Frequently Asked Questions


Why on earth should I use Firejail?

Some existing Linux security solutions are easily defeated by internal and/or external threats. Others are simply too difficult to put in place. Firejail’s approach is radically different.

For us, the user always comes first, and we keep the learning curve low. Most of the time you don’t need to learn anything: just prefix your application with “firejail” and run it. This makes Firejail ideal for the regular, not-so-skilled home user.

If you are running Linux in a business setting, you are not forgotten: Firejail won’t put a major dent in your IT budget, and it doesn’t require much in the way of new staff or skills either.

Also, we use the latest Linux kernel security features, such as namespaces and seccomp-bpf. In our view these features are mature, having been extensively tested in the marketplace by products such as Google Chrome and Docker.


How much does this cost?

Firejail is 100% free; you don’t have to pay anything. We publish the program under the GPL v2 license. You are in control of the software, and you are in control of your data.


Why is Firejail not packaged by XYZ Linux distribution?

Firejail is a young project. As the project matures, Linux distros will package it if there is enough user interest. Currently, Firejail is included in Arch, Debian, Gentoo, NixOS and Ubuntu; if you find another one, please let me know.


How does it compare with Docker, LXC, nspawn?

Docker, LXC and nspawn are container managers. A container is a separate root filesystem, and the software runs inside that new filesystem. Firejail is a security sandbox: it works on your existing filesystem. It is modeled after the security sandbox distributed with Google Chrome.

Containers and sandboxes use the same Linux kernel technology, Linux namespaces. The developer focus is different: containers target the virtualization market, while sandboxes focus on application security.


I recently heard of the sandbox command (it uses SELinux, I believe). What’s the advantage of using Firejail instead of that?

As attacks become more and more sophisticated, new security features are added to the Linux kernel. A nice description is available here. Firejail uses a combination of these technologies and closely tracks new kernel developments.


What is the overhead of the sandbox?

The sandbox itself is a very small process. Setup is fast, typically under one second. After the application is started, the sandbox process goes to sleep and consumes next to no CPU. All the security features are implemented inside the kernel, and run at kernel speed.

It is very difficult to measure the effect various security technologies can have. Take for example the sandbox network namespace as compared to the system network namespace: you are running in a network namespace anyway, so there should be no speed difference. The only kernel technology that can introduce a small delay is seccomp-bpf, because its filter is evaluated on every system call the application makes.


Firefox doesn’t open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance.

By default, Firefox uses a single process to handle all of its windows. If another Firefox process is already running when you start the browser, the existing process opens a new tab or window instead, and that tab runs inside the old, unsandboxed process. Make sure Firefox is not already running when you start it in a Firejail sandbox. (Starting it as “firefox --new-instance” is another way to force a separate instance, as a reader notes in the comments below.)


I’ve noticed the title bar in Firefox shows “(as superuser)”, is this normal?

The sandbox process itself runs as root; the application inside the sandbox runs as a regular user. “ps aux | grep firefox” reports the Firefox process running as a regular user.

The same problem was seen with other programs as well (VLC, Audacious, Transmission), and it is believed to be a bug in the window manager. You can find a very long discussion on the development site:
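Rather than trusting the title bar, check the owner of the application process directly. The function below is an added example (not Firejail’s own code): it reads “USER PID COMMAND” lines, as produced by “ps -eo user=,pid=,comm=”, from standard input and reports any process with the given command name that runs as root. The firejail launcher itself is expected to be root; the application must not be. The sample lines at the end are constructed for the demo, not captured from a real system.

```shell
# Added example, not Firejail's own code: verify that a sandboxed application
# runs as an unprivileged user, regardless of what the window manager displays.
#
# usage: ps -eo user=,pid=,comm= | check_not_root APP
# Prints each offending process. Returns 0 when no APP process runs as root,
# 1 when at least one does, and 2 when no APP process was found at all.
check_not_root() {
    app=$1
    found=0
    bad=0
    while read -r user pid comm; do
        [ "$comm" = "$app" ] || continue
        found=1
        if [ "$user" = "root" ]; then
            bad=1
            printf 'WARNING: %s (pid %s) is running as root\n' "$comm" "$pid"
        fi
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# Constructed sample output for a demo run (not taken from a real machine):
# the firejail parent is root, the sandboxed browser belongs to the user.
SAMPLE_PS='root 6199 firejail
shawn 6202 firejail
shawn 6210 palemoon
shawn 6231 palemoon'

# Demo: prints nothing and succeeds, because palemoon never appears as root.
printf '%s\n' "$SAMPLE_PS" | check_not_root palemoon && echo "palemoon: OK, not root"
```

On Linux the comm field is truncated to 15 characters, so pass the truncated name for long program names (for example “transmission-gt” rather than “transmission-gtk”), or switch to “ps -eo user=,pid=,args=” and match on the full command line.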


Can you sandbox Steam games and Skype?

Support for Steam, Wine and Skype has been available since version 0.9.34. Quite a number of other closed-source programs are supported as well.

Running ls /etc/firejail/*.profile lists all the security profiles distributed with Firejail. Programs not listed there are handled by the very restrictive /etc/firejail/default.profile.
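To find out which profile will actually apply to a program, the following added shell functions (example code, not part of Firejail) reproduce the lookup order visible in the “Reading profile” output quoted in the comments further down: a profile under ~/.config/firejail is found first, then one under /etc/firejail, and a program with neither falls back to default.profile. The directory arguments exist only so the functions can be run against scratch directories; their defaults are the real locations.

```shell
# Added example, not Firejail's own code. Mirrors the profile lookup described
# on this page: ~/.config/firejail/NAME.profile first, then
# /etc/firejail/NAME.profile, otherwise the restrictive default.profile.
# The optional directory arguments let the functions run against test directories.

# resolve_profile NAME [USER_DIR] [SYSTEM_DIR]
# Prints the profile Firejail would pick for NAME. Returns 0 when NAME has a
# profile of its own, 1 when it falls back to default.profile.
resolve_profile() {
    name=$1
    user_dir=${2:-$HOME/.config/firejail}
    sys_dir=${3:-/etc/firejail}
    for candidate in "$user_dir/$name.profile" "$sys_dir/$name.profile"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf '%s\n' "$sys_dir/default.profile"
    return 1
}

# list_profiles [SYSTEM_DIR]
# Prints the names of all shipped profiles, one per line: what
# "ls /etc/firejail/*.profile" shows, minus directory and extension.
list_profiles() {
    sys_dir=${1:-/etc/firejail}
    for f in "$sys_dir"/*.profile; do
        [ -f "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.profile}"
    done
}

# Example run against the real directories:
#   resolve_profile firefox
#   resolve_profile kodi || echo "kodi has no profile of its own"
```

A stale file in ~/.config/firejail silently wins over the packaged profile (one commenter below ran into exactly that), so check the result of resolve_profile before assuming the system profile is in effect. A user profile can still pull in the packaged one with an “include” line, which is why both paths may show up in Firejail’s “Reading profile” output, and “firejail --profile=PATH” forces a specific file regardless of the lookup.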

148 thoughts on “Frequently Asked Questions”

  1. Robert

    It would be a great feature if there were a build option to specify which directory it uses instead of the default “/run/firejail”. Trying to use it on systems which have a read-only / does not work.


  2. Paulo M.


    First of all congratulations on your excellent work!

    I’m trying sandboxes for the very first time, so I know close to nothing about them. I just tried to run Kodi Media Center in Firejail but it just won’t start. I ran the command in the terminal:
    firestart kodi
    I also tried with the private prefix but still no luck.

    Is there a way to run Kodi on Firejail?

    Let me know if you need details/info/logs, but from what it looks like, it’s not a matter of config but rather of not being able to run at all. I tried both the 38 and 44 versions of Firejail; my OS is a Linux distro based on Ubuntu 16.04.1.

    Thank you very much in advance. Keep up with the good work!


    1. netblue30 Post author

      I don’t think anybody has tried Kodi. I’ll try to bring it up in the next release.

      Run “firejail --noprofile kodi”; if this works it would be easy to build a profile for it.


      1. Paulo M.

        Thank you very much for getting back to me and for your help.

        Unfortunately it didn’t work:

        “$ firejail –noprofile kodi
        Reading profile /etc/firejail/generic.profile
        Reading profile /etc/firejail/
        Reading profile /etc/firejail/
        Reading profile /etc/firejail/

        ** Note: you can use –noprofile to disable generic.profile **

        Parent pid 15563, child pid 15564

        Child process initialized
        /bin/bash: –noprofile: command not found

        parent is shutting down, bye…”

        If you can make Kodi fully working on Firejail and spread the word, I believe many will get Firejail just based on that. Kodi is becoming more and more popular every day, and since it uses online connections from various sources, it’s a security hazard for the system.

        Once again thank you very much and keep up with the good work!


  3. pytaoxlfak

    create file:

    with the following content:
    noblacklist ~/.kodi
    caps.drop all
    protocol unix,inet,inet6,netlink
    shell none

    firejail kodi


      1. GNUser

        Shouldn’t the profile for Kodi be more restrictive? I think for people who use Kodi to play internet streams (like live sports events and such) it shouldn’t have any “read” access to files on the home partition. Maybe a whitelist kind of thing. Any thoughts?


      2. netblue30 Post author

        I’ll add Kodi support in the next release. It will probably be a simple blacklist-based profile. Once the release is out, we’ll figure out some whitelisting for it.


  4. GlobalLover

    Hello, I run 8 Steams in Firejail. All work correctly; I run Counter-Strike: Global Offensive and it works. If I run more than 5 CS:GO clients (5 clients work perfectly), the rest can’t start: for a few seconds I see the CS:GO window, and then it closes. In the console I don’t see any errors. The Steam clients work correctly. Does somebody know how to fix this?

    I’m running it with the command
    firejail --private=nameofbox steam

    The system is Ubuntu 16.04 with the latest NVIDIA drivers installed (I also tried older versions) and the latest Firejail version. PC specs: i7 6700HQ, 32 GB RAM, GTX 960M 4 GB GDDR5.

    Can somebody help me?


  5. Alex

    Hello! I want to prevent all apps on my machine from keylogging Firefox so I can be safe. Is this possible with Firejail? I want to be safe from malware that may run without me noticing.


  6. Ian

    I’m using it on Ubuntu 16.10. I have a problem where some applications aren’t remembering settings. Cherrytree forgets that I enlarged the UI because I have a high-DPI screen, and it also doesn’t open the last used file like it used to (with an older version of Firejail). Transmission forgets that I set it to always use encryption instead of the default of “prefer encryption”. I’ve made sure that the profiles allow those specific applications to read the relevant .config/ files and have double-checked, e.g., that Transmission’s settings.json has the desired encryption setting. It seems these applications are starting up using default settings for some reason?


    1. netblue30 Post author

      To make sure which profile your app is using, start it from the command line. It will list all the profiles as they are loaded:

      netblue@debian:~$ firejail transmission-gtk
      Reading profile /home/netblue/.config/firejail/transmission-gtk.profile
      Reading profile /etc/firejail/transmission-gtk.profile
      Reading profile /etc/firejail/
      Reading profile /etc/firejail/disable-common.local
      Reading profile /etc/firejail/
      Reading profile /etc/firejail/
      Reading profile /etc/firejail/
      Reading profile /etc/firejail/
      Parent pid 3633, child pid 3634


      1. Ian

        Thanks. It turns out I left an old Cherrytree profile in ~/.config/firejail/

        As for Transmission, those issues are caused by it being launched from within the Firefox sandbox. I tried whitelisting Transmission’s configuration file in the Firefox profile, but that didn’t seem to work, so I’m just pasting magnet links into Transmission manually until I work out the correct Firefox profile changes.


      2. netblue30 Post author

        I also use magnet links with Transmission. The idea is to have the browser and the BitTorrent client each sandboxed independently, as strongly as possible.


  7. wheezy


    I just stumbled over this promising little program of yours. What I do not understand is the difference to SELinux, AppArmor and other MAC systems. I never used any of these, but recently they found ransomware even for Linux. That’s why I was thinking of chroot or a MAC system like yours.

    I really appreciate your efforts on this highly important subject.

    Many thanks!


  8. shawn

    Firstly, great application. Using firejail_0.9.44.8_1_amd64.deb and Pale Moon 27.1.2. However, I have one issue when using Pale Moon on Linux Mint MATE 18.1 with the default configuration. In the title bar it states that I am running as a superuser, and obviously this is not something to advise. If I look at the hierarchy it looks as if I am running as a user. I do not have this issue in Firefox.
    Terminal states:
    shawn@HPLaptop ~ $ firejail --tree palemoon
    6199:shawn:/usr/bin/firejail /usr/bin/palemoon
    6202:shawn:/usr/bin/firejail /usr/bin/palemoon

    I took a screen print of the browser, but do not know how to attach it.

    Have you any ideas or am I being paranoid?


    1. netblue30 Post author

      It’s fine; some window managers have this problem. The best way to check is to run “ps aux | grep palemoon” in a new terminal. It will tell you Pale Moon runs as a regular user (shawn). It is a window manager bug.


  9. Karl

    Awesome tool, thanks!

    Can you please elaborate on whether there is a recommended way to make sure that a specific application (like Firefox) is only started via Firejail when starting (a) from the shell (without the need to specify “firejail” explicitly) and (b) from the desktop environment of choice (Xfce, GNOME, KDE, …)?

    I can imagine multiple ways but did not start to evaluate them: a shell alias, a correctly placed desktop file which overrides the default one, modifying the application menu entry (Xfce, GNOME, KDE, …) with a modified one, …



    1. netblue30 Post author

      Whatever works for you. We have a tool in the Firejail package that will make a symbolic link from /usr/local/bin/firefox to the firejail executable. As a result, when you run “firefox” in a bash terminal it will actually run “firejail firefox”. In some cases, the same trick seems to take care of applications started from the desktop manager menu. To set the links run “sudo firecfg” (also see “man firecfg”).

      Desktop files also work, but when you update Firefox, the desktop file will be overwritten.

      Another way to do it is to set icons on your desktop.
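The firecfg symlinks described in the reply above only take effect if the directory holding them (/usr/local/bin) comes before the real binary’s directory in PATH; otherwise typing “firefox” quietly starts the unsandboxed program. The function below is an added example, not part of firecfg or Firejail: it resolves a command name through a colon-separated search path the way the shell does and reports whether the first hit is a symlink to the firejail executable. The search path argument is optional and exists so the check can be run against scratch directories.

```shell
# Added example, not part of firecfg or Firejail: confirm that a command name
# on PATH really resolves to one of firecfg's symlinks to the firejail binary.
#
# usage: is_wrapped NAME [SEARCH_PATH]
# Returns 0 if the first NAME found is a symlink to firejail, 1 if it resolves
# to something else (i.e. NAME would run unsandboxed), 2 if NAME is not found.
is_wrapped() {
    name=$1
    search=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    set -- $search          # split SEARCH_PATH on ':' into $1, $2, ...
    IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || dir=.  # an empty PATH entry means the current directory
        candidate="$dir/$name"
        if [ -x "$candidate" ] && [ ! -d "$candidate" ]; then
            # Follow symlinks to the final target; fall back to the path itself
            # if readlink -f is unavailable.
            target=$(readlink -f "$candidate" 2>/dev/null || printf '%s' "$candidate")
            case ${target##*/} in
                firejail) printf '%s -> %s (sandboxed)\n' "$candidate" "$target"; return 0 ;;
                *)        printf '%s (NOT sandboxed)\n' "$candidate"; return 1 ;;
            esac
        fi
    done
    return 2
}

# Example run on a real system after "sudo firecfg":
#   is_wrapped firefox || echo "firefox would start outside the sandbox"
```

Desktop-menu launchers do not consult PATH in the same way, so a passing result here says nothing about the .desktop file; check the Exec= line of that file separately.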


  10. 1llusion

    I just now tried Firejail with Firefox:
    $ firejail firefox
    and it is working nicely. However, one thing that greatly disturbs me is the fact that the title bar of Firefox now says that it is running as root. Do you know anything about that?



  11. Jeff

    Thanks so much for this great addition to the Linux ecosystem. I’m running Ubuntu and trying to use Firejail with Wire ( but get an error that says:


    Reading profile /etc/firejail/generic.profile
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/

    ** Note: you can use –noprofile to disable generic.profile **

    Parent pid 7523, child pid 7524

    Child process initialized
    [2:0331/] Check failed: monitor_.
    #0 0x000001e5855e
    #1 0x000001e6e25b
    #2 0x000000cbe6a6
    #3 0x000001248602
    #4 0x000001e59226
    #5 0x000001e74755
    #6 0x000001e74a48
    #7 0x000001e74e9b
    #8 0x000001e4e669
    #9 0x000001e8d41e
    #10 0x000001eac40a
    #11 0x000002707e36
    #12 0x00000270803e
    #13 0x000001eac4ce
    #14 0x000001ea8a53
    #15 0x7f8142e336ba start_thread
    #16 0x7f813c8c182d clone

    parent is shutting down, bye…


    Any suggestions that might get me around this?
    Thank you.


  12. Daniel11609

    Hello everyone, hey netblue,
    I need help with running multiple instances of Steam using Firejail.
    Another user already asked for this, but he got a different problem.
    I can perfectly run a single instance of Steam plus game using “firejail steam”, but even if I use --private=steam1 steam or something similar, it logs in but the game (in this case CS:GO) won’t run because it detects that it is already running.
    Also, I don’t want to have the game stored in another folder for each instance, just one game folder but different instances of Steam and CS:GO.

    If this is possible with firejail I’d love to get some help I think it might be useful for a lot of people.

    Kind regards


  13. harri

    “firefox --new-instance” can be used to open a new Firefox in a separate sandbox. I often run multiple instances in parallel using that. Without --new-instance, Firefox opens a new tab or new window in some existing sandboxed and running Firefox.


