Firejail 0.9.78 has been released. The project develops a system for isolated execution of graphical, console and server applications, which minimizes the risk of compromising the host system when running untrusted or potentially vulnerable programs. The program is written in C, distributed under the GPLv2 license and runs on any Linux distribution with a kernel newer than 3.0. Ready-made Firejail packages are available in deb (Debian, Ubuntu) and rpm (CentOS, Fedora) formats.
For isolation, Firejail uses Linux namespaces, AppArmor and system call filtering (seccomp-bpf). Once launched, the program and all its child processes get separate views of kernel resources such as the network stack, the process table and the mount points. Applications that depend on each other can be combined into one shared sandbox. If desired, Firejail can also be used to launch Docker, LXC and OpenVZ containers.
Unlike container isolation tools, firejail is extremely simple to configure and does not require preparing a system image: the contents of the container are assembled on the fly from the current file system and discarded when the application exits. Flexible means of defining file system access rules are provided; you can specify which files and directories may or may not be accessed, mount temporary file systems (tmpfs) for data, restrict access to files or directories to read-only, and combine directories via bind-mount and overlayfs.
For a large number of popular applications, including Firefox, Chromium, VLC and Transmission, ready-made profiles with system call isolation are provided. To obtain the privileges needed to set up the sandboxed environment, the firejail executable is installed with the SUID root bit (privileges are dropped after initialization). To run a program in isolation mode, simply pass the application name as an argument to the firejail
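As an added illustration (not part of the release announcement or the project's own profile set), the following custom profile combines the access controls described above for a hypothetical untrusted program named `untrusted-viewer`; the program name and the whitelisted paths are assumptions, and every directive used is standard Firejail profile syntax.

```text
# ~/.config/firejail/untrusted-viewer.profile
# Firejail picks this file up automatically when running:
#   firejail untrusted-viewer
# (or explicitly with --profile=~/.config/firejail/untrusted-viewer.profile)

# Start from the project's shared deny-list of sensitive files
# (shell history, password managers, keyrings and so on).
include disable-common.inc

# File system: only the directories listed here remain visible in $HOME;
# everything else is hidden behind an empty view of the home directory.
whitelist ${HOME}/Downloads/untrusted
read-only ${HOME}/Downloads/untrusted/reference   # assumed path, never writable
blacklist ${HOME}/.ssh                             # belt and braces on top of whitelist
tmpfs ${HOME}/.cache                               # scratch data discarded on exit
noexec ${HOME}                                     # nothing in $HOME may be executed
noexec /tmp

# Private copies of /tmp, /dev and a minimal /etc instead of the host's.
private-tmp
private-dev
private-etc alternatives,fonts,ld.so.cache,ld.so.conf,localtime

# Process-level hardening: no privilege escalation, no root, no capabilities.
caps.drop all
nonewprivs
noroot

# System call filtering (seccomp-bpf) with the default deny-list.
seccomp

# No network stack at all for this viewer.
net none

# Cut the sandbox off from the session and system D-Bus.
dbus-user none
dbus-system none
```

Run `firejail --list` from another terminal to see the sandbox, and `firejail --debug untrusted-viewer` to print which files were blacklisted, whitelisted or mounted while the sandbox was being built.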