Firejail Icon

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. Written in C, virtually no dependencies, runs on any modern Linux system, with no daemon running in the background, no complicated configuration, and it's super lightweight and super secure, since all actions are implemented by the kernel. It includes security profiles for over 800 common Linux applications. FireJail is recommended for running any app that may potential pose some kind of risk, such as torrenting through Transmission, browsing the web, opening downloaded attachments.

Open Source

Firejail Source Code

Author

netblue30

Description

Linux namespaces and seccomp-bpf sandbox

Homepage

https://firejail.wordpress.com

License

GPL-2.0

Created

08 Aug 15

Last Updated

05 Oct 24

Latest version

landlock-split

Primary Language

C

Size

21,675 KB

Stars

5,715

Forks

559

Watchers

5,715

Language Usage

Language Usage

Star History

Star History

Recent Commits

  • Kelvin M. Klann (04 Oct 24)

    RELNOTES: add private-etc rework feature item And move the #6104 item into it. Relates to #5518 #5608 #5609 #5629 #5638 #5641 #5642 #5643 #5650 #5655. Relates to #5681 #5737 #5844 #5989 #6016 #6104 #6400.

  • Kelvin M. Klann (04 Oct 24)

    RELNOTES: add profile items Relates to #6444 #6498 #6499.

  • Kelvin M. Klann (04 Oct 24)

    profiles: firefox-common: allow org.freedesktop.portal.Documents (#6499) This fixes drag and drop for at least Dolphin. Fixes #6444. Reported-by: @Utini2000 Suggested-by: @rusty-snake

  • Kelvin M. Klann (01 Oct 24)

    profiles: kube: sort dbus entries This amends commit 7df28c1ed ("New profiles for balsa,trojita,kube (#3603)", 2020-09-03).

  • Kelvin M. Klann (01 Oct 24)

    profiles: signal-desktop: sort dbus entries This amends commit 047d86f46 ("Add access to D-Bus freedesktop.org secret API", 2024-10-01) / PR #6498.

  • netblue30 (01 Oct 24)

    Merge pull request #6494 from netblue30/dependabot/github_actions/github/codeql-action-3.26.10 build(deps): bump github/codeql-action from 3.26.6 to 3.26.10

  • netblue30 (01 Oct 24)

    Merge pull request #6495 from netblue30/dependabot/github_actions/actions/checkout-4.2.0 build(deps): bump actions/checkout from 4.1.7 to 4.2.0

  • netblue30 (01 Oct 24)

    Merge pull request #6496 from netblue30/dependabot/github_actions/step-security/harden-runner-2.10.1 build(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1

  • netblue30 (01 Oct 24)

    Merge pull request #6498 from corsac-s/patch-1 profiles: signal-desktop - Add access to D-Bus freedesktop.org secret API

  • Yves-Alexis Perez (01 Oct 24)

    Add access to D-Bus freedesktop.org secret API Signal recently started storing a local key in the freedesktop.org secret API so allow access in the profile

  • dependabot[bot] (01 Oct 24)

    build(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.9.1 to 2.10.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde...91182cccc01eb5e619899d80e4e971d6181294a7) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

  • dependabot[bot] (01 Oct 24)

    build(deps): bump actions/checkout from 4.1.7 to 4.2.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

  • dependabot[bot] (01 Oct 24)

    build(deps): bump github/codeql-action from 3.26.6 to 3.26.10 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.6 to 3.26.10. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4dd16135b69a43b6c8efb853346f8437d92d3c93...e2b3eafc8d227b0241d48be5f425d47c2d750a13) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

  • Kelvin M. Klann (28 Sept 24)

    RELNOTES: add build item Added on commit ba00d135f ("fix for old compilers", 2023-04-06). Relates to #5778.

  • Kelvin M. Klann (28 Sept 24)

    RELNOTES: add profile items Relates to #5337 #5447 #5902 #6391 #6486.

  • qdii (28 Sept 24)

    profiles: keepassxc: add new socket location (#6391) The KeePassXC browser extension looks for the KeePassXC socket at `${RUNUSER}/app/org.keepassxc.KeePassXC`[1]. But `${RUNUSER}/app` seems to be blacklisted in disable-common.inc under the flatpak section[2], so the KeePassXC extension cannot connect to it. Fixes #5447. Relates to #3984. [1] https://github.com/keepassxreboot/keepassxc/blob/6b1ab1a5edd66ac10706a2fb5af34ec9458a901d/src/browser/BrowserShared.cpp#L41 [2] https://github.com/netblue30/firejail/blob/b89ec818926b4bcd3a58bb4e2a67b68a8090ba1c/etc/inc/disable-common.inc#L667

  • Kelvin M. Klann (28 Sept 24)

    Merge pull request #6486 from kmk3/browsers-improve-comments profiles: browsers: centralize/sync/improve comments

  • Kelvin M. Klann (14 Jul 24)

    profiles: browsers: format and improve comments

  • Kelvin M. Klann (14 Jul 24)

    profiles: firefox-common: centralize dbus comments Relates to #3326 #6285 #6444.

  • Kelvin M. Klann (14 Jul 24)

    profiles: firefox-common: centralize migration wizard comment Relates to #3014.

  • Kelvin M. Klann (14 Jul 24)

    profiles: browsers: centralize/sync keepassxc extension comment Centralize it on firefox-common and copy it to chromium-common. Relates to #3984 #6391.

  • Kelvin M. Klann (14 Jul 24)

    profiles: browsers: sort blacklist entries See etc/templates/profile.template. Added on commit f3d126bf1 ("disable curl and wget in browsers based on firefox and chromium", 2021-12-18). Relates to #4852.

  • Kelvin M. Klann (19 Sept 24)

    RELNOTES: add profile items Relates to #5816 #5877 #6002 #6477 #6478 #6479.

  • Kelvin M. Klann (19 Sept 24)

    profiles: firecfg: disable text editors (#6477) Disable common general-purpose text editors. They are likely to be the default OS text editor and users may want to use them for editing most/all files, which could include common sensitive files such as ~/.bashrc and profiles in ~/.config/firejail. Fixes #6002. Relates to #924 #941 #1154. Reported-by: @ilikenwf

  • Kelvin M. Klann (19 Sept 24)

    tests: partially disable private-home.exp to fix ci This test started failing today with "TESTING ERROR 3". Log from a CI re-run of test-fs on commit 897f12dd8 ("build(deps): bump step-security/harden-runner from 2.9.0 to 2.9.1", 2024-09-01) / PR #6455[1]: 2024-09-19T13:39:04.5681290Z TESTING: private home (test/fs/private-home.exp) 2024-09-19T13:39:04.5713434Z spawn /bin/bash 2024-09-19T13:39:05.2772248Z touch ~/_firejail_test_file1 2024-09-19T13:39:05.2773779Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2774475Z <jail/firejail/test/fs$ touch ~/_firejail_test_file1 2024-09-19T13:39:05.2775175Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2776506Z <jail/firejail/test/fs$ touch ~/_firejail_test_file2 2024-09-19T13:39:05.2777841Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2778918Z <ejail/firejail/test/fs$ mkdir ~/_firejail_test_dir1 2024-09-19T13:39:05.2780080Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2780903Z <fs$ mkdir ~/_firejail_test_dir1/_firejail_test_dir2 2024-09-19T13:39:05.2781613Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2782461Z <_test_dir1/_firejail_test_dir2/_firejail_test_file3 2024-09-19T13:39:05.2783224Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2784047Z <firejail/test/fs$ ln -s /etc ~/_firejail_test_link1 2024-09-19T13:39:05.2784851Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2785861Z < ln -s ~/_firejail_test_dir1 ~/_firejail_test_link2 2024-09-19T13:39:05.2787008Z runner@fv-az1247-944:~/work/firejail/firejail/test/fs$ 2024-09-19T13:39:05.2788303Z <test_file1,_firejail_test_file2,_firejail_test_dir1 [...] 2024-09-19T13:39:05.4971716Z runner@fv-az1247-944:~$ find ~ 2024-09-19T13:39:05.4989255Z /home/runner 2024-09-19T13:39:05.4990116Z /home/runner/_firejail_test_file1 2024-09-19T13:39:05.4990768Z /home/runner/_firejail_test_file2 2024-09-19T13:39:05.4991299Z /home/runner/_firejail_test_dir1 2024-09-19T13:39:05.4992082Z /home/runner/_firejail_test_dir1/_firejail_test_dir2 2024-09-19T13:39:05.4992760Z /home/runner/_firejail_test_dir1/_firejail_test_dir2/_firejail_test_file3 [...] 2024-09-19T13:39:15.4995765Z runner@fv-az1247-944:~$ TESTING ERROR 3 2024-09-19T13:39:15.5000367Z Misc: This was noticed on #6477. [1] https://github.com/netblue30/firejail/actions/runs/10655583953/job/30378507249

  • Kelvin M. Klann (19 Sept 24)

    profiles: ssh: add ${RUNUSER}/gvfsd-sftp (#6479) Based on the report by @Saren-Arterius[1]: Since GNOME gvfs 1.53+, the ssh client options `ControlMaster=auto` and `ControlPath=/run/user/$UID/gvfsd-sftp/%C` are used to mount sftp. Since `/run/user/$UID/gvfsd-sftp` is not whitelisted, gvfs sftp mount with nautilus will fail with a meaningless error message shown in the UI. Steps to reproduce[1]: Prepare ssh server or localhost, then run: ssh -o"ForwardX11 no" -o"ForwardAgent no" \ -o"PermitLocalCommand no" -o"ClearAllForwardings yes" \ -o"NoHostAuthenticationForLocalhost yes" \ -o"ControlMaster auto" \ -o"ControlPath=/run/user/${UID}/gvfsd-sftp/test" \ -s {SSH_HOST} sftp stderr shows: unix_listener: cannot bind to path /run/user/$UID/gvfsd-sftp/test.{RANDOM_STRING}: No such file or directory And ssh exits with error code 255. Fixes #5816. [1] https://github.com/netblue30/firejail/issues/5816#issue-1695295931 Reported-by: @Saren-Arterius Suggested-by: @Saren-Arterius Reported-by: @Alex-Farol Reported-by: @mirko

  • Kelvin M. Klann (15 Sept 24)

    profiles: ssh: sort entries Related commits: * 4747e0ed7 ("Whitelist runuser common (#3286)", 2020-03-31) * ebd4b3eea ("profiles: ssh: allow gpgagent socket for custom homedir (#6419)", 2024-08-07)

  • Kelvin M. Klann (16 Sept 24)

    profiles: nextcloud: fix access to ~/Nextcloud (#6478) Related commits: * 7c481eb43 ("Add QOwnNotes profile", 2018-10-20) * 49a381c70 ("Add nextcloud-desktop", 2021-02-20) / PR #3997 Fixes #5877. Reported-by: @Sadoon-AlBader

  • Kelvin M. Klann (14 Sept 24)

    profiles: nextcloud: sort entries Relates to #3997.

  • Kelvin M. Klann (14 Sept 24)

    profiles: wesnoth: allow lua (#6476) Fixes the following error: $ LC_ALL=C firejail /usr/bin/wesnoth [...] /usr/bin/wesnoth: error while loading shared libraries: liblua++.so.5.4: cannot open shared object file: Permission denied Environment: lua 5.4.7-1, wesnoth 1:1.18.2-2 on Arch Linux. Fixes #6475. Reported-by: @marek22k

Firejail Website

Website

GitHub: Let’s build from here Β· GitHub

GitHub is where over 100 million developers shape the future of software, together. Contribute to the open source community, manage your Git repositories, review code like a pro, track bugs and features, power your CI/CD and DevOps workflows, and secure code before you commit it.

Redirects

Does not redirect

Security Checks

All 66 security checks passed

Server Details

  • IP Address 140.82.112.4
  • Hostname lb-140-82-112-4-iad.github.com
  • Location San Francisco, California, United States of America, NA
  • ISP GitHub Inc.
  • ASN AS36459

Associated Countries

  • US

Saftey Score

Website marked as safe

100%

Blacklist Check

github.com was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

Website Preview

Firejail Reviews

More Linux Defenses

About the Data: Firejail

API

You can access Firejail's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/operating-systems/linux-defenses/firejail

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of data included in this page comes from, and how it is computed, see the About the Data section of our About page.

Share Firejail

Help your friends compare Linux Defenses, and pick privacy-respecting software and services.
Share Firejail and Awesome Privacy with your network!

View Linux Defenses (6)