Simple application sandboxing using AppArmor and Firejail

Share on:
Lock against a green door

Security is one of the most important and overlooked aspects of modern computing. We tend to let the default security configurations do the work, or on Windows, we simply install some anti-virus and be done with it. However, applications are increasingly privileged and we find ourselves running programs that could represent a security vulnerability to our systems and, more importantly, to our information.

Sandboxing allows us to limit what each application can see and what it can access, as well as what it can do in your system. Clearly not all applications need sandboxing, for example, your text editor probably isn’t a security vulnerability. Regardless, applications like browsers are the source of many security vulnerabilities, even though they already do some sandboxing themselves.

In this post, we will use a very simple sandboxing method using Firejail and AppArmor on Linux.


AppArmor comes enabled in several Linux distributions. To check whether it’s running, type in:

$ aa-enabled

If you get a message telling you that it’s enabled, then AppArmor is up and running and you can skip to the next section.

If you get a message that says aa-enabled: command not found then you need to install AppArmor. To do so, simply install the package apparmor from your distribution’s repositories. For example, on Debian you would run:

$ sudo apt install apparmor apparmor-utils

To make sure it runs on boot, add the following kernel parameters:

apparmor=1 lsm=lockdown,yama,apparmor

If you’re using GRUB2, this is as simple as editing the following line in /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="apparmor=1 lsm=lockdown,yama,apparmor"

If the setting GRUB_CMDLINE_LINUX_DEFAULT is already assigned to something, add the new kernel parameters at the beginning of the quoted string. Reboot and run aa-enabled to verify that AppArmor is up and running.


Installing Firejail is as simple as installing the following packages under Debian:

$ sudo apt install firejail firejail-profiles

Running applications under Firejail

To run something with Firejail sandboxing, it’s as simple as adding firejail before the name of the application you want to run (in a terminal, that is). For example:

$ firejail firefox
$ firejail chromium
$ firejail emacs

Hundreds of applications have Firejail profiles predefined already for them. For example, when running Firefox, you will see a line like this:

Reading profile /etc/firejail/firefox.profile

This indicates a profile tailored specifically for the application you’re running is available. We will use Firefox for the remaining examples.

Seccomp (Secure Computing Mode) blocks applications from making system calls outside of a few select ones and limits what the application can access. To enable this, as well as disabling new privileges during execution, run:

$ firejail --seccomp firefox

Note: A few applications, Chromium for example, will not run with the --seccomp option enabled since they need to acquire new privileges in order to run their internal sandboxing processes.

Firejail + AppArmor

To enable the default AppArmor profile for Firejail, run:

$ sudo aa-enforce firejail-default

Now, to run an application with AppArmor enabled, simply run:

$ firejail --apparmor --seccomp firefox

Using a private home directory

You might not want a process to be able to access the rest of your files in your home directory. In order to do this, you might run a virtual home directory for the process you’re running. Create a new directory, for example:

$ mkdir ~/firefox

You can also use an existing directory and you can reuse this directory if you want. To set this as the home directory for the application, run:

$ firejail --apparmor --seccomp --private=/home/user/firefox firefox

The contents in that directory will be persistent even after you close the application. You can move files to and from the directory at any time. If you prefer a one-time temporary directory, deleted upon closing the application, run:

$ firejail --apparmor --seccomp --private firefox

This will store everything in memory and will discard it once the process is finished. If for some reason you wish to transfer files to or from this sandbox, you will need to locate the PID for the sandbox first by running:

$ firejail --list

Alternatively, you can assign a name to the sandbox on launch:

$ firejail -name=mysandbox firefox

We will assume the sandbox is named mysandbox, but if it’s not, you will simply need to replace the name with the PID. To list the contents in some directory, run:

$ firejail --ls=mysandbox ~/

This will list everything in the private home directory of the sandbox. In order to get a file named file.txt from the sandbox and put it in the current directory, run:

$ firejail --get=mysandbox ~/file.txt

To send a file named file.txt and put it in the Downloads folder, you simply run:

$ firejail --put=mysandbox file.txt ~/Downloads/file.txt

Use a sandboxed X server

For certain applications, you might want to run them on a separate X server. This will prevent the application from logging keystrokes outside of itself, as well as recording the screen or screenshooting it. We will use Xephyr in this example, though there are a few other options available. Make sure Xephyr is installed:

$ sudo apt install xserver-xephyr

To run the application under a separate X server, run:

$ firejail --apparmor --seccomp --x11=xephyr firefox

This will run in a normal window, though the window will not be resizeable. If you wish to change the resolution from the default (800x600), add the --xephyr-screen=WIDTHxHEIGHT option. If you wish to set a different default resolution, edit the xephyr-screen parameter in /etc/firejail/firejail.conf.

You can play around and mix the options as you desire. None of the ones showed here depend on one another (except for --xephyr-screen), so adjust them to your needs. This is a very simple and quick way to use Firejail for sandboxing. For further information and customization, check the Firejail usage page, as well as the manpages (run man firejail).