Firejail: sandbox processes on Linux

Firejail is a restricted sandbox primarily intended for running browsers, but it works with any other program. Downloading unverified binaries is particularly dangerous: rogue binaries may harm the system directly or open up channels for an adversary to access it. Though Linux is known to be less prone to virus and malware attacks, it is always advisable not to compromise on security; a firewall and antivirus software are recommended. Firejail reduces the risk of security breaches by using Linux namespaces, a virtualization technology available in the Linux kernel. Namespaces allow a process and all its descendants to have their own private view of globally shared kernel resources such as the network stack, process table, mount table and IPC space.

Firejail is implemented in C and needs only the C library and POSIX threads library, which are available by default on any Linux system. The main features are:

  • Linux namespaces support: mount, UTS, IPC, PID, network
  • Process separation
  • Filesystem support: local filesystem mounted read-only, chroot filesystem, and overlay filesystem
  • Support for running multiple sandboxes on top of the same filesystem
  • Server sandboxing
  • GUI application sandboxing
  • User login session sandboxing
  • Private mode
  • Filesystem security profile support; default security profiles for Firefox, Midori and Evince
  • Bash, zsh and csh shell support
  • Seccomp support
  • Linux capabilities support
  • Extensive networking support
  • Extensive monitoring support
  • and more…

Firejail can be compiled easily on any Linux platform, or prebuilt packages can be downloaded from the project site.

Usage:

$ firejail firefox
OR
$ firejail program_name
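The feature list above (namespaces, private mode, seccomp, capabilities) becomes more concrete when you check what the sandbox actually enforces. The following POSIX shell script is an added example and not code from the Firejail project: it launches a program with an explicitly restricted set of real Firejail flags and, when invoked with the argument "report" from inside that sandbox, reads /proc and /sys to confirm that a seccomp-bpf filter is active, that every capability has been dropped and that no network interface other than loopback is visible. The script name sandbox.sh and the particular combination of flags are my own choices.

```shell
#!/bin/sh
# Added example, not code from the Firejail project. Launches a program in a
# tightly restricted sandbox and, when run with the argument "report" from
# inside that sandbox, verifies what the kernel actually enforces.

# Sandbox options (all real Firejail flags; this combination is my choice):
#   --noprofile      do not load a default profile; only the flags below apply
#   --private        temporary private home directory, discarded on exit
#   --net=none       new network namespace with only the loopback interface
#   --seccomp        enable Firejail's default seccomp-bpf syscall filter
#   --caps.drop=all  drop every Linux capability
#   --noroot         user namespace in which root does not exist
FJ_OPTS="--noprofile --private --net=none --seccomp --caps.drop=all --noroot"

# Print the full command line without running it (useful for review/logging).
firejail_cmd() {
    printf 'firejail %s -- %s\n' "$FJ_OPTS" "$*"
}

# Run a program under the sandbox; returns 127 if firejail is not installed.
run_confined() {
    command -v firejail >/dev/null 2>&1 || { echo "firejail not installed" >&2; return 127; }
    # FJ_OPTS is intentionally unquoted so that it is word-split into flags.
    firejail $FJ_OPTS -- "$@"
}

# Seccomp mode of the calling process: 0 = off, 1 = strict, 2 = filter (BPF).
# Missing line (kernel without seccomp) is reported as 0.
seccomp_mode() {
    awk '/^Seccomp:/ { m = $2 } END { print (m == "" ? 0 : m) }' /proc/self/status
}

# Effective capability set of the calling process as the 16-hex-digit mask
# from /proc; "0000000000000000" means no capabilities at all.
cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Number of network interfaces other than loopback visible in this namespace.
nonloop_ifaces() {
    { ls /sys/class/net 2>/dev/null || true; } | grep -v '^lo$' | wc -l | tr -d ' '
}

# Summarise the checks and return 0 only if the process is fully confined:
# BPF filter active, no capabilities, nothing but loopback on the network.
sandbox_report() {
    m=$(seccomp_mode); c=$(cap_eff); n=$(nonloop_ifaces)
    printf 'seccomp=%s capeff=%s extra_ifaces=%s\n' "$m" "$c" "$n"
    [ "$m" = 2 ] && [ "$c" = 0000000000000000 ] && [ "$n" = 0 ]
}

# Usage (copy the script to /tmp first, because --private hides your real home):
#   sh /tmp/sandbox.sh sh /tmp/sandbox.sh report   # confined self-check
#   sh /tmp/sandbox.sh firefox                      # confined browser
case "${1:-}" in
    report) sandbox_report ;;
    "")     ;;                     # no arguments: define functions only
    *)      run_confined "$@" ;;
esac
```

Run outside any sandbox, sandbox_report normally prints seccomp=0 and a non-zero capability mask for a root shell or at least the interfaces of the host, and exits non-zero; run through run_confined it should print seccomp=2, capeff=0000000000000000 and extra_ifaces=0. Comparing the two outputs is a quick, scriptable way to confirm that the sandbox options you think you enabled really reached the process.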

Webpage: Firejail
