
Firejail Linux App Sandboxing: Complete Security Guide

Sandbox any Linux application with Firejail to restrict filesystem, network, and system call access. Protect your system from untrusted apps.


Running untrusted applications, browsers, or media players without isolation is a significant security risk. Firejail is a SUID sandboxing program that restricts the environment of Linux processes using Linux namespaces, seccomp-bpf, and filesystem sandboxing. It requires no root privileges to run and works with almost any application out of the box.

Why Use Firejail?

When an application is compromised — through a malicious PDF, a browser exploit, or a supply-chain attack — it normally has full access to your home directory, your SSH keys, your GPG keyring, and your entire filesystem. Firejail limits this damage by:

  • Restricting filesystem access — the sandbox sees only what you allow
  • Filtering system calls with seccomp-bpf profiles
  • Isolating network namespaces — some apps get no internet access at all
  • Dropping Linux capabilities that applications don’t need

Installing Firejail

Debian/Ubuntu

sudo apt update && sudo apt install firejail

Fedora/RHEL

sudo dnf install firejail

Arch Linux

sudo pacman -S firejail

From Source (Latest Version)

git clone https://github.com/netblue30/firejail.git
cd firejail
./configure && make
sudo make install-strip

After installation, verify it works:

firejail --version

Basic Usage

The simplest way to sandbox an application is to prefix it with firejail:

firejail firefox
firejail vlc
firejail evince suspicious.pdf

Firejail automatically applies a built-in security profile if one exists for the application. Check available profiles:

ls /etc/firejail/*.profile | head -20

Firejail ships with over 900 pre-built profiles for common applications including Firefox, Chromium, LibreOffice, VLC, Transmission, and many more.

Understanding Firejail Profiles

A Firejail profile defines exactly what a sandboxed process can and cannot access. System profiles live in /etc/firejail/; per-user profiles live in ~/.config/firejail/, and a per-user profile with the same name takes precedence over the system copy.

Example: Firefox Profile Snippet

# /etc/firejail/firefox.profile
include firefox-common.profile

# Restrict home directory access
whitelist ${HOME}/.mozilla
whitelist ${HOME}/Downloads
whitelist ${HOME}/Desktop

# Block sensitive directories
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.config/keepassxc

Creating a Custom Profile

Create ~/.config/firejail/myapp.profile:

# Custom profile for myapp
include default.profile

# Only allow access to specific directories
whitelist ${HOME}/Documents/myapp-data
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg

# No network access
net none

# Drop dangerous capabilities
caps.drop all
noroot

Run it (the profile is also picked up automatically by a plain firejail myapp, because it is named after the program and sits in ~/.config/firejail/):

firejail --profile=~/.config/firejail/myapp.profile myapp
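Writing a profile is only half the job; the other half is confirming the sandbox actually hides what the profile says. The script below is an added example (not part of Firejail or of this guide's original text): it runs small probes under a sandbox command prefix, which defaults to the myapp.profile path used above, and reports whether ~/.ssh and ~/.gnupg are hidden, whether only the loopback interface remains, and whether the capability bounding set is empty.

```shell
#!/bin/sh
# Check that a custom profile really enforces what it declares. SANDBOX is the
# command prefix the probes run under; the default assumes the profile path used
# above, and an empty SANDBOX shows the unsandboxed baseline for comparison.
: "${SANDBOX=firejail --quiet --profile=$HOME/.config/firejail/myapp.profile}"

# Run a command under the sandbox prefix (word splitting of $SANDBOX is intended).
run_in() { $SANDBOX "$@"; }

# 0 when PATH shows nothing inside the sandbox: it does not exist, or it is the
# empty file/directory that a blacklist mounts over the real one.
path_hidden() {
    ! run_in sh -c 'if [ -d "$1" ]; then [ -n "$(ls -A "$1" 2>/dev/null)" ]; else [ -s "$1" ]; fi' sh "$1"
}

# 0 when only the loopback interface exists inside the sandbox (what 'net none' leaves).
net_isolated() {
    others=$(run_in sh -c 'ls /sys/class/net' | grep -v '^lo$' || true)
    [ -z "$others" ]
}

# 0 when the capability bounding set is empty (what 'caps.drop all' leaves;
# CapEff is already zero for an unprivileged user, so the bounding set is the
# meaningful indicator).
caps_dropped() {
    bnd=$(run_in sh -c 'grep CapBnd /proc/self/status' | awk '{print $2}')
    [ "$bnd" = "0000000000000000" ]
}

# Print PASS/FAIL for one expectation and return its status.
expect() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; return 1; fi
}

# The checks a profile like myapp.profile should pass.
verify_profile() {
    rc=0
    expect "~/.ssh hidden"   path_hidden "$HOME/.ssh"   || rc=1
    expect "~/.gnupg hidden" path_hidden "$HOME/.gnupg" || rc=1
    expect "no network"      net_isolated               || rc=1
    expect "no capabilities" caps_dropped               || rc=1
    return "$rc"
}

# Run the checks when invoked as: sh check-profile.sh run
if [ "${1:-}" = run ]; then verify_profile; fi
```

Running it with SANDBOX="" first is a useful sanity check: the same probes should then report the paths as visible, which proves the probes themselves work before you trust a PASS under Firejail.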

Key Firejail Options

Option            Effect
--net=none        Disable all network access
--noroot          Disable root escalation inside sandbox
--private         Use temporary home directory
--private-tmp     Use empty /tmp
--seccomp         Enable seccomp system call filter
--caps.drop=all   Drop all Linux capabilities
--no3d            Disable 3D acceleration (useful for GPU exploit mitigation)
--nodvd           Disable DVD/CD access
--nosound         Disable audio

Sandboxing with No Network

Run a PDF viewer with no network and a private home. Plain --private replaces your home with an empty temporary directory, so a file under ~/Downloads would not exist inside the sandbox; --private=DIR instead uses DIR as the sandbox's home, so the file is reachable there as ~/document.pdf:

firejail --net=none --private=~/Downloads evince ~/document.pdf

Sandboxing with a Private Home

firejail --private firefox

This gives Firefox a fresh, empty home directory — no existing cookies, profiles, or saved passwords. When you close it, all data is discarded.

Firetools: GUI Frontend

Firetools provides a graphical interface for managing Firejail sandboxes:

sudo apt install firetools

It shows a list of running sandboxed processes and lets you launch applications with profiles through a point-and-click interface — useful for users who prefer not to use the terminal for every launch.

Integrating Firejail with Desktop Launchers

Make Firejail the default for an application by copying its .desktop file into your per-user application directory (the per-user copy overrides the system one) and editing the Exec line. Copy it as your normal user, not with sudo: a root-owned copy could not be edited in the next step.

cp /usr/share/applications/firefox.desktop ~/.local/share/applications/
nano ~/.local/share/applications/firefox.desktop

Change the Exec line:

# Before
Exec=firefox %u

# After
Exec=firejail firefox %u

Now every time you click the Firefox icon in your application menu, it launches in a Firejail sandbox automatically.
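Editing the Exec line by hand covers the main entry only; many launchers carry further Exec= lines under [Desktop Action ...] sections (a "new private window" action, for instance), and those would still start the application unsandboxed. The script below is an added example (not Firejail's own tooling): it makes the per-user copy and wraps every Exec= line, skipping lines that are already wrapped so it can be re-run safely. The demo function builds a constructed .desktop file in a temporary directory; the source and destination directory arguments are assumptions for illustration.

```shell
#!/bin/sh
# Make a per-user copy of APP.desktop with every Exec= line wrapped in firejail.
# Usage: wrap_desktop APP [SRC_DIR] [DST_DIR]; prints the path of the copy.
wrap_desktop() {
    app=$1
    src=${2:-/usr/share/applications}/$app.desktop
    dstdir=${3:-$HOME/.local/share/applications}
    [ -f "$src" ] || { echo "wrap_desktop: $src not found" >&2; return 1; }
    mkdir -p "$dstdir"
    # Prefix every Exec= line unless it already starts with firejail (idempotent).
    sed -e '/^Exec=firejail /!s/^Exec=/Exec=firejail /' "$src" > "$dstdir/$app.desktop"
    echo "$dstdir/$app.desktop"
}

# Count Exec= lines in FILE that are not wrapped; 0 means fully wrapped.
unwrapped_exec_count() {
    grep '^Exec=' "$1" | grep -vc '^Exec=firejail ' || true
}

# Demo on a constructed launcher (main entry plus one Desktop Action) in a temp
# dir. Prints three counts: wrapped lines, unwrapped lines, and double-wrapped
# lines after running the wrapper a second time over its own output.
demo_wrap() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src"
    cat > "$tmp/src/demoapp.desktop" <<'EOF'
[Desktop Entry]
Name=Demo App
Exec=demoapp %u
Actions=private;
[Desktop Action private]
Name=New Private Window
Exec=demoapp --private-window %u
EOF
    first=$(wrap_desktop demoapp "$tmp/src" "$tmp/dst")
    second=$(wrap_desktop demoapp "$tmp/dst" "$tmp/dst2")
    wrapped=$(grep -c '^Exec=firejail ' "$first" || true)
    unwrapped=$(unwrapped_exec_count "$first")
    doubled=$(grep -c '^Exec=firejail firejail' "$second" || true)
    rm -rf "$tmp"
    echo "$wrapped $unwrapped $doubled"
}
```

For the real launcher, call wrap_desktop firefox and then check the copy with unwrapped_exec_count; a non-zero count means an action would still escape the sandbox.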

Monitoring Sandboxed Processes

List all currently sandboxed processes:

firejail --list

Join a running sandbox for debugging:

firejail --join=PID

Monitor network traffic statistics for every running sandbox that has its own network namespace:

firejail --netstats

Combining Firejail with AppArmor

On Ubuntu systems with AppArmor enabled, you can stack Firejail with AppArmor profiles for defense-in-depth. Run it as your normal user: Firejail is SUID and needs no sudo, and launching it under sudo would start Firefox as root, which defeats the purpose of sandboxing.

firejail --apparmor firefox

This applies both Firejail’s namespace isolation and AppArmor’s MAC policy simultaneously. It requires a Firejail build with AppArmor support and its firejail-default AppArmor profile loaded, which the distribution package normally provides.

Common Pitfalls

Profile conflicts: If an app behaves strangely under Firejail, check for profile errors:

firejail --debug firefox 2>&1 | grep -i error

Missing whitelists: Applications that store config in non-standard locations may need custom whitelist entries added to their profile.

SUID issues: Some apps that require SUID bits may fail inside Firejail. Use --caps.keep=setuid cautiously for those specific cases.

Final Thoughts

Firejail is one of the most practical security tools available on Linux. It requires no complex configuration to get started, integrates with your existing desktop environment, and dramatically reduces the attack surface of any compromised application. Whether you’re opening a suspicious file or simply want to keep your browser from accessing sensitive files, Firejail delivers strong isolation with minimal overhead.
