Mastodawn

Why I use #Firejail in #Linux:
#cybersecurity #sandbox
Protect Your System: Run Your Browser In Firejail
https://www.dotlinux.net/blog/protect-your-system-run-your-browser-in-firejail/

Protect Your System: Run Your Browser In Firejail

In today’s digital age, web browsers are our primary gateway to the internet—we use them for banking, shopping, social media, and work. Unfortunately, this makes browsers a top target for cybercriminals. Malicious websites, drive-by downloads, exploited plugins, and tracking scripts can compromise your system, steal data, or turn your device into a botnet. While antivirus software and ad-blockers help, they’re not foolproof. A more robust defense is **sandboxing**—isolating applications from the rest of your system to limit damage if they’re compromised. Enter **Firejail**: a lightweight, open-source sandboxing tool designed to restrict applications (especially browsers) using Linux kernel features like namespaces and seccomp. In this guide, we’ll explore why browsers need special protection, how Firejail works, and how to set it up to secure your daily browsing.

DotLinux.net

The Subliminal Press Mar 9

https://grapheneos.social/@GrapheneOS/116200213555848065
Graphene has bad things to say about its competitors. What is the Truth?
@postmarketOS
@WeAreFairphone
@linmob

Does GOS' comment have in mind Volla #SailfishOS or UbuntuTouch? I am not a fan of Ubuntu much but love Debian. Volla, however is just way over-priced for most people outside the EU who can not order it anyway. Maybe GOS rates UbuntuTouch as a low grade product.
But Sailfish makes use of #firejail, which is very comprehensive on the command line level. If an app on GOS is not using
Compatibilty Mode, then it might be better off than with firejail or at least on par in terms of sandboxing. There are of course other factors.

Mainly, just wanted to make the point of distinguishing hardware projects from software projects here.

How would you rate Postmarket OS' security strategy (on Fairphone, for example)?

Michael Altfield 🛡️Feb 3

Have you ever been locked-out of your own account "for your protection"? 🤦

🔗 https://tech.michaelaltfield.net/2026/02/03/single-site-browser-firejail-proxychains/

This guide 👆 shows how to setup a Persistent, Sandboxed, Single-Site-Browser using #firejail and #proxychains to minimize the risk of Evil-Corp effectively issuing a #DOS attack against you (due to false positives)

#ai #aislop #opsec #infosec #security #privacy

Persistent, Sandboxed, Single-Site Browser (firejail and proxychains) - Michael Altfield's Tech Blog

Or how to avoid getting locked-out of another Google Account This guide will describe how to setup a persistent browser (for Evil Corp) that’s isolated in a sandbox (with firejail) and forced to use a SOCKS5 proxy to retain a static IP address (using proxychains) Have you ever been locked out of your own account, and then got an email for your service provider annoyingly letting you know that they’ve “blocked a login attempt — for your protection?“ There’s countless reports of frustrated users who have permanently lost access to their own gmail accounts because of Google’s faulty “fraud protection” systems that locked the account owner out of their own account, due to false-positives. Problem Especially the past 10 years, large corporations have been using machine learning anomaly detection systems on their login pages. Unfortunately, sometimes this is (ab)used to have priority over credential authentication challenges. Even if you enter your username, password, and 2FA credentials correctly on the very first login attempt, you may get locked out of your own account because you “look different” Even if you enter your username, password, and 2FA credentials correctly on the very first login attempt, you may get locked . . . → Read More: Persistent, Sandboxed, Single-Site Browser (firejail and proxychains)

Michael Altfield's Tech Blog

alip Feb 2

Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!

Yes, please!

80%

No, go away!

I'll DM or mail [email protected]

I want to see you at RustConf2026

20%

Poll ended at Feb 9 at 11:54pm.

mintbug Dec 12

Кто-нибудь знает проект, подобный #firejail, но написанный не шизами для шизов? А то ощущения такие, что целевая аудитория этой поделки — чуваки, которые не использует ПО, а лишь пишут конфиги firejail для ПО, а потом довольные сидят и радуются, как они всё огородили. Я не хочу волшебным образом вычислять и после вручную перечислять ВСЕ директории, используемые программой. Я просто хочу псевдохомяк, просто преобразовывать `~/somefile` в `~/jail/somefile`, а не вот это вот всё.

Tamás Dec 2

Hardening with Firejail, Landlock, and bubblewrap

Recently I've been looking into securing my laptop a bit. By default, every single program has access to everything: filesystem, network, other programs.

First, I started looking into Firejail. It allows specifying paths the program can access, as well as the network and other special things. It's not bad and I used it for a while.

What I don't like about Firejail is that it's setuid: it runs as root, sets up the sandbox, then starts the program that is passed as an argument. If there is a problem in Firejail then it can even extend the blast radius.

Then I learned about Landlock. It is unprivileged and also allows restricting the network. At some point I found a [CLI](https://github.com/Zouuup/landrun) that makes it easy to run. Landlock solves the privilege problem: it restricts the process without having more permissions to do so.

The problem with Landlock is its fs restrictions are a bit too coarse: if a directory is allowed then everything below it is also allowed. For example, giving read access to $HOME also gives read access to the chromium profile.

Now I'm looking into bubblewrap. It promises to combine Firejail and Landlock in the best way: unprivileged and also allows layering filesystem access.

I'm still working on moving my dotfiles to bubblewrap and it takes some mental energy to do that. But is seems like it's going to be a good next step.

#security #linux #bwrap #landlock #firejail

Originally published [on my blog](https://advancedweb.hu/shorts/hardening-with-firejail-landlock-and-bubblewrap/)

GitHub - Zouuup/landrun: Run any Linux process in a secure, unprivileged sandbox using Landlock. Think firejail, but lightweight, user-friendly, and baked into the kernel.

Run any Linux process in a secure, unprivileged sandbox using Landlock. Think firejail, but lightweight, user-friendly, and baked into the kernel. - Zouuup/landrun

GitHub

Show thread

mintbug Nov 26

Я запустил террарию, и у меня даже не исчезают сохранения после перезапуска. Я считаю, это победа.

~/.config/firejail/lutris.local:
```
name lutris

ignore noblacklist ${HOME}/Games
noblacklist ${HOME}/.lutris
ignore mkdir ${HOME}/Games
mkdir ${HOME}/.lutris
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/Games
whitelist ${HOME}/.lutris

# terraria
ignore noexec /tmp
noblacklist ${HOME}/.local/share/Terraria
mkdir ${HOME}/.local/share/Terraria
whitelist ${HOME}/.local/share/Terraria

# ???
# https://github.com/netblue30/firejail/issues/6941
whitelist /usr/share/glycin-loaders
noblacklist /usr/bin/bwrap
noblacklist /proc/sys/kernel/overflowuid
noblacklist /proc/sys/kernel/overflowgid

ignore seccomp !chroot
seccomp !chroot,!mount,!pivot_root,!umount2
```

#firejail #lutris

lutris: fails to start: No image loaders are configured · Issue #6941 · netblue30/firejail

Description Starting lutris with firejail results in error Arch Linux, KDE Steps to Reproduce Link /usr/bin/firejail to /usr/local/bin/lutris and start it Expected behavior Lutris should start Beha...

GitHub

histrio Nov 15

#firejail is good. I always thought of it as a filesystem sandbox, but it's a network tool too. Just used it to create a network jail for #Steam, forcing it to use only my Wi-Fi.

Show thread

Droppie Nov 3

@grafov fwiw... atm posting this reply from my "normal" boot, #ArchLinux #KDE, wherein i've run #Firejail since the beginning [& in all distros before Arch]. Later today shall be booting back into my "new" boot, only ~week old & still finessing it; #KDELinux. Tis my first #immutable #atomic i've run on SSD rather than just in VMs. Really enjoying it, but not being able to use FJ anymore is a very unsettling feeling for me. 😳 I reckon FJ is pretty fab.

Alexander Grafov Nov 3

I switched from #AppArmor to #Firejail on my desktop. For me Firejail's configuration is much less cryptic than AppArmor's :) But I noticed there was no syntax highlighting for Firejail config files in #Emacs, so I created a simple mode using SMIE:

https://github.com/grafov/firejail-mode

Because GNU/Emacs should have a mode for any task, you know! #butterfly