Firejail (sys-apps/firejail, sys-apps/firejail-lts) is a SUID sandboxing program that reduces the risk of security breaches by restricting the running environment of untrusted applications, using Linux namespaces, seccomp-bpf and other kernel features. It ships security profiles for a large number of Linux programs (Mozilla Firefox, Chromium, VLC, Transmission, etc.). Because the binary normally runs setuid root, Firejail itself is privileged attack surface: keep it updated and only enable the USE flags you need.
- 1 Installation
- 2 Configuration
- 3 Usage
- 4 Troubleshooting
- 5 See also
- 6 External resources
USE flags for sys-apps/firejail (Security sandbox for any type of processes):
- apparmor: Enable support for custom AppArmor profiles
- chroot: Enable chrooting to custom directory
- contrib: Install contrib scripts
- debug: Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
- file-transfer: Enable file transfers between sandboxes and the host system
- globalcfg: Enable global config file
- network: Enable networking features
- private-home: Enable private home feature
- seccomp: Enable system call filtering
- suid: Enable setuid root program, with potential security risks
- test: Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
- userns: Enable attaching a new user namespace to a sandbox (--noroot option)
- vim-syntax: Pulls in related vim syntax scripts
- x11: Enable X11 sandboxing
The x11 USE flag replaces the X11 server seen by the sandbox with an Xpra or Xephyr server. This prevents X11 keyboard loggers and screenshot utilities running inside the sandbox from accessing the main X11 server, but pulls in a lot of additional dependencies.
emerge --ask sys-apps/firejail
Alternatively sys-apps/firejail-lts can be used.
Firejail comes with numerous default profiles for popular applications, located in /etc/firejail/; a profile is selected by the name of the program being started. In many cases the default profile is sufficient. Besides adjusting a profile, users may wish to set up a shortcut so that firejail is used by default for their selected application.
To customize an existing profile, copy it to ~/.config/firejail/ (create the directory first if it does not exist) and edit the copy; a profile there takes precedence over the one of the same name in /etc/firejail/:
cp /etc/firejail/firefox.profile ~/.config/firejail/firefox.profile
To make a profile for an application without a preconfigured profile you can use the default profile as a basis:
cp /etc/firejail/default.profile ~/.config/firejail/app-name.profile
Here are some example options you may wish to include in a custom profile. Note that whitelisting is exclusive: as soon as one path under the home directory is whitelisted, every other path under the home directory is hidden from the sandbox, so list everything the application needs:

# paths visible inside the sandbox; everything else under ~ is hidden
whitelist ~/pictures/
whitelist ~/share/
read-only ~/share/
whitelist ~/dev/WebExtensions/
read-only ~/dev/WebExtensions/
whitelist ~/.cache/fish/
# directories hidden from the sandbox entirely
blacklist /mnt
blacklist /opt
Using Firejail by default
A symbolic link to /usr/bin/firejail under the name of a program will start that program in a Firejail sandbox. A good place for it is /usr/local/bin, which normally precedes /usr/bin in PATH. For example, to run Firefox with firejail by default:
ln -s /usr/bin/firejail /usr/local/bin/firefox
This works for clicking on desktop environment icons, menus etc. Use firejail --tree to verify the program is sandboxed; the program should appear as a child of a firejail process:

23615:gentoouser:firejail /usr/bin/firefox
  23616:gentoouser:firejail /usr/bin/firefox
    23618:gentoouser:/usr/bin/firefox
Alternatively, create /usr/local/bin/firefox with the following content and make it executable with chmod +x /usr/local/bin/firefox:

#!/bin/bash
# quote "$@" so arguments containing spaces reach firefox intact
exec firejail /usr/bin/firefox "$@"

Unlike the symlink, this wrapper lets you pass additional command line options to firejail.
To use Firejail by default for all applications for which it has profiles, run the firecfg tool as root; it creates the corresponding symlinks in /usr/local/bin. Run firecfg --clean as root to remove them again.
System-wide configuration is set in /etc/firejail/firejail.config. If /usr/local/bin contains executables (the symlinks or wrapper scripts above) for applications whose profile uses the private-bin option, make sure private-bin-no-local is set to yes, so that the firejail symlinks there are not copied into the sandbox's private /bin in place of the real binaries:

# Remove /usr/local directories from private-bin list, default disabled.
private-bin-no-local yes
Optionally, enable user namespaces in the kernel (CONFIG_USER_NS) so firejail can use them; this is required by the --noroot option (userns USE flag):

General setup --->
    Namespaces support --->
        [*] User namespace
Usage is as simple as prefixing the command with firejail, for example:

firejail firefox

Private mode is a quick way of hiding all the files in your home directory from a sandboxed program. It is enabled with the --private command line option, which mounts an empty temporary home directory instead; changes made there are discarded when the sandbox exits:

firejail --private firefox
Additionally, firejail can provide full graphical isolation for X11-based programs like Firefox (see the x11 USE flag); an in-depth tutorial is listed under External resources below.
firejail comes with a tool, firemon, which helps with troubleshooting. Run firemon as root, then in a separate terminal start the application you wish to troubleshoot with firejail application; firemon lists the running sandboxes and the events it observes.
not all executables from --private-bin list were found.

Either disable the private-bin option in your application profile or ensure private-bin-no-local yes is set in /etc/firejail/firejail.config.

user namespaces not available in the current kernel.

Make sure user namespaces (CONFIG_USER_NS) are enabled in the kernel, or run without --noroot.
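Both messages above, and the private-bin-no-local setting from the configuration section, can be checked before launching an application. The following script is an added example written for this article; it is not part of firejail or of the Gentoo packaging. It takes the profile path and optionally the path to firejail.config (the default /etc/firejail/firejail.config is assumed), mimics firejail's lookup rules as described on this page (plain private-bin names are searched in PATH, directories under /usr/local are skipped when private-bin-no-local is yes) and detects user namespace support through /proc/self/ns/user, which only exists on kernels built with CONFIG_USER_NS.

```shell
#!/bin/sh
# firejail-check.sh: pre-flight checks for the two troubleshooting cases above.
# Added example for this article, not part of firejail.
# Assumptions: $1 is a firejail profile, $2 (optional) is firejail.config.

# Print every name from the profile's private-bin lines that cannot be
# resolved. Absolute paths are tested directly; plain names are searched in
# PATH. When the config contains "private-bin-no-local yes", directories
# under /usr/local are skipped, which is where firecfg and hand-made
# wrapper symlinks live.
missing_private_bins() {
    profile=$1
    config=${2:-/etc/firejail/firejail.config}
    skip_local=0
    if [ -r "$config" ] && grep -Eq '^[[:space:]]*private-bin-no-local[[:space:]]+yes' "$config"; then
        skip_local=1
    fi
    # "private-bin a,b,c" lines: split the comma-separated list, one name per line
    grep -E '^[[:space:]]*private-bin[[:space:]]+' "$profile" \
        | sed -E 's/^[[:space:]]*private-bin[[:space:]]+//' \
        | tr ',' '\n' \
        | sed -E 's/^[[:space:]]+//;s/[[:space:]]+$//' \
        | while IFS= read -r name; do
            [ -n "$name" ] || continue
            found=0
            case $name in
            /*)
                if [ -x "$name" ]; then found=1; fi
                ;;
            *)
                oldifs=$IFS
                IFS=:
                for dir in $PATH; do
                    if [ "$skip_local" -eq 1 ]; then
                        case $dir in /usr/local/*) continue ;; esac
                    fi
                    if [ -x "$dir/$name" ]; then
                        found=1
                        break
                    fi
                done
                IFS=$oldifs
                ;;
            esac
            if [ "$found" -eq 0 ]; then
                printf '%s\n' "$name"
            fi
        done
}

# Return 0 when the running kernel provides user namespaces (CONFIG_USER_NS),
# which firejail's --noroot option (USE=userns) needs; 1 otherwise.
userns_available() {
    # the user namespace link only exists on kernels built with CONFIG_USER_NS
    [ -e /proc/self/ns/user ] || return 1
    # a kernel may have the feature built in but cap the namespace count at zero
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ] || return 1
    fi
    return 0
}

# Usage: firejail-check.sh PROFILE [CONFIG]
if [ "$#" -ge 1 ]; then
    missing=$(missing_private_bins "$1" "${2:-}")
    if [ -n "$missing" ]; then
        printf 'private-bin entries not found: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')"
    fi
    if ! userns_available; then
        echo 'user namespaces not available: enable CONFIG_USER_NS or run without --noroot'
    fi
fi
```

Run it as firejail-check.sh ~/.config/firejail/firefox.profile before launching the application; an empty report means every private-bin entry resolves under the current private-bin-no-local setting and --noroot will not fail for lack of user namespaces.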
Sakaki's EFI Install Guide/Sandboxing the Firefox Browser with Firejail - tutorial-style article, introducing firejail's protection features in some depth, as well as the additional steps required to fully graphically isolate software such as firefox.