 pre-configured profiles — Comes with ready-made security profiles for popular applications (browsers, media players, office suites), so you can sandbox complex software without writing rules
  • Linux capabilities dropping — Automatically drops unnecessary kernel capabilities to reduce the attack surface of sandboxed applications
  • Firetools GUI — Optional graphical interface for managing sandboxes, monitoring running processes, and creating custom profiles without editing text files

Why Use Firejail?

Firejail provides zero-overhead application sandboxing that uses the Linux kernel’s built-in isolation features — no daemons, no heavy virtual machines, no container runtimes needed. Just prefix firejail to any command and get instant protection against common attack vectors: compromised browsers cannot read your SSH keys, a buggy PDF viewer cannot access your documents, and a malicious media file cannot escalate to a full system compromise. With over 1,000 pre-built profiles, it works out of the box for most desktop applications.

Use Cases

  • Browser isolation — Run your web browser in a sandbox so that a drive-by download or malicious website cannot access your home directory or SSH keys
  • Untrusted software testing — Test downloaded applications, scripts, or packages in an isolated environment without risking your main system
  • Media player containment — Sandbox VLC, MPV, or other media players to prevent malicious media files from compromising your system
  • Network service hardening — Run network-facing services (like a local web server or file share) with restricted filesystem access and limited capabilities

Platform

Linux (kernel 3.x+)

Licence

GNU General Public License v2 (GPL-2.0)

Website

firejail.wordpress.com

Sign In

Register

Reset Password

Please enter your username or email address, you will receive a link to create a new password via email.