Configs · May 27, 2026 · 3 min read

Firejail — Linux Application Sandboxing with Zero Configuration

Firejail is a lightweight SUID sandbox for Linux that restricts the running environment of untrusted applications using namespaces, seccomp-bpf, and capability dropping. It ships with profiles for hundreds of common applications.


Introduction

Firejail sandboxes Linux applications by wrapping them in isolated namespaces with restricted filesystem, network, and system call access. It requires no root daemon and works out of the box with pre-built profiles for browsers, media players, chat clients, and development tools.

What Firejail Does

  • Isolates applications using Linux namespaces (mount, PID, network, user)
  • Restricts system calls with seccomp-bpf filters to reduce kernel attack surface
  • Provides filesystem whitelisting and blacklisting to control which files an app can see
  • Supports private home directories and temporary filesystems for disposable sessions
  • Includes network sandboxing with optional per-app firewall rules

Architecture Overview

Firejail is a SUID C executable that sets up namespaces and cgroups before exec-ing the target application. Security profiles define per-application restrictions as declarative rule files. At runtime, Firejail mounts a filtered filesystem view, applies seccomp filters, drops capabilities, and optionally assigns the process to a separate network namespace with its own interface. No background daemon is required.

Self-Hosting & Configuration

  • Available in most Linux distribution repositories (apt install firejail)
  • Pre-built profiles for 1,000+ applications are installed automatically
  • Custom profiles are plain text files in ~/.config/firejail/ or /etc/firejail/
  • Global configuration in /etc/firejail/firejail.config controls default behavior
  • The firecfg utility can set up automatic sandboxing for all supported applications via desktop file symlinks
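
As an added example (not from the original page or the Firejail project), this script reports which of the mechanisms described above a custom profile does not enable: seccomp, capability dropping, whitelisting, a network namespace, private directories and a user namespace. The directive names are Firejail profile directives; the two sample profiles and their paths are constructed, and `include` lines are not followed.

```shell
#!/bin/sh
# Added example, not Firejail project code. "include" lines are not followed.
# has_rule FILE ERE: true if a non-comment line matches the whole-line ERE.
has_rule() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -Eq "^($2)\$"
}

# audit_profile FILE: print one line per missing mechanism; return 0 if none.
audit_profile() {
    rc=0
    while IFS=: read -r label ere; do
        has_rule "$1" "$ere" || { echo "missing: $label"; rc=1; }
    done <<'EOF'
seccomp-bpf filter:seccomp( .+)?|seccomp\.(drop|keep) .+
capabilities dropped:caps\.drop all
filesystem whitelist:whitelist .+
network namespace:net .+
private home or /tmp:private( .+)?|private-tmp
user namespace without root:noroot
EOF
    return "$rc"
}

# Constructed sample profiles (contents and paths are illustrative).
sample_weak() {
    cat <<'EOF'
# blacklist-only profile: hides one path, enables nothing else
blacklist ${HOME}/.ssh
# seccomp   (commented out, so it must not count)
netfilter
EOF
}

sample_hardened() {
    cat <<'EOF'
whitelist ${HOME}/projects/demo
caps.drop all
seccomp
noroot
net none
private-tmp
EOF
}

tmp=$(mktemp -d)
sample_weak > "$tmp/weak.profile"; sample_hardened > "$tmp/hardened.profile"
for p in weak hardened; do echo "== $p"; audit_profile "$tmp/$p.profile" || true; done
rm -rf "$tmp"
```

A profile that relies on `include` for its hardening will be reported as missing those rules, so run the check against the included files as well.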

Key Features

  • Over 1,000 pre-built security profiles covering browsers, editors, media players, and dev tools
  • Whitelist mode: only explicitly listed files and directories are visible to the sandboxed app
  • Network namespaces with optional virtual Ethernet pairs for per-app network isolation
  • Overlay filesystem support for running applications without modifying the real filesystem
  • AppArmor and AppImage integration for layered security

Comparison with Similar Tools

  • Bubblewrap (bwrap) — lower-level sandboxing primitive used by Flatpak; Firejail adds user-friendly profiles and broader feature set
  • Flatpak/Snap — package-level sandboxing; Firejail sandboxes any existing application without repackaging
  • Docker — container runtime for services; Firejail targets desktop and CLI applications
  • AppArmor — mandatory access control via kernel profiles; Firejail combines namespaces, seccomp, and MAC in one tool
  • systemd-nspawn — lightweight container tool; Firejail is optimized for single-application sandboxing with desktop integration

FAQ

Q: Does Firejail work with Wayland?
A: Yes. Firejail supports both X11 and Wayland sessions and includes Xephyr/Xpra integration for X11 isolation.

Q: Can I sandbox development tools like VS Code or terminal emulators?
A: Yes. Profiles exist for many development tools. You may need to whitelist specific project directories for the sandboxed IDE to access your code.

Q: Does Firejail impact application performance?
A: The overhead is negligible. Namespace setup happens once at launch, and seccomp filters add minimal per-syscall cost.

Q: Is Firejail suitable for server applications?
A: It can sandbox server processes, but Docker or systemd sandboxing features are more common in server environments. Firejail excels at desktop application isolation.
