How to use Firejail on Linux to isolate and protect applications

If you use GNU/Linux daily and are concerned about security, privacy, and unreliable programsSooner or later, you'll come across Firejail. This little utility has been one of the easiest ways to enclose applications in an isolated environment for years, without setting up a virtual machine or going crazy with endless configurations.

The idea is simple: You run your program "inserted" inside Firejail And from there, that process sees a file system, a network, users, and devices that are much more limited than the real ones. In that way, a PDF Suspicious, a browser loaded with extensions or a weird game from itch.io have much less room to wreak havoc on the system.

What is Firejail and how does it work inside?

Firejail is a C program, of type SUID and GPLv2 licenseIt acts as a sandbox for processes in GNU/Linux. Its job is to minimize the impact of a compromised application by creating a restricted-privilege execution environment where each process has its own "sliced-off view" of the system.

At a technical level, it relies on several Linux kernel security featuresNamespaces, system call filters with seccomp-bpf, capacity control, and file system isolation. Thanks to this, the process running within the sandbox has its own process table, network stack, mount table, and, in general, a collection of virtualized resources.

One of its great assets is that It has hardly any dependencies and its overhead is minimal.It doesn't launch background daemons, open sockets for management, or require additional services. It simply starts when invoked and consumes resources while keeping the sandbox active.

In addition, Firejail comes with predefined security profiles for hundreds of programs desktop and services: browsers like Firefox and Chromium, media players like VLC, BitTorrent clients like Transmission, email clients, games (including Steam), chat tools, servers like Apache or Nginx, clients SSH, Wineetc. If there is no specific profile for a program, a generic profile is applied.

Main security mechanisms used by Firejail

To truly understand what Firejail does, it's helpful to review the kernel mechanisms that it takes advantage ofYou don't need to be a kernel hacker, but you do need some context to know what you're hardening when you play with its options.

Linux namespaces They allow a group of processes to share their own "namespace": process identifiers (PIDs), hostnames, users, mount points, network, etc. Firejail creates these namespaces so that the sandboxed program only sees the resources that correspond to it within that encapsulated environment.

From kernel branch 2.6 onwards, and especially from version 3.x, different types of namespaces (PID, UTS, mount, user, network, IPC, etc.) were added. Firejail relies on these to... the process has its own network, its own process tree, and its own file system, all separate from the rest of the system.

In addition to namespaces, Firejail implements file system level access control policies based on whitelists and blacklists. This allows you to define directories that the application can access, others that it can only read, and others that are completely blocked, both in the root directory and within the user's home directory.

In parallel, the following comes into play seccomp-bpfA system call filter is associated with the process and its descendants. Using a filtering language based on Berkeley Packet Filter (BPF), Firejail restricts which syscalls the application can execute. If it attempts to do something the policy doesn't allow, the call is blocked or the process is killed, significantly reducing the attack surface.

Firejail also integrates well with AppArmor and SELinuxThese solutions MAC (Mandatory Access Control) defines what resources an application can use, while Firejail adds an additional layer of isolation: even if two applications have permission on the same resource according to AppArmor, with Firejail you can make them unable to interact with each other because each one lives in its own sandbox.

Practical advantages of using Firejail

For the average user, what matters is not so much the theory as what you achieve in everyday use: More security without changing the way you work radically. Firejail focuses precisely on that.

On the one hand, there is the isolation of potentially hazardous applicationsA PDF that doesn't feel right, an office document sent to you by email, a shady website, or an AppImage downloaded from who-knows-where, all run in an environment that limits their ability to access the system.

On the other hand, it offers very granular resource constraintYou can limit the network (cut off the internet completely, give it its own IP address, restrict bandwidth), reduce access to the file system (whitelist and blacklist), trim devices from /dev, control the sound server, or even change the DNS servers that the application communicates with.

One very interesting point is that the basic use is ridiculously simple: firejail program_nameYou don't need to edit configuration files to get started; the predefined profiles cover most common uses. Only if you want to get more complex should you start tweaking custom profiles.

Despite focusing on GNU/Linux, Firejail has also been ported or adapted to other type systems Unix such as some BSD variants or even macOS, although where it really shines is in Linux environments with a 3.xo kernel or higher.

Installing Firejail and Firetools on different distributions

Installing Firejail is as easy as pulling the package manager of your distributionIt doesn't usually come pre-installed, but it is in the official repositories of almost all modern distributions.

On Debian and Ubuntu-based systems, simply use APT: sudo apt install firejailIn derivatives like Linux Mint, Elementary or similar, the command is exactly the same and will download the package from the distro's repositories.

In "pure" Debian you can resort to sudo apt-get install firejailWhereas in Arch Linux and derivatives like Manjaro, the package is in the official repositories and is installed with sudo pacman -S firejailIn Gentoo, it is located in the main tree as sys-apps/firejail and is installed using emerge –ask sys-apps/firejail or its LTS variant.

In Fedora you can choose to download the RPM from SourceForge and launch it with `sudo rpm -i`, or enable a specific Copr repository (for example, `ssabchew/firejail`) and then install it with `dnf`. On openSUSE, it is available through the classic system of one-click installation from the recommended repos for Tumbleweed or Leap.

If your distribution doesn't offer it packaged, you can always compile it from source code: git clone https://github.com/netblue30/firejail.git; cd firejail; ./configure && make && sudo make install-stripIt's a lightweight project with few dependencies, so it usually compiles without any problems.

To have a graphical interface you have Firetools, which is usually installed with the same package manager, for example sudo apt install firetoolsThis package adds a small launcher to the system tray and utilities for managing sandboxes graphically.

How to use Firejail from the terminal

The most direct way to take advantage of Firejail is through the line of commandsTheir philosophy is very clear: add the word firejail to the command you want. Nothing else.

For example, to run sandboxed Firefox you would use Firejail Firefoxfor VLC Firejail VLC, for Transmission Firejail transmission-gtk or for gedit firejail geditFirejail detects the program, checks if there is a corresponding profile in /etc/firejail and applies the defined restrictions.

It can also be used with services or demons server, launched as rootA typical example would be starting Nginx with `sudo firejail /etc/init.d/nginx start`, or any other service you want to live inside a sandbox with its own network and limited file system.

If you want to know at any given time which sandboxes are active, you can run firejail –listThe program will show you a list with the PID, the user, and the command associated with each isolated environment, very similar to a filtered ps.

When you want to inspect resources consumed by applications under Firejail, you have the subcommand firejail –top, which displays a table with PID, user, resident memory, shared memory, CPU used, child processes and execution time, all focused on instances launched through the sandbox.

To see the complete process hierarchy within each sandbox, you can run firejail –treewhich presents a process tree with the "parent" instance firejail and all processes hanging from it. If any instance becomes unresponsive, firejail –shutdown=PID It allows you to kill that specific sandbox.

Firejail profiles: where they are and how to modify them

Firejail's true potential lies in its configuration profilesThese are texture files that describe how each application should be isolated: what directories it can see, what kernel capabilities it can use, what happens to the network, whether alternative graphics servers are enabled, etc.

System profiles are usually stored in /etc/firejail/If you do an ls in that directory you will see a collection of files with the .profile extension, each one associated with a specific program: firefox.profile, vlc.profile, chromium.profile, steam.profile, server.profile, etc.

To customize the behavior of a standard profile, simply open it with your favorite editor, for example with sudo nano /etc/firejail/firefox.profileThere you can enable or disable policies such as blacklist, whitelist, /dev restrictions, network options, sound control, or disable 3D acceleration.

If you want to know what syntax the profiling language supports, Firejail includes a dedicated man page: man 5 firejail-profileIt details the meaning of each command (include, blacklist, whitelist, caps.keep, net, x11, etc.) and how to combine them to achieve the isolation policy you are interested in.

When you want to customize a program without touching the global profile of /etc, you can create a local user profileThey are stored in ~/.config/firejail/ and have the same name as the official profile. For example, if you want VLC to never have internet access, you could create ~/.config/firejail/vlc.profile with content similar to:

include /etc/firejail/vlc.profile
net none

The next time you run Firejail VLCThe system profile will be applied first, and then your additional settings, enforcing extra network isolation without needing to change the file in /etc.

Whitelists, blacklists, and file system control

One of Firejail's most powerful uses is its ability to limit specific directories which an application can access. You achieve this with whitelist and blacklist rules, both in global and custom profiles.

If you want, for example, to prevent an application from accessing the user's Documents folder, you could add a line blacklist ${HOME}/Documents to the profile. Alternatively, you can use the full path like blacklist /home/user/Documents if you prefer not to use variables.

Conversely, if you want a program to have access only to a very specific subset of the HOME directory, you can work with whitelistA very common combination is to generally block access to /boot, /root or certain sensitive directories, and in parallel grant permission to a single directory of downloads or a temporary folder where you will save what you really need.

List rules are combined with options such as –read-only=/etc so that a given directory is accessible, but only in read mode, or with –private-home, –private-etc, –private-bin to set up ephemeral versions of those routes within the sandbox.

In advanced profiles you can even use binding directives such as bind origin,destination, typical in server environments, so that a real system directory (for example /server/web1) is seen within the sandbox as /var/www/html, all under much stricter access control.

Private mode and temporary file systems

When you're looking for maximum insulation, Firejail offers a particularly aggressive mode: –privateWhen activated, the application sees a temporary HOME mounted on tmpfs, with a minimal directory structure, and everything it writes will disappear when the sandbox is closed.

This mode is ideal for check online banking or run particularly sensitive applications without carrying over the usual settings, extensions, caches, history, etc. If you launch a browser with firejail --private, it will use its default configuration, without add-ons or customizations, which reduces the attack surface.

You can also refine this behavior with –private=directoryindicating a persistent alternative HOME, or mixing it with –private-tmp y –private-cache so that directories like /tmp or ~/.cache are temporary, while you keep other "real" profile elements.

Another powerful mechanism is –overlay-tmpfsThis creates an overlay, ephemeral file system on top of the real system, so all write changes remain in the temporary layer. This allows, for example, install a package within the sandbox and test it without leaving a trace on the host system when you close the Firejail session.

In these scenarios, it's important to be very careful with the combination of options, because if you use –noprofile And if you don't properly block /tmp, you could still allow writes to parts of the system you didn't intend to touch. A common practice is to add directives like `--blacklist=/tmp` or work with very specific whitelists to limit the write area.

Network control: cut off internet access, separate IPs, and bandwidth limits

Another key aspect of Firejail is network management. With a single parameter, you can allow an application to... completely offline or set up its own network stack with individual IP, firewall and ARP table separate from the system.

To disable connectivity, simply use –net=noneFor example, in commands like `firejail --net=none vlc`, `firejail --net=none clementine`, or any other program you want to block from the internet. It's ideal for media players, image viewers, text editors, or similar programs that don't need to access the network.

If you want to set up a specific network, you can use –net=interfacewhere interface is usually something like eth0 on wired networks. You can even add –ip=192.168.1.80 so that the sandbox has a different internal IP address than the computer, very useful in server contexts or network testing.

With option –dns=IP You can overwrite the DNS servers for that specific sandbox. For example, a very common combination for online banking would be something like `firejail --private --dns=8.8.8.8 --dns=8.8.4.4 google-chrome`, ensuring that those queries are resolved using the DNS servers you specify.

Firejail also lets you limit bandwidth per sandboxFirst, you create a named instance, for example firejail --name=browser --net=eth0 firefox, and then, from another terminalYou apply rules with `firejail --bandwidth=browser set eth0 80 20` to set it to 80 KB/s download and 20 KB/s upload. To remove the limit, you would use `firejail --bandwidth=browser clear eth0`.

Keep in mind that certain network options (such as macvlan) only work on wired interfacesNot on Wi-Fi. portable With wireless networks, you will need to adjust your sandbox design accordingly.

Alternative graphics servers and protection against keyloggers

In addition to network and file system isolation, Firejail includes mechanisms to harden the X11 graphics layerInstead of using the user's "normal" X session, you can launch a program within alternative graphics servers such as Xpra or Xephyr.

To do this, you must first install the corresponding packages, usually with a command like sudo apt-get install xpra xserver-xephyr on Debian/Ubuntu-based systems. Once present, Firejail allows launching applications using –x11=server_name, which creates an additional isolated graphical environment.

For example, you could run firejail –x11=xephyr –net=none vlc to open VLC on a Xephyr server with the network cut off, or firejail –x11=xpra –net=none vlc to do it under Xpra. This helps to Protect yourself against keyloggers and screen capture devices that may be operating in the main X session.

When you do not explicitly specify the graphics server, the option –x11 Try Xpra first, then Xephyr, and finally the X11 security extension if the previous options are unavailable. Depending on your distribution and desktop environment, some combinations may not work perfectly, and you may need to adjust the settings manually.

Use Firejail “by default” in your applications

If you wish, you can make certain applications, or even all those with a profile, run. always Under Firejail, without having to type the word "firejail" every time. For that, there's an auxiliary tool. firecfg.

When running sudo firecfgThe program scans the installed binaries and creates symbolic links in /usr/local/bin for all applications that have a profile in /etc/firejail. These links point to /usr/bin/firejail, so that when the user runs “firefox”, Firejail is actually being invoked with the corresponding profile.

If you change your mind and want to restart the programs without sandboxing, you can clear that configuration with firecfg –cleanor manually delete the symlinks from /usr/local/bin. Another alternative is to configure only a specific application this way, manually creating a symbolic link with sudo ln -s /usr/bin/firejail /usr/local/bin/program_name.

In graphical environments you can also edit the .desktop files In your desktop launchers, add `firejail` to the command line. For example, in a custom `firefox.desktop` file, set the `Exec` line to `Exec=firejail firefox`. This way, every click on the icon will launch the program already encapsulated.

If you install Firetools, you'll also get a small graphical sandbox manager that displays applications with available profiles. From there, you can launch them, see what's running, check resource consumption, or tweak some parameters without using the terminal.

Advanced management: entering a sandbox, debugging, and AppArmor/SELinux

It can be very useful for advanced administrative tasks enter “inside” a sandboxFirejail allows this with the –join option, which connects a new shell to the namespace of an existing process.

The typical procedure would be to execute firejail –list To see the PIDs of the instances, locate the sandbox's main process number (for example, 5394) and then do sudo firejail –join=5394Firejail will jump to the first child process within the sandbox and leave you in a shell as root within that isolated environment.

Once there, you can use commands like df -h, ip addr, ps aux or any diagnostic tool to see exactly what the application sees from inside the sandbox. When you're finished, simply run `exit` to exit and return to the normal environment.

To detect configuration problems or understand what's blocking an application, you have the following options –debug y –traceThese show debugging information and system calls while the command is running. They are especially useful when an overly aggressive profile is preventing the program from working. Boot or function normally.

Firejail complements well with AppArmor and SELinuxIn distributions that enable AppArmor by default, many Firejail profiles are designed to coexist with AppArmor profiles, adding an extra layer of isolation without breaking existing policies. Examples of specific rules for further strengthening services such as web servers, SSH, or critical desktop applications are available on GitHub and in the official documentation.

If you are going to use Firejail on multi-user servers, it is advisable to review the configuration in /etc/firejail/firejail.config, enable options such as force-nonewprivs and limit which users can run /usr/bin/firejail by adjusting their group and permissions (for example, by creating a group “firejail” and restricting SUID to its members).

Firejail offers a A very interesting balance between safety and comfort.It doesn't replace full virtualization, but for many everyday tasks, quick software tests, or isolating browsers, AppImages, Wine, and games, it provides remarkable protection with very low complexity. A thorough understanding of its profiles, network options, private modes, and integrations with AppArmor/SELinux allows you to customize it to your liking and truly harden your Linux desktop without sacrificing usability.