Firejail can integrate its own TCP/IP networking stack to the sandbox. The new stack comes with its own routing table, firewall and set of interfaces. Implemented as a Linux namespace inside the kernel, the stack is totally independent of host network stack.
You can connect the TCP/IP network interface with an existing network bridge, which is useful for setting up a demilitarized zone (DMZ), or for testing.
Profile files describe the filesystem container, the security filters and network configuration.
In these security profiles, you can enable the –seccomp and –caps functions. Additionally, you can define which directories Firejail will not pass through to the sandbox, or where access will be restricted to read-only, and you can define mount points to match. You can also define limits for the sandbox.
Firejail can switch the sandbox to Private mode. Here, the sandbox hides the complete home directory specifically from the running software.
Resources can be allocated using control groups and rlimits.
There’s support for both AppImage and Snap packages. AppImage is a format for distributing portable software on Linux without needing superuser permissions to install the application. Snaps are containerised software packages that are simple to create and install. They auto-update and are safe to run.
This feature helps users find any gaps in security profiles.
There’s also options to monitor system resources, tracing system calls, and logging access to blacklisted files and directories.