Firejail – Securely Run Untrusted Applications in Linux

Sometimes you may want to use applications that have not been well tested in different environments, yet you must use them. In such cases, it is normal to be concerned about the security of your system. One thing that can be done in Linux is to use applications in a sandbox.

“Sandboxing” is the ability to run an application in a limited environment. That way the application is given only the tightly restricted set of resources it needs to run. Thanks to an application called Firejail, you can safely run untrusted applications in Linux.

Firejail is a SUID (Set Owner User ID) application that reduces the risk of security breaches by restricting the running environment of untrusted programs using Linux namespaces and seccomp-bpf.

It gives a process and all its descendants their own private view of the globally shared kernel resources, such as the network stack, process table and mount table.

Some of the features that Firejail uses:

  • Linux namespaces
  • Filesystem container
  • Security filters
  • Networking support
  • Resource allocation

Detailed information about Firejail features can be found on the official page.

How to Install Firejail in Linux

The installation can be completed by downloading the latest source from the project’s GitHub page using the git command as shown.

$ git clone
$ cd firejail
$ ./configure && make && sudo make install-strip

In case you don’t have git installed on your system, you can install it with:

$ sudo apt install git  [On Debian/Ubuntu]
# yum install git       [On CentOS/RHEL]
# dnf install git       [On Fedora 22+]

An alternative way of installing Firejail is to download the package for your Linux distribution and install it with its package manager. Files can be downloaded from the SourceForge page of the project. Once you have downloaded the file, you can install it with:

$ sudo dpkg -i firejail_X.Y_1_amd64.deb   [On Debian/Ubuntu]
$ sudo rpm -i firejail_X.Y-Z.x86_64.rpm   [On CentOS/RHEL/Fedora]

How to Run Applications with Firejail in Linux

You are now ready to run your applications with firejail. This is accomplished by launching a terminal and adding firejail before the command you wish to run.

Here is an example:

$ firejail firefox    # start Firefox web browser
$ firejail vlc        # start VLC player

Create Security Profile

Firejail includes many security profiles for different applications and they are stored in:


If you have built the project from source, you can find the profiles in:

# path-to-firejail/etc/

If you have used the rpm/deb package, you can find the security profiles in:


Users should place their profiles in the following directory:


If you want to extend an existing security profile, you can use an include line with the path to that profile and add your own lines after it. This should look something like this:

$ cat ~/.config/firejail/vlc.profile

include /etc/firejail/vlc.profile
net none

If you wish to prevent an application from accessing a certain directory, you can use a blacklist rule. For example, you can add the following to your security profile:

blacklist ${HOME}/Documents

Another way to achieve the same result is to give the full path to the folder you wish to restrict:

blacklist /home/user/Documents

There are many different ways in which you can configure your security profiles, such as disallowing access, allowing read-only access, etc. If you are interested in building custom profiles, you can check the following Firejail instructions.

Firejail is an awesome tool for security-minded users who want to protect their system.
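Added example, not from the original article or the Firejail project: a small shell helper that flattens a profile by following its include lines, so you can confirm that an override like the vlc.profile above really ends up with net none and the blacklist rules you expect. It handles only the three directives shown here and absolute include paths; the function names and the sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Firejail code): flatten a profile by following "include"
# lines and report the restrictions it ends up with. Handles only the
# directives shown in the article: include, net none, blacklist.

# expand_home TEXT: replace the ${HOME} profile macro with the real home dir.
expand_home() {
    printf '%s\n' "$1" | sed "s|[$]{HOME}|${HOME}|g"
}

# profile_rules FILE [DEPTH]: print one effective rule per line.
profile_rules() {
    [ "${2:-0}" -le 8 ] || { echo "include-too-deep $1"; return 0; }
    [ -r "$1" ] || { echo "unreadable $1"; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(expand_home "$line")
        case $line in
            'include '*)   profile_rules "${line#include }" $(( ${2:-0} + 1 )) ;;
            'net none')    echo "net none" ;;
            'blacklist '*) echo "$line" ;;
        esac
    done < "$1"
}

# profile_no_net FILE: succeed if the flattened profile disables networking.
profile_no_net() {
    profile_rules "$1" | grep -qx 'net none'
}

# profile_blocks FILE PATH: succeed if PATH or one of its parents is blacklisted.
profile_blocks() {
    profile_rules "$1" | awk -v p="$2" '
        sub(/^blacklist /, "") && (p == $0 || index(p, $0 "/") == 1) { hit = 1 }
        END { exit !hit }'
}

# make_sample DIR: write constructed profiles mirroring the vlc override above.
make_sample() {
    printf '%s\n' '# constructed stand-in for /etc/firejail/vlc.profile' \
        'blacklist ${HOME}/.ssh' > "$1/base.profile"
    printf '%s\n' "include $1/base.profile" 'net none' \
        'blacklist ${HOME}/Documents' > "$1/vlc.profile"
}

tmp=$(mktemp -d) && make_sample "$tmp"
profile_rules "$tmp/vlc.profile"      # prints the three effective rules
profile_blocks "$tmp/vlc.profile" "$HOME/Documents/report.pdf" && echo "Documents blocked"
rm -rf "$tmp"
```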


Marin Todorov

I am a bachelor in computer science and a Linux Foundation Certified System Administrator. Currently working as a Senior Technical support in the hosting industry. In my free time I like testing new software and inline skating.


2 Responses

  1. yep says:

    default profiles are pretty bad, otherwise it’s fine

  2. dragonmouth says:

    Firejail can be used to sandbox and secure ANY application, whether trusted or untrusted.

    Firejail users should also download/install Firetools package which provides a GUI front end for Firejail as well as other helpful options.
