About

Introduction

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To start the sandbox, prefix your command with “firejail”:

$ firejail firefox                       # starting Mozilla Firefox
$ firejail transmission-gtk              # starting Transmission BitTorrent 
$ firejail vlc                           # starting VideoLAN Client
$ sudo firejail /etc/init.d/nginx start  # starting nginx web server
 

To protect user’s privacy, we deploy a very strict Mandatory Access Control (MAC) on top of the existing file system. Access to passwords, encryption keys, and private data is blocked for more than 1000 desktop applications supported by default. For most networked apps and games the sandbox is configured to hide all the files in home directory, with the exception of app configuration and Downloads.

 
Whitelisted home directory in Mozilla Firefox
User home directory as seen by Mozilla Firefox browser process
 

We offer two Firejail flavors (mainline and long term support) and a number of additional sandbox plug-ins.

Firetools Demo
  • Firetools is the graphical user interface of Firejail. The application is built using Qt5 libraries. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. (project webpage, development page)
  • FDNS is a DNS over HTTPS (DoH) proxy server. FDNS protects your computer against some of the most common cyber threats, all while improving the privacy and the system performance. We use only DoH services from non-logging providers, while preferring small operators such as open-source enthusiasts and privacy-oriented non-profit organizations. (project webpage, development page)
 

About Us

Firejail is a community project. We are not affiliated with any company, and we don’t have any commercial goals. Our focus is the Linux desktop. Home users and Linux beginners are our target market. The software is built by a large international team of volunteers on GitHub. Expert or regular Linux user, you are welcome to join us!

Security bugs are taken seriously, please email them to netblue30 at protonmail.com

 

News

October 2023 – released FDNS 0.9.72. In this release we continue the development of our nxdomain tool, streamlined some of the least-used features, and added --disable-syslog command line option. The adblock filters have been fully rebuilt, we introduced a new phishing filter, and updated the server list. Release Notes

January 2023 – released Firetools version 0.9.72. Release Notes

January 2023 – released Firejail version 0.9.72. In this release we introduce a new seccomp filter for restricting the creation of Linux namespaces, and continue with the implementation of our network tracing feature. There are also lots of security updates, bug fixes, and new application profiles. Release Notes

June 2022 – released Firejail 0.9.70.

  • Fixed CVE-2022-31214 – root escalation in –join logic. The problem was reported by Matthias Gerstner, and independently by Birk Blechschmidt. Full working exploit code was provided in both cases. It allows an attacker that already has access to the system to gain root privileges. If for any reason you cannot update Firejail software, disable –join functionality in /etc/firejail/firejail.config file, and enforce nonewprivs (set “join no” and “force-nonewprivs yes” in this file).
  • Retired Firejail LTS version. The latest LTS has the same –join problem, and it will be replaced with something different in the near future.
  • a number of small features, bugfixes, and new profiles. Release Notes

March 2022 – released Firejail DNS Proxy Server (FDNS) 0.9.68: small number of new features, server and adblocker list updates, bugfixes. Release Notes

February 2022 – Firejail 0.9.68 released. In this release we introduce a large number of new features such as: AppImage support for our profile builder; network monitoring and locking capabilities; a simple intrusion detection system; support for base AppArmor abstraction; support for disabling printers; new application profiles and a lot of bugfixes. Release Notes

June 2021 – Firejail 0.9.66 released: lots of new features; rework of some of the most important modules and lots of hardening; a new tool, jailcheck, that allows the user to quickly asses the security of user installed applications; new application security profiles and updates. Release Notes

May 2021 – released Firejail DNS Proxy Server (FDNS) 0.9.66. This release brings in support for a servers.local file in etc directory, added several new commands for server file, new command line options, a new utility program (nxdomain) to clean up expired adblocker domains, removed non-profit tag from the server list, and lots of bug fixes. The adblocker filter and the server list have been updated. FDNS packages are currently available in Arch Linux (AUR) and Slackware (Slackbuilds). Release Notes

 

External Projects

Firejail
Firejailed!
  • HOWTO: Firejailed Tor Browser
  • fjp is a handy command line program to work fast and straightforward with firejail profiles.
  • Fireinvoke is a program that allows to easily run appimages and programs extracted from archives in the firejail sandbox by running simple command or by just double clicking it in file manager.
  • fire-install installs programs from archives and appimages into ~/.programs and creates launchers in ~/.local/bin. The programs are executed with fireinvoke.
  • Firewarden is a bash script used to open a program within a private Firejail sandbox.
  • Ansible role to setup Firejail
  • firejail-extras: Arch Linux AUR package containing extra security profiles for Firejail
  • https://github.com/chiraag-nataraj/firejail-profiles – This is a collection of tighter security profiles maintained by a member of Firejail development team.
  • Firejail package on SlackBuilds.org
  • ansible-firejail – Ansible playbook for Firejail.

2 thoughts on “About

  1. joe425g

    hello, thank you for your firejail program very useful under linux. i use it all the time to isolate programs. recently i wanted to install the nim language in a private directory. normally the installer is supposed to believe that it is located at the root of home and doesn’t go out of the sandbox but this time it’s not the case, i can find traces of the program in the real user’s directory, here’s the command that i used:

    firejail –noprofile –ipc-namespace –no3d –nodbus –nodvd –notv –nou2f –novideo –shell=none –noexec=all –disable-mnt –nogroups –private-dev –private-tmp –noroot –caps.drop=all –seccomp –nonewprivs –private=/private/directory/name curl https://nim-lang.org/choosenim/init.sh -sSf | sh

    I took the installation order on the official nim website. please note that i have installed the latest version of firejail (0.9.70) and the result is the same. just for information. thank you for your excellent work.

    Like

    Reply

Leave a comment