# Firejail

## el muchacho

I'm quite surprise to see that a search for "Firejail" on this forum didn't produce any result.

For those who are into the security aspect of Gentoo, this is a great tool to look at. This is not in the official portage tree but in the overlays.

What it basically does is, allows you to run any program in a sandbox with:

- the seccomp you decide

- the capabilities you decide

- the chroot environment you decied

- the linux namespace you decide (separate PID tree, separate network stack if you wish, and a few others).

I find it much easier than AppArmor or other tools which do not even cover all those aspects at the same time.

All that config is very simple. In a config file, you put one-liners which will blacklist/whitelist/make read-only/make invisible the directories/files/system calls you wish to avoid:

```
# system directories 

blacklist /sbin

blacklist /usr/sbin

# system management

blacklist ${PATH}/su

blacklist ${PATH}/sudo

blacklist ${PATH}/strace

seccomp.drop fork

seccomp.keep read
```

More info: https://l3net.wordpress.com/projects/firejail/

----------

## charles17

Thanks for the info. http://gpo.zugaina.org/Search?search=firejail

Version 0.9.24 seems not to be in the overlays yet.

----------

