Firejail


Firejail is an easy-to-use SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It can be used alone, or combined with Grsecurity or other kernel hardening systems to further increase the security provided. Firejail is ideal for use with browsers, desktop applications, and daemons/servers alike.

Installation

Note: The user namespace (CONFIG_USER_NS=Y) isn't set in the kernel configuration, but may be required for Firejail to function properly. See bug #36969 for details on why this namespace is disabled by default.

Install the firejail or firejail-git (AUR) package, either of which provides all of the requirements out of the box.

Configuration

Firejail uses profiles for the applications executed inside of it - you can find the default profiles in /etc/firejail/application.profile. Should you require custom profiles for applications not included, or wish to modify the defaults, you may place new rules or copies of the defaults in ~/.config/firejail.

Paths with spaces

If you need to reference, whitelist, or blacklist a directory within a custom profile, such as with palemoon (AUR), you must do so using the absolute path, without encapsulation or escapes:

/home/user/.moonchild productions

Usage

To execute an application using firejail with seccomp protection, such as okular, execute the following:

$ firejail --seccomp okular

Private mode

Firejail also includes a one-time private mode, in which no mounts are made in the chroots to your home directory. In doing this, you can execute applications without performing any changes to disk. For example, to execute okular in private mode, do the following:

$ firejail --seccomp --private okular

Using Firejail by default

To execute an application in Firejail by default, create a symbolic link pointing to /usr/bin/firejail. For example:

$ ln -s /usr/bin/firejail /usr/local/bin/okular

The firecfg tool can be used to automate this process.

Tip: To open the application with your custom Firejail options, create the following file instead for Okular and make it executable:
/usr/local/bin/okular
#!/bin/sh
firejail --seccomp /usr/bin/okular "$@"

Desktop files

Some applications use nonstandard paths. For these you will want to copy the .desktop launchers from /usr/share/applications/*.desktop to ~/.local/share/applications/ and then include firejail (and possibly seccomp) on the Exec line.
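The copy-and-edit step above can be scripted. The following is an added example, not part of the original page: the function name firejail_wrap_desktop and the sample launcher are constructed for illustration, and the options passed are assumed to contain no characters special to sed.

```shell
#!/bin/sh
# Added example (not from the original page): copy a .desktop launcher and
# prefix every Exec= line with firejail plus the given options.
# Usage: firejail_wrap_desktop SRC DESTDIR [FIREJAIL_OPTION...]
# Real use: firejail_wrap_desktop /usr/share/applications/okular.desktop \
#           "$HOME/.local/share/applications" --seccomp
# Assumption: options contain no '|', '&' or '\' (they end up in a sed script).
firejail_wrap_desktop() {
    src=$1
    destdir=$2
    shift 2
    opts=$*
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$destdir" || return 1
    dest=$destdir/$(basename "$src")
    # Lines that already start with "Exec=firejail " are skipped, so running
    # the function twice does not double-wrap. TryExec= never matches ^Exec=.
    # Desktop Actions add further Exec= lines, and each one is rewritten;
    # otherwise a right-click action would start the program unsandboxed.
    sed -e '/^Exec=firejail /b' \
        -e "s|^Exec=|Exec=firejail ${opts:+$opts }|" "$src" > "$dest" &&
        printf '%s\n' "$dest"
}

# Constructed sample launcher, processed in a throwaway directory.
demo=$(mktemp -d)
cat > "$demo/okular.desktop" <<'EOF'
[Desktop Entry]
Name=Okular
TryExec=okular
Exec=okular %U
Actions=new;

[Desktop Action new]
Name=New Window
Exec=okular --new %U
EOF
firejail_wrap_desktop "$demo/okular.desktop" "$demo/applications" --seccomp
cat "$demo/applications/okular.desktop"
rm -rf "$demo"
```

The copy in ~/.local/share/applications/ takes precedence over the system launcher but is not updated with the package, so re-run the function after the application is upgraded.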

Daemons

For a daemon, you will need to overwrite the systemd unit file for that daemon to call firejail, see systemd#Editing provided units.

Notes

Some applications do not work properly with Firejail, and others simply require special configuration. If any directories are disallowed or blacklisted for a given application, you may have to further edit the profile to enable nonstandard directories that the application needs to access. One example is wine; wine will not work with seccomp in most cases.

Other configurations exist; it is suggested you check out the man page for firejail to see them all, as firejail is in rapid development.

Firetools

A GUI application for use with Firejail is also available, firetools (AUR).

Troubleshooting

PulseAudio

PulseAudio misbehaving under Firejail is a known issue. A temporary workaround:

$ cp /etc/pulse/client.conf ~/.config/pulse/
$ echo "enable-shm = no" >> ~/.config/pulse/client.conf
