Linux Mint Sandboxing Guide

 
 

Firejail is an easy-to-use sandbox that reduces the risk of security breaches by restricting the running environment of untrusted applications using seccomp-bpf and Linux namespaces.

The first seccomp/namespaces sandbox was built by Google for the Chromium browser. It was released in 2012, replacing their existing SELinux sandbox. A shiny new technology, the sandbox flew under the radar while gaining market share. By 2014, when the Firejail project was started, the Chromium browser was already running on 50% of Linux desktops. Today there are a small number of projects sandboxing browsers and other desktop applications using seccomp/namespaces technology. We are proud to be one of them.

From the beginning we realized the contradiction between security and comfort, and we made ease of use one of our main goals. We managed to achieve this goal without sacrificing the security functionality. We provide:

  • a simple method to start the sandbox from the command line – prefix your application name with “firejail”, e.g. “firejail firefox”
  • full desktop integration – applications are sandboxed automatically when started by clicking on icons in file manager or desktop manager menus
  • an intuitive syntax for building advanced security profiles

      Our focus is GUI application sandboxing, with web browsers being the main target. The sandbox denies access to private files in the user’s home directory. Inside the sandbox, the Downloads directory and the browser configuration files are real; everything else is stored in a temporary filesystem and later discarded:

      Only Downloads directory is visible inside a sandboxed Firefox browser.

      This guide describes the steps necessary to install and configure Firejail sandbox on Linux Mint. Both Cinnamon and MATE desktop environments are supported. We provide similar support for all desktop managers.

       

      Installing and configuring Firejail

      Download the latest Firejail .deb package from our Download page and run the following three commands in a terminal:

      $ sudo dpkg -i firejail_0.9.46_1_amd64.deb
      $ firecfg --fix-sound
      $ sudo firecfg

      The first command installs the Firejail software. The second command works around some shared memory/PID namespace bugs in PulseAudio versions prior to 9. The third command integrates Firejail into your desktop. You need to log out and log back in to apply the PulseAudio changes.

       

      Running applications

      Start your programs the way you are used to: desktop manager menus, file manager, desktop launchers. The integration applies to any program supported by default by Firejail. There are more than 1000 default applications in Firejail version 0.9.64, and the number goes up with every new release. We keep the list in /usr/lib/firejail/firecfg.config file.

      Just for fun, start several programs by clicking your desktop manager menus, then open a terminal and run the following command:

      $ firejail --top

      This command tells you what programs are running in a Firejail sandbox. If your program was not sandboxed automatically, use the old method of prefixing your program with “firejail” command:

      $ firejail program-name

      firejail --top

       

      Installing new programs

      Run sudo firecfg every time you install a new program. Here is a Chromium browser example:

      $ sudo apt-get install chromium-browser
      $ sudo firecfg

      Only Downloads directory is visible inside a sandboxed Chromium browser.

       

      Desktop launchers

      Cleaning up my software archive, I ran into an old copy of Pentix. This is a very addictive Tetris clone I used to play in a DOS window way back when computers used to be fun. I created a directory pentix in my home and copied the game there. The next step was to go to the Desktop directory and create a launcher for the game. The launcher is a regular text file with the following content:

      [Desktop Entry]
      Type=Application
      Name=Pentix
      Icon=/home/netblue/pentix/pentix.png
      Exec=dosbox /home/netblue/pentix/pentix.exe
      Terminal=false

      I use the dosbox emulator (sudo apt-get install dosbox) to run the game. Firejail will sandbox the emulator automatically with a proper security profile. The icon pentix.png is something I grabbed from a clipart website. The first time I click on the icon, a very annoyed Cinnamon tells me the launcher is not marked as trusted. I press “Mark as trusted” and get on with the game.

      A sandboxed Pentix game.
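
The launcher above is sandboxed because its Exec= line uses the bare name dosbox. The following audit script is an added example, not part of the original guide or of the Firejail project; it assumes firecfg integrates programs as symlinks in /usr/local/bin that point at the firejail binary, and all function names are hypothetical.

```sh
#!/bin/sh
# Added example: report which desktop launchers start through Firejail.
# Assumption: firecfg integrates programs as symlinks in /usr/local/bin that
# point at the firejail binary, so bare program names resolve to the sandbox.
# Usage (script name is hypothetical): sh audit.sh /usr/share/applications ~/Desktop

# is_firejail_link FILE: true if FILE is a symlink whose target is named firejail.
is_firejail_link() {
    [ -L "$1" ] || return 1
    if [ "$(basename "$(readlink "$1")")" = firejail ]; then return 0; fi
    return 1
}

# resolves_to_firejail NAME PATHLIST: true if the first executable NAME found
# in the colon-separated PATHLIST is a Firejail symlink.
resolves_to_firejail() {
    rf_name=$1
    rf_old_ifs=$IFS; IFS=:
    for rf_dir in $2; do
        IFS=$rf_old_ifs
        [ -n "$rf_dir" ] || continue
        if [ -x "$rf_dir/$rf_name" ]; then
            if is_firejail_link "$rf_dir/$rf_name"; then return 0; fi
            return 1    # a real binary shadows any later symlink
        fi
    done
    IFS=$rf_old_ifs
    return 1
}

# exec_program FILE: print the program word of the first Exec= line.
# Simplification: quoted program paths and "env VAR=..." prefixes are not parsed.
exec_program() {
    sed -n 's/^Exec=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# audit_launcher FILE PATHLIST: print how the launcher's program will start.
#   explicit         Exec= calls firejail itself
#   sandboxed        the program resolves to a Firejail symlink
#   bypass-absolute  an absolute path skips the symlink directory
#   unsandboxed      the bare name resolves to the real binary (or nothing)
audit_launcher() {
    al_prog=$(exec_program "$1")
    case $al_prog in
        '')                  echo "no-exec" ;;
        firejail|*/firejail) echo "explicit" ;;
        /*) if is_firejail_link "$al_prog"; then echo "sandboxed"
            else echo "bypass-absolute"; fi ;;
        *)  if resolves_to_firejail "$al_prog" "$2"; then echo "sandboxed"
            else echo "unsandboxed"; fi ;;
    esac
}

# audit_dirs DIR...: classify every .desktop file in the given directories.
audit_dirs() {
    for ad_dir in "$@"; do
        for ad_file in "$ad_dir"/*.desktop; do
            [ -f "$ad_file" ] || continue
            printf '%-16s %s\n' "$(audit_launcher "$ad_file" "$PATH")" "$ad_file"
        done
    done
}

# Run the audit only when directories are given on the command line.
if [ "$#" -gt 0 ]; then audit_dirs "$@"; fi
```

Launchers reported as bypass-absolute or unsandboxed start without Firejail even after sudo firecfg has been run.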

      Docks

      The Linux desktop can also be customized using docks. A dock is a toolbar-like application launcher holding icons for frequently used programs. Docks are highly configurable and many users find them useful and beautiful.

      Several docks are available in Mint repositories, among them Plank (sudo apt-get install plank), Docky (sudo apt-get install docky) and Cairo (sudo apt-get install cairo-dock). As with regular desktop launchers, clicking on icons will sandbox applications automatically.

      Cairo dock starting sandboxed programs.

      Conclusion

      Firejail is a must-have tool for security-concerned users. Like Mint, Firejail is a community project. We are not affiliated with any corporation, and we pursue the user’s interest. If you run into problems or have new ideas, feature requests, whatever, join us on our development page. Thank you for reading!


40 thoughts on “Linux Mint Sandboxing Guide”

  1. Gordon Driver

    Please please please someone tell me how to “undo”, “reverse” or “remove” this command: sudo firecfg (The second command integrates Firejail into your desktop).

    After issuing it, I cannot launch many, many programs. As a result, I can no longer use this software, and I really would like to continue doing so.

  2. Gordon Driver

    Sorry, panicked a bit. I easily fixed it with sudo firecfg --clean

    4 year-old running about and not paying attention.

  3. Pingback: Mint sandboxing guide | 0ddn1x: tricks with *nix

  4. Pingback: Links 1/6/2017: KDE Plasma 5.10, Qt 5.9 Released | Techrights

  5. Pingback: Links 18/6/2017: New Debian Release, Catchup With a Lot of News | Techrights

  6. Barry

    Good work. Great piece of software that solves a lot of problems. I am running Linux Mint and used firecfg as directed in this article. Most things work great, but there are a few exceptions that are causing me a lot of problems.

    What I need to know is how can I bypass firejail on a case by case basis?

    Sometimes I need to do a “quick – one shot”, and other times I need to create a permanent exemption for the program.

    Any assistance would be much appreciated.

    1. netblue30 Post author

      For example VLC. After you run firecfg, it will start jailed by default. If you want to start it without a jail, in your terminal run “/usr/bin/vlc”.

      For programs you never want jailed, delete the program link from /usr/local/bin directory (sudo rm /usr/local/bin/vlc).

  7. Barry

    I love using firejail with Firefox – it is so nice to be able to close the browser and have all the cookies and other garbage automatically gone.

    My only problem is that the default configuration set up by the Linux mint people does not include Google as a search engine, and uses yahoo as the default which serves more useless ads than useful content.

    Can you please tell me how I can establish my own custom starting point for Firefox under firejail? Thanks.

    1. netblue30 Post author

      You should be able to configure the browser to use Google search. It is a browser setting, not affected by Firejail. Click on the three lines in the upper right-hand corner of the browser window, and go to “Preferences” and set the search to Google.

      Firejail goes into play only if you start it with --private command line option. In this case the browser starts with factory defaults, and any change in browser configuration will not be saved when you close the browser.

  8. Bob

    I’ve tried several times to install Firejail but every time, it kills my video display on either my laptop or HDMI out. The only way to fix this is to boot through a USB and delete the Firejail files from the HDD. I’ve read and searched everything but cannot figure out why this is happening.

  9. Roberto

    I can not run type 2 AppImage with firejail:
    $ firejail --appimage LibreOffice-5.4.4-i386.AppImage
    Error mounting appimage: appimage.c:113 appimage_set: Invalid argument

    AppImage type 1 works. Is AppImage type 2 unsupported? Is this a bug in firejail?

      1. Roberto

        I’m using the latest firejail version, but the problem still occurs:

        $ firejail --version
        firejail version 0.9.52

        Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - bind support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - git install support is disabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

        $ firejail --appimage ./LibreOffice-5.4.4-i386.AppImage
        Error mounting appimage: appimage.c:113 appimage_set: Invalid argument

        How to fix this? Appimage only works without firejail.


      2. netblue30 Post author

        I am looking for a LibreOffice appimage to try it out. Where did you get it? Also, are you running on a 32bit system (i386)? The appimage you have is a 32bit one.


      3. Roberto

        Yes, I am running a 32bit system. The appimage works perfectly without firejail. Here is the Google Drive link for the LibreOffice appimage (LibreOffice-5.4.4-i386.AppImage):
        https://drive.google.com/open?id=1pqTl1hlJNCcJLUmwD0vE3YUcvz7QXKl-

        Just do “chmod +x LibreOffice-5.4.4-i386.AppImage; ./LibreOffice-5.4.4-i386.AppImage” and it will work perfectly. However, if you type “firejail --appimage LibreOffice-5.4.4-i386.AppImage” it does not work.
        In folder “build_appimage” you can see the build scripts.



  10. Roberto

    I’m using the latest firejail version, but the problem still occurs:

    $ firejail --version
    firejail version 0.9.52

    Compile time support:
    - AppArmor support is disabled
    - AppImage support is enabled
    - bind support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - git install support is disabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

    $ firejail --appimage ./LibreOffice-5.4.4-i386.AppImage
    Error mounting appimage: appimage.c:113 appimage_set: Invalid argument

    How to fix this? Appimage only works without firejail.

  11. George

    Netflix doesn’t work in Firefox since installing firejail. How do I kill any and all sandboxes and start Firefox in a firejail-free environment to test if firejail is the culprit or not?

    1. netblue30 Post author

      It is a known problem. Close all your firefox windows to make sure nothing is running, and then start firefox as follows:

      $ firefox --ignore=seccomp firefox -no-remote

      I think this should take care of Netflix. If not, you can also start firefox without a sandbox by typing the full path:

      $ /usr/bin/firefox -no-remote

      What version of Firejail are you running, and also did you run “sudo firecfg” after installing it?

  12. George

    George March 5, 2018 at 5:55 am
    Netflix doesn’t work in Firefox since installing firejail. How do I kill any and all sandboxes and start Firefox in a firejail-free environment to test if firejail is the culprit or not?
    ~~~~~
    netblue30 Post author March 5, 2018 at 2:37 pm
    It is a known problem. Close all your firefox windows to make sure nothing is running, and then start firefox as follows:
    $ firefox --ignore=seccomp firefox -no-remote
    I think this should take care of Netflix. If not, you can also start firefox without a sandbox by typing the full path:
    $ /usr/bin/firefox -no-remote
    What version of Firejail are you running, and also did you run “sudo firecfg” after installing it?
    ~~~~~
    To answer your question concerning the firejail version:

    $ firejail --version
    firejail version 0.9.52

    Compile time support:
    - AppArmor support is disabled
    - AppImage support is enabled
    - bind support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - git install support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

    I believe that I ran firecfg at installation. I believe that was the recommended process that I read. I have an entry /usr/bin/firecfg. Can I run it again if I’ve already run it?

    After closing Firefox and all other programs that open in Firejail before starting each of the following command lines, I got the following results:

    $ firefox –-ignore=seccomp firefox –no-remote
    Firefox starts, Netflix login works, attempting to start a show gets opening frame of show with animated red circle being drawn over and over.

    $ /usr/bin/firefox -no-remote
    Firefox starts, Netflix login works, attempting to start a show gets an error screen.

    I have a WordPress account under a different email account and can’t find a way to follow Firejail. I believe my WordPress account is linked to a specific site for which I used WordPress, though, that doesn’t seem likely. I’m looking into this. I’d appreciate any suggestions you may have on this issue, and it really isn’t your issue, I understand.

    Thanks,
    George

    1. netblue30 Post author

      What happens if you run:

      $ firejail --noprofile firefox -no-remote

      If this is fine you can debug it. You’ll go in /etc/firejail/firefox.profile and comment out (add a #) the lines in that file. One or more of them are creating the problem.

      1. George

        The command that you suggested generated the following result:

        ~ $ firejail --noprofile firefox --no-remote
        Parent pid 3578, child pid 3579
        Child process initialized in 119.06 ms
        Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features

        {comment: Netflix started as usual. Attempting to run a movie generated a “Whoops…” error. I closed the terminal process at that point which closed Netflix.}
        ^C
        Parent received signal 2, shutting down the child process…

        Parent is shutting down, bye…

        Child received signal 15, shutting down the sandbox…
        ~ $

        I appreciate the help you’re sending.
        George


      2. netblue30 Post author

        What video card are you using (Nvidia, AMD…)? We do have some problems with some of the drivers for them, usually the drivers from the manufacturer.


  13. George

    lspci lists the following video card: Intel Corporation 4th Gen Core Processor Integrated Graphics Controller (rev 06)

    George

  14. George

    I’m stumped with the Netflix problem for which you’ve been assisting me. I like the sandbox concept very much, but don’t know what to do here. Can you advise me on how to uninstall and reinstall? Oh, and how do I access this forum from my WordPress account. I can’t see a way to add anything.
    thanks,
    George

  15. Jonah

    Love the guide! But I don’t suppose you could also add a simple guide for how to make it work with AppArmor? 😉

  16. bob

    Hi,

    Testing with firejail xed I get the following…
    ———————————————————————–
    Reading profile /etc/firejail/xed.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-interpreters.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/whitelist-var-common.inc
    Parent pid 10670, child pid 10671
    1 program installed in 2.58 ms
    Blacklist violations are logged to syslog
    Child process initialized in 70.96 ms
    Could not find platform independent libraries
    Could not find platform dependent libraries
    Consider setting $PYTHONHOME to [:]
    Fatal Python error: Py_Initialize: Unable to get the locale encoding
    ImportError: No module named ‘encodings’

    Current thread 0x00007ffa072a9a40 (most recent call first):

    Parent is shutting down, bye…

    —————————————————————
    Linux Mint 18.03 with default Python 2 and 3 installed.
    I had Python 3.6.4 installed also with following cmds and played around with it some time ago and had no issues:

    sudo apt-get install build-essential checkinstall && sudo apt-get install libreadline-gplv2-dev libncursesw5-dev libssl-dev libsqlite3-dev tk-dev libgdbm-dev libc6-dev libbz2-dev && cd /usr/src && sudo wget https://www.python.org/ftp/python/3.6.4/Python-3.6.4.tgz && sudo tar xzf Python-3.6.4.tgz && cd Python-3.6.4 && sudo ./configure --enable-optimizations && sudo make altinstall

    There are no $PYTHONHOME or $PYTHONPATH env variables set as I was told by someone not to play with it until you know what you’re doing, (still learning to code in other languages, haven’t got around to getting serious with python yet)
    XED runs fine without firejail along with associated Python plugins

    Appreciate your assistance and advice in fixing otherwise will avoid firejail with xed for now.
    Many thanks

  17. Mike W

    Firejail is an awesome project. I feel safer using it.

    If I start conky in a firejail, the only processes and memory usage it shows are for conky and firejail with a brief, occasional flash of usage for dig and curl which are used by my conky setup. I think that firejail needs to whitelist /proc to show cpu and memory usage of the overall system. Is this possible using firejail 0.9.52 from the Linux Mint 19 MATE repository?

    1. netblue30 Post author

      Thanks! If you start conky in a sandbox, it will monitor only the memory/cpu/etc. inside the sandbox. So all the numbers printed by conky refer to the sandbox, not to all your system.

      > 0.9.52 from the Linux Mint 19 MATE repository

      I would suggest to grab 0.9.56 from our download page. We keep there a .deb package.

  18. Tutu

    How do I create a single symbolic link for a firejail app instead of all at once; please make an option for this in firecfg; this is useful in fedora and centos esp, where due to SELinux, there is very little need for firejail. Thanks!

  19. anonymous

    Thanks so much for developing this program. Really appreciated!

    2 questions:
    (sorry if this has been answered elsewhere)
    if I install a program via snap – I can’t ‘firejail’ it, is that correct?
    (for example Brave browser, installed via snap)
    I understand that snap applications are sandboxed already.

    The second issue may be a bit odd. I have altered the launchers of common programs to include firejail, so for example the PDF viewer Xreader is launched via ‘firejail xreader %U’
    so, if I open any PDF documents with Xreader it automatically opens Xreader in sandboxed mode.
    HOWEVER somehow this doesn’t work with Okular. [I run Linux Mint Mate, so not KDE] If I launch okular via launcher /usr/bin/firejail okular [or firejail okular ] it opens Okular in sandboxed mode; but NOT if I just open a PDF document with Okular.

    I am concerned about in error opening a not sandboxed PDF. Any suggestions?

    Sorry if stupid question

  20. meliaas

    I can’t seem to find the command to create default profiles in /etc/firejail. Running the firecfg command doesn’t create the profiles in this location.

  21. tele

    The program is not perfect.
    But I hope it gets better in the future.
    1. The execution of firecfg commands can be automated.
    – each time you run the system update application or package manager
    – or when file “lock” is detected ( protection against running two package managers simultaneously )
    but I don’t know if the file is also created with “apt get install”
    2. firecfg command is very helpful. Because it allows you to run applications by default straight from the menu immediately from the sandbox.
    But this applies to applications for which a profile has been created or installed.
    My English is not perfect, I hope I wrote well.
    Maybe in the future it will be possible to remove some paths from the $PATH environment variable.
    and create a profile automatically for any application except those launched from root. ( /sbin and maybe /usr/sbin ).
    3. Then maybe a better graphical manager for the application will be created.
    The basic graphical manager for application configuration would include
    – default policy for all applications
    – basic permission configuration for each application or a ready profile if it exists.
    Basic because the application has a lot of options and the profile contains a lot of “blacklist”.
    If I wrote too much, sorry.
