Our focus is GUI application sandboxing, with web browsers being the main target. The sandbox denies access to private files in the user’s home directory. Inside the sandbox, the Downloads directory and the browser configuration files are real; everything else is stored in a temporary filesystem and later discarded.

This guide describes the steps necessary to install and configure the Firejail sandbox on Linux Mint. Both Cinnamon and MATE desktop environments are supported. We provide similar support for all desktop managers.

Installing and configuring Firejail

Download the latest Firejail .deb package from our Download page and run the following three commands in a terminal:

$ sudo dpkg -i firejail_0.9.46_1_amd64.deb
$ firecfg --fix-sound
$ sudo firecfg

The first command installs the Firejail software. The second command works around some shared memory/PID namespace bugs in PulseAudio versions prior to 9. The third command integrates Firejail into your desktop. You need to log out and log back in to apply the PulseAudio changes.

Running applications

Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. The integration applies to any program supported by default by Firejail. There are about 250 default applications in Firejail version 0.9.46, and the number goes up with every new release. We keep the list in the /usr/lib/firejail/firecfg.config file.

Just for fun, start several programs by clicking your desktop manager menus, then open a terminal and run the following command:

$ firejail --top

This command tells you which programs are running in a Firejail sandbox. If your program was not sandboxed automatically, use the old method of prefixing your program with the “firejail” command:

$ firejail program-name

Installing new programs

Run sudo firecfg every time you install a new program. Here is a Chromium browser example:

$ sudo apt-get install chromium-browser
$ sudo firecfg

Desktop launchers

Cleaning up my software archive, I ran into an old copy of Pentix. This is a very addictive Tetris clone I used to play in a DOS window way back when computers used to be fun. I created a directory pentix in my home and copied the game there. The next step was to go to the Desktop directory and create a launcher for the game. The launcher is a regular text file with the following content:

[Desktop Entry]
Type=Application
Name=Pentix
Icon=/home/netblue/pentix/pentix.png
Exec=dosbox /home/netblue/pentix/pentix.exe
Terminal=false

I use the dosbox emulator (sudo apt-get install dosbox) to run the game. Firejail will sandbox the emulator automatically with a proper security profile. The icon pentix.png is something I grabbed from a clipart website. The first time I click on the icon, a very annoyed Cinnamon tells me the launcher is not marked as trusted. I press “Mark as trusted” and get on with the game.
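
To confirm that a launcher like the one above really starts its program inside the sandbox, the following added example (not part of the original guide or of the Firejail project) checks the Exec= command of each launcher file. It assumes firecfg integrates a program through a symbolic link named after it, normally in /usr/local/bin, that points to the firejail binary; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a .desktop launcher will start in Firejail.
# Assumption: firecfg integrates a program by creating a symlink with the
# program's name (normally in /usr/local/bin) that points to firejail.
# Usage: sh check-launchers.sh ~/Desktop/*.desktop

# Print the program named on the first Exec= line of a launcher file.
# Simplification: the program is taken to be the first word after "Exec=".
launcher_program() {
    sed -n 's/^Exec=//p' "$1" | head -n 1 | awk '{print $1}'
}

# Return 0 if the name (or absolute path) resolves to a firejail binary.
# An absolute path such as /usr/bin/dosbox never goes through the PATH
# symlink, so it is reported as not sandboxed.
is_sandboxed() {
    path=$(command -v "$1" 2>/dev/null) || return 1
    target=$(readlink -f "$path") || return 1
    [ "$(basename "$target")" = "firejail" ]
}

# Print one status line per launcher file given as an argument.
check_launchers() {
    for f in "$@"; do
        prog=$(launcher_program "$f")
        if [ -z "$prog" ]; then
            echo "$f: no Exec= line"
        elif is_sandboxed "$prog"; then
            echo "$f: $prog sandboxed"
        else
            echo "$f: $prog NOT sandboxed"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    check_launchers "$@"
fi
```

A launcher reported as NOT sandboxed can still be run in the sandbox by prefixing its Exec= command with firejail, the manual method described earlier.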

Docks

The Linux desktop can also be customized using docks. A dock is a toolbar-like application launcher holding icons for frequently used programs. Docks are highly configurable and many users find them useful and beautiful.

Several docks are available in Mint repositories, among them Plank (sudo apt-get install plank), Docky (sudo apt-get install docky) and Cairo (sudo apt-get install cairo-dock). As with regular desktop launchers, clicking on icons will sandbox applications automatically.

Conclusion

Firejail is a must-have tool for security-conscious users. Like Mint, Firejail is a community project. We are not affiliated with any corporation, and pursue the user’s interest. If you run into problems, have new ideas, feature requests, whatever, join us on our development page. Thank you for reading!