The beauty of the Privacy Cookbook is that I can jump around between different chapters & sections and provide updates and insights on new products and developments almost in real time.

So, today I want to jump back to Secure PC setup and add to the information on Linux!

Sandboxing is one of the things that makes QubesOS one of the best, if not the best, Linux distros out there: it isolates whole systems into separate Qubes, and each Qube can even run a different operating system setup. However, you can also sandbox on any other Linux system. Not as powerfully as on QubesOS, but it still makes your OS considerably more secure.

PDF readers, browsers, perhaps your email application and a few other apps are running in the background and are potential targets for hackers and attackers.

"Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups."
netblue30/firejail
Linux namespaces and seccomp-bpf sandbox. Contribute to netblue30/firejail development by creating an account on GitHub.

Firejail should be in most software centers, whether you're running Manjaro, Ubuntu or any other distro. Once installed, it's dead simple!

Firefox is one of the first things you should run in Firejail. To do so, just open a terminal and run:

firejail firefox

Firefox can now see only a small, controlled part of your file system.

Note: Only ~/Downloads and ~/.mozilla directories are real, all other directories are created by Firefox. The same home directory layout is imposed by Firejail for all supported browsers and BitTorrent clients. Please make sure you save all your downloaded files in the ~/Downloads directory.

This is what the rest of the file system looks like:

  • /boot – blacklisted
  • /bin – read-only
  • /dev – read-only; a small subset of drivers is present, everything else has been removed
  • /etc – read-only; /etc/passwd and /etc/group have been modified to reference only the current user; you can enable a subset of the files by editing /etc/firejail/firefox-common.profile (uncomment private-etc line in that file)
  • /home – only the current user is visible
  • /lib, /lib32, /lib64 – read-only
  • /proc, /sys – re-mounted to reflect the new PID namespace; only processes started by the browser are visible
  • /sbin – blacklisted
  • /selinux – blacklisted
  • /usr – read-only; /usr/sbin blacklisted
  • /var – read-only; similar to the home directory, only a skeleton filesystem is available
  • /tmp – only X11 directories are present

This is the setup for your already used Firefox, including all the Firefox add-ons you installed.

If you would like to use a virgin Firefox setup, without your existing profile and add-ons, just enter:

firejail --private firefox

The full set of options is documented in the manual pages (man firejail and man firejail-profile). A few useful ones:

  • --net=none: disables networking inside the sandbox. With this you could, for example, open a PDF file in a viewer that can no longer reach the internet
  • --private: a brand new, virgin start of an application, in our example Firefox, just as after an installation (changes are discarded when the sandbox closes)
  • --private=directory: uses the given directory as the sandbox's home, so files you save there still exist after you close Firejail
  • --private-tmp: hides the system /tmp and mounts a fresh, empty /tmp directory instead
  • --blacklist=dirname_or_filename: blocks a specific file or directory from the application

Let's use Firefox again as an example:

firejail --net=none firefox

Firefox without internet access.

firejail --private --dns=176.103.130.132 firefox

This starts a fresh Firefox in a sandbox that uses AdGuard's family protection DNS server.

See also: The Privacy Cookbook – Chapter 2 – Protecting your DNS.

firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox

Firefox with its own network stack (a new interface attached to eth0) and a firewall ruleset that blocks connections to your local network.
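To check from inside a sandbox that the restrictions described above really apply, here is a small self-test script. It is an added example, not part of this post or of the Firejail project; the ROOT, MOUNTINFO and NETDEV variables are my own override knobs, present only so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# firejail-selftest.sh: run it INSIDE a sandbox to confirm that the restrictions
# described above are really in effect, e.g.
#   firejail --net=none ./firejail-selftest.sh run
# ROOT, MOUNTINFO and NETDEV default to the live system and exist only so the
# checks can also be exercised against a constructed directory tree (assumption).
ROOT="${ROOT:-}"
MOUNTINFO="${MOUNTINFO:-/proc/self/mountinfo}"
NETDEV="${NETDEV:-/proc/net/dev}"

# Firejail blacklists a path by covering it with an empty, inaccessible mount,
# so the entry may still be listed but cannot be read; an absent path counts too.
is_blacklisted() {            # $1 = absolute path, e.g. /boot
  [ ! -e "${ROOT}$1" ] || [ ! -r "${ROOT}$1" ]
}

# A read-only remount shows "ro" among the per-mount options, which are
# field 6 of /proc/self/mountinfo (field 5 is the mount point).
is_readonly_mount() {         # $1 = mount point, e.g. /etc
  awk -v mp="$1" '
    $5 == mp { n = split($6, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
    END { exit found ? 0 : 1 }' "$MOUNTINFO"
}

# With --net=none the sandbox's network namespace holds only loopback;
# /proc/net/dev lists every interface visible to the caller after two header lines.
net_is_disabled() {
  awk -F: 'NR > 2 { gsub(/ /, "", $1); if ($1 != "lo") extra = 1 }
           END { exit extra ? 1 : 0 }' "$NETDEV"
}

# Walk the restrictions listed above. On merged-/usr systems /bin and /lib are
# symlinks into /usr, so the read-only check is made on /etc and /usr.
run_selftest() {
  rc=0
  for p in /boot /sbin /selinux /usr/sbin; do
    if is_blacklisted "$p"; then echo "ok   $p hidden"; else echo "FAIL $p readable"; rc=1; fi
  done
  for d in /etc /usr; do
    if is_readonly_mount "$d"; then echo "ok   $d read-only"; else echo "FAIL $d not read-only"; rc=1; fi
  done
  if net_is_disabled; then echo "ok   no network"; else echo "FAIL network interfaces present"; rc=1; fi
  return "$rc"
}

if [ "${1:-}" = run ]; then run_selftest; fi
```

Run it as `firejail --net=none ./firejail-selftest.sh run` and compare with a plain `./firejail-selftest.sh run` outside the sandbox to see which restrictions the sandbox adds.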

You do not need to Firejail every app, but I would recommend doing so with your browsers, email client and PDF readers.

Firejail is an absolute winner when it comes to securing your computer. Use it, learn more about it and use it even more!


Stay safe,

The Privacy Advocate