Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It is written in C, has virtually no dependencies, and runs on any modern Linux system, with no daemon running in the background and no complicated configuration. It is super lightweight and super secure, since all actions are implemented by the kernel. It includes security profiles for over 800 common Linux applications. Firejail is recommended for running any app that may potentially pose some kind of risk, such as torrenting through Transmission, browsing the web, or opening downloaded attachments.

Open Source

Firejail Source Code

Author

netblue30

Description

Linux namespaces and seccomp-bpf sandbox

Homepage

https://firejail.wordpress.com

License

GPL-2.0

Created

08 Aug 15

Last Updated

17 May 24

Latest version

landlock-split

Primary Language

C

Size

20,803 KB

Stars

5,476

Forks

552

Watchers

5,476

Recent Commits

  • glitsj16 (17 May 24)

    New profile: nhex (#6341) Description: Tauri-based IRC client inspired by HexChat. https://nhexirc.com/ https://github.com/nhexirc/nhex

  • glitsj16 (14 May 24)

    profiles: hexchat: add noprinters (#6340)

  • dependabot[bot] (13 May 24)

    build(deps): bump github/codeql-action from 3.25.3 to 3.25.4 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.3 to 3.25.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/d39d31e687223d841ef683f52467bd88e9b21c14...ccf74c947955fd1cf117aef6a0e4e66191ef6f61) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

  • dependabot[bot] (13 May 24)

    build(deps): bump actions/checkout from 4.1.4 to 4.1.5 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/0ad4b8fadaa221de15dcec353f45205ec38ea70b...44c2b7a8a4ea60a981eaca3cf939b5f4305c123b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

  • duevo (12 May 24)

    profiles: steam: update novideo comment for webcam motion trackers (#6334) Update comment to account for camera-based motion trackers. Fixes an issue with https://github.com/markx86/opentrack-launcher, where video input devices won't show up unless novideo is removed.

  • Kelvin M. Klann (12 May 24)

    profiles: loupe: harden and disable apparmor (#6333) The profile currently does not include disable-common nor makes `${HOME}` read-only, so the program can simply write to ~/.bashrc directly[1]. disable-common.inc was commented due to it apparently breaking bwrap. As discovered by @glitsj16, it seems that allowing the bwrap binary is enough to make it work (and that apparmor breaks loupe)[2]. So disable apparmor, allow bwrap and include disable-common.inc, plus other hardening by @glitsj16. This amends commit 9a0db13e1 ("profiles: add loupe", 2024-04-30) / PR #6327. [1] https://github.com/netblue30/firejail/pull/6327#pullrequestreview-2033860865 [2] https://github.com/netblue30/firejail/pull/6333#issuecomment-2099805480

  • Kelvin M. Klann (12 May 24)

    landlock: fix misc alignment/newline This amends commit bf5a99360 ("landlock: add support for PATH macro", 2023-12-22). Relates to #6078.

  • glitsj16 (07 May 24)

    profiles: hexchat: allow lua/downloads and harden (#6331)

    * profiles: hexchat: hardenings
    * profiles: hexchat: allow lua/downloads and harden

    Allow more paths and add some extra options to harden the profile. We allow Perl but keep it out of private-bin. Do the same for Lua and clarify in the private-bin comment how to enable these interpreters.

    Consulted resources:

    - https://github.com/hexchat/hexchat/
    - https://hexchat.readthedocs.io/

  • dependabot[bot] (06 May 24)

    build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.7.0 to 2.7.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/63c24ba6bd7ba022e95695ff85de572c04a18142...a4aa98b93cab29d9b1101a6143fb8bce00e2eac4) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

  • glitsj16 (02 May 24)

    New profile: d-spy (#6328) Description: D-Bus debugger for GNOME https://gitlab.gnome.org/GNOME/d-spy From [1]: > D-Feet is no longer maintained. Please use d-spy [1] https://wiki.gnome.org/Apps/DFeet

  • dependabot[bot] (29 Apr 24)

    build(deps): bump github/codeql-action from 3.24.10 to 3.25.3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.10 to 3.25.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4355270be187e1b672a7a1c7c7bae5afdc1ab94a...d39d31e687223d841ef683f52467bd88e9b21c14) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

  • dependabot[bot] (29 Apr 24)

    build(deps): bump actions/checkout from 4.1.2 to 4.1.4 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.2 to 4.1.4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/9bb56186c3b09b4f86b1c65136769dd318469633...0ad4b8fadaa221de15dcec353f45205ec38ea70b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

  • Tavi (30 Apr 24)

    profiles: add loupe Signed-off-by: Tavi <[email protected]>

  • netblue30 (01 May 24)

    add support for comm, coredump, and prctl procevents in firemon

  • Kelvin M. Klann (28 Apr 24)

    landlock: fix building without landlock.h

    landlock.h may not be available on the system (such as with older versions of Linux API headers), so only try to include it if `HAVE_LANDLOCK` is defined.

    This fixes the following error from `build_debian_package` (which uses `debian:buster`) on GitLab CI[1]:

        $ ./mkdeb.sh --enable-fatal-warnings
        [...]
        gcc [...] -c ../../src/firejail/landlock.c -o ../../src/firejail/landlock.o
        ../../src/firejail/landlock.c:22:10: fatal error: linux/landlock.h: No such file or directory
         #include <linux/landlock.h>
                  ^~~~~~~~~~~~~~~~~~
        compilation terminated.

    This amends commit a05ae97af ("landlock: amend empty functions and comments", 2024-04-08) / PR #6305.

    Relates to #6078.

    [1] https://gitlab.com/Firejail/firejail_ci/-/jobs/6743161059

  • Kelvin M. Klann (29 Apr 24)

    profiles: fix new game profiles Fix sorting and improve comments. See etc/templates/profile.template. This amends commit 4c5f55899 ("several kids programs", 2024-04-29).

  • netblue30 (29 Apr 24)

    several kids programs

  • netblue30 (29 Apr 24)

    whitelisting /var/games by default

  • netblue30 (28 Apr 24)

    Merge branch 'master' of ssh://github.com/netblue30/firejail

  • netblue30 (28 Apr 24)

    --fbuilder cleanup

  • glitsj16 (25 Apr 24)

    profiles: fluffychat: remove option already present in disable-common.inc (#6322)

  • glitsj16 (25 Apr 24)

    profiles: audacity: allow networking by default (#6321) Newly-released audacity 3.5 supports cloud-saving and remote backup features: - https://www.audacityteam.org/blog/audacity-3-5/ - https://support.audacityteam.org/additional-resources/changelog/audacity-3.5#cloud-project-saving

  • Kelvin M. Klann (25 Apr 24)

    RELNOTES: add feature, modif and profile items Relates to #6302 #6305 #6307 #6308 #6309.

  • Kelvin M. Klann (25 Apr 24)

    Merge pull request #6307 from spiiroin/serialize_remounts modif: populate /run/firejail while holding flock

  • Simo Piiroinen (04 Apr 24)

    modif: populate /run/firejail while holding flock

    There are reports of firejail sandboxed applications occasionally taking a long time (12 seconds) to start up. When this happens, it affects all sandboxed applications until the device is rebooted.

    The reason for the slowdown seems to be a timing hazard in the way remounts under /run/firejail are handled. This gets triggered when multiple firejail processes are launched in parallel as part of user session bring up and results in some, dozens, hundreds, or even thousands of stray /run/firejail/xxx mounts. The amount of mount points then affects every mount operation that is done during sandbox filesystem construction.

    To stop this from happening, arrange it so that only one firejail process at a time is inspecting and/or modifying mountpoints under /run/firejail by doing:

    1. Create /run/firejail directory (without locking)
    2. Create and obtain a lock for /run/firejail/firejail-run.lock
    3. Setup files, directories and mounts under /run/firejail
    4. Release /run/firejail/firejail-run.lock

  • Simo Piiroinen (17 Apr 24)

    modif: improve flock handling

    Changes:

    * Centralize flock handling in preproc.c
    * Add debug and error logging
    * Abort if anything fails

    Co-authored-by: Kelvin M. Klann <[email protected]>

  • Kelvin M. Klann (17 Apr 24)

    refactor: make rundir lock variables global To enable using them outside of src/firejail/main.c.

  • netblue30 (23 Apr 24)

    static ip map

  • tools200ms (20 Apr 24)

    profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6309) The path is used in the Gentoo net-misc/openssh package (9.6_p1-r3). Fixes #6308.

  • glitsj16 (20 Apr 24)

    New profile: axel (#6315) https://github.com/axel-download-accelerator/axel

Firejail Website

Website

GitHub: Let’s build from here · GitHub

GitHub is where over 100 million developers shape the future of software, together. Contribute to the open source community, manage your Git repositories, review code like a pro, track bugs and features, power your CI/CD and DevOps workflows, and secure code before you commit it.

Redirects

Does not redirect

Security Checks

All 66 security checks passed

Server Details

  • IP Address 140.82.112.4
  • Hostname lb-140-82-112-4-iad.github.com
  • Location San Francisco, California, United States of America, NA
  • ISP GitHub Inc.
  • ASN AS36459

Associated Countries

  • US

Safety Score

Website marked as safe

100%

Blacklist Check

github.com was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort

About the Data: Firejail

API

You can access Firejail's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/operating-systems/linux-defenses/firejail

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of the data included on this page comes from, and how it is computed, see the About the Data section of our About page.
