Linux namespaces

The core technology behind Firejail is Linux Namespaces. We use this lightweight visualization technology as the first step of isolating the application.


Filesystem container

We build the application containers automatically when we start the sandbox, and we destroy them when we close the sandbox. The container is based on the filesystem currently installed. If the user keeps his system updated with all the security patches provided by the Linux distribution, the containers are also up to date.

Filesystem operations:

  • blacklisting – deny access to files and directories. Access attempts are reported to syslog.
  • whitelisting – allow only the files and directories specified by the user.
  • read-only, read-write, noexec – set file and directory attributes.
  • temporary filesystem – mount a temporary filesystem on top of a directory.
  • bind – bind-mount a file or directory on top of another file or directory.
  • private – mount copies of files and directories and discard them when the sandbox is closed.
  • restricted user home – only the current user home directory is available inside the sandbox. This is also reflected in the structure of /etc/passwd and /etc/group files.
  • reduced system information leakage – restrict access to directories such as /boot, /proc, and /sys.

Container types:

  • regular filesystem – container created using files and directories from the current filesystem
  • chroot filesystem – use a regular chroot filesystem as the container.
  • overlay filesystem – mount a Linux overlayfs filesystem on top of regular filesystem. All modifications stay in overlay layer. The user can reload the overlay later in a different sandbox.

The filesystem operations described above are available for all three types of containers.

Whitelisted home directory in Mozilla Firefox

Security filters

The following security filters are currently implemented:

  • seccomp-bpf – a simple, yet effective sandboxing technology, seccomp-bpf allows the user to attach a system call filter to a process and all its descendants, thus reducing the attack surface of the kernel.
  • protocol – based on seccomp, it filters the first argument of socket system call. Most default profiles allow only unix, inet and inet6 communication protocols.
  • noroot user namespace – install a user namespace with only one valid user, the current user.
  • Linux capabilities – Linux Capabilities (POSIX 1003.1e) are designed to split up the root privilege into a set of distinct privileges which can be independently enabled or disabled. These are used to restrict what a process running as root can do in the system. Most default profiles disable all capabilities.
  • X11 sandboxing support is built around two external X11 server software packages, Xpra and Xephyr.
  • direct support for Grsecurity and AppArmor.
An Openbox desktop manager running in a Xephyr/X11 Firejail sandbox

Networking support

Network namespace configured in a Firejail sandbox

Firejail can attach a new TCP/IP networking stack to the sandbox. The new stack comes with its own routing table, firewall and set of interfaces. Implemented as a Linux namespace inside the kernel, the stack is totally independent of host network stack.

Some people use the networking features as a means to block the access to all listening system sockets – most sandbox escape exploits are based on this type of interprocess communication. For example, the only way to disable X11 support inside a sandbox is using a network namespace.

These are the networking operations supported by Firejail:

  • create new interfaces – create Linux kernel macvlan and bridge devices and move them in the sandbox.
  • move existing interfaces inside the sandbox. The interface configuration is preserved. We use this feature to connect sandboxes to specific VLANs.
  • assign addresses – Firejail assigns IP addresses automatically using a simple ARP-scan mechanism. The user can also specify IP addresses. Both IPv4 and IPv6 are supported.
  • hostname support.
  • DNS support.
  • Linux netfilter support – a custom netfilter configuration can be installed in the sandbox.
  • traffic shaping – control the amount of data that flows into and out of sandboxes.

Security profiles

Located in /etc/firejail directory, profile files describe the filesystem container, the security filters and network configuration.

Most default security profiles use a restrictive seccomp-bpf dual 32-bit/64-bit filter, disable all capabilities, and enable a noroot user namespace inside the sandbox. The filesystem denies access to password and encryption keys. Some application classes such as web browsers use a whitelisted home directory, hiding all user files.

Default profile statistics describing the various technologies used by Firejail. More than 1000 application profiles are available by default in /etc/firejail as of version 0.9.64.

Resource allocation

Allocate resources such as CPU time, system memory, and network bandwidth, using Linux Control Groups and Linux rlimits.


Universal packaging formats

Firejail supports AppImage packaging format natively. Simply add –appimage command line option and the package is mounted and run inside the sandbox.


Sandbox auditing

Audit feature allows the user to point out gaps in security profiles. The implementation replaces the program to be sandboxed with a test program. We distribute a generic auditing program, but the user can also use custom programs.

Audit8ing transmission-qt profile

Statistics and monitoring

Firejail provides a large number of options to track all the aspects of sandboxed applications. This includes monitoring CPU/memory/bandwidth usage, tracing system calls, monitoring exec and fork events, and logging accesses to blacklisted files and directories.

Monitoring sandboxes with “firejail –top”

Graphical user interface

A GUI application, Firetools, is available as a separate software package.

Firefox Aurora sandbox statistics

18 thoughts on “Features

  1. Pingback: Обновление системы изоляции приложений Firejail 0.9.42 | Linux-House.ru

  2. Tom

    Hi there,
    Sorry if this is not the smartest to ask and ive overlooked in my complacency.
    Firejail is amazing, thank you. Ease of use and abilities. Hats off to you, though had me thinking. Can it box the entire OS and have more box’s inside that as they usually are set on chrome and firefox etc etc..?
    I’m a week into my journey of Linux, apologies again if this is a bit of a….idioitic question


    1. netblue30 Post author

      Thanks for your kind words. The idea so far was to target specific applications, such as Firefox and Chromium, or closed source apps like Steam and Skype. We are moving in the direction of sandboxing a full OS, but it will take some time to get there.


  3. Pingback: Firejail Tutorial – eirenicon llc

  4. Pingback: Firejail - Securely Run Untrusted Applications in Linux

  5. Pingback: Securely Run Untrusted Applications in Linux | Top Tech Stories

  6. Pingback: Securely Run Untrusted Applications in Linux | Tech News One

  7. Pingback: Firejail – Securely Run Untrusted Applications in Linux – Clockwork Network

  8. Pingback: Firejail, ejecuta de forma segura aplicaciones no confiables en Ubuntu

  9. Pingback: Выпуск системы изоляции приложений Firejail 0.9.60 — AllUNIX.ru — Всероссийский портал о UNIX-системах

  10. Pingback: Выпуск системы изоляции приложений Firejail 0.9.60 |

  11. Pingback: Выпуск системы изоляции приложений Firejail 0.9.62 |

  12. Pingback: Firejail - Führen Sie nicht vertrauenswürdige Anwendungen unter Linux sicher aus - okidk.de

  13. Pingback: Firejail - безопасный запуск потенциально уязвимых приложений

  14. Pingback: [linux] 파일 열기, 분기 등을 방지하는 Linux의 샌드 박스에서 신뢰할 수없는 C 프로그램을 실행 하시겠습니까? - 리뷰나라

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s