Firejail

Firejail is a lightweight security tool intended to protect a Linux system by setting up a restricted environment for running (potentially untrusted) applications.

More specifically, it is an SUID sandbox program that reduces the risk of security breaches by using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table and mount table. Firejail can work in an SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.

The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.

Videos

<table> <tr> <td> <a href="https://odysee.com/@netblue30:9/install" target="_blank"> <img src="https://thumbs.odycdn.com/f19bcfa08c2b35658dc18f4e2fd63f3f.webp" alt="Quick Start" width="240" height="142" border="10" /> <br/>Quick Start </a> </td> <td> <a href="https://odysee.com/@netblue30:9/firefox" target="_blank"> <img src="https://thumbs.odycdn.com/acf4b1c66737feb97640fb1d28a7daa6.png" alt="Advanced Browser Security" width="240" height="142" border="10" /> <br/>Advanced Browser Security </a> </td> <td> <a href="https://odysee.com/@netblue30:9/tor" target="_blank"> <img src="https://thumbs.odycdn.com/f6aa82bd7b86b2f17caed03ccb870d2b.webp" alt="Tor Browser Security" width="240" height="142" border="10" /> <br/>Tor Browser Security </a> </td> </tr> </table>

Links

• Project webpage: https://firejail.wordpress.com/
• IRC: https://web.libera.chat/#firejail
• Download and Installation: https://firejail.wordpress.com/download-2/
• Features: https://firejail.wordpress.com/features-3/
• Documentation: https://firejail.wordpress.com/documentation-2/
• FAQ: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
• Wiki: https://github.com/netblue30/firejail/wiki
• GitHub Actions: https://github.com/netblue30/firejail/actions
• GitLab CI: https://gitlab.com/Firejail/firejail_ci/pipelines
• Debian CI: https://salsa.debian.org/reiner/firejail
• Debian Package Tracker: https://tracker.debian.org/pkg/firejail
• Ubuntu PPA: https://launchpad.net/~deki/+archive/ubuntu/firejail
• Video Channel: https://odysee.com/@netblue30:9?order=new
• Backup Video Channel: https://www.bitchute.com/profile/JSBsA1aoQVfW/

Security vulnerabilities

See SECURITY.md.

Installing

For the supported versions, see SECURITY.md.

Debian

Note: The versions from Debian stable and backports are likely to be outdated, so currently we recommend either downloading and installing the .deb package from the latest release:

• https://github.com/netblue30/firejail/releases/latest

Or building from source.

<details> <summary>Old instructions</summary>

Debian stable (bullseye): We recommend to use the backports package.

</details>

Ubuntu

Note: The versions from the distribution and PPA are likely to be outdated, so currently we recommend either downloading and installing the .deb package from the latest release:

• https://github.com/netblue30/firejail/releases/latest

Or building from source.

<details> <summary>Old instructions</summary>

Note: The PPA recommendation is mainly for firejail itself; it should be fine to install firetools and firejail-related tools directly from the distribution if they are not in the PPA as they tend to be updated less frequently.

For Ubuntu 18.04+ and derivatives (such as Linux Mint), users are strongly advised to use the PPA.

How to add and install from the PPA:

sudo add-apt-repository ppa:deki/firejail
sudo apt-get update
sudo apt-get install firejail firejail-profiles

Reason: The firejail package for Ubuntu 20.04 has been left vulnerable to CVE-2021-26910 for months after a patch for it was posted on Launchpad:

• CVE-2021-26910
• firejail version in Ubuntu 20.04 LTS is vulnerable to CVE-2021-26910

See also https://wiki.ubuntu.com/SecurityTeam/FAQ:

What software is supported by the Ubuntu Security team?

Ubuntu is currently divided into four components: main, restricted, universe and multiverse. All binary packages in main and restricted are supported by the Ubuntu Security team for the life of an Ubuntu release, while binary packages in universe and multiverse are supported by the Ubuntu community.

Additionally, the PPA version is likely to be more recent and to contain more profile fixes.

See the following discussions for details:

• Should I keep using the version of firejail available in my distro repos?
• How to install the latest version on Ubuntu and derivatives

</details>

Other

Firejail is available in multiple Linux distributions:

<details> <summary>Repology</summary> <p>

</p> </details>

Other than the aforementioned exceptions, as long as your distribution provides a supported version of firejail, it's generally a good idea to install it from the distribution.

The version can be checked with firejail --version after installing.

You can also install one of the released packages.

Building

Instructions for building and installing the current development version from source.

It is recommended to use the distribution-specific instructions below when applicable, as they generate native packages, which should make integration with the rest of the system and package management easier.

For other distributions, see the generic instructions.

See also .gitlab-ci.yml for how distribution-specific builds are done in CI.

Arch

Note: The AUR package is not maintained by us.

Install firejail-git from the AUR.

Example:

yay -S firejail-git

Debian

For Debian, Ubuntu and derivatives:

Note: Any ./configure flags should be passed to mkdeb.sh (such as ./mkdeb.sh --enable-foo).

sudo apt-get update -qy
sudo apt-get install -qy \
  git build-essential fakeroot lintian libapparmor-dev pkg-config gawk
git clone 'https://github.com/netblue30/firejail.git' &&
cd firejail &&
./configure &&
make dist &&
./mkdeb.sh &&
sudo dpkg -i ./*.deb &&
make installcheck

Fedora

For Fedora and derivatives:

Note: Any ./configure flags should be passed to mkrpm.sh (such as ./platform/rpm/mkrpm.sh --enable-foo).

sudo dnf update -y
sudo dnf install -y rpm-build gcc make
git clone 'https://github.com/netblue30/firejail.git' &&
cd firejail &&
./configure &&
make dist &&
./platform/rpm/mkrpm.sh &&
sudo rpm -i ./*.rpm &&
make installcheck

Generic

Generic build/install instructions:

git clone 'https://github.com/netblue30/firejail.git' &&
cd firejail &&
./configure &&
make -j "$(nproc)" &&
sudo make install-strip &&
make installcheck

On Debian/Ubuntu you will need to install git and gcc.

To build with AppArmor support (which is usually used on Debian, Ubuntu, openSUSE and derivatives), install the AppArmor development libraries and pkg-config and use the --enable-apparmor ./configure option:

sudo apt-get install git build-essential libapparmor-dev pkg-config gawk

To build with SELinux support (which is usually used on Fedora, RHEL and derivatives), install libselinux1-dev (libselinux-devel on Fedora) and use the --enable-selinux ./configure option.

Detailed information on using firejail from git is available