Firejail Basics
Firejail - Linux namespaces sandbox program
Installing#
$ apt install firejail
NixOS#
programs.firejail.enable = true;
Profiles#
$ firejail firefox # Run firefox with the default profile
$ firejail --noprofile firefox # Run firefox without a profile
$ firejail --profile=firefox.profile firefox
# Run firefox with profile firefox.profile
Hint: there are default profiles for a lot of programs in /etc/firejail
Jails#
$ mkdir -p ~/jails/firefox1 # Create a jail
$ firejail --private=$HOME/jails/firefox1 firefox # Run firefox in a jail
firefox will now run as if ~/jails/firefox1 is the home folder and it will not be able to access your actual home folder
$ firejail --private firefox # Run firefox in a temporary jail
$ firejail --private=$HOME/jails/firefox1 --keep-var-tmp firefox
# Expose /var/tmp to a jail
firefox will run in a jail with to access /var/tmp
Manage running programs#
$ firejail --list # List running programs
$ firejail --top # Get a top-like monitor
Misc Features#
$ firejail --net=none emacs # Run Emacs without internet access
$ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
# Run firefox with a specific dns server
$ firejail --caps.drop=all # Run a shell that cannot sudo
# Running firejail without a program will run a shell
$ firejail --nosound firefox # Run a program without sound
$ firejail --novideo firefox # Run a program without access to webcams