firejail

C ★ 7.5k updated 2d ago

Linux namespaces and seccomp-bpf sandbox

Firejail is a Linux security tool that runs any application inside an isolated sandbox built from standard kernel features, limiting what a compromised program can reach or damage on the rest of your system.

C · Linux · setup: moderate · complexity: 3/5

Firejail is a security tool for Linux that runs applications inside a restricted environment, limiting what they can access or affect on the rest of your computer. The idea is that if a program is compromised, the damage it can do is contained. It is written in C, has almost no external dependencies, and works on any Linux system running a kernel from version 3.x onward.

Under the hood, it uses a set of Linux kernel features: namespaces (which give each sandboxed process its own isolated view of the network, running processes, and file system mounts), seccomp-bpf (which restricts which system calls a process is allowed to make), and Linux capabilities (which control what privileged operations a process can perform). These are all standard kernel mechanisms, so no daemons need to run in the background and there are no complicated configuration files to set up.

The tool can sandbox graphical desktop applications, servers, and even full user login sessions. It ships with ready-made security profiles for widely used programs like Firefox, Chromium, VLC, and Transmission, so in many cases you can start using it without writing any configuration yourself. It can also work alongside SELinux, AppArmor, and Linux Control Groups if those are already in use on the system.

Installation is available through most major Linux distributions, including Debian and Ubuntu, though the README notes that distribution-packaged versions may lag behind the latest release. The project recommends installing from the GitHub releases page or building from source when an up-to-date version matters. A video channel with tutorials and an IRC channel are available for getting started.

Where it fits