Firejail

Firejail is a SUID sandboxing program that reduces the risk of security breaches by restricting the running environment of untrusted applications using, inter alia, Linux namespaces and seccomp-bpf. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc.

USE flags
The USE flag sandbox replaces the regular X11 server with an Xpra or Xephyr server. This prevents X11 keyloggers and screenshot utilities from accessing the main X11 server, but pulls in many additional dependencies.

Emerge
Alternatively can be used.

Configuration
Firejail comes with numerous default profiles for many popular applications, located in. In many cases the default profile is sufficient. In addition to configuring a profile, users may wish to set up a shortcut so that firejail is used by default for their selected applications.

Profiles
The list of preconfigured profiles is available in.

If you wish to customize an existing profile, copy it to your home directory and edit it as necessary:

To make a profile for an application that has no preconfigured profile, you can use the default profile as a basis:

Here are some example options you may wish to include in a custom profile:
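The profile below is an added illustration, not one of the profiles shipped with Firejail and not taken from this page: the program name myapp and its paths are made up. Every directive used is a real Firejail profile keyword; the comments say what each one restricts. Firejail looks for per-user profiles in ~/.config/firejail, so saving this file as ~/.config/firejail/myapp.profile makes it apply whenever myapp is started through firejail.

```conf
# Constructed example profile for a hypothetical program "myapp".
# Save as ~/.config/firejail/myapp.profile; a per-user profile takes
# precedence over a file of the same name in /etc/firejail.

# Reuse the project's blacklists of sensitive paths (ssh keys, shell
# history, other programs' configuration, development tools) instead of
# enumerating them yourself.
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc

# Filesystem. As soon as anything under $HOME is whitelisted, the rest of
# $HOME is hidden, so list exactly the directories the program needs.
whitelist ${HOME}/.config/myapp
whitelist ${HOME}/Downloads
# Minimal /dev and an empty, private /tmp.
private-dev
private-tmp
# Only the binaries listed here are visible inside the sandbox. Add any
# interpreter or helper the program executes. Every name must exist on the
# host, otherwise firejail reports the --private-bin error discussed in the
# firemon section.
private-bin myapp

# Privileges: drop all capabilities, forbid regaining privileges (for
# example via SUID binaries), no root user inside the sandbox, no
# supplementary groups, and a seccomp filter against dangerous system calls.
caps.drop all
noroot
nonewprivs
nogroups
seccomp

# Network: allow only Unix and IPv4/IPv6 sockets (enforced through seccomp).
# If the program needs no network at all, use "net none" instead.
protocol unix,inet,inet6
```

To check how the profile resolves before trusting it, start the program once from a terminal without the --quiet option and read the messages firejail prints while building the sandbox; a typo in a whitelist path or a missing private-bin entry shows up there.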

Using Firejail by default
A symbolic link to under the name of a program will start that program in a Firejail sandbox. A good place is. For example, to run Firefox with firejail by default:

This also covers programs started from desktop environment icons, menus, etc. Use to verify that the program is sandboxed.

Alternatively you can create the following file instead and make it executable:

This method allows command-line options to be passed to firejail. Remember to make the file executable with.

To use Firejail by default for all applications for which it has profiles, run the firecfg tool as root.

System-wide Configuration
System-wide configuration is set in. If you have executables in corresponding to one of your firejailed applications, combined with the profile option, then make sure is set to.

Kernel
Optionally you can enable user namespaces in the kernel so they can be utilized by firejail:

Usage
Usage is as simple as:

Private mode is a quick way of hiding all the files in your home directory from sandboxed programs. It is enabled using the command-line option:

Additionally, can provide full graphical isolation for X11-based programs like ; an in-depth tutorial for doing so may be read here.

firemon
Firejail ships with a tool, firemon, that helps with troubleshooting. To use it, run as root, then in a separate terminal start the application you wish to troubleshoot with.

not all executables from --private-bin list were found.
Either disable the option in your application profile or ensure is set in.

user namespaces not available in the current kernel.
Make sure user namespaces are set in the kernel.
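The script below is an added example, not part of this page or of the Firejail project. It serves three passages above: verifying that a program really is sandboxed (the "Using Firejail by default" section), the kernel user-namespace option (the "Kernel" section), and the "user namespaces not available" error just described. Instead of trusting the command line, it reads the kernel's own view of the process from /proc. It assumes a Linux /proc is mounted, that the profile in use enables a seccomp filter and no_new_privs (as /etc/firejail/default.profile does), and that Firejail exports the environment variable container=firejail inside the sandbox. Run it once plainly and once under firejail and compare the two reports.

```shell
#!/bin/sh
# Added example (not Firejail's own code): report whether the current process
# runs under Firejail's usual restrictions and whether the kernel offers user
# namespaces. Compare:
#     sh sandbox-check.sh
#     firejail --quiet sh sandbox-check.sh
# Assumptions: /proc is mounted; the active profile enables seccomp filtering
# (Seccomp: 2) and no_new_privs (NoNewPrivs: 1); Firejail sets
# container=firejail in the sandbox environment.

# Print one field of a /proc/<pid>/status file. $1 = field name, $2 = file.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }' "$2"
}

# Translate the kernel's Seccomp field (0/1/2) into words.
seccomp_mode() {
    case $(status_field Seccomp "$1") in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Verdict for one status file: "sandboxed" only when both a seccomp filter
# and no_new_privs are active; otherwise name what is missing.
sandbox_verdict() {
    missing=""
    [ "$(seccomp_mode "$1")" = filter ] || missing="$missing seccomp"
    [ "$(status_field NoNewPrivs "$1")" = 1 ] || missing="$missing no_new_privs"
    if [ -z "$missing" ]; then
        echo sandboxed
    else
        echo "not sandboxed: missing$missing"
    fi
}

# User namespaces: the kernel creates /proc/<pid>/ns/user only when built
# with CONFIG_USER_NS, which is what the "user namespaces not available"
# error is about. $1 = a /proc/<pid>/ns directory.
userns_available() {
    if [ -e "$1/user" ]; then echo yes; else echo no; fi
}

# Report for the current shell. Nothing here exits, so the file can also be
# sourced to reuse the functions.
echo "container env:   ${container:-<unset>}"
echo "seccomp:         $(seccomp_mode /proc/self/status)"
echo "no_new_privs:    $(status_field NoNewPrivs /proc/self/status)"
echo "user namespaces: $(userns_available /proc/self/ns)"
echo "verdict:         $(sandbox_verdict /proc/self/status)"
```

A plain shell normally reports seccomp disabled, no_new_privs 0 and the container variable unset; the same script started through firejail should report filter, 1, firejail and the verdict "sandboxed". If "user namespaces" reads no, the kernel was built without CONFIG_USER_NS, which matches the firemon error above.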

External resources

 * Basic Usage on the Firejail Wordpress
 * Firefox Guide on the Firejail Wordpress
 * Firejail on the Arch Wiki