Firejail - Linux namespaces sandbox program

Installing

$ sudo apt install firejail

NixOS

programs.firejail.enable = true;

Profiles

$ firejail firefox             # Run firefox with the profile matching its name (firefox.profile)

$ firejail --noprofile firefox # Run firefox without a profile

$ firejail --profile=firefox.profile firefox
                               # Run firefox with profile firefox.profile

Hint: there are default profiles for a lot of programs in /etc/firejail. A profile with the same name in ~/.config/firejail takes precedence, and the stock profiles include a firefox.local (etc.) from there for small persistent overrides.

Jails

$ mkdir -p ~/jails/firefox1                       # Create a jail

$ firejail --private=$HOME/jails/firefox1 firefox # Run firefox in a jail

firefox now sees ~/jails/firefox1 as its home directory (firejail mounts it over $HOME) and cannot reach your real home directory. Whatever it writes there persists between runs. The directory must already exist and be owned by you, or firejail refuses to start.

$ firejail --private firefox # Run firefox in a temporary jail (empty tmpfs home, discarded on exit)

$ firejail --private=$HOME/jails/firefox1 --keep-var-tmp firefox
                             # Expose /var/tmp to a jail

firefox will run in the same jail, but with access to the real /var/tmp (by default firejail replaces it with a private tmpfs)

Manage running programs

$ firejail --list # List running programs

$ firejail --top  # Get a top-like monitor

Misc Features

$ firejail --net=none emacs # Run Emacs without internet access
$ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
                            # Run firefox with a specific dns server
$ firejail --caps.drop=all   # Run a shell with all capabilities dropped; setuid helpers such as sudo cannot escalate inside it
                             # Running firejail without a program starts your shell
$ firejail --nosound firefox # Run a program without sound

$ firejail --novideo firefox # Run a program without access to webcams
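The following wrapper puts the jail steps above (create the directory, run the program with --private pointing at it) together with the hardening options from this page and from the Misc Features list. It is an added example, not part of the cheat sheet or of the Firejail project. It assumes firejail is installed, that ~/jails (or $JAIL_ROOT) is writable, and uses the option names from firejail(1); the function names are my own.

```shell
#!/bin/sh
# Added example: run a program in a persistent, named Firejail jail.
# Assumes: firejail is installed; JAIL_ROOT (default ~/jails) is writable.

JAIL_ROOT="${JAIL_ROOT:-$HOME/jails}"

# Print the home directory for a named jail. Names that could escape
# JAIL_ROOT (empty, containing '/', or starting with '.') are rejected,
# so --private= never points outside the jail root.
jail_home() {
    case "$1" in
        ''|*/*|.*) echo "jail_home: bad jail name '$1'" >&2; return 1 ;;
    esac
    printf '%s\n' "$JAIL_ROOT/$1"
}

# Print the firejail options applied to every jail, one per line.
# $1 is "net" (network allowed) or "nonet" (adds --net=none).
jail_flags() {
    printf '%s\n' --caps.drop=all --nonewprivs --noroot --seccomp --nosound --novideo
    if [ "$1" = nonet ]; then
        printf '%s\n' --net=none
    fi
}

# Create the jail directory if needed (firejail requires it to exist and
# to be owned by the caller) and exec the program inside it.
# Usage: run_jailed NAME net|nonet PROGRAM [ARGS...]
run_jailed() {
    name="$1"; net="$2"; shift 2
    home="$(jail_home "$name")" || return 1
    mkdir -p "$home" && chmod 700 "$home" || return 1
    # Turn the newline-separated flag list into positional parameters
    # without word-splitting on spaces or expanding globs.
    IFS='
'
    set -f
    set -- "--private=$home" $(jail_flags "$net") "$@"
    set +f
    unset IFS
    exec firejail "$@"
}

# Examples:
#   run_jailed firefox1 net firefox        # own profile store, no mic/webcam
#   run_jailed emacs-offline nonet emacs   # no network, files persist in ~/jails/emacs-offline
```

The jail-name check matters because the name is spliced into a path: without it, a name such as ../.. would hand firejail your real home directory as the "private" one and the isolation described under Jails would silently disappear.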