Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It is written in C, has virtually no dependencies, and runs on any modern Linux system, with no daemon running in the background and no complicated configuration. It is super lightweight and super secure, since all actions are implemented by the kernel. It includes security profiles for over 800 common Linux applications. Firejail is recommended for running any app that may potentially pose some kind of risk, such as torrenting through Transmission, browsing the web, or opening downloaded attachments.

Open Source

Firejail Source Code

Author

netblue30

Description

Linux namespaces and seccomp-bpf sandbox

Homepage

https://firejail.wordpress.com

License

GPL-2.0

Created

08 Aug 15

Last Updated

29 Nov 24

Latest version

landlock-split

Primary Language

C

Size

21,651 KB

Stars

5,833

Forks

568

Watchers

5,833

Language Usage

Star History

Recent Commits

  • Kelvin M. Klann (29 Nov 24)

    private-etc: add gnutls dir to @network group

    This is currently only present in `private-etc` in mutt.profile, though it may also be used by other programs that use GNU TLS.

    This was added to mutt.profile on commit a8a8e33bc ("Add whitelisting to mutt; improve geary, new profile for neomutt", 2020-12-28) / PR #3849.

    Relates to #6400.

  • Kelvin M. Klann (29 Nov 24)

    RELNOTES: add profile items

    Relates to #6542 #6545 #6551 #6552 #6555.

  • Kelvin M. Klann (29 Nov 24)

    profiles: ensure allow-lua where mpv is allowed (#6555)

    mpv crashes if luajit is blocked:

        $ firejail --quiet --noprofile \
          --include=/etc/firejail/disable-interpreters.inc /usr/bin/mpv
        /usr/bin/mpv: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied

    So make sure that allow-lua.inc is always included when mpv paths (such as ~/.config/mpv) are allowed.

    Environment: luajit 2.1.1727870382-1, mpv 1:0.39.0-3 on Artix Linux.

    Related commits:

    * db2bdaadd ("add lua support for mpv (#3243)", 2020-02-24) / PR #3243
    * d6a6fb905 ("Allow Lua for mpv in dolphin.profile", 2020-04-18) / issue #3363
    * f3585e539 ("fixes, closes, enhances, improvements, and so on", 2020-11-09) / issue #3686
    * 3ec523f11 ("profiles: anki: allow lua", 2024-11-14) / PR #6545

  • Kelvin M. Klann (25 Nov 24)

    profiles: tesseract: disable private-tmp to fix ocrmypdf (#6552)

    As reported by @kmille[1]:

    The current `tesseract` profile breaks `ocrmypdf`:

        kmille@linbox:scans ocrmypdf C.pdf del.pdf
        Scanning contents ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1/1 0:00:00
        1 Error, could not create hOCR output file: No such file or directory tesseract.py:253
        1 Error, could not create TXT output file: No such file or directory tesseract.py:253
        OCR ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0% 0/1 -:--:--
        An exception occurred while executing the pipeline _common.py:294
        Traceback (most recent call last):
          File "/usr/lib/python3.12/site-packages/ocrmypdf/_pipelines/_common.py", line 259, in cli_exception_handler
            return fn(options, plugin_manager)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^
        [...]
          File "/usr/lib/python3.12/pathlib.py", line 840, in stat
            return os.stat(self, follow_symlinks=follow_symlinks)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ocrmypdf.io.0od81kk5/000001_ocr_hocr.hocr'

    These are some of the commands that run in background:

        [...]
        2024/11/23 22:13:53 PID=403915 UID=0 CMD=/usr/bin/firejail /usr/bin/tesseract --list-langs
        2024/11/23 22:13:53 PID=403917 UID=0 CMD=/run/firejail/lib/fcopy /usr/bin/text2image /run/firejail/mnt/bin
        2024/11/23 22:13:53 PID=403939 UID=1000 CMD=gs -dQUIET [...] -f /tmp/ocrmypdf.io.0od81kk5/origin.pdf [...]
        2024/11/23 22:14:03 PID=403953 UID=0 CMD=tesseract -l eng /tmp/ocrmypdf.io.0od81kk5/000001_ocr.png [...]

    Fixes #6550.

    [1] https://github.com/netblue30/firejail/issues/6550#issue-2686607038

    Reported-by: @kmille
    Suggested-by: @kmille

  • Kelvin M. Klann (25 Nov 24)

    profiles: wget: unify wget2 into wget profile (#6551)

    According to @rusty-snake[1]:

    > Distributions started to replace wget with wget2 (I.e. `wget` and
    > `wget2` are the same binary where one of them is a symlink to the
    > other).

    So move all custom entries (other than `private-bin`) from wget2.profile into wget.profile and turn wget2.profile into more of a redirect to wget.profile.

    [1] https://github.com/netblue30/firejail/pull/6542#pullrequestreview-2426287045

  • celenityy (24 Nov 24)

    profiles: wget: allow ~/.local/share/wget (#6542)

    wget appears to require access to this directory for HSTS & HPKP. Without access to this directory, I get the following error when running wget:

        Failed to read HSTS data
        Failed to read HPKP data
        Failed to write HSTS file

    This fixes it.

  • Kelvin M. Klann (19 Nov 24)

    profiles: chatterino: fix include comments

    Make them match the comments in profile.template.

    Command used to search for potential issues:

        $ git grep -E '# Allow [A-Z][A-Za-z]+ .* \(blacklisted'

    Added on commit 3af6c4068 ("Add Chatterino profile", 2022-12-24) / PR #5556.

  • Kelvin M. Klann (19 Nov 24)

    Merge pull request #6545 from haplo/anki-mpv-lua

    profiles: anki: fix opening, allow media & add to firecfg

  • Fidel Ramos (14 Nov 24)

    profiles: firecfg: enable anki

  • Fidel Ramos (14 Nov 24)

    profiles: anki: allow sound

    Anki needs sound access for recording and playing media.

  • Fidel Ramos (14 Nov 24)

    profiles: anki: allow lua

    Anki uses mpv to play media, which requires the lua interpreter.

    Without this, anki displays this error in the console and falls back to mplayer:

        mpv: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied
        Traceback (most recent call last):
          File "/usr/lib/python3.12/site-packages/aqt/sound.py", line 854, in setup_audio
            mpvManager = MpvManager(base_folder, media_folder)
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
          File "/usr/lib/python3.12/site-packages/aqt/sound.py", line 408, in __init__
            super().__init__(window_id=None, debug=False)
          File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 442, in __init__
            super().__init__(*args, **kwargs)
          File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 104, in __init__
            self._start_socket()
          File "/usr/lib/python3.12/site-packages/aqt/mpv.py", line 194, in _start_socket
            raise MPVProcessError("unable to start process")
        aqt.mpv.MPVProcessError: unable to start process
        mpv too old or failed to open, reverting to mplayer

  • Kelvin M. Klann (18 Nov 24)

    profiles: anki: allow mpv/mplayer

    Anki relies on mpv/mplayer for playing audio and video files.

  • Fidel Ramos (12 Nov 24)

    profiles: anki: add mpv/mplayer to private-bin

    Without this change, Anki fails to start.

    Fixes #6544.

  • Kelvin M. Klann (18 Nov 24)

    README: fix typo of "several"

    This fixes the codespell job in CI[1]:

        $ make codespell
        Running codespell...
        ./README:1244: serveral ==> several
        make: *** [Makefile:393: codespell] Error 65

    Added on commit 8e7996132 ("README file update", 2024-11-16).

    [1] https://github.com/netblue30/firejail/actions/runs/11874111807/job/33089673920

  • netblue30 (16 Nov 24)

    static IP map update

  • netblue30 (16 Nov 24)

    README file update

  • Kelvin M. Klann (08 Nov 24)

    RELNOTES: improve modif item

    Format and add missing PR reference.

    Relates to #5378 #5957.

  • Kelvin M. Klann (08 Nov 24)

    RELNOTES: add profile items

    Relates to #6533 #6534.

  • Kelvin M. Klann (08 Nov 24)

    profiles: game-launchers: disable nou2f (#6534)

    While gamepads apparently work fine in the Steam client itself, `nou2f` appears to make gamepads unresponsive inside certain games while using "Steam Input" (possibly due to `nou2f` blocking access to `/dev/hidraw*` devices).

    This issue reportedly affects at least the following games on Steam: "Undertale", "Persona 4 Golden" and "Persona 5 Royal".

    Disable nou2f to ensure that gamepads can be used.

    Relates to #6523.

    Reported-by: @opqriu

  • Kelvin M. Klann (08 Nov 24)

    profiles: firecfg.config: disable dnsmasq (#6533)

    There are multiple reports in #6121 that dnsmasq does not work when called by libvirt:

        $ sudo virsh net-start default
        error: Failed to start network default
        error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq [...]) unexpected exit status 1:
        Error: PATH environment variable not set

    Also, note that this is a server program, so it might be better to disable it by default anyway.

    Reported-by: @marek22k

  • Kelvin M. Klann (07 Nov 24)

    RELNOTES: add docs and profile items

    Relates to #3314 #6524 #6526 #6531.

  • Kelvin M. Klann (07 Nov 24)

    keepassxc: allow access to ssh-agent socket (#6531)

    Fixes #3314.

    Relates to #6529.

  • Ted Robertson (04 Nov 24)

    docs: clarify intro and build section in README (#6524)

    Make the introduction friendlier for non-kernel geeks and clarify the build section.

    Relates to #4049.

  • dependabot[bot] (01 Nov 24)

    build(deps): bump github/codeql-action from 3.26.10 to 3.27.0

    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.10 to 3.27.0.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/e2b3eafc8d227b0241d48be5f425d47c2d750a13...662472033e021d55d94146f66f6058822b0b39fd)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

  • dependabot[bot] (01 Nov 24)

    build(deps): bump actions/checkout from 4.2.0 to 4.2.2

    Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.2.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/actions/checkout/compare/d632683dd7b4114ad314bca15554477dd762a938...11bd71901bbe5b1630ceea73d27597364c9af683)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

  • Ted Robertson (31 Oct 24)

    docs: fix typos of --enable-selinux configure option (#6526)

  • Kelvin M. Klann (25 Oct 24)

    RELNOTES: add feature items

    Relates to #6435 #6514 #6515.

  • Kelvin M. Klann (25 Oct 24)

    profiles: firefox-esr: allow /etc/firefox-esr (#6515)

    This path is apparently used on Debian.

    Relates to #5518 #6400 #6435.

    Reported-by: @Boruch-Baum

  • celenityy (23 Oct 24)

    profiles: thunderbird: allow /etc/thunderbird (#6514)

    This fixes access to Thunderbird system policies, which can be set system-wide via `/etc/thunderbird/policies/policies.json`. Users can also use this directory to set different default preferences.

    Relates to #6400 #6435.

  • Foxreef (11 Oct 24)

    profiles: steam: add ~/.config/UNDERTALE (#6503)

    Whitelist ~/.config/UNDERTALE to allow the game to save.

Firejail Website

Website

GitHub: Let’s build from here · GitHub

GitHub is where over 100 million developers shape the future of software, together. Contribute to the open source community, manage your Git repositories, review code like a pro, track bugs and features, power your CI/CD and DevOps workflows, and secure code before you commit it.

Redirects

Does not redirect

Security Checks

All 66 security checks passed

Server Details

  • IP Address 140.82.112.4
  • Hostname lb-140-82-112-4-iad.github.com
  • Location San Francisco, California, United States of America, NA
  • ISP GitHub Inc.
  • ASN AS36459

Associated Countries

  • US

Safety Score

Website marked as safe

100%

Blacklist Check

github.com was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

About the Data: Firejail

API

You can access Firejail's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/operating-systems/linux-defenses/firejail

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of the data included on this page comes from, and how it is computed, see the About the Data section of our About page.
