<br/><center><b>Sandbox Configuration</b></center><br/><br/><br/>
Firejail is a SUID program that reduces the risk of security breaches by restricting the running 
environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a 
process and all its descendants to have their own private view of the globally shared kernel 
resources, such as the network stack, process table, mount table.<br/><br/>
Even though hundreds of user-space applications are already supported by Firejail, 
sometimes is necessary to customize the sandbox environment. This configuration 
wizard was built in order to make this task easier.<br/><br/>
Start with the filesystem configuration, 
where the most sensitive directory is the user home directory, move to the network and 
multimedia subsytems, and finish with the kernel. In the end, you can turn on debugging and 
get all the sensible information in a terminal, such as network requests and files accessed by 
the application.<br/>
<br/><b>Filesystem</b><br/><br/>
User home directory contains all personal user files, 
including music, pictures and videos. In this directory, a crook can also find  
browser history and bookmarks, passwords and encryption keys. 
By default, Firejail denies access to some of the most sensitive files. 
This can be enhanced by checking <i>Restrict home directory</i> 
in the left pane, and choosing what directories are visible in the right pane.<br/>
<blockquote>
<i><b>Restrict home directory:</b> Choose the directories visible inside the sandbox. 
By default, with the exception of some well-known password and encryption files, 
all home files and directories are available inside the sandbox.</i><br/><br/>
</blockquote>
Any other file or directory can be restricted in the command line version of Firejail. 
We provide here only a small number of more common options. We believe these options will work 
for most applications.<br/>
<blockquote>
<i><b>Restrict /dev directory:</b> A small number of very basic devices are visible inside the sandbox. 
Sound and 3D acceleration should also be available if this checkbox is set.<br/><br/>
<b>Restrict /tmp directory:</b> Start with a clean /tmp directory, only X11 directory is available 
there.<br/><br/>
<b>Restrict /mnt and /media:</b> Blacklist /mnt and /media directories.:</i><br/><br/>
</blockquote>
<b>Networking</b><br/><br/>
A network namespace is a separate copy of the TCP/IP networking stack. 
Initially all the processes share the same default networking stack from the init process.
Firejail allows users to attach a different network stack to the sandbox, therefore isolating
all the traffic. The default system stack is not accessible from inside the sandbox. For example,
an SSH server or a HTTP server running on the system will not be visible inside the sandbox.

<blockquote>
<i><b>System network:</b></i> Use the default networking stack provided by the system.<br/><br/>
<i><b>Network namespace:</b></i> Install a separate networking stack and connect it to the 
main Ethernet interface. A new IP address is assigned, and a new network filter is installed 
using <i>iptables</i> command.<br/><br/>
<i><b>Disable networking:</b></i> Use an unconnected network stack. There will be no traffic 
coming in or going out of the sandbox.<br/><br/>
</blockquote>
<b>Multimedia</b><br/><br/>
If the application is not using sound or 3D acceleration, it is always a good idea to drop the support 
inside the sandbox. For servers or console programs, disabling X11 graphic interface is recommended.
<blockquote>
<i><b>Disable sound:</b></i> The sound subsystem is not available inside the sandbox.<br/><br/>
<i><b>Disable 3D acceleration:</b></i> Hardware acceleration drivers are disabled.<br/><br/>
<i><b>Disable X11:</b></i> X11 graphical user interface subsystem is disabled. 
Use this option when running console programs or servers. The setting requires a new
network namespace to be configured, see <i>Networking</i> section for more details.
<br/><br/>
</blockquote>
<b>Kernel</b><br/><br/>
These are some of the most powerful sandboxing features implemented by the Linux kernel.
<blockquote>
<i><b>Enable seccomp-bpf:</b></i> This security facility allows filtering out the most dangerous system calls 
inside the kernel, therefore reducing the attack surface. 
A Linux Kernel version 3.5 is required for this option to work.<br/><br/>
<i><b>Disable all Linux capabilities:</b></i> Capabilities (POSIX 1003.1e) are designed to split up the root privilege
into a set of distinct privileges which can be independently enabled or disabled. For regular user-space programs,
all these privileges should be disabled.<br/><br/>
<i><b>Restricted user namespace (noroot):</b></i> This option installs a user namespace with a single 
user - the current  user. <i>root</i> user  does  not  exist  in  the new namespace. 
A Linux Kernel version 3.8 is required for this option to work.<br/><br/
</blockquote>
