A Quick Overview of Firejail for Quickly Sandboxing Any Application on Linux

Firejail is a Linux security tool that isolate application within the system through the use of Linux namespaces and seccomp-bpf (Secure Computing Mode). It creates lightweight sandboxes that restrict privileges and resources for individual applications, thereby minimizing security risks and limiting potential damages from breaches.

There is some discussions on the web about how you should not use Firejail because it's not secured enough so if you want a real solution maybe check for another tool. 

Firejail is easy to use, probably in your distribution repository and doesn't affect software performances. 

Firejail is bundled with defaults configuration for many software, try to check them out before tinkering with your terminal. 

All the given examples won't use the file configuration but how by running them in terminal or as a command prefix (in software like Lutris).

How to block network access

You can easily block any network all with the following:

firejail --noprofile --read-only=/ --net=none Executable

• --noprofile is used when you don't want to use a firejail config file and just pass parameters through cmd.
• --read-only=/ prevents any write on your root file-system.
• --net=none is the important part, with this now network call can be done by the software.

I can give you another version of it for running it through Lutris command prefix (video games).

firejail --noprofile --read-only=/ --net=none --nodbus  --whitelist=/path/to/.lutris/ --whitelist=~/.local Executable

• --nodbus prevents any dbus request to another software. 
• --whitelist is used to give read and write access to specific directories, for lutris the ability for the application to write in wine/proton prefixes.

How to block access to your home

One elegant way to hide you /home but still have somewhere to write is to use the --private argument.

firejail --noprofile --private=/somwhere/to/put/the/fake/home

This will create a fake home, achieving the protection of your real home data and relocating all files usually written in your home by the application somewhere else.

Conclusion

With these tips you quickly sandbox some applications, but I strongly encourage you to use the file conf provided by sandbox, it will detect which software is launch and will apply the correct configuration for you, then you just have to prepend "firejail" to your launch options.

If you want it more professional, you should try another solution, like apparmor or selinux, these software are probably the right choice, i don't really know, i'm just tinkering ¯\_(ツ)_/¯ .