Firejail
github.com/netblue30/firejailFirejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. Written in C, virtually no dependencies, runs on any modern Linux system, with no daemon running in the background, no complicated configuration, and it's super lightweight and super secure, since all actions are implemented by the kernel. It includes security profiles for over 800 common Linux applications. FireJail is recommended for running any app that may potential pose some kind of risk, such as torrenting through Transmission, browsing the web, opening downloaded attachments.
- Homepage: github.com/netblue30/firejail
- GitHub: github.com/netblue30/firejail
- Web info: web-check.xyz/results/github.com
Firejail Source Code
Author
Description
Linux namespaces and seccomp-bpf sandbox
Homepage
https://firejail.wordpress.comLicense
GPL-2.0
Created
08 Aug 15
Last Updated
18 Jan 25
Latest version
Primary Language
C
Size
22,594 KB
Stars
5,907
Forks
578
Watchers
5,907
Language Usage
Star History
Top Contributors
-
@glitsj16 (1210)
-
@kmk3 (945)
-
@netblue30 (867)
-
@smitsohu (790)
-
@Fred-Barclay (494)
-
@SkewedZeppelin (342)
-
@rusty-snake (339)
-
@reinerh (332)
-
@dependabot[bot] (130)
-
@startx2017 (120)
-
@SYN-cook (90)
-
@Vincent43 (79)
-
@manevich (60)
-
@avoidr (59)
-
@topimiettinen (58)
-
@valoq (48)
-
@Neo00001 (47)
-
@chiraag-nataraj (45)
-
@vismir2 (40)
-
@kris7t (37)
-
@crass (35)
-
@bbhtt (35)
-
@tredondo (32)
-
@jose1711 (30)
-
@flacks (27)
-
@nidamanx (24)
-
@veloute (24)
-
@Kishore96in (24)
-
@KellerFuchs (21)
-
@pirate486743186 (16)
Recent Commits
-
Kelvin M. Klann (18 Jan 25)
build: rename print-version target to installcheck (#6620) To make it consistent with the standard GNU make targets. From the manual of GNU Make (version 4.4.1-2): > 'installcheck' > Perform installation tests (if any). The user must build and > install the program before running the tests. You should not > assume that '$(bindir)' is in the search path. Commands used to search and replace: $ git grep -Ilz print-version | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \ 's/print-version/installcheck/g' '{}')\" >'{}'" $ git grep -Ilz 'print version' .github/workflows | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \ 's/print version/make installcheck/g' '{}')\" >'{}'" Added on commit c9531d95e ("build: add print-version target and use in CI", 2024-02-22) / #6230.
-
Kelvin M. Klann (16 Jan 25)
RELNOTES: line-wrap profile item Relates to #6444 #6499.
-
Kelvin M. Klann (16 Jan 25)
RELNOTES: add modif, docs and profile items Relates to #6471 #6581 #6582 #6605 #6607.
-
amano-kenji (16 Jan 25)
profiles: anki: fix dark mode detection & misc changes (#6581) Relates to #6545.
-
Kelvin M. Klann (16 Jan 25)
warn when running firejail with --disable-sandbox-check Clarify that it is only intended for development (and thus that it may potentially cause issues). Relates to #6592 #6619.
-
Kelvin M. Klann (16 Jan 25)
Revert "build: move HAVE_SANDBOX_CHECK out of MANFLAGS" This reverts commit 5c6fa6ab584eb6241467b5d5aea76f26dcc922fb. The commit in question causes `HAVE_SANDBOX_CHECK` to always be unset (instead of only when `--disable-sandbox-check` is used), as its value was being passed to the compiler through `MANFLAGS`. Move the macro back into `MANFLAGS` for simplicity. Also, using `--disable-sandbox-check` breaks the tests and thus also breaks CI (see #6619). Relates to #6592.
-
Kelvin M. Klann (16 Jan 25)
profiles: aria2p: disable x11 and clipboard managers (#6609) aria2p is a command-line tool, so these should not be needed (and it's unclear how/why they would be used by the program). See also: https://github.com/netblue30/firejail/pull/6583#discussion_r1912891807 Added on commit c869f11d5 ("New profile: aria2p/aria2rpc", 2024-12-27) / PR #6583.
-
Kelvin M. Klann (15 Jan 25)
docs: github: add program name/version to bug_report.md (#6607) See also commit 9bccccfa7 ("docs: github: streamline environment in issue templates (#6471)", 2024-09-13).
-
Kelvin M. Klann (15 Jan 25)
ci: disable build_src_package GitLab job due to libtrace errors Build log[1]: $ make [...] make -C src/libtrace/ make[1]: Entering directory '/builds/Firejail/firejail_ci/src/libtrace' gcc -ggdb -O2 -DVERSION='"0.9.73"' [...] -c ../../src/libtrace/libtrace.c -o ../../src/libtrace/libtrace.o ../../src/libtrace/libtrace.c:451:59: warning: 'struct stat64' declared inside parameter list will not be visible outside of this definition or declaration 451 | typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *statbuf); | ^~~~~~ ../../src/libtrace/libtrace.c:453:41: warning: 'struct stat64' declared inside parameter list will not be visible outside of this definition or declaration 453 | int stat64(const char *pathname, struct stat64 *statbuf) { | ^~~~~~ ../../src/libtrace/libtrace.c: In function 'stat64': ../../src/libtrace/libtrace.c:457:40: error: passing argument 2 of 'orig_stat64' from incompatible pointer type [-Wincompatible-pointer-types] 457 | int rv = orig_stat64(pathname, statbuf); | ^~~~~~~ | | | struct stat64 * ../../src/libtrace/libtrace.c:457:40: note: expected 'struct stat64 *' but argument is of type 'struct stat64 *' ../../src/libtrace/libtrace.c: At top level: ../../src/libtrace/libtrace.c:476:60: warning: 'struct stat64' declared inside parameter list will not be visible outside of this definition or declaration 476 | typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *statbuf); | ^~~~~~ ../../src/libtrace/libtrace.c:478:42: warning: 'struct stat64' declared inside parameter list will not be visible outside of this definition or declaration 478 | int lstat64(const char *pathname, struct stat64 *statbuf) { | ^~~~~~ ../../src/libtrace/libtrace.c: In function 'lstat64': ../../src/libtrace/libtrace.c:482:41: error: passing argument 2 of 'orig_lstat64' from incompatible pointer type [-Wincompatible-pointer-types] 482 | int rv = orig_lstat64(pathname, statbuf); | ^~~~~~~ | | | struct stat64 * ../../src/libtrace/libtrace.c:482:41: note: expected 'struct stat64 *' but argument is of type 'struct stat64 *' make[1]: Leaving directory '/builds/Firejail/firejail_ci/src/libtrace' Environment: gcc (14.2.0-r4), musl-dev (1.2.5-r8) on Alpine Linux v3.21. Relates to #6610. [1] https://gitlab.com/Firejail/firejail_ci/-/jobs/8853165146
-
Kelvin M. Klann (15 Jan 25)
build: fix formatting --disable-sandbox-check Make it match the other `AC_ARG_ENABLE` code. This amends commit a53de4926 ("build: improve --disable-sandbox-check help string", 2025-01-13). Relates to #6592.
-
Kelvin M. Klann (13 Jan 25)
build: improve --disable-sandbox-check help string This amends commit 108327c5a ("feature: build: add --disable-sandbox-check configure flag", 2024-12-27) / PR #6592.
-
Kelvin M. Klann (13 Jan 25)
build: move HAVE_SANDBOX_CHECK out of MANFLAGS It is not used in the man pages. This amends commit 108327c5a ("feature: build: add --disable-sandbox-check configure flag", 2024-12-27) / PR #6592.
-
Kelvin M. Klann (13 Jan 25)
RELNOTES: sort/reword feature This amends commit 56566fd41 ("merges", 2025-01-12).
-
Kelvin M. Klann (13 Jan 25)
profiles: monero-wallet-cli: fix missing EOL at EOF This amends commit a7bf93426 ("New profile: monero-wallet-cli", 2024-12-27) / PR #6586.
-
Kelvin M. Klann (13 Jan 25)
fix misc copyright years Commands used to check for issues: git grep 'Copyright .*Firejail' | grep -v 2014-2025 Misc: This was noticed on commit 212ac3cb1 ("update copyright", 2025-01-12).
-
netblue30 (13 Jan 25)
update copyright
-
netblue30 (12 Jan 25)
Merge branch 'master' of ssh://github.com/netblue30/firejail
-
netblue30 (12 Jan 25)
merges
-
netblue30 (12 Jan 25)
Merge pull request #6590 from amano-kenji/tremc New profile: tremc
-
netblue30 (12 Jan 25)
Merge pull request #6586 from amano-kenji/monero New profile: monero-wallet-cli
-
netblue30 (12 Jan 25)
Merge pull request #6584 from amano-kenji/buku New profile: buku
-
netblue30 (12 Jan 25)
Merge pull request #6583 from amano-kenji/aria2 New profile: aria2p/aria2rpc
-
netblue30 (12 Jan 25)
Merge pull request #6592 from powerjungle/feat/run-firejail-in-sandbox-for-testing feature: build: add --disable-sandbox-check configure flag
-
Kelvin M. Klann (12 Jan 25)
refactor: deduplicate definition of RUN_FIREJAIL_NAME_DIR Reuse the definition from src/include/rundefs.h. Related commits: * 07c05e8a5 ("moved sandbox name to /run/firejail/name/<PID>", 2016-02-19) * 57ffc35a8 ("added sandbox name support in firemon", 2018-03-21)
-
Kelvin M. Klann (11 Jan 25)
modif: clarify error messages in profile.c (#6605) Relates to #3478 #3798 #6604.
-
Kelvin M. Klann (06 Jan 25)
ci: check-profiles: fix git diff not running This amends commit c222b7f69 ("build: sort.py: fix whitespace in entire profile (#6593)", 2024-12-28).
-
amano-kenji (06 Jan 25)
profiles: refactor com.github.johnfactotum.Foliate into foliate.profile (#6582) On Gentoo Linux, there is `/usr/bin/foliate` instead of `/usr/bin/com.github.johnfactotum.Foliate`.
-
Kelvin M. Klann (04 Jan 25)
profiles: singularity: fix profile path Commands used to check for issues: $ git ls-files 'etc/profile-a-l/' | grep 'etc/profile-a-l/[m-z]' etc/profile-a-l/singularity.profile $ git ls-files 'etc/profile-m-z/' | grep 'etc/profile-a-l/[a-l]' $ Command used to fix the path: $ git mv \ etc/profile-a-l/singularity.profile \ etc/profile-m-z/singularity.profile Relates to #6463.
-
Kelvin M. Klann (04 Jan 25)
build: sort.py: ignore empty files Currently it adds a newline to empty files. Before: $ : >foo.profile $ contrib/sort.py foo.profile sort.py: checking 1 profile(s)... foo.profile:(fixed whitespace) [ Fixed ] foo.profile $ od -A n -t x1 foo.profile 0a After: $ : >foo.profile $ contrib/sort.py foo.profile sort.py: checking 1 profile(s)... $ This amends commit c222b7f69 ("build: sort.py: fix whitespace in entire profile (#6593)", 2024-12-28).
-
Kelvin M. Klann (04 Jan 25)
bugfix: update syscalls.list Commands used to update it: touch src/include/syscall_aarch64.h # potentially needed make syntax This amends commit 508cd6a6c ("feature: add aarch64 syscalls (#6574)", 2024-12-21).
Firejail Website
Website
GitHub: Letβs build from here Β· GitHub
GitHub is where over 100 million developers shape the future of software, together. Contribute to the open source community, manage your Git repositories, review code like a pro, track bugs and features, power your CI/CD and DevOps workflows, and secure code before you commit it.
Redirects
Does not redirect
Security Checks
All 66 security checks passed
Server Details
- IP Address 140.82.112.4
- Hostname lb-140-82-112-4-iad.github.com
- Location San Francisco, California, United States of America, NA
- ISP GitHub Inc.
- ASN AS36459
Associated Countries
-
US
Saftey Score
Website marked as safe
100%
Blacklist Check
github.com was found on 0 blacklists
- ThreatLog
- OpenPhish
- PhishTank
- Phishing.Database
- PhishStats
- URLhaus
- RPiList Not Serious
- AntiSocial Blacklist
- PhishFeed
- NABP Not Recommended Sites
- Spam404
- CRDF
- Artists Against 419
- CERT Polska
- PetScams
- Suspicious Hosting IP
- Phishunt
- CoinBlockerLists
- MetaMask EthPhishing
- EtherScamDB
- EtherAddressLookup
- ViriBack C2 Tracker
- Bambenek Consulting
- Badbitcoin
- SecureReload Phishing List
- Fake Website Buster
- TweetFeed
- CryptoScamDB
- StopGunScams
- ThreatFox
- PhishFort
Website Preview
Firejail Reviews
More Linux Defenses
-
Open source GUI firewall for Linux, allowing you to block internet access for certain applications. Supports both simple and advanced mode, GUI and CLI options, very easy to use, lightweight/ low-overhead, under active maintenance and backed by a strong community. Installable through most package managers, or compile from source.
-
ClamTk is basically a graphical front-end for ClamAV, making it an easy to use, light-weight, on-demand virus scanner for Linux systems.
-
Locally checks for signs of a rootkit.
-
Open source intrusion prevention system capable of real-time traffic analysis and packet logging.
-
Clears cache and deletes temporary files very effectively. This frees up disk space, improves performance, but most importantly helps to protect privacy.
About the Data: Firejail
API
You can access Firejail's data programmatically via our API.
Simply make a GET
request to:
https://api.awesome-privacy.xyz/operating-systems/linux-defenses/firejail
The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.
About the Data
Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of data included in this page comes from, and how it is computed, see the About the Data section of our About page.
Share Firejail
Help your friends compare Linux Defenses, and pick privacy-respecting software and services.
Share Firejail and Awesome Privacy with your network!