**What is firejail?**
Firejail is *an easy to use setuid sandbox program that reduces the risk of security breaches.*

> **How does firejail reduce the risk of security breaches?**
> Firejail reduces the risk of security breaches *by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf, and Linux capabilities.*

**Is running untrusted code ever safe?**
*No*, running untrusted code is never safe.

# 1 Installation

...

**What do most of the supplied profiles heavily rely on?**
Most of the supplied profiles heavily rely on *blacklists.*

> **What does using a blacklist allow an application to do?**
> Using a blacklist allows an application to *access anything not explicitly forbidden by the blacklist.*

> [!example]
> If you have btrfs snapshots available in `/mnt/btrfs`, a jailed program may be forbidden from accessing `$HOME/.ssh`, but would still be able to access `/mnt/btrfs/@snapshot/$HOME/.ssh`.

# 2 Configuration

**What does firejail use to set the security protections for each application?**
To set the security protections for each application, firejail uses *profiles.*

> **Where are the default application profiles located?**
> The default application profiles are located *at `/etc/firejail/`.*
>
> **Where can you put custom profiles?**
> You can put custom profiles *at `~/.config/firejail`.*

**What does firejail do if there's no profile for a particular application?**
If there's no profile for a particular application, firejail *uses its restrictive system-wide default profile.*

> **What can using the default system-wide profile cause?**
> Using the default system-wide profile can cause *a program to not function as desired.*

# 3 Usage

...