Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To start the sandbox, prefix your command with “firejail”:
$ firejail firefox # starting Mozilla Firefox $ firejail transmission-gtk # starting Transmission BitTorrent $ firejail vlc # starting VideoLAN Client $ sudo firejail /etc/init.d/nginx start # starting nginx web server
To protect user’s privacy, we deploy a very strict Mandatory Access Control (MAC) on top of the existing file system. Access to passwords, encryption keys, and private data is blocked for more than 1000 desktop applications supported by default. For most networked apps and games the sandbox is configured to hide all the files in home directory, with the exception of app configuration and Downloads.
The sandbox can be easily integrated with the desktop manager. Applications are sandboxed automatically as they are started by the user.
We offer two Firejail flavors (mainline and long term support) and a number of additional sandbox plug-ins.
- Mainline is our latest and greatest sandbox version. It includes new features and developments, updated profiles, and support for the latest desktop applications. The target audience is desktop home users. (development page)
- Long Term Support (LTS) – Every two or three years we cut a branch from mainline git, we remove rarely used features (chroot, overlay, rlimits, cgroups, etc.), incomplete features (private-bin, private-lib, etc.), and a lot of instrumentation (build profile feature, tracing, auditing, etc). Sandbox-specific security features such as seccomp, capabilities, filesystem whitelist/blacklist and networking are updated and hardened. LTS receives periodic security updates, but no new features are ever added. The end result is a more stable software base, and a much smaller attack surface. Please use this version for any kind of enterprise deployment. (development page)
- Firetools is the graphical user interface of Firejail. The application is built using Qt4/Qt5 libraries. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. (project webpage, development page)
- FDNS is a DNS over HTTPS (DoH) proxy server. FDNS protects your computer against some of the most common cyber threats, all while improving the privacy and the system performance. We use only DoH services from non-logging providers, while preferring small operators such as open-source enthusiasts and privacy-oriented non-profit organizations. (project webpage, development page)
- Firetunnel allows the user to connect multiple Firejail sandboxes on a virtualized Ethernet network. Applications include virtual private networks (VPN), overlay networks, peer-to-peer applications. Currently the project is in beta-testing phase, you can find out more on our development page.
Firejail is a community project. We are not affiliated with any company, and we don’t have any commercial goals. Our focus is the Linux desktop. Home users and Linux beginners are our target market. The software is built by a large international team of volunteers on GitHub. Expert or regular Linux user, you are welcome to join us!
Security bugs are taken seriously, please email them to netblue30 at protonmail.com
June 2021 – Firejail 0.9.66 released: lots of new features; rework of some of the most important modules and lots of hardening; a new tool, jailcheck, that allows the user to quickly asses the security of user installed applications; new application security profiles and updates. Release Notes
May 2021 – released Firejail DNS Proxy Server (FDNS) 0.9.66. This release brings in support for a servers.local file in etc directory, added several new commands for server file, new command line options, a new utility program (nxdomain) to clean up expired adblocker domains, removed non-profit tag from the server list, and lots of bug fixes. The adblocker filter and the server list have been updated. FDNS packages are currently available in Arch Linux (AUR) and Slackware (Slackbuilds). Release Notes
- HOWTO: Firejailed Tor Browser
- fjp is a handy command line program to work fast and straightforward with firejail profiles.
- Fireinvoke is a program that allows to easily run appimages and programs extracted from archives in the firejail sandbox by running simple command or by just double clicking it in file manager.
- fire-install installs programs from archives and appimages into ~/.programs and creates launchers in ~/.local/bin. The programs are executed with fireinvoke.
- Firewarden is a bash script used to open a program within a private Firejail sandbox.
- Ansible role to setup Firejail
- firejail-extras: Arch Linux AUR package containing extra security profiles for Firejail
- https://github.com/chiraag-nataraj/firejail-profiles – This is a collection of tighter security profiles maintained by a member of Firejail development team.
- Firejail package on SlackBuilds.org
- ansible-firejail – Ansible playbook for Firejail.