Firejail is a SUID (
IDup on execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Firejail gives you a sandbox for your applications to run, limiting the resources it sees and can access. This is useful to limit exposure applications have, to undesired effects by limiting files, network, processes it can see.
Once installed you are able to prefix applications with
firejail and have them
open in this sandbox. Firejail comes with many applications with preset profiles
/etc/firejail. Profiles are available in the source available on
/etc at profile-a-l and profile-m-z.
If you want to make modifications, Firejail also supports configuration in your
~/.config/firejail/ is where you want to make these changes.
For instance to allow access to my games mount in Lutris, I can give it access.
whitelist /mnt/Games include /etc/firejail/lutris.profile
Once you feel comfortable configuring you may want to have Firejail always
trigger for applications we have a profile for. If you run
automatically sandboxes it for you. This can be helpful for many entry points
and make sure you always get your applications sandboxed. In most cases only a
few rules are necessary to allow appropriate access. Many of the common
applications are already available and work out of the box.
Accessing files in other mounts or other locations than home is a common “problem” that comes up when using applications as they can’t see the files anymore. Adding these directories to the whitelist is generally all you need in your user config.
Biggest suggestion is to take a look at the default profiles in
or in the source code. See how they configure things.
Firejail can help you automatically limit exposure for applications, especially ones that access content over the internet. These can be exposed and exploited, leaving you too vulnerable.
The documentation for Firejail is good. Configuring is pretty straight forward with common activities easily doable.