firejail command

firejail sandboxes applications

Typical usage: constructing sandbox environments, confinement of processes, testing software

Introduction to firejail

Firejail is a program that can sandbox other programs. Its intended purpose is to restrict a program by limiting what a process and its children can see or do.

To achieve sandboxing functionality, Firejail uses Linux capabilities, namespaces, and secure computing in the form of seccomp-bpf. The current implementation of Firejail uses a SUID binary. That means that there is a risk of compromise if a bug in Firejail can be exploited. The project therefore recommends limiting who can access the tooling.

As Firejail is an alternative sandboxing tool to Flatpak and Snap, these will not work together.

Examples

Tracing DNS requests

Firejail comes with a very handy option, --dnstrace, to see the initiated DNS requests. If a program is specified, it will show the DNS requests for the applicable namespaces. When the option is provided alone, all namespaces are monitored. This is very useful to quickly see what DNS requests happen on a system.

# firejail --dnstrace
DNS trace for Sun Dec 15 00:02:21 2024
00:02:28  192.168.123.1    _http._tcp.security.debian.org (type 33)
00:02:28  192.168.123.1    _http._tcp.deb.debian.org (type 33)
00:02:28  192.168.123.1    debian.map.fastlydns.net (type 1)
00:02:28  192.168.123.1    debian.map.fastlydns.net (type 28)
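
To triage a longer trace, the following added example (not part of the original page or the Firejail project) parses the output format shown above, names the numeric record types, and lists queried names that fall outside an allow-list. The allow-list, the `telemetry.example.net` line and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Well-known DNS record type numbers (IANA registry), common ones only.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT",
            28: "AAAA", 33: "SRV", 65: "HTTPS"}

# One trace line as printed on this page: time, address, name, "(type N)".
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<addr>\S+)\s+(?P<name>\S+)"
    r"\s+\(type (?P<rtype>\d+)\)\s*$")

def parse_trace(text):
    """Return one dict per query line; the header and other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        num = int(m["rtype"])
        records.append({"time": m["time"], "addr": m["addr"],
                        "name": m["name"].rstrip(".").lower(),
                        "type": RR_TYPES.get(num, f"TYPE{num}")})
    return records

def is_expected(name, suffixes):
    """True if name equals an allowed suffix or is a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def unexpected(records, suffixes):
    """Sorted unique names that fall outside the allow-list."""
    return sorted({r["name"] for r in records
                   if not is_expected(r["name"], suffixes)})

# Trace from this page plus one constructed line (example.net) for contrast.
SAMPLE = """\
DNS trace for Sun Dec 15 00:02:21 2024
00:02:28  192.168.123.1    _http._tcp.security.debian.org (type 33)
00:02:28  192.168.123.1    _http._tcp.deb.debian.org (type 33)
00:02:28  192.168.123.1    debian.map.fastlydns.net (type 1)
00:02:28  192.168.123.1    debian.map.fastlydns.net (type 28)
00:02:31  192.168.123.1    telemetry.example.net (type 16)
"""
ALLOWED = ["debian.org", "fastlydns.net"]  # assumed allow-list for an apt run

if __name__ == "__main__":
    recs = parse_trace(SAMPLE)
    print(Counter(r["type"] for r in recs))
    print("unexpected:", unexpected(recs, ALLOWED))
```

The suffix match is anchored on a dot, so a look-alike such as `notdebian.org` is not treated as part of `debian.org`.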

Blocking capabilities

To see if a tool uses any capabilities, we can tell Firejail to block them all. If a capability is required for proper functioning, the failure will show up very quickly.

# firejail --caps.drop=all ping 192.168.1.1
/bin/bash: line 1: /usr/bin/ping: Operation not permitted

So this needs a capability. With filecap we can easily find out which one `ping` requires.

# filecap /usr/bin/ping
set       file                 capabilities  rootid
effective /usr/bin/ping    net_raw

So in this case we need to allow the CAP_NET_RAW capability.

# firejail --caps.keep=net_raw ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=0.474 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.474/0.474/0.474/0.000 ms

Now the ping command works again.

Project details

Background information about the firejail command.

Author (alias): netblue30
First release version: 0.9
First release date: 2014-04-12
License: GPLv2
Requires root permissions: no

Installation

When the firejail command is not installed by default, it can be added to the system using the relevant software package.

Package information for firejail command

| Operating system | Package name | Installation |
|---|---|---|
| AlmaLinux | firejail | dnf install firejail |
| Arch Linux | firejail | pacman -S firejail |
| Debian | firejail | apt install firejail |
| Fedora | firejail | dnf install firejail |
| Red Hat Enterprise Linux | firejail | dnf install firejail |
| Rocky Linux | firejail | dnf install firejail |
| Ubuntu | firejail | apt install firejail |

Usage

Available options

| Option | Description |
|---|---|
| --build | Run a program and build a profile that uses the concept of allow-listing. After the application ends, the suggested profile will be displayed. |
| --caps.drop | Define which Linux capabilities to drop. Use 'all' to deny all capabilities, or define a comma-separated list for capabilities to block. This is the concept of deny-listing. |
| --caps.keep | Define which Linux capabilities should be allowed. Use comma-separated list to define multiple capabilities. |
| --version | Show version and built-in application support |

Frequently Asked Questions

What is the firejail command and its purpose?

Firejail is a tool to sandbox applications to restrict what they can do. It is a useful tool to limit the risk of privilege escalation and exploits.

Which package provides the firejail command?

The command firejail is provided by the firejail package.