Firejail can also be a useful option, though no good if you're on Mac https://firejail.wordpress.com/ Uses the same Linux primitives as docker etc, but can be a bit more ergonomic for this use case. - Source: Hacker News / 7 months ago
You can find more info on its world-press website: https://firejail.wordpress.com/. Source: 12 months ago
Try running your Wine app through something like Firejail. Source: about 1 year ago
Firejail is a program that helps to improve the security of your system by creating a restricted environment for running non-trusted applications. It does this using Linux namespaces, seccomp-bpf, and Linux capabilities, and is easy to use thanks to its setuid sandbox feature. Source: over 1 year ago
Sorry, missed "avoid having libs on local machie". Someone mentioned chroot. That's good! Also maybe firejail. I also use x11-docker. Source: over 1 year ago
Sandboxing by default is great, but you can also sandbox appimages using firejail. Source: over 1 year ago
Firejail is a good option (though not the only one) for sandboxing applications. Source: over 1 year ago
Maybe firejail might help? https://firejail.wordpress.com/. Source: over 1 year ago
I am just its (mostly happy) user. I wrote that rule on my phone so you are right, it is not complete. On the other hand raw sockets require CAP_NET_RAW capability which is often assigned to root only so running a capability-untreated binary as an unprivileged user should not allow any raw socket ops (ping often uses file capabilities or setuid root). AFAIK it requires root to load/reload profiles. And that is... - Source: Hacker News / almost 2 years ago
Could the CLI tool be combined with something like firejail [1] to solve the filesystem blindspot issue? [1] https://firejail.wordpress.com/. - Source: Hacker News / almost 2 years ago
> I like Android's system of per-app uid/gid. But AFAIK it's not implemented by any mainstream Linux kernel or distro. You can create users manually for each app. For GUI apps, https://firejail.wordpress.com/. - Source: Hacker News / almost 2 years ago
Strong sandboxing solution such as that found in macOS, ChromeOS, and Android. Commonly used Linux sandboxing solutions such as Flatpak and Firejail still have a long way to go. Source: almost 2 years ago
Use some sandbox application like firejail. Source: about 2 years ago
Firejail to isolate applications within the same user account. Tmux to have detachable multiple windows and multiple panes in the terminal. Jq to parse JSON. q to run SQL queries on CSV files. Yt-dlp to download videos from everywhere. Ncdu to visualize and explore disk usage. Htop to monitor processes and resources. Source: about 2 years ago
Or download Firefox v97 and Sandbox it myself with Firejail. I get the latest Firefox, but I hear very mixed reviews on Firejail. Anything from it's perfect and easy to use, to it froze and crashed my whole system. Source: about 2 years ago
For #1, I'm not great at security. I just learned that firejail exists. Can limit the environment that programs see, like not having access to your actual /home/username/. You could maybe get it to work with something like --private=/path/to/minecraft/ so it thinks only those files exist. Source: about 2 years ago
Use firejail or other sandboxing solutions. Source: over 2 years ago
I do use Firejail (unrelated to Firefox: https://firejail.wordpress.com/), but always have and it's never been an issue with browser instances in the past. I've confirmed there's no interference by running the non-firejailed binary directly with /bin/firefox. Source: over 2 years ago
You can use firejail to run the program. See their github. Source: over 2 years ago
That said: what's your threat model for privacy? If you're aiming to avoid work seeing your personal, you likely can try something like multiple accounts if it's an installed work app situation, or in a browser using something like Firefox Containers, or Firejail. Those would get you much of the isolation from non-directed "attacks" without having to send the time/energy making Qubes work for you properly. Source: over 2 years ago
Crosvm mentions minijail, which is a sandboxing tool that can sandbox individual processes in a machine. Other tools in that space are firejail and bubblewrap. Source: over 2 years ago
Do you know an article comparing Firejail to other products?
Suggest a link to a post with product alternatives.
This is an informative page about Firejail. You can review and discuss the product here. The primary details have not been verified within the last quarter, and they might be outdated. If you think we are missing something, please use the means on this page to comment or suggest changes. All reviews and comments are highly encouranged and appreciated as they help everyone in the community to make an informed choice. Please always be kind and objective when evaluating a product and sharing your opinion.