Using Firejail

Firejail is a SUID (Set owner User ID upon execution) program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, and mount table.

Firejail gives you a sandbox in which to run your applications, limiting the resources they can see and access. This reduces an application's exposure to undesired effects by limiting the files, network, and processes it can see.

Once installed, you can prefix applications with firejail to have them open in this sandbox. Firejail ships with preset profiles for many applications in /etc/firejail. Additional profiles are available in the source on GitHub, inside /etc at profile-a-l and profile-m-z.

If you want to make modifications, Firejail also supports configuration in your user directory. ~/.config/firejail/ is where you want to make these changes.

For instance, to give Lutris access to my games mount, I can whitelist it:

~/.config/firejail/lutris.profile

whitelist /mnt/Games
include /etc/firejail/lutris.profile

Once you feel comfortable configuring, you may want Firejail to always trigger for applications that have a profile. Then if you run firefox, it is automatically sandboxed for you. This can be helpful across many entry points and makes sure your applications are always sandboxed. In most cases only a few rules are necessary to allow appropriate access. Many of the common applications are already available and work out of the box.

Accessing files in other mounts or in locations other than home is a common “problem” that comes up when using sandboxed applications, as they can’t see the files anymore. Adding these directories to the whitelist in your user config is generally all you need.
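The user override shown for Lutris and the whitelist fix described above can be scripted. The following is an added example, not code from Firejail or from the original page: `add_whitelist` is a hypothetical helper, and `FIREJAIL_SYS_DIR` and `FIREJAIL_USER_DIR` are hypothetical variables that exist only so it can be tried against scratch directories.

```sh
#!/bin/sh
# Added example (not from the original page). FIREJAIL_SYS_DIR and
# FIREJAIL_USER_DIR are hypothetical overrides for trying this in scratch dirs.

# add_whitelist APP DIR... : whitelist DIRs in the user's override for APP.
add_whitelist() {
    if [ "$#" -lt 2 ]; then
        echo "usage: add_whitelist APP DIR..." >&2
        return 2
    fi
    fj_app=$1
    shift
    fj_sys=${FIREJAIL_SYS_DIR:-/etc/firejail}/$fj_app.profile
    fj_user_dir=${FIREJAIL_USER_DIR:-$HOME/.config/firejail}
    fj_user=$fj_user_dir/$fj_app.profile

    # The override only adds rules; the restrictions come from the system
    # profile, so refuse to write an override that would include nothing.
    [ -f "$fj_sys" ] || { echo "no system profile: $fj_sys" >&2; return 1; }

    # Validate every path before touching any file (catches typos early).
    for fj_dir in "$@"; do
        case $fj_dir in
            /*) [ -d "$fj_dir" ] || { echo "not a directory: $fj_dir" >&2; return 1; } ;;
            *)  echo "not an absolute path: $fj_dir" >&2; return 1 ;;
        esac
    done

    mkdir -p "$fj_user_dir" || return 1
    fj_tmp=$fj_user.tmp.$$
    : > "$fj_tmp" || return 1

    # New whitelist lines go first, skipping any that are already present.
    for fj_dir in "$@"; do
        fj_line="whitelist $fj_dir"
        if [ -f "$fj_user" ] && grep -qxF -e "$fj_line" "$fj_user"; then
            continue
        fi
        grep -qxF -e "$fj_line" "$fj_tmp" || printf '%s\n' "$fj_line" >> "$fj_tmp"
    done

    # Keep what the user already had, then make sure the system profile is
    # still included so its restrictions apply.
    if [ -f "$fj_user" ]; then cat "$fj_user" >> "$fj_tmp"; fi
    grep -qxF -e "include $fj_sys" "$fj_tmp" || printf 'include %s\n' "$fj_sys" >> "$fj_tmp"
    mv "$fj_tmp" "$fj_user"
}
```

Running `add_whitelist lutris /mnt/Games` with the defaults produces the same two-line `~/.config/firejail/lutris.profile` shown earlier.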

My biggest suggestion is to take a look at the default profiles in /etc/firejail or in the source code and see how they configure things.

Firejail can help you automatically limit exposure for applications, especially ones that access content over the internet. These can be exposed and exploited, leaving you vulnerable.

The documentation for Firejail is good. Configuring is pretty straightforward, and common activities are easily doable.