Configs · May 27, 2026 · 3 min read

Firejail — Linux Application Sandboxing with Zero Configuration

Firejail is a lightweight SUID sandbox for Linux that restricts the running environment of untrusted applications using namespaces, seccomp-bpf, and capability dropping. It ships with profiles for hundreds of common applications.

Introduction

Firejail sandboxes Linux applications by wrapping them in isolated namespaces with restricted filesystem, network, and system call access. It requires no root daemon and works out of the box with pre-built profiles for browsers, media players, chat clients, and development tools.

What Firejail Does

  • Isolates applications using Linux namespaces (mount, PID, network, user)
  • Restricts system calls with seccomp-bpf filters to reduce kernel attack surface
  • Provides filesystem whitelisting and blacklisting to control which files an app can see
  • Supports private home directories and temporary filesystems for disposable sessions
  • Includes network sandboxing with optional per-app firewall rules

Architecture Overview

Firejail is a SUID C executable that sets up namespaces and cgroups before exec-ing the target application. Security profiles define per-application restrictions as declarative rule files. At runtime, Firejail mounts a filtered filesystem view, applies seccomp filters, drops capabilities, and optionally assigns the process to a separate network namespace with its own interface. No background daemon is required.

Self-Hosting & Configuration

  • Available in most Linux distribution repositories (apt install firejail)
  • Pre-built profiles for 1,000+ applications are installed automatically
  • Custom profiles are plain text files in ~/.config/firejail/ or /etc/firejail/
  • Global configuration in /etc/firejail/firejail.config controls default behavior
  • The firecfg utility can set up automatic sandboxing for all supported applications via desktop file symlinks
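
A small auditor for the profile files described above, added here as an example and not taken from this page or from the Firejail project: it reports which of the mechanisms from the Architecture Overview (seccomp, capability dropping, whitelist mode, network namespace) a single profile enables on its own. The profile text, the application name `viewer` and the check names are constructed; `include` files are listed rather than resolved, and the handling of `ignore` is a simplified assumption.

```python
# Added example: audit a Firejail profile for the protections named above.
# Directive names follow firejail-profile(5); the sample profile is constructed.

CHECKS = {
    "seccomp": {"seccomp", "seccomp.drop", "seccomp.keep"},  # syscall filter
    "capabilities": {"caps", "caps.drop", "caps.keep"},      # capability dropping
    "fs_whitelist": {"whitelist"},                           # whitelist mode
    "net_namespace": {"net"},                                # own network namespace
}

# Constructed profile for a hypothetical application called "viewer".
SAMPLE = """\
# viewer.profile (constructed sample)
include viewer.local
ignore net
caps.drop all
seccomp
whitelist ${HOME}/Documents
net none
private-tmp
"""


def audit(text):
    """Report which protections one profile file enables on its own."""
    ignored, found, includes = [], set(), []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue
        key, _, arg = line.partition(" ")
        if key == "ignore":
            # Assumption: "ignore X" disables later lines that are X or begin "X ".
            ignored.append(arg)
            continue
        if any(line == p or line.startswith(p + " ") for p in ignored):
            continue
        if key == "include":
            includes.append(arg)  # not resolved: result is a lower bound
        found.update(name for name, keys in CHECKS.items() if key in keys)
    return {
        "enabled": sorted(found),
        "missing": sorted(set(CHECKS) - found),
        "unresolved_includes": includes,
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, `net none` is present but reported as missing because the earlier `ignore net` line cancels it, which is the kind of override a local customization file can introduce without the main profile changing.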

Key Features

  • Over 1,000 pre-built security profiles covering browsers, editors, media players, and dev tools
  • Whitelist mode: only explicitly listed files and directories are visible to the sandboxed app
  • Network namespaces with optional virtual Ethernet pairs for per-app network isolation
  • Overlay filesystem support for running applications without modifying the real filesystem
  • AppArmor and AppImage integration for layered security

Comparison with Similar Tools

  • Bubblewrap (bwrap) — lower-level sandboxing primitive used by Flatpak; Firejail adds user-friendly profiles and a broader feature set
  • Flatpak/Snap — package-level sandboxing; Firejail sandboxes any existing application without repackaging
  • Docker — container runtime for services; Firejail targets desktop and CLI applications
  • AppArmor — mandatory access control via kernel profiles; Firejail combines namespaces, seccomp, and MAC in one tool
  • systemd-nspawn — lightweight container tool; Firejail is optimized for single-application sandboxing with desktop integration

FAQ

Q: Does Firejail work with Wayland?
A: Yes. Firejail supports both X11 and Wayland sessions and includes Xephyr/Xpra integration for X11 isolation.

Q: Can I sandbox development tools like VS Code or terminal emulators?
A: Yes. Profiles exist for many development tools. You may need to whitelist specific project directories for the sandboxed IDE to access your code.

Q: Does Firejail impact application performance?
A: The overhead is negligible. Namespace setup happens once at launch, and seccomp filters add minimal per-syscall cost.

Q: Is Firejail suitable for server applications?
A: It can sandbox server processes, but Docker or systemd sandboxing features are more common in server environments. Firejail excels at desktop application isolation.
