Firejail: run apps inside a sandbox

Firejail creates a restricted environment for untrusted applications. It’s written in C and it’s lightweight and easy to use.

Installation
Creating sandboxes
Monitoring and management
Desktop integration

Installation

Firejail is available on most Linux-based operating systems (Debian, Arch Linux, etc.). Install firejail using your system package manager.

Creating sandboxes

firejail <options> <command>
# e.g.: firejail firefox

Without arguments, executes user preferred shell (specified in $SHELL). In this case, exit from sandbox by typing exit (or press Ctrl + D).
Firejail does not work with Flatpak or Snap packages.

Some of the available options are:

--name=<name>: set a sanbox name.
--net=none: no network access.
--nosound: disable sound.
--novideo: disable video devices such as the webcam.
--private: mount new /root and /home/user directories in temporary filesystems.
--appimage <appimage file>: sandbox an AppImage.
--disable-mnt: blacklist /mnt, /media, /run/mount and /run/media access.
--blacklist=<folder or file path>: blacklist a folder or file.
--private-bin=<file>, --private-etc=<file,directory>, --private-home=<file,directory>, --private-opt=<file,directory>, --private-srv=<file,directory>: create a new /bin, /etc, /home or /opt with only the files and folders specified.
--private-tmp: create an empty /tmp.
--read-only=<folder or file path>: set directory or file read-only.

Run man firejail for more info.

Monitoring and management

firejail --list: list sandboxes.
firejail --top: top-like statistics.
firejail --tree: print a tree of all sandboxed processes.
firejail --shutdown=<name|pid>: shutdown a sandbox.
firemon <pid>

Desktop integration

A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place is /usr/local/bin directory. For example (run as root or with ‘sudo’):

ln -s /usr/bin/firejail /usr/local/bin/firefox

Verify the right path for your app is the newly created:

$ which firefox
/usr/bin/firefox
$ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
$ which firefox
/usr/local/bin/firefox

When you don’t need to sandbox the application anymore, just delete the symbolic link (run as root or with ‘sudo’):

rm /usr/local/bin/firefox

If you have any suggestion, feel free to contact me via social media or email.

Firejail: run apps inside a sandbox

Table of Contents

Installation

Creating sandboxes

Monitoring and management

Desktop integration

Speech Note: Text-To-Speech, Speech-To-Text and Translations within the same application

Fixing WebGL issues in LibreWolf

How to run CLI scripts inside a GUI environment

Open source projects to follow (XI)

Convert between several markup formats with Pandoc

timeout: run a command with a time limit

Export a manpage to (almost) any format

RSS readers: read feeds with these graphical and command line tools

RS1 Linux News: news aggregator focused on Linux and open source

Open source projects to follow (X)

Joplin: an awesome note-taking application, available on multiple devices

mpv Media Player: one of the best media players on Linux

Mabox Linux: a lightweight Manjaro with Openbox WM

scan4all: a new vulnerability scanner

Using Kali Linux on Linode (VNC)

Alternative search engines: life beyond Google

Ultramarine Linux: Fedora with some useful tweaks

How to run Linux commands on a Google Colab notebook

Limit available system resources per user with Systemd and cgroups

Bliss OS: Android on your PC

Google Colab: some great projects

Quickemu: an alternative to GNOME Boxes for using virtual machines

Running desktop apps on Docker containers: X11 forwarding

List of Linux and FOSS websites