

1·
2 days agoJust so you know Firejail is a setuid root binary with a lot of code. This means that if that code gets exploited and the sandboxed process escapes the sandbox it will have root privileges instead of the running users.
Sources: https://github.com/netblue30/firejail, https://madaidans-insecurities.github.io/linux.html#firejail
Yes, however, it won’t prevent the process launching as root because firejail is setuid. This means that the person executing the file transitions into the privileges of the owner of the file, in this case, root. Since this root process remains in the background it can theoretically be exploited by the sandboxed process that firejail spawns.
The odds of this happening to someone who isn’t getting targeted are very very low so using firejail is still alright, but you should consider a non-setuid solution like bubblewrap or just a VM.