TechRepublic: How to install and use Firejail on Linux

Firejail is a SUID security program for Linux that drastically reduces the risk of security breaches by sandboxing the running environment of untrusted applications. It does this with Linux namespaces and seccomp-bpf; the latter attaches a system call filter to a process and all its descendants, reducing the attack surface of the kernel.

With Firejail installed, you can launch applications from the command line so that they have a private view of globally shared kernel resources, such as the network stack. With this addition to your Linux platform, you’ll add a heightened level of security to an already secure environment.

Firejail is not limited to graphical applications. In fact, Firejail can sandbox servers, GUI tools, and even user login sessions.

Believe it or not, Firejail is incredibly easy to use. I’m going to walk you through the process of installing and using Firejail.
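To check that a process launched under Firejail really has the seccomp-bpf filter and private namespaces described above, the following added example (not from the TechRepublic article or the Firejail project) reads the kernel's own view in /proc. The function names and the PROC_ROOT override are hypothetical, and which namespace types must be private is left to the caller.

```shell
#!/bin/sh
# Added example. PROC_ROOT is a hypothetical override that lets the
# functions read a constructed tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# seccomp_mode PID -> disabled | strict | filter | unknown
# Exact match on "Seccomp:" skips the newer "Seccomp_filters:" field.
seccomp_mode() {
    mode=$(awk '$1 == "Seccomp:" { print $2 }' \
        "$PROC_ROOT/$1/status" 2>/dev/null) || mode=
    case "$mode" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;    # a seccomp-bpf filter is attached
        *) echo unknown ;;   # process gone, unreadable, or field absent
    esac
}

# ns_state PID REF_PID TYPE -> private | shared | unknown
# Two processes share a namespace when /proc/PID/ns/TYPE resolves to
# the same "type:[inode]" string for both.
ns_state() {
    a=$(readlink "$PROC_ROOT/$1/ns/$3" 2>/dev/null) || a=
    b=$(readlink "$PROC_ROOT/$2/ns/$3" 2>/dev/null) || b=
    if [ -z "$a" ] || [ -z "$b" ]; then echo unknown
    elif [ "$a" = "$b" ]; then echo shared
    else echo private
    fi
}

# sandbox_report PID REF_PID TYPE...
# Prints one line per check. Returns non-zero unless a seccomp filter is
# attached and every listed namespace TYPE differs from REF_PID's.
sandbox_report() {
    pid=$1 ref=$2 rc=0
    shift 2
    s=$(seccomp_mode "$pid")
    echo "seccomp=$s"
    [ "$s" = filter ] || rc=1
    for t in "$@"; do
        n=$(ns_state "$pid" "$ref" "$t")
        echo "$t=$n"
        [ "$n" = private ] || rc=1
    done
    return "$rc"
}

# Stand-alone use: sh script.sh PID REF_PID TYPE...
if [ "$#" -ge 2 ]; then sandbox_report "$@"; fi
```

Pass the PID of the sandboxed application as PID and `self` as REF_PID, for example `sandbox_report 12345 self pid mnt`, where 12345 is a placeholder.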


4 thoughts on “TechRepublic: How to install and use Firejail on Linux”

  1. Kevin

    Brave still cannot open in Firejail on Ubuntu/Mint under the current version of both Firejail and Firetools. Can we please get a patch for this? Maybe post that article on Brave’s Github to encourage them to help develop a patch. I’d rather use Brave than Firefox but I won’t until it is compatible with Firejail.


  2. Fernando

    Firejail can’t run type 2 appimages:
    $ firejail --appimage ./Rambox-0.7.5-linux-i386.AppImage
    Mounting appimage type 1
    Error mounting appimage: appimage.c:117 appimage_set: Invalid argument

    The appimage executes fine if I type:

    I am using 32-bit firejail in a 32-bit Linux to run 32-bit appimage.
    Here is the download link of the appimage:

    I have tested many type 2 appimages and nothing works.

    My firejail version is:
    $ firejail --version
    firejail version 0.9.62

    Compile time support:
    - AppArmor support is disabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - firetunnel support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled


  3. kiers

    User Namespaces enabled is listed all over the web as being massively UNSAFE for exploits?! Could you please clarify? Linux Mint by default has kernel.unprivileged_userns_clone = 1


    1. netblue30 Post author

      You are right. The reason is they are making it available as a regular user, so there have been a number of exploits so far.

      In Firejail we use a subset of the functionality and we handle it strictly as root. Basically what we are doing is we remove the root user from the namespace when we set up the sandbox. The thinking is without a root user, an intruder cannot become root. It has worked fine so far, and we are watching it closely.


