SYSTEM Cited by 1 source
firejail
firejail is a SUID (set-user-ID root) command-line sandbox for Linux that lets unprivileged users place processes inside a restricted environment combining Linux namespaces, seccomp-bpf and Linux capabilities. Along with systems/nsjail, it is cited by Figma as an example of combining containerisation primitives with syscall filtering: "seccomp can be combined with containerization to provide robust, multilayered sandbox-focused systems, such as nsjail and firejail." (Source: sources/2026-04-21-figma-server-side-sandboxing-containers-and-seccomp)
Mechanism
- SUID binary: installed set-user-ID root, so an unprivileged caller can have it unshare the mount, PID, network and (with noroot) user namespaces, build the private filesystem view, install the seccomp-bpf filter and drop capabilities, after which it returns to the caller's uid and execs the target program. The caveat that follows: every command-line option and profile directive is parsed while running as root, so the firejail binary is itself local privilege-escalation attack surface and has to be kept patched like any other setuid root program.
- Profile files declare the sandbox: filesystem allow/deny lists (whitelist, blacklist, private-tmp and friends), a seccomp filter (the bare seccomp directive installs firejail's default deny-list of dangerous syscalls; seccomp.keep replaces it with an explicit allowlist), capability dropping (caps.drop all), network namespacing (net none, or a dedicated interface), DNS policy (dns), and environment-variable filtering (env / rmenv).
- Ships pre-built profiles for common desktop apps (browsers, PDF viewers, media players) under /etc/firejail, selected automatically by the wrapped program's name and overridable from ~/.config/firejail. This is the origin of firejail as a desktop sandboxing tool, distinct from nsjail's server-side orientation.
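The mechanism above, as an added example that is not from the page or from the firejail project: a profile that uses one directive per layer (filesystem allow-list, network namespace, capabilities, user namespace, seccomp-bpf, environment filtering), and a self-check that reads /proc/self/status from inside the sandbox to confirm the seccomp filter, no_new_privs and the empty capability set actually took effect. The profile name, the ${HOME}/work/input path and the wrapped command are hypothetical; the directive names are real firejail syntax.

```shell
#!/bin/sh
# Added example (not code from the page or from the firejail project):
# a profile exercising one directive per sandbox layer, plus a self-check
# that inspects /proc/self/status to confirm the layers took effect.
# The profile name, paths and the wrapped command are hypothetical.

PROFILE="${PROFILE:-/tmp/demo-sandbox.profile}"

# Emit the profile. Firejail does not accept trailing comments on a
# directive line, so every comment stands on its own line.
profile_text() {
  cat <<'EOF'
# demo-sandbox.profile: a tool that reads one directory and never needs the network
# Filesystem: stock deny-list of sensitive paths, then an explicit allow-list
include disable-common.inc
whitelist ${HOME}/work/input
read-only ${HOME}/work/input
private-tmp
private-dev
# Network namespace containing only loopback ("dns 9.9.9.9" would pin a resolver if net were allowed)
net none
# Capabilities: drop everything and forbid re-escalation through setuid binaries
caps.drop all
nonewprivs
# User namespace: uid 0 does not exist inside the sandbox
noroot
# seccomp-bpf: firejail's default syscall deny-list, and reject the 32-bit/x32 ABI
seccomp
seccomp.block-secondary
# socket() limited to AF_UNIX
protocol unix
# Environment filtering
rmenv LD_PRELOAD
EOF
}

# Self-check on the text of /proc/<pid>/status (passed as $1).
# Returns 0 only if the seccomp filter (mode 2), no_new_privs and an empty
# effective capability set are all present; otherwise names what is missing.
check_status() {
  seccomp=$(printf '%s\n' "$1" | awk '/^Seccomp:/ {print $2}')
  nnp=$(printf '%s\n' "$1" | awk '/^NoNewPrivs:/ {print $2}')
  capeff=$(printf '%s\n' "$1" | awk '/^CapEff:/ {print $2}')
  rc=0
  [ "$seccomp" = "2" ] || { echo "seccomp filter not active (Seccomp: ${seccomp:-absent})"; rc=1; }
  [ "$nnp" = "1" ] || { echo "no_new_privs not set (NoNewPrivs: ${nnp:-absent})"; rc=1; }
  [ "$capeff" = "0000000000000000" ] || { echo "effective capabilities not empty (CapEff: ${capeff:-absent})"; rc=1; }
  return $rc
}

# Write the profile and dump /proc/self/status from inside the sandbox.
# Prints the sandboxed process's status text; returns 2 if firejail is absent.
run_in_sandbox() {
  profile_text > "$PROFILE"
  if ! command -v firejail >/dev/null 2>&1; then
    echo "firejail not installed; profile written to $PROFILE" >&2
    return 2
  fi
  firejail --quiet --profile="$PROFILE" -- cat /proc/self/status
}

# Usage: DEMO_RUN=1 sh firejail-demo.sh
if [ -n "${DEMO_RUN:-}" ]; then
  if status=$(run_in_sandbox) && check_status "$status"; then
    echo "all three layers active inside the sandbox"
  fi
fi
```

The self-check is the part worth keeping around: a profile that fails to parse, or a directive silently ignored by an older firejail, leaves the program running with Seccomp: 0 and a full CapEff, and nothing in the launch output tells you so. Reading /proc/self/status from the sandboxed process is the cheap way to verify that each layer is really in place before trusting it.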
Positioning
- vs systems/nsjail: same layered-composition design (patterns/seccomp-bpf-container-composition); firejail is SUID-based and ships a profile library, while nsjail is driven by explicit per-invocation configuration (command-line flags or a config file). Both stack the same kernel primitives.
- vs Docker / runC: same underlying kernel primitives, but no image format, daemon or registry: firejail wraps a single invocation of a binary already on the host filesystem rather than running a container image, so it is an invocation-time sandbox, not a container platform.
- Not seen in server-side production examples in the current wiki corpus; Figma's RenderServer picked nsjail.
Seen in
- sources/2026-04-21-figma-server-side-sandboxing-containers-and-seccomp: named as a composition-sibling of nsjail in Figma's discussion of seccomp + container composition.