Firejail – Securely Run Untrusted Applications in Linux

Sometimes you may want to use applications that have not been well tested in different environments, yet you must use them. In such cases, it is normal to be concerned about the security of your system. One thing that can be done in Linux is to use applications in a sandbox.

Sandboxing” is the ability to run application in a limited environment. That way the application is provided a tighten amount of resources, needed to run. Thanks to application called Firejail, you can safely run untrusted applications in Linux.

Firejail is a SUID (Set Owner User ID) application that decrease the exposure of security breaches by limiting the running environment of untrusted programs using Linux namespaces and seccomp-bpf.

It makes a process and all its descendants to have their own secret view of the globally shared kernel resources, such as the network stack, process table, mount table.

Some of the features that Firejail uses:

  • Linux namespaces
  • Filesystem container
  • Security filters
  • Networking support
  • Resource allocation

Detailed information about Firejail features can be found in the official page.

How to Install Firejail in Linux

The installation can be completed by downloading the latest package from the project’s github page using git command as shown.

$ git clone https://github.com/netblue30/firejail.git
$ cd firejail
$ ./configure && make && sudo make install-strip

In case you don’t have git installed on your system, you can install it with:

$ sudo apt install git  [On Debian/Ubuntu]
# yum install git       [On CentOS/RHEL]
# dnf install git       [On Fedora 22+]

An alternative way of installing firejail is to download the package associated with your Linux distribution and install it with its package manager. Files can be downloaded from SourceForge page of the project. Once you have the file downloaded, you can install it with:

$ sudo dpkg -i firejail_X.Y_1_amd64.deb   [On Debian/Ubuntu]
$ sudo rpm -i firejail_X.Y-Z.x86_64.rpm   [On CentOS/RHEL/Fedora]

How to Run Applications with Firejail in Linux

You are now ready to run your applications with firejail. This is accomplished by launching a terminal and adding firejail before the command you wish to run.

Here is an example:

$ firejail firefox    #start Firefox web browser
$ firejail vlc        # start VLC player

Create Security Profile

Firejail includes many security profiles for different applications and they are stored in:

/etc/firejail

If you have build the project from source, you can find the profiles in:

# path-to-firejail/etc/

If you have used the rpm/deb package, you can find the security profiles in:

/etc/firejail/

Users, should place their profiles in the following directory:

~/.config/firejail

If you want to extend an existing security profile, you can use include with path to the profile and add your lines afterwards. This should look something like this:

$ cat ~/.config/firejail/vlc.profile

include /etc/firejail/vlc.profile
net none

If you wish to restrict access of application to certain directory, you can use a blacklist rule to achieve exactly that. For example, you can add the following to your security profile:

blacklist ${HOME}/Documents

Another way to achieve the same result is to actually describe the full path to the folder you wish to restrict:

blacklist /home/user/Documents

There are many different ways in which you can configure your security profiles, such as disallowing access, allowing read-only access etc. If you are interested in building custom profiles, you can check the following firejail instructions.

Firejail is an awesome tool for the security minded users, who want to protect their system.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Marin Todorov
I am a bachelor in computer science and a Linux Foundation Certified System Administrator. Currently working as a Senior Technical support in the hosting industry. In my free time I like testing new software and inline skating.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

2 Comments

Leave a Reply
  1. Firejail can be used to sandbox and secure ANY application, whether trusted or untrusted.

    Firejail users should also download/install Firetools package which provides a GUI front end for Firejail as well as other helpful options.

    Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.