Firejail is a security tool for Linux that adds a security layer around most binaries and processes by running them inside a restricted environment, commonly called a sandbox. With its many options and ways to restrict a program, Firejail is a no-brainer pick for Linux security.
A common way to use Firejail is with a predefined profile, located in /etc/firejail/{application}.profile. The profile file contains the security options and restrictions wanted for the application. Firejail ships numerous templates that make applications work, and be more secure, out of the box.
$ firejail firefox
While it is fine to use it this way, you may need to write a profile file if no template is available for your application. You may also need to customize an offered template so it works on your system, or if you want to add, remove or edit the security and restriction values.
Another way to use Firejail is to pass the wanted options directly as arguments on the command line.
List of some of the Firejail options
--noroot: Root does not exist inside the sandbox; only the current user does.
--noprofile: Do not use the default profile defined for the process. This option should be used when several options are passed on the command line.
--nogroups: Do not share any of the user's other groups. By default, the process shares all the groups of the user on the system.
--nonewprivs: Child processes of the running binary cannot acquire different or higher privileges by executing a binary with a different suid.
--caps.drop=all: Capabilities are a kernel feature that divides root privileges into distinct units. By default, a root-privileged process bypasses all kernel capability checks, while an unprivileged process trying to use a capability is subject to a check. This option drops all capabilities from the running process.
--seccomp: Enables the seccomp sandboxing feature of the Linux kernel, which reduces the number of system calls available to the running process.
--nosound: Denies the running process access to the sound system (alsa, pulseaudio...).
--novideo: Denies the running process access to the video system.
--no3d: Denies the running process access to the system's 3D acceleration.
--private: Mount a temporary new /root and home directory for the sandbox; everything is discarded when the sandbox exits.
--private=~/directory/: Use the target directory as the user's home, which isolates the process from the user's real home directory.
--private-tmp: Create a temporary, unique /tmp/ for the running process. The /tmp/ is removed when the process exits.
--private-dev: Create a new /dev/ directory for the running process. Only the dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
--ipc-namespace: Enable a new IPC namespace for the process. Namespaces are a kernel feature for isolating and virtualizing system resources; they allow resources such as the hostname, network access and filesystems to be virtualized per thread.
--machine-id: Generate a random machine ID, useful against fingerprinting.
--net=none: No network connection is available inside the sandbox. This should be used when running a process that has no need for network access, like VLC or LibreOffice.
--dns=: Set the DNS server to use. You can pass multiple (up to 4) --dns= options.
--debug: Make the running process print debug messages.
--trace: Make the running process print a trace of its open, access and connect system calls.
--env=: Run with a custom environment variable inside the sandbox. For example, --env=LD_PRELOAD=/usr/lib64/torsocks/libtorsocks.so routes the network connections through Tor.
The full option list of Firejail is available in the man page or with the --help parameter. Consider reading the Firejail man page regularly, as updates are released often, to stay up to date on new features.
$ firejail --help
Some examples using the command line argument method:
$ firejail --noprofile --nogroups --private=~/firejail/ --private-dev --private-tmp --ipc-namespace --machine-id --noroot --caps.drop=all --seccomp --debug --trace --nosound --no3d firefox --new-instance
# The -no-sandbox parameter is needed to allow Firejail to sandbox Chromium
$ firejail --noprofile --nogroups --private=~/chromejail/ --private-dev --private-tmp --ipc-namespace --machine-id --noroot --caps.drop=all --seccomp --nosound --no3d chromium -no-sandbox
# VLC
$ firejail --noprofile --nogroups --net=none --private-tmp --seccomp --caps.drop=all vlc
# Irssi through Tor
$ firejail --noprofile --nogroups --private=~/irssijail/ --private-dev --private-tmp --ipc-namespace --machine-id --noroot --caps.drop=all --seccomp --nosound --novideo --env=LD_PRELOAD=/usr/lib64/torsocks/libtorsocks.so irssi
# Gimp
$ firejail --noprofile --nogroups --noroot --net=none --caps.drop=all --seccomp --nosound gimp
# Shell sandboxing
$ firejail --noprofile --nogroups --private --private-dev --private-tmp --ipc-namespace --machine-id --noroot --caps.drop=all --seccomp --nosound --novideo --env=LD_PRELOAD=/usr/lib64/torsocks/libtorsocks.so
# Zend IDE 13 (Java, closed source)
$ firejail --noprofile --net=none --private=~/zendjail/ --machine-id --noroot --caps.drop=all --seccomp --nosound ~/ZendStudio/./ZendStudio
Keep in mind that some applications may crash a lot, or not even run, because of the restrictions of your sandbox. A simple solution is to remove the passed Firejail arguments one by one until the application starts (using trace / debug / audit will help you understand what is wrong). The more you restrict, the more your system is protected. If one of your applications offers its own sandbox but cannot work inside a Firejail sandbox, you can disable the application's sandbox and use Firejail instead (like Chromium).
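The "remove the arguments one by one" advice above can be automated. The following POSIX sh helper is an added example, not part of the original post or of Firejail itself: it first runs the command with the full option set and, if that fails, retries with each single option left out, printing every option whose removal alone makes the application run. It assumes a firejail binary on PATH (overridable through the FIREJAIL variable) and options without embedded whitespace.

```shell
# Added example: narrow down which Firejail option breaks an application.
# Assumes POSIX sh; FIREJAIL defaults to the real binary and can be overridden.
# Options are passed as separate words and must not contain whitespace.
FIREJAIL="${FIREJAIL:-firejail}"

# try_jail CMD OPTION... : run CMD inside firejail with OPTION..., return its exit status.
# --quiet silences firejail's own banner; output is discarded because only the
# exit status matters here (run with --debug/--trace by hand for the details).
try_jail() {
    cmd="$1"; shift
    # shellcheck disable=SC2086  # CMD is deliberately word-split
    "$FIREJAIL" --quiet "$@" $cmd >/dev/null 2>&1
}

# blame_options CMD OPTION... : try the full option set first; if it fails,
# retry with each single option left out and print every option whose removal
# alone makes CMD run. Returns 1 when no single option is to blame.
blame_options() {
    cmd="$1"; shift
    if try_jail "$cmd" "$@"; then
        echo "ok: all options accepted"
        return 0
    fi
    idx=1; hits=0
    for candidate in "$@"; do
        rest=""; j=1
        for o in "$@"; do                # rebuild the option list without entry idx
            if [ "$j" -ne "$idx" ]; then rest="$rest $o"; fi
            j=$((j + 1))
        done
        # shellcheck disable=SC2086  # rest is deliberately word-split
        if try_jail "$cmd" $rest; then
            echo "breaks: $candidate"
            hits=$((hits + 1))
        fi
        idx=$((idx + 1))
    done
    [ "$hits" -gt 0 ]
}

# Real usage (firejail installed), e.g. for the VLC command line above:
#   blame_options "vlc --version" --noprofile --nogroups --net=none --private-tmp --seccomp --caps.drop=all
```

Use a command that exits on its own (a --version or --help flag, or a short script) rather than a long-running GUI, otherwise each trial blocks until you close the application.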