Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It includes sandbox profiles for Iceweasel/Mozilla Firefox, Chromium, Midori, Opera, Evince, Transmission, VLC, Audoacious, Clementine, Rhythmbox, Totem, Deluge, qBittorrent. DeaDBeeF, Dropbox, Empathy, FileZilla, IceCat, Thunderbird/Icedove, Pidgin, Quassel and XChat. Firejail also expands the restricted shell facility found in bash by adding Linux namespace support. It supports sandboxing specific users upon login. Download: http://sourceforge.net/projects/firejail/files/ Build and install: ./configure && make && sudo make install Documentation and support: https://firejail.wordpress.com/ Development: https://github.com/netblue30/firejail License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) Reiner Herrmann (https://github.com/reinerh) - a number of build patches - man page fixes - Debian and Ubuntu integration - clang-analyzer fixes - Debian reproducible build - unit testing framework - moved build to .xz - detached signatures for source archive - recursive mkdir Aleksey Manevich (https://github.com/manevich) - several profile fixes - fix problem with relative path in storage_find function - fix build for systems without bash - fix double quotes/single quotes problem - big rework of argument processing subsystem - --join fixes - spliting up cmdline.c - Busybox support - X11 support rewrite - gether shell selection code in one place - fixed several TOCTOU security problems - added --fix option to firecfg utility - read_pid fix - added --x11=block options - x11 xpra, xphyr, none profile commands - added --join-or-start command - CVE-2016-7545 Fred-Barclay (https://github.com/Fred-Barclay) - lots of profile fixes - added Vivaldi, Atril profiles - added PaleMoon profile - split Icedove and Thunderbird profiles - added 0ad profile - fixed version for .deb packages - added Warzone2100 profile - blacklisted VeraCrypt - added Gpredict profile - added Aweather, Stellarium profiles - fixed HexChat and Atril profiles - fixed disable-common.inc for mate-terminal - blacklisted escape-happy terminals in disable-common.inc - blacklisted g++ - added xplayer, xreader, and xviewer profiles - added Brave profile - added Gitter profile - various organising - added LibreOffice profile - added pix profile - added audacity profile - fixed Telegram and qtox profiles - added Atom Beta and Atom profiles - tightened 0ad, atril, evince, gthumb, pix, qtox, and xreader profiles - several private-bin conversions - added jitsi profile - pidgin private-bin conversion - added eom profile - added gnome-chess profile - added DOSBox profile - evince profile enhancement - tightened Spotify profile - added xiphos and Tor Browser Bundle profiles - added xed and pluma profiles - added Cryptocat profile valoq (https://github.com/valoq) - lots of profile fixes - added support for /srv in --whitelist feature - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles - blacklist suid binaries in disable-common.inc - fix man pages - added keypass2, qemu profiles - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles - added wget profile Lari Rauno (https://github.com/tuutti) - qutebrowser profile fixes SpotComms (https://github.com/SpotComms) - added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles - added PDFSam, Pithos, and Xonotic profiles Vasya Novikov (https://github.com/vn971) - Wesnoth profile - Hedegewars profile - manpage fixes - fixed firecfg clean/clear issue - found the ugliest bug so far - seccomp debug description in man page curiosity-seeker (https://github.com/curiosity-seeker) - tightening unbound and dnscrypt-proxy profiles - dnsmasq profile - okular and gwenview profiles - cherrytree profile fixes - added quiterss profile - added guayadeque profile Simon Peter (https://github.com/probonopd) - set $APPIMAGE and $APPDIR environment variables - AppImage version detection - Leafppad type v1 and v2 appimage packages in test/appimage BogDan Vatra (https://github.com/bog-dan-ro) - zoom profile Impyy (https://github.com/Impyy) - added mumble profile Vadim A. Misbakh-Soloviov (https://github.com/msva) - profile fixes Rafael Cavalcanti (https://github.com/rccavalcanti) - chromium profile fixes for Arch Linux Deelvesh Bunjun (https://github.com/DeelveshBunjun) - added xpdf profile Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix vismir2 (https://github.com/vismir2) - feh, ranger, 7z, keepass, keepassx and zathura profiles - claws-mail, mutt, git, emacs, vim profiles - lots of profile fixes - support for truecrypt and zuluCrypt graywolf (https://github.com/graywolf) - spelling fix Tomasz Jan Góralczyk (https://github.com/tjg) - fixed Steam profile pwnage-pineapple (https://github.com/pwnage-pineapple) - update Okular profile Sergey Alirzaev (https://github.com/l29ah) - firejail.h enum fix greigdp (https://github.com/greigdp) - Gajim IM client profile - fix Slack profile Icaro Perseo (https://github.com/icaroperseo) - Icecat profile - several profile fixes hamzadis (https://github.com/hamzadis) - added --overlay-named=name and --overlay-path=path Gaman Gabriel (https://github.com/stelariusinfinitek) - inox profile greigdp (https://github.com/greigdp) - fixed spotify profile - added Slack profile Laurent Declercq (https://github.com/nuxwin) - fixed test for shell interpreter in chroots Franco (nextime) Lanza (https://github.com/nextime) - added --private-template/--private-home xee5ch (https://github.com/xee5ch) - skypeforlinux profile Peter Hogg (https://github.com/pigmonkey) - WeeChat profile - rtorrent profile - bitlbee profile fixes - mutt profile fixes Thomas Jarosch (https://github.com/thomasjfox) - disable keepassx in disable-passwdmgr.inc - added uudeview profile - added tar (gtar), unzip and unrar profile - added file profile - improved profile list - fixed small variable glitch in stat64() / lstat64() (libtracelog) - added lstat() / lstat64() support to libtrace - include mkuid.sh in make dist Niklas Haas (https://github.com/haasn) - blacklisting for keybase.io's client Jaykishan Mutkawoa (https://github.com/jmutkawoa) - cpio profile Paupiah Yash (https://github.com/CaffeinatedStud) - gzip profile Akhil Hans Maulloo (https://github.com/kouul) - xz profile Rahul Golam (https://github.com/technoLord) - strings profile geg2048 (https://github.com/geg2048) - kwallet profile fixes maces (https://github.com/maces) - Franz messenger profile KellerFuchs (https://github.com/KellerFuchs) - nonewpriv support, extended profiles for this feature - make `restricted-network` prevent use of netfilter - disable-common.inc additions ValdikSS (https://github.com/ValdikSS) - Psi+, Corebird, Konversation profiles - various profile fixes avoidr (https://github.com/avoidr) - whitelist fix - recently-used.xbel fix - added parole profile - blacklist ncat - hostname support in profile file - Google Chrome profile rework - added cmus profile - man page fixes - add net iface support in profile files - paths fix - lots of profile fixes - added mcabber profile - fixed mpv profile - various other fixes Ruan (https://github.com/ruany) - fixed hexchat profile Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes Joan Figueras (https://github.com/figue) - added abrowser profile - added Google-Play-Music-Desktop-Player - added cyberfox profile Petter Reinholdtsen (pere@hungry.com) - Opera profile patch n1trux (https://github.com/n1trux) - fix flashpeak-slimjet profile typos Felipe Barriga Richards (https://github.com/fbarriga) - --private-etc fix Alexander Stein (https://github.com/ajstein) - added profile for qutebrowser Benjamin Kampmann (https://github.com/ligthyear) - Forward exit code from child process dshmgh (https://github.com/dshmgh) - overlayfs fix for systems with /home mounted on a separate partition yumkam (https://github.com/yumkam) - add compile-time option to restrict --net= to root only - man page fixes mahdi1234 (https://github.com/mahdi1234) - cherrytree profile - Seamonkey profiles jrabe (https://github.com/jrabe) - disallow access to kdbx files - Epiphany profile - Polari profile - qTox profile - X11 fixes jgriffiths (https://github.com/jgriffiths) - make rpm packages support Tom Mellor (https://github.com/kalegrill) - mupen64plus profile Martin Carpenter (https://github.com/mcarpenter) - security audit and bug fixes - Centos 6.x support pszxzsd (https://github.com/pszxzsd) -uGet profile Rahiel Kasim (https://github.com/rahiel) - Mathematica profile - whitelisted Dropbox profile - whitelisted keysnail config for firefox creideiki (https://github.com/creideiki) - make the sandbox process reap all children sinkuu (https://github.com/sinkuu) - blacklisting kwalletd - fix symlink invocation for programs placing symlinks in $PATH Bader Zaidan (https://github.com/BaderSZ) - Telegram profile Holger Heinz (https://github.com/hheinz) - manpage work Andrey Alekseenko (https://github.com/al42and) - fixing lintian warnings - fixed Skype profile Ivan Kozik (https://github.com/ivan) - speed up sandbox exit Christian Stadelmann (https://github.com/genodeftest) - profile fixes pirate486743186 (https://github.com/pirate486743186) - KMail profile Kaan Genç (https://github.com/SeriousBug) - dynamic allocation of noblacklist buffer Veeti Paananen (https://github.com/veeti) - fixed Spotify profile rogshdo (https://github.com/rogshdo) - BitlBee profile Bruno Nova (https://github.com/brunonova) - whitelist fix - bash arguments fix Matt Parnell (https://github.com/ilikenwf) - whitelisting for core firefox related functionality Ondra Nekola (https://github.com/satai) - allow firefox theming with non-global themes emacsomancer (https://github.com/emacsomancer) - added profile for Conkeror browser Daan Bakker (https://github.com/dbakker) - protect shell startup files Duncan Overbruck (https://github.com/Duncaen) - musl libc fix - utmp fix andrew160 (https://github.com/andrew160) - profile and man pages fixes Loïc Damien (https://github.com/dzamlo) - small fixes greigdp (https://github.com/greigdp) - add Spotify profile Mattias Wadman (https://github.com/wader) - seccomp errno filter support Peter Millerchip (https://github.com/pmillerchip) - memory allocation fix - --private.keep to --private-home transition - support for files and directories starting with ~ in blacklist option - support for files and directories with spaces in blacklist option - lots of other fixes sarneaud (https://github.com/sarneaud) - rewrite globbing code to fix various minor issues - added noblacklist command for profile files - various enhancements and bug fixes Patrick Toomey (http://sourceforge.net/u/ptoomey/profile/) - user namespace implementation sshirokov (http://sourceforge.net/u/yshirokov/profile/) - Patch to output "Reading profile" to stderr instead of stdout G4JC (http://sourceforge.net/u/gaming4jc/profile/) - ARM support - profile fixes dewbasaur (https://github.com/dewbasaur) - block access to history files - Firefox PDF.js exploit (CVE-2015-4495) fixes - Steam profile Michael Haas (https://github.com/mhaas) - bugfixes mjudtmann (https://github.com/mjudtmann) - lock firejail configuration in disable-mgmt.inc iiotx (https://github.com/iiotx) - use generic.profile by default pstn (https://github.com/pstn) - added install-strip, make install without strip Alexey Kuznetsov (kuznet@ms2.inr.ac.ru) - src/lib/libnetlink.c extracted from iproute2 software package Copyright (C) 2014-2016 Firejail Authors