Malware seeks to exploit vulnerabilities in the browser or background services. After gaining access, malicious software changes configuration files, installs rootkits, or exploits other software. Firejail prevents malware from taking over by locking away Firefox, Apache, or any other at risk software in a jail.
Firejail is a security sandbox that works on your existing filesystem. It’s not like a container manager (Docker, nspawn, LXC) with a separate root filesystem. Containers focus on the virtualization market, while sandboxes focus on application security. Firejail can be invoked and configured by normal unprivileged users.
Firejail contains software like web browsers, email clients, games, and utility software to ensure any potentially harmful content doesn’t spread and damage the rest of your computer. It offers another layer of protection between your computer and the net. It also protects user login sessions.
To add the layer of protection, simply prefix your command with “firejail”. For example, to start Firefox, Chromium, Skype, Spotify you’d type at a shell:
$ firejail firefox
$ firejail chromium
$ firejail skype
$ firejail spotify
When you type such a command, Firejail seeks a security profile based on the name of the application. There are various protection mechanisms Firejail can employ, and these are automatically specified on a per-application basis through the use of a profile configuration file. If such a profile is not found, the software uses a default profile which is quite restrictive. There are hundreds of software that come with profiles.
There’s desktop integration in Firejail. Type “sudo firecfg” in a terminal. And see page 4 for details about Firetools, the graphical user interface.