explaingit

netblue30/firejail

7,365 C Audience · ops devops Complexity · 3/5 Setup · moderate

TLDR

Firejail is a Linux security tool that runs any application inside an isolated sandbox using standard kernel features, so a compromised program can't access or damage the rest of your system.

Mindmap

mindmap
  root((Firejail))
    How it works
      Namespaces
      seccomp-bpf
      Linux capabilities
    Supported apps
      Firefox
      Chromium
      VLC
      Servers
    Features
      Built-in profiles
      No daemon needed
      SELinux compatible
    Setup
      Linux distros
      Build from source
      Kernel 3 or newer


Things people build with this

USE CASE 1

Run Firefox or Chromium inside a Firejail sandbox so a browser exploit can't read your other files or network.

USE CASE 2

Sandbox an untrusted Linux application to restrict its access to the file system, network, and system calls.

USE CASE 3

Harden a Linux server by running services inside kernel namespace isolation with no daemon overhead.

USE CASE 4

Layer Firejail sandbox profiles on top of existing SELinux or AppArmor policies for defense in depth.

Tech stack

C, Linux

Getting it running

Difficulty · moderate Time to first run · 30min

Distribution packages may lag the latest release; install from the GitHub releases page for the most current version.

In plain English

Firejail is a security tool for Linux that runs applications inside a restricted environment, limiting what they can access or affect on the rest of your computer. The idea is that if a program is compromised, the damage it can do is contained. It is written in C, has almost no external dependencies, and works on any Linux system running a kernel from version 3.x onward.

Under the hood, it uses a set of Linux kernel features: namespaces (which give each sandboxed process its own isolated view of the network, running processes, and file system mounts), seccomp-bpf (which restricts which system calls a process is allowed to make), and Linux capabilities (which control what privileged operations a process can perform). These are all standard kernel mechanisms, so no daemons need to run in the background and there are no complicated configuration files to set up.

The tool can sandbox graphical desktop applications, servers, and even full user login sessions. It ships with ready-made security profiles for widely used programs like Firefox, Chromium, VLC, and Transmission, so in many cases you can start using it without writing any configuration yourself. It can also work alongside SELinux, AppArmor, and Linux Control Groups if those are already in use on the system.

Installation is available through most major Linux distributions, including Debian and Ubuntu, though the README notes that distribution-packaged versions may lag behind the latest release. The project recommends installing from the GitHub releases page or building from source when an up-to-date version matters. A video channel with tutorials and an IRC channel are available for getting started.
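One way to check from outside that the three kernel mechanisms described above are actually in effect for a running process is to read its `/proc` entries. This is an added example, not Firejail's own code; the function names and the sample status text are constructed for illustration, while `Seccomp`, `CapEff` and `NoNewPrivs` are real fields of `/proc/<pid>/status`.

```shell
# Added example (not Firejail code): report, from /proc, which of the kernel
# mechanisms named above are active for a process.

# status_field TEXT KEY: value of "KEY:" in /proc/<pid>/status text.
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# audit_status TEXT: summarize seccomp mode, effective caps, no_new_privs.
audit_status() {
    case "$(status_field "$1" Seccomp)" in
        0) sec=disabled ;;
        1) sec=strict ;;
        2) sec=filter ;;          # mode 2 is seccomp-bpf
        *) sec=unknown ;;
    esac
    case "$(status_field "$1" CapEff)" in
        '')     caps=unknown ;;
        *[!0]*) caps=present ;;   # at least one capability bit is set
        *)      caps=none ;;
    esac
    case "$(status_field "$1" NoNewPrivs)" in
        1) nnp=yes ;;
        0) nnp=no ;;
        *) nnp=unknown ;;
    esac
    echo "seccomp=$sec caps=$caps no_new_privs=$nnp"
}

# unshared_namespaces PID REF: namespaces in which PID differs from REF.
# Reading another user's /proc/<pid>/ns links needs sufficient privilege.
unshared_namespaces() {
    out=
    for ns in mnt net pid; do
        a=$(readlink "/proc/$1/ns/$ns" 2>/dev/null) || continue
        b=$(readlink "/proc/$2/ns/$ns" 2>/dev/null) || continue
        [ "$a" = "$b" ] || out="$out$ns "
    done
    echo "${out% }"
}

# Constructed sample status text for a confined process.
SAMPLE_STATUS=$(printf 'Name:\tfirefox\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t1\nCapEff:\t0000000000000000\n')
if [ $# -gt 0 ]; then             # usage: sh audit.sh <pid>
    audit_status "$(cat "/proc/$1/status")"
    echo "unshared: $(unshared_namespaces "$1" $$)"
else
    audit_status "$SAMPLE_STATUS"
fi
```

Run with a PID, it compares that process against the auditing shell itself, so a sandboxed process should list the namespaces it no longer shares with your session.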

Copy-paste prompts

Prompt 1
How do I run Firefox in a Firejail sandbox on Ubuntu to prevent browser exploits from accessing my home directory?
Prompt 2
Show me how to write a custom Firejail security profile for an application that isn't covered by the built-in profiles.
Prompt 3
How do I use Firejail's seccomp-bpf support to whitelist only the system calls an application actually needs?
Prompt 4
What Linux kernel features does Firejail use internally, and what is the minimum kernel version required?
Prompt 5
How do I install the latest version of Firejail from the GitHub releases page instead of using the distribution package?

Verify against the repo before relying on details.