We take a lot of risks with our computers. Sure, we dutifully apply the latest security patches from our software and operating system vendors but those don't
UNIXs and UNIX like operating systems have long had the concept of a 'jail' as a way to sandbox untrusted software away from the rest of the system. But it's generally difficult to set up and consumes a good amount of resources. That type of sandboxing is also best suited for servers and isn't as useful for desktop users.
Firejail is a new application sandboxing tool that allows you to quickly and easily set up a jail for any program you don't want to have access to your entire system. Using the concept of setuid, Firejail jails applications so that, if they are compromised, the attacker only has access to a very limited part of your system and is effectively blocked away from all other parts - even the parts that the user running the application has access to.
Firejail is also amazingly easy to use. While you can get a bit complicated with the way you configure the program, you don't have to. For example, running Firefox in its own jail is as simple as typing
Seriously, that's it. This simple command sets up a jail with default restrictions and then starts the Firefox web browser inside that jail. Of course, the default jail might be too restrictive for some programs so you can customize what each program has access to by creating application profiles.
I've been playing with Firejail for a few weeks now and love it. Sure, it's not a guarantee that someone isn't going to breach your system and wreak havoc. But it's just another layer they have to get to in order to do so and, historically, jails have shown to be pretty secure.
So if you want to bolt one more layer onto your security, check out Firejail and see what you think! it's available for all Linxes and BSD's.