Firejail - sandbox your Linux apps

Hi there,

I have been using Firejail for a while now and think it's pretty awesome.


I can sandbox my browsers, mail clients, torrent clients pretty much any web facing app.

I have just been poking around in the man pages and found...

 firejail --dns= --dns= firefox

This command will run Firefox sandboxed and only allow the designated DNS.

Obviously  Googles DNS is just an example.


For those who haven't seen this app it's definitely worth taking some time to check it out.




Yes it is a great tool, been using it myself too. Although AppArmor/SELinux can do all of that (and more) and are more tightly integrated/preinstalled in many Linux distros, I find firejail to be much easier to configure.


Any firejail user should definitely spend some time to fully understand how to use the profiles in /etc/profile/firejail and how to customize them. Perhaps one of the most useful features: limit filesystem access.

Remember the recent Firefox PDF exploit that allowed malicious websites to read and upload arbitrary files from your computer?

Firejail could have protected your documents:


blacklist ${HOME}/Documents


You still want Firefox to access your nested "Screenshots" folder?

noblacklist ${HOME}/Documents/Screenshots


It's that easy!

all of my content is released under CC-BY-SA 2.0

Is there a way to use this for skype?


Yes, using AppArmor for example.

But note that Skype is not under the same threat as a Browser - it does not get fed by hundreds of scripts, plugins and parsing libraries like Firefox.

Skype essentially needs (I assume) access to hardware components like Webcam, Microphone and so on, and will probably not function properly without it.


I think you should look for an alternative software if you can, many people leave Skype because of horrible mobile support, bloat, and the deal with Microsoft.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

How much cpu overhead is this using?


Could be a nice way to keep two instances of steam running for inhome streaming ( wine & native )

