Why This Matters
Many applications are better off running in a sandbox. Browsers (especially closed-source ones) and email clients are strong candidates for sandboxing. A sandbox restricts an application to a limited set of safe directories and blocks access to the rest of the system.
When to Use FireJail
FireJail is particularly useful for:
- Web browsers (Chrome, Firefox, Chromium)
- Email clients (Evolution, Thunderbird)
- Media players
- Any application that processes untrusted content
Installation
Install FireJail
On Debian-based systems:
For Debian 10 Stable, the official backport is recommended:
Create symbolic links for applications
To run an application in a sandbox, create a symbolic link in /usr/local/bin that points to firejail.
Examples for common applications:
This works because /usr/local/bin typically appears before /usr/bin or /bin in your system’s PATH. When you launch the application, the system finds the symbolic link first and runs firejail instead.
Managing Sandboxed Applications
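The PATH precedence that the symbolic links rely on can be checked per command. The script below is an added example, not part of the original page or of the Firejail project; it reports whether a command name resolves first to a symbolic link that points to firejail. The helper names `first_in_path` and `sandbox_status` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: does a command name resolve to a firejail symlink first?
# first_in_path and sandbox_status are hypothetical helper names.

# first_in_path NAME PATHSTRING
# Print the first executable file called NAME in the colon-separated
# PATHSTRING, the same left-to-right search the shell performs.
first_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.        # an empty PATH entry means "."
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# sandbox_status NAME [PATHSTRING]
# Print "sandboxed" if the first match is a symlink whose target is named
# firejail, "unsandboxed" if something else wins, "missing" if no match.
sandbox_status() {
    hit=$(first_in_path "$1" "${2:-$PATH}") || { echo missing; return 0; }
    if [ -L "$hit" ]; then
        target=$(readlink "$hit")
        if [ "${target##*/}" = firejail ]; then
            echo sandboxed
            return 0
        fi
    fi
    echo unsandboxed
}

# Report each command name given on the command line.
for app in "$@"; do
    printf '%s: %s\n' "$app" "$(sandbox_status "$app")"
done
```

An "unsandboxed" result for a command that has a link in /usr/local/bin means another directory comes earlier in PATH, so the link is never reached.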
Remove Sandboxing
To allow a sandboxed app to run normally again, simply remove the symbolic link:
Custom Profiles
FireJail comes with pre-configured profiles for many applications. You can customize these profiles in:
How It Works
When you launch a sandboxed application:
- The system executes the firejail symbolic link
- FireJail reads the application name and loads the appropriate profile
- FireJail creates an isolated environment with:
  - Limited filesystem access
  - Restricted network capabilities (if configured)
  - Separate process namespace
- The application runs within these constraints
What This Provides
Filesystem Isolation
Applications can only access specific directories, preventing unauthorized file access
Process Isolation
Sandboxed processes are separated from the rest of the system
Network Control
Optional network restrictions can prevent unauthorized connections
Easy Management
Simple symlink-based activation and deactivation