Firejail is a SUID sandboxing program. It reduces the risk of security breaches by restricting the running environment of untrusted applications using, among other things, Linux namespaces and seccomp-bpf. The software includes security profiles for a large number of applications like Mozilla Firefox, Chromium, VLC, or Transmission.
USE flags for sys-apps/firejail Security sandbox for any type of processes
||Enable X11 sandboxing|
||Enable support for custom AppArmor profiles|
||Enable chrooting to custom directory|
||Install contrib scripts|
||Enable DBus proxying to filter access in supporting profiles|
||Enable file transfers between sandboxes and the host system|
||Enable global config file|
||Enable networking features|
||Enable private home feature|
||!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur|
||Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)|
||Enable attaching a new user namespace to a sandbox (--noroot option)|
X USE flag sandbox replaces the regular X11 server with Xpra or Xephyr server. This prevents X11 keyboard loggers and screenshot utilities from accessing the main X11 server but introduces a lot of additional dependencies.
emerge --ask sys-apps/firejail
Firejail comes with numerous default profiles for many popular applications located in /etc/firejail/. In many cases the default profile configuration is sufficient. In addition to configuring a profile users may wish to set up a shortcut to enable firejail to be run by default for their selected application.
The list of preconfigured profiles is available in /etc/firejail/.
If you wish to make customizations for an existing profile simply copy it to your home directory and edit as necessary:
cp /etc/firejail/firefox.profile ~/.config/firejail/firefox.profile
To make a profile for an application without a preconfigured profile you can use the default profile as a basis:
cp /etc/firejail/default.profile ~/.config/firejail/app-name.profile
Here are some example options you may wish to include in a custom profile:
whitelist ~/pictures/ whitelist ~/share/ read-only ~/share/ whitelist ~/dev/WebExtensions/ read-only ~/dev/WebExtensions/ whitelist ~/.cache/fish/ blacklist /mnt blacklist /opt
Using Firejail by default
A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. A good place is /usr/local/bin directory. For example to run Firefox with firejail by default:
ln -s /usr/bin/firejail /usr/local/bin/firefox
This works for clicking on desktop environment icons, menus etc. Use firejail --tree to verify the program is sandboxed.
23615:larry:firejail /usr/bin/firefox 23616:larry:firejail /usr/bin/firefox 23618:larry:/usr/bin/firefox
Alternatively you can create the following file instead and make it executable:
#!/bin/bash firejail /usr/bin/firefox $@
This method allows command line options to be passed to firejail. Remember to make it executable with chmod +x /usr/local/bin/firefox.
To use Firejail by default for all applications for which it has profiles, run the firecfg tool as root.
In the default configuration, firecfg will build a symbolic link for patch, this action will make portage work incorrectly , maybe you need to remove the link or do some configurations for patch
System-wide configuration is set in /etc/firejail/firejail.config. If you have executables in /usr/local/bin corresponding to one of your firejailed applications combined with the
private-bin profile option then make sure
private-bin-no-local is set to
# Remove /usr/local directories from private-bin list, default disabled. private-bin-no-local yes
Optionally you can enable user namespaces in the kernel so they can be utilized by firejail:
General setup ---> Namespaces support ---> <*> User namespace
Usage is simple as:
Private mode can be used as a quick way of hiding all the files in your home directory from sandboxed programs. It is enabled using
--private command line option:
firejail --private firefox
Additionally, firejail can provide full graphical isolation for X11-based programs like firefox; an in-depth tutorial for doing so may be read here.
firejail comes with a tool firemon which can be used to help with troubleshooting. To use it run firemon as root then in a separate terminal start the application you wish to troubleshoot with firejail application.
Consider to use following arguments:
--trace --debug-caps --debug-errnos --debug-syscalls --debug-protocols --debug-blacklists --debug-whitelists --debug-caps --debug-errnos --debug-private-lib --debug-protocols --debug-syscalls
not all executables from --private-bin list were found.
Either disable the
private-bin option in your application profile or ensure
private-bin-no-local yes is set in /etc/firejail/firejail.config.
user namespaces not available in the current kernel.
Make sure user namespaces are set in the kernel.
User:Sakaki/Sakaki's EFI Install Guide/Sandboxing the Firefox Browser with Firejail - tutorial-style article, introducing firejail's protection features in some depth, as well as the additional steps required to fully graphically isolate software such as firefox.