Firejail
Firejail is a SUID sandbox program for Linux that reduces the risk of security breaches by restricting the running environment of untrusted applications. It uses Linux kernel features like namespaces, seccomp-bpf, and capabilities to create lightweight, isolated sandboxes for any program — no virtual machines or complex configuration required. Simply prefix any command with firejail to run it in a sandboxed environment with restricted network access, filesystem visibility, and system call privileges.
Key Features
- Linux namespace sandboxing — Uses mount, PID, network, IPC, UTS, and user namespaces to isolate applications from the host system and each other
- Seccomp-bpf filtering — Restricts the system calls an application can make, blocking dangerous syscalls that could be used for privilege escalation or kernel exploits
- Filesystem and network isolation — Limit which directories an application can read or write, and block or restrict its network access — perfect for sandboxing untrusted browsers or media players
- Mandatory Access Control (MAC) — Applies AppArmor and SELinux profiles inside the sandbox for layered security enforcement
- X11 and D-Bus sandboxing — Isolates the application’s graphical and inter-process communication, preventing keylogging, screen capture, and desktop manipulation from sandboxed programs
- Over 1,000 pre-configured profiles — Comes with ready-made security profiles for popular applications (browsers, media players, office suites), so you can sandbox complex software without writing rules
- Linux capabilities dropping — Automatically drops unnecessary kernel capabilities to reduce the attack surface of sandboxed applications
- Firetools GUI — Optional graphical interface for managing sandboxes, monitoring running processes, and creating custom profiles without editing text files
Why Use Firejail?
Firejail provides zero-overhead application sandboxing that uses the Linux kernel’s built-in isolation features — no daemons, no heavy virtual machines, no container runtimes needed. Just prefix firejail to any command and get instant protection against common attack vectors: compromised browsers cannot read your SSH keys, a buggy PDF viewer cannot access your documents, and a malicious media file cannot escalate to a full system compromise. With over 1,000 pre-built profiles, it works out of the box for most desktop applications.
Use Cases
- Browser isolation — Run your web browser in a sandbox so that a drive-by download or malicious website cannot access your home directory or SSH keys
- Untrusted software testing — Test downloaded applications, scripts, or packages in an isolated environment without risking your main system
- Media player containment — Sandbox VLC, MPV, or other media players to prevent malicious media files from compromising your system
- Network service hardening — Run network-facing services (like a local web server or file share) with restricted filesystem access and limited capabilities
Platform
Linux (kernel 3.x+)
Licence
GNU General Public License v2 (GPL-2.0)
Website
firejail.wordpress.com
Views: 0