Linux Mint Sandboxing Guide


Firejail is an easy to use sandbox that reduces the risk of security breaches by restricting the running environment of untrusted applications using seccomp-bpf and Linux namespaces.

The first seccomp/namespaces sandbox was built by Google for Chromium browser. It was released in 2012, replacing their existing SELinux sandbox. Shiny new technology, the sandbox flew under the radar gaining market share. By 2014 when Firejail project was started, Chromium browser was already running on 50% of Linux desktops. Today there are a small number of projects sandboxing browsers and other desktop applications using seccomp/namespaces technology. We are proud to be one of them.

From the beginning we realized the contradiction between security and comfort, and we made ease of use one of our main goals. We managed to achieve this goal without sacrificing the security functionality. We provide:

  • a simple method to start the sandbox from command line – prefix your application name with “firejail”, eg “firejail firefox”
  • full desktop integration – applications are sandboxed automatically when started by clicking on icons in file manager or desktop manager menus
  • an intuitive syntax for building advanced security profiles

      Our focus is GUI application sandboxing, with web browsers being the main target. The sandbox denies access to private files in user’s home directory. Inside the sandbox, Downloads directory and the browser configuration files are real, everything else is stored in a temporary filesystem and later discarded:

      Only Downloads directory is visible inside a sandboxed Firefox browser.

      This guide describes the steps necessary to install and configure Firejail sandbox on Linux Mint. Both Cinnamon and MATE desktop environments are supported. We provide similar support for all desktop managers.


      Installing and configuring Firejail

      Download the latest Firejail .deb package from our Download page and run the following three commands in a terminal:

      $ sudo dpkg -i firejail_0.9.46_1_amd64.deb
      $ firecfg --fix-sound
      $ sudo firecfg

      The first command installs Firejail software. The second command solves some shared memory/PID namespace bugs in PulseAudio software prior to version 9. The third command integrates Firejail into your desktop. You would need to logout and login back to apply PulseAudio changes.


      Running applications

      Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. The integration applies to any program supported by default by Firejail. There are about 250 default applications in Firejail version 0.9.46, and the number goes up with every new release. We keep the list in /usr/lib/firejail/firecfg.config file.

      Just for fun, start several programs by clicking your desktop manager menus, then open a terminal and run the following command:

      $ firejail --top

      This command tells you what programs are running in a Firejail sandbox. If your program was not sandboxed automatically, use the old method of prefixing your program with “firejail” command:

      $ firejail program-name

      firejail –top


      Installing new programs

      Run sudo firecfg every time you install a new program, here is a Chromium browser example:

      $ sudo apt-get install chromium-browser
      $ sudo firecfg

      Only Downloads directory is visible inside a sandboxed Chromium browser.


      Desktop launchers

      Cleaning up my software archive, I run into an old copy of Pentix. This is a very addictive Tetris clone I used to play in a DOS window way back when computers used to be fun. I created a directory pentix in my home and copied the game there. The next step was to go in Desktop directory and create a launcher for the game. The launcher is a regular text file with the following content:

      [Desktop Entry]
      Exec=dosbox /home/netblue/pentix/pentix.exe

      I use dosbox emulator (sudo apt-get install dosbox) to run the game. Firejail will sandbox the emulator automatically with a proper security profile. The icon pentix.png is something I grabbed from a clipart website. First time I click on the icon, a very annoyed Cinnamon tells me the launcher is not marked as trusted. I press “Mark as trusted” and get on with the game.

      A sandboxed Pentix game.


      The Linux desktop can also be customized using docks. A dock is a toolbar-like application launcher holding icons for frequently used programs. Docks are highly configurable and many users find them useful and beautiful.

      Several docks are available in Mint repositories. Among them Plank (sudo apt-get install plank), Docky (sudo apt-get install docky) and Cairo (sudo apt-get install cairo-dock). Similar to the regular desktop launchers, clicking on icons will sandbox applications automatically.

      Cairo dock starting sandboxed programs.


      Firejail is a must have tool for security concerned users. Like Mint, Firejail is a community project. We are not affiliated with any corporation, and pursue the user’s interest. If you run into problems, have new ideas, feature requests, whatever, join us on our development page. Thank you for reading!


10 thoughts on “Linux Mint Sandboxing Guide

  1. Gordon Driver

    Please please please someone tell me how to “undo” “reverse or “remove” this command: sudo firecfg (The second command integrates Firejail into your desktop).

    After issuing it, I cannot launch many, many programs. As a result, I can no longer use this software, and I really would like to continue doing so.


  2. Gordon Driver

    Sorry, panicked a bit. I easily fixed it with sudo firecfg –clean

    4 year-old running about and not paying attention.


  3. Pingback: Mint sandboxing guide | 0ddn1x: tricks with *nix

  4. Pingback: Links 1/6/2017: KDE Plasma 5.10, Qt 5.9 Released | Techrights

  5. Pingback: Links 18/6/2017: New Debian Release, Catchup With a Lot of News | Techrights

  6. Barry

    Good work. Great piece of software that solves a lot of problems. I am running Linux Mint and used firecfg as directed in this article. Most things work great, but there are a few exceptions that are causing me a lot of problems.

    What I need to know is how can I bypass firejail on a case by case basis?

    Sometimes I need to do a “quick – one shot”, and other times I need to create a permanent exemption for the program.

    Any assistance would be much appreciated.


    1. netblue30 Post author

      For example VLC. After you run firecfg, it will start jailed by default. If you want to start it without a jail, in your terminal run “/usr/bin/vlc”.

      For programs you never want jailed, delete the program link from /usr/local/bin directory (sudo rm /usr/local/bin/vlc).


  7. Barry

    I love using firejail with Firefox – it is so nice to be able to close the browser and have all the cookies and other garbage automatically gone.

    My only problem is that the default configuration set up by the Linux mint people does not include Google as a search engine, and uses yahoo as the default which serves more useless ads than useful content.

    Can you please tell me how I can establish my own custom starting point for Firefox under firejail? Thanks.


  8. Bob

    I’ve tried several times to install Firejail but every time, it kills my video display on either my laptop or HDMI out. The only way to fix this is to boot through a USB and delete the Firejail files from the HDD. I’ve read and searched everything but cannot figure out why this is happening.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s