программа-песочница для пространств имен Linux (Linux namespaces sandbox program)
Описание (Description)
Firejail is a SUID sandbox program that reduces the risk of
security breaches by restricting the running environment of
untrusted applications using Linux namespaces, seccomp-bpf and
Linux capabilities. It allows a process and all its descendants
to have their own private view of the globally shared kernel
resources, such as the network stack, process table, mount table.
Firejail can work in a SELinux or AppArmor environment, and it is
integrated with Linux Control Groups.
Written in C with virtually no dependencies, the software runs on
any Linux computer with a 3.x kernel version or newer. It can
sandbox any type of processes: servers, graphical applications,
and even user login sessions.
Firejail allows the user to manage application security using
security profiles. Each profile defines a set of permissions for
a specific application or group of applications. The software
includes security profiles for a number of more common Linux
programs, such as Mozilla Firefox, Chromium, VLC, Transmission
etc.
Alternative sandbox technologies like snap
(https://snapcraft.io/) and flatpak (https://flatpak.org/) are
not supported. Snap and flatpak packages have their own native
management tools and will not work when sandboxed with Firejail.
