Firejail Usage

Welcome to Firejail, a SUID security sandbox based on Linux namespaces and seccomp-bpf. We are a volunteer weekend project and our target is the desktop. Linux beginner or accomplished programmer, you are welcome to join us at http://github.com/netblue30/firejail.

This document is an effort to centralize Firejail information currently spread across several howtos, blogs and discussion threads. I’ll start with a short description of the kernel technologies involved, move to sandbox configuration and management, and explore some of the most common usage scenarios.

 

Contents

1. Technology
        1.1 The Linux Kernel
        1.2 What is SUID, and how does it affect me?

2. Usage and Configuration
        2.1 Installation
        2.2 Basic Usage
        2.3 Desktop Integration
        2.4 Security Profiles
        2.5 Managing Sandboxes

3. Filesystem
        3.1 Private Mode
        3.2 Chroot
        3.3 OverlayFS
        3.4 AppImage
        3.5 AppArmor
        3.6 EncFS and SSHFS

4. Networking
        4.1 Direct Network Setup
        4.2 Routed network Setup
        4.3 Traffic Shaping

5. X11 Sandboxing

6. Servers

 

1. Technology

There is nothing magic about the internal workings of a sandbox, just some kernel security technologies stacked one on top of the other. As a user you don’t deal with them directly, Firejail takes care of it. We offer preconfigured security profiles for more than 400 Linux applications, and if your application is not among them, no problem – the default configuration should just work!

 

1.1. The Linux Kernel

All Firejail security features are implemented inside the Linux kernel. The sandbox program configures the kernel and goes to sleep. The setup is very fast, usually tens of milliseconds. In very complicated setups it can go as high as 1 second. The memory requirements are low, all it needs is a few MB of memory. As for slowing down the application, I don’t think you’ll notice any.

We divide the kernel technologies used for sandboxing in three categories:

Front-end sandboxing technologies:

  • Mount namespace
  • PID namespace
  • Network namespace
  • Optional: chroot, overlayfs, netfilter
Back-end sandboxing technologies:

  • seccomp-bpf
  • Linux capabilities
  • Optional: noroot user namespace, AppArmor
     
Kernel config technologies:

  • SUID

Front-end technologies are simple and very effective. They are designed to withstand a massive attack. We use mount, PID and network namespaces. The user can also request chroot, overlayfs and a netfilter firewall.

Back-end technologies are smart and sophisticated. They play a support role: to keep the front-end in place. Our main support technologies are seccomp and Linux capabilities. We use them to lock the attacker inside the sandbox, and prevent him from becoming root. If requested, we also start a noroot user namespace, and configure an AppArmor profile.

In the third category, we place the technologies we use to configure the kernel. Currently there are exactly two technologies available: SUID and user namespaces. Both of them are insecure. User namespaces have the advantage that when things go wrong you can blame it on kernel developers. For Firejail we use SUID.

 

1.2 What is SUID, and how does it affect me?

SUID (Set owner User ID upon execution) is a special type of file permission. Most programs running on your computer inherit access permissions from the user logged in. SUID allows the program to run as root, rather than as the user who started the program.

We use this Linux feature to start the sandbox, since most kernel technologies involved in sandboxing require root access. Once the sandbox is installed, root permissions are dropped, and the real program is started with regular user permissions. For example, in the case of the Firefox browser, we start the sandbox as root, drop privileges, then we start the browser as a regular user.

SUID programs are considered dangerous on multiuser systems. It is not a great idea to install Firejail on such systems. If you have a server full of people logging in over SSH, forget about it!

Firejail was built for single-user desktop systems. We try to address desktop specific threats, such as:

  • Mozilla Firefox PDF exploit (2015). You click on a link on a website, and by the time anything shows on the screen, the guys already read various passwords and encryption keys stored in your home directory. Among them, the private SSH keys in ~/.ssh.
  • Google Chrome scanning files in your Documents directory (2018). They say they scan for Windows malware and viruses. It is only a matter of time until this “technology” comes to Linux.

We make the assumption that data stored on the user’s computer is more valuable than the computer itself. This stands in direct contrast with the corporate/multiuser system philosophy, where the software the company is trying to sell is more important than the user’s data. We also assume a clean, updated system without any malicious software already installed.

There are ways to mitigate some of the problems introduced by SUID. Here are some of them:

1. Use firecfg

Integrate your desktop software with Firejail by running the firecfg utility described in the Desktop Integration section. As a result, most of your desktop programs will be sandboxed automatically. From inside a sandbox it is not possible to run SUID programs, including Firejail.

2. Set force-nonewprivs flag

If you are not using Chromium or a browser based on Chromium (Opera, etc.), turn on the force-nonewprivs flag in the /etc/firejail/firejail.config file. As root, open the file in a text editor and add this line:

force-nonewprivs yes

The flag prevents raising privileges after the sandbox was started. It is believed to clean up most SUID problems that will ever be attributed to Firejail. Unfortunately, Chromium-based browsers need to raise privileges in order to install their own SUID sandbox.

3. Create a special firejail group

To further restrict the SUID binary, create a firejail group, set /usr/bin/firejail executable as part of this group, change the file mode to 4750, and add only the users allowed to use Firejail to the group. Sample set of instructions on Debian:

$ su
# addgroup firejail
# chown root:firejail /usr/bin/firejail
# chmod 4750 /usr/bin/firejail
# ls -l /usr/bin/firejail
-rwsr-x--- 1 root firejail 1584496 Apr  5 21:53 /usr/bin/firejail

To add the user to the group, type:

# usermod -a -G firejail username

A logout and login back is necessary after adding the user to the group.

4. Consider running the long term support release

The current LTS release was branched out from version 0.9.38 in February 2016. It includes only bugfixes and additional SUID hardening. The code base is much smaller, and easier to audit.
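The mitigations in steps 2 and 3 are easy to get wrong silently (a commented-out config line, a package upgrade resetting the file mode), so here is an audit script, added as an example and not part of the Firejail project, that checks both. The config and binary paths are the ones named above; the parsing functions take their input as arguments so they can be exercised on constructed data.

```shell
#!/bin/sh
# Added example (not part of Firejail): audit the SUID hardening steps.
# Parsing helpers take their inputs as arguments so they can be checked on
# constructed data; audit_live_system runs them against the real files.

# Return 0 when a firejail.config body has an active "force-nonewprivs yes".
# A commented-out line (leading #) does not count.
config_has_force_nonewprivs() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*force-nonewprivs[[:space:]]+yes[[:space:]]*$'
}

# Return 0 when mode/owner/group (as printed by stat -c '%a %U %G') match
# the recommended 4750 root:firejail layout: SUID, but not world-executable.
binary_is_group_restricted() {
    mode=$1; owner=$2; group=$3
    [ "$mode" = "4750" ] && [ "$owner" = "root" ] && [ "$group" = "firejail" ]
}

# Live check on this machine; prints findings and returns 1 on any problem.
audit_live_system() {
    bin=${1:-/usr/bin/firejail}
    cfg=${2:-/etc/firejail/firejail.config}
    rc=0
    if [ -f "$cfg" ] && config_has_force_nonewprivs "$(cat "$cfg")"; then
        echo "ok: force-nonewprivs is enabled in $cfg"
    else
        echo "warn: force-nonewprivs not set in $cfg (expected unless you run Chromium-based browsers)"
        rc=1
    fi
    if [ -e "$bin" ]; then
        # word-splitting on purpose: mode owner group
        set -- $(stat -c '%a %U %G' "$bin")
        if binary_is_group_restricted "$1" "$2" "$3"; then
            echo "ok: $bin is mode $1, owned by $2:$3"
        else
            echo "warn: $bin is mode $1, owned by $2:$3; expected 4750 root:firejail"
            rc=1
        fi
    fi
    return $rc
}
```

Run `audit_live_system` as any user after the steps above; the group check also catches the common case where reinstalling the package restored mode 4755.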

 

2. Usage and Configuration

 

2.1 Installation

Try installing Firejail using your package manager first. Firejail is included in a large number of distributions. Among them Arch, Debian, Gentoo, Mint, Slackware, Ubuntu.

You can find newer versions of the software on our download page. There we keep up-to-date .deb packages for Debian/Ubuntu/Mint and .rpm packages for CentOS/Fedora/OpenSUSE. You can also download the source archive and compile it yourself. There are no external dependencies, all you need is a C compiler (sudo apt-get install build-essential) and a regular compile/install (./configure && make && make install).

After install run:

$ firecfg --fix-sound

This command fixes some bugs in PulseAudio software versions available on most Linux platforms. After running it, logout and login again for the modifications to take effect.

 

2.2 Basic Usage

Start the sandbox by prefixing your application with “firejail”:

$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Blacklist violations are logged to syslog
Child process initialized

Any type of GUI program should work, with sound, video and hardware acceleration support. This makes Firejail ideal for running desktop applications such as web browsers, media players, and games.

 

2.3 Desktop Integration

To integrate Firejail with your desktop environment run:

$ sudo firecfg

As a result:

  • Clicking on desktop manager icons and menus will sandbox the application automatically. We support Cinnamon, KDE, LXDE/LXQT, MATE and XFCE desktop managers, and partially Gnome 3 and Unity. This part works well across all Linux distributions.
  • Clicking on files in your file manager will open the file in a sandboxed application. It works fine in newer Linux distributions like Debian “stretch”, Ubuntu 17.04, Arch, Gentoo.

You can always check if your application was sandboxed by running "firejail --list" in a terminal. Or you can keep a terminal running "firejail --top" to track your sandboxes.

Monitoring sandboxes with “firejail --top”

Some users prefer desktop launchers for starting applications. A launcher is a regular text file with a .desktop extension placed in the ~/Desktop directory. This is an example for the Mozilla Firefox browser:

$ cat ~/Desktop/firefox.desktop
[Desktop Entry]
Type=Application
Name=Firefox
Icon=firefox.png
Exec=firejail firefox
Terminal=false
 

2.4 Security profiles

We distribute Firejail with over 400 security profiles, covering most common Linux applications. Profile files have a friendly syntax, and are stored in /etc/firejail directory.

Profiles built by users should be placed in the ~/.config/firejail directory. If you need to add something to an existing profile, use the "include" command to bring in the original profile file, then add your commands. For example, this is a profile for the VLC media player without network access:

$ cat ~/.config/firejail/vlc.profile
include /etc/firejail/vlc.profile
net none

For more information see Building Custom Profiles and Building Whitelisted Profiles documents.

 

2.5 Managing Sandboxes

The relevant command line options are as follows:

  • firejail --list – list all running sandboxes
  • firejail --tree – list all running sandboxes and the processes running in each sandbox
  • firejail --top – similar to Linux top command

In case a sandbox is not responding and you need to shut it down, use the --shutdown option. First, list the sandboxes,

$ firejail --list
3787:netblue:firejail --private 
3860:netblue:firejail firefox 
3963:root:firejail /etc/init.d/nginx start
$

and then shut down the sandbox using the PID number from the list. In this example I shut down the Firefox browser:

$ firejail --shutdown=3860

Use the --join option if you need to join an already running sandbox and modify the filesystem, the network parameters, or do some other admin work. I am using the Firefox sandbox from the previous example:

$ firejail --join=3860
Switching to pid 3861, the first child process inside the sandbox

[netblue@debian ~]$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
netblue      1 12.1  4.5 996168 320576 ?       Sl   07:33   1:59 firefox
netblue     77  2.5  0.0  20916  3716 pts/2    S    07:49   0:00 /bin/bash
netblue    120  0.0  0.0  16840  1256 pts/2    R+   07:49   0:00 ps aux

[netblue@debian ~]$ 

--join works like a regular terminal login in the sandbox. The new shell session inherits all the sandbox restrictions.
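Both --shutdown and --join take the PID from the first column of "firejail --list", so the list-then-act procedure above is easy to script. The following helper is an added example, not part of Firejail; it parses the pid:user:command lines the way the listing above is laid out and works on a constructed listing as well as on live output.

```shell
#!/bin/sh
# Added example, not part of Firejail: pick sandbox PIDs for --shutdown or
# --join from "firejail --list" output, where each line is pid:user:command.
# Parsing is kept separate from running so it can be checked on a
# constructed listing.

# Print the PIDs of sandboxes whose command line matches an extended regex,
# optionally limited to one user. The listing is read from stdin.
sandbox_pids() {
    pattern=$1
    user=${2:-}
    while IFS= read -r line; do
        pid=${line%%:*}
        rest=${line#*:}
        owner=${rest%%:*}
        cmd=${rest#*:}
        case $pid in ''|*[!0-9]*) continue ;; esac    # not a listing line
        [ -n "$user" ] && [ "$owner" != "$user" ] && continue
        printf '%s' "$cmd" | grep -Eq -- "$pattern" && printf '%s\n' "$pid"
    done
    return 0
}

# Shut down every sandbox whose command matches, e.g. shutdown_matching firefox
shutdown_matching() {
    firejail --list | sandbox_pids "$1" "${2:-}" | while read -r pid; do
        echo "shutting down sandbox $pid"
        firejail --shutdown="$pid"
    done
}

# Open a shell in the first matching sandbox; it inherits all restrictions.
join_first_matching() {
    pid=$(firejail --list | sandbox_pids "$1" "${2:-}" | head -n 1)
    [ -n "$pid" ] || { echo "no sandbox matches '$1'" >&2; return 1; }
    firejail --join="$pid"
}
```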

 

3. Filesystem

 

3.1 Private Mode

Private mode is a quick way to hide all the files in your home directory from sandboxed programs. Enable it using --private command line option:

$ firejail --private firefox
 

Firejail mounts a temporary tmpfs filesystem on top of /home/user directory. Any files created in this directory will be deleted when you close the sandbox. You can also use an existing directory as home for your sandbox, allowing you to have a persistent home:

$ firejail --private=~/my_private_dir firefox
 

3.2 Chroot

Most of the time I’m happy with the applications distributed by Debian “stable”, but occasionally I need a much newer version of a program or another. In this case, I build a Debian “unstable” chroot on my “stable” system, and run my application using Firejail’s chroot feature. These are the steps:

Step 1: Build a basic Debian sid filesystem:

$ sudo mkdir /chroot
$ sudo debootstrap --arch=amd64 sid /chroot/sid

Step 2: Add a regular user account and install the target application (youtube-dl in this example):

$ sudo firejail --noprofile --chroot=/chroot/sid
# adduser netblue
# apt-get install youtube-dl
# exit

Step 3: Run the application:

$ firejail --chroot=/chroot/sid
$ youtube-dl https://www.youtube.com/watch?v=Yk1HVPOeoTc

The setup also works for GUI programs such as mpv and HandBrake, you just have to bring the programs in:

$ sudo firejail --noprofile --chroot=/chroot/sid
# apt-get update
# apt-get upgrade
# apt-get install handbrake mpv
 

3.3 OverlayFS

One use case for Firejail’s OverlayFS front-end is testing new software packages. All filesystem modifications performed while installing and running the software are stored in the overlay layer. The host filesystem is not touched.

This is an example of testing Gnome AisleRiot game from the regular Debian repository. AisleRiot is a collection of over eighty different solitaire card games, including popular variants such as spider, freecell, klondike, thirteen (pyramid), yukon, canfield and many more.

The steps are as follows:

Step 1: Start a root sandbox with a temporary OverlayFS filesystem

$ sudo firejail --noprofile --overlay-tmpfs
# 

This is a very relaxed sandbox. All directories are visible, with an overlay on top of them. The only filter installed is seccomp. This means your package manager will not be able to install and load new kernel modules. Also, if you are thinking about installing server programs, it will not work – systemd lives in a different namespace, and it will fail to find your new server.

Step 2: Install the program

# apt-get install aisleriot

Step 3: Switch to your regular user and run the program

# su netblue
$ sol
Playing Klondike (AisleRiot) in a Firejail sandbox

 

3.4 AppImage

The previous chroot and OverlayFS tricks will only get you so far. As more and more complex applications are built by thousands of Linux users, new ways of distributing software emerged. My favourite is AppImage.

We introduced AppImage support in 2016, and since then we have added more features, bug fixes etc. On their side, the AppImage team kept on bringing in new cool stuff, such as a new filesystem layout and a crowd-sourced repository of appimages for most Linux applications.

Here is a simple usage example: the latest and greatest Kdenlive video editor built and distributed by the developer.

Kdenlive AppImage running in Firejail

I create a private home directory for this application and start the appimage in this directory:

$ mkdir ~/mykdenlive
$ firejail --private=~/mykdenlive --appimage ~/Downloads/Kdenlive-17.12.0d-x86_64.AppImage
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 17670, child pid 17673
Dropping all Linux capabilities and enforcing default seccomp filter
Child process initialized in 60.82 ms
...

All the files I am editing are in ~/mykdenlive directory, no other files in my home are visible in the sandbox. You can find more examples in our AppImage Support document.

 

3.5 AppArmor

Currently, the AppArmor Linux security module is enabled by default on Ubuntu. On other distributions you’ll have to enable it yourself. The setup process is very easy, and it can be followed even by Linux beginners. Here are the official instructions for Debian:

$ sudo apt install apparmor apparmor-utils
$ sudo mkdir -p /etc/default/grub.d
$ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \
  | sudo tee /etc/default/grub.d/apparmor.cfg
$ sudo update-grub

Long story short, run these commands in a terminal and restart the computer. And these are the instructions for Arch Linux and Gentoo.

Like Firejail, AppArmor restricts programs’ capabilities with per-program profiles. If you have an AppArmor profile for your application, enable it. Firejail should work fine on top of AppArmor. There is some overlap between the two technologies: both of them blacklist the same filesystem. In case one of them misses something important, hopefully the other one picks it up.

If you don’t have an AppArmor profile for your specific application, we give you one. The profile is installed in the /etc/apparmor.d/firejail-default file when you install Firejail. You need to load it into the kernel by running the following command:

$ sudo aa-enforce firejail-default

Note: next time you start your computer, Firejail AppArmor profile will be loaded automatically into the kernel.

Use --apparmor command line option to enable AppArmor confinement inside your sandboxed application:

$ firejail --apparmor warzone2100

In profile files, use the apparmor command. This is the previous VLC profile with AppArmor support:

$ cat ~/.config/firejail/vlc.profile
include /etc/firejail/vlc.profile
net none
apparmor
 

3.6 EncFS and SSHFS

EncFS is an encrypted filesystem built on top of the FUSE library. It is available on most Linux distributions, and it runs in user space. Integrating EncFS with Firejail brings up an interesting problem. Take a look at this paragraph in man encfs:

By default, all FUSE based filesystems are visible only to the user who mounted them. No other users (including root) can view the filesystem contents.

For various reasons, during sandbox setup Firejail handles EncFS filesystems as the root user. FUSE will deny root access to the user’s files and the sandbox will fail to start.

This problem affects all filesystems based on the FUSE library. Quite popular among them is sshfs. The solution is to allow the root user to access the filesystem using the allow_root FUSE mount flag. On some distributions (Debian & friends) you might have to edit the FUSE config file /etc/fuse.conf and uncomment the user_allow_other line:

$ cat /etc/fuse.conf 
# /etc/fuse.conf - Configuration file for Filesystem in Userspace (FUSE)

# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#mount_max = 1000

# Allow non-root users to specify the allow_other or allow_root mount options.
user_allow_other

This is how to start a Firejail-friendly EncFS:

$ encfs -o allow_root ~/.crypt ~/crypt

And this is an SSHFS mount:

sshfs -o reconnect,allow_root netblue@192.168.1.25:/home/netblue/work work

After mounting your FUSE filesystem, start your sandboxes the regular way.
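A sandbox that fails to start because of a FUSE mount gives little hint about the cause, so it helps to check the mounts first. This script is an added example, not part of Firejail; it reads the /proc/mounts layout (device, mountpoint, fstype, options) and flags FUSE mounts that would refuse root. libfuse passes allow_root to the kernel as allow_other, so the check accepts either spelling in the options field.

```shell
#!/bin/sh
# Added example, not part of Firejail: check that FUSE mounts will be
# reachable by root during sandbox setup. Lines follow the /proc/mounts
# layout: device mountpoint fstype options dump pass. libfuse passes an
# allow_root mount to the kernel as allow_other, so both spellings count.

# Return 0 when a FUSE filesystem type with these options would refuse root.
fuse_opts_block_root() {
    fstype=$1; opts=$2
    case $fstype in fuse|fuse.*) ;; *) return 1 ;; esac      # not a FUSE mount
    case ",$opts," in *,allow_root,*|*,allow_other,*) return 1 ;; esac
    return 0
}

# Read mounts-format text on stdin and print mountpoints that would block root.
fuse_mounts_blocking_root() {
    while read -r _dev mp fstype opts _rest; do
        fuse_opts_block_root "$fstype" "$opts" && printf '%s\n' "$mp"
    done
    return 0
}

# Live check against this machine; a non-zero exit means remount first.
check_before_sandbox() {
    bad=$(fuse_mounts_blocking_root < /proc/mounts)
    if [ -n "$bad" ]; then
        echo "FUSE mounts without allow_root, remount them with -o allow_root:"
        echo "$bad"
        return 1
    fi
    echo "ok: no FUSE mount blocks root access"
}
```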

 

4. Networking

A network namespace is a new, independent TCP/IP stack attached to the sandbox. The stack has its own routing table, firewall and set of interfaces. Apart from “net none” and an optional “netfilter”, we never configure networking features in the security profiles distributed with the sandbox software.

You can create a network namespace with the --net command. There are three setups to choose from:

  • --net=none creates a network namespace unconnected to the real network. The sandbox looks like a computer without any network interfaces.
  • --net=macvlan-device creates a direct network setup. The namespace is connected on the same network as your Ethernet interface using a macvlan kernel device. This is the easiest setup for home users. Unfortunately, the macvlan Linux kernel device works only for wired Ethernet interfaces.
  • --net=bridge-device connects the sandbox to a bridge kernel device. The regular network stack routes the sandbox traffic to your main wired/wireless interface.
 

4.1 Direct Network Setup

Run “ip addr show” to find the name of your wired Ethernet interface (eth0 in my case):

$ ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e0:3f:4f:72:14:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::e23f:49ff:fe7a:1409/64 scope link 
       valid_lft forever preferred_lft forever

and start the sandbox

$ firejail --net=eth0 firefox

You can specify an IP address (--ip=192.168.1.207), a range of IP addresses (--iprange=192.168.1.100,192.168.1.240) to choose from, or you can let the sandbox find an unused IP address on your network.

Because of the way macvlan kernel drivers are wired to the real Ethernet interface, it is not possible for the sandboxed application to access TCP/IP services running on the host, and the other way around. The sandbox and the host are totally disconnected, even if both of them are on the same network.

Direct network

This is a Firefox profile adding network namespace support to the sandbox:

$ cat ~/.config/firejail/firefox-esr.profile
include /etc/firejail/firefox-esr.profile
net eth0
iprange 192.168.1.100,192.168.1.240

Similarly, a profile for Transmission:

$ cat ~/.config/firejail/transmission-qt.profile
include /etc/firejail/transmission-qt.profile
net eth0
iprange 192.168.1.100,192.168.1.240

In the examples above, I let Firefox and Transmission fight for addresses in the 192.168.1.100 – 192.168.1.240 range. Actually, all network clients on my home network are fighting for addresses in this range. To monitor the traffic use “firejail --netstats”.

Monitoring network traffic with “firejail --netstats”

 

4.2 Routed Network Setup

In a routed setup sandboxes are connected to a Linux bridge, and the bridge traffic is routed by the host. This setup works for both wired and wireless interfaces. Address translation needs to be enabled on the host in order for the sandbox traffic to go out to the Internet:

Routed network

Script for setting this up – I assume a wired eth0 interface for the system:

#!/bin/bash

#
# Routed network configuration script
# (brctl comes from the bridge-utils package, ifconfig from net-tools)
#

# bridge setup: br0 is the sandboxes' default gateway
brctl addbr br0
ifconfig br0 10.10.20.1/24 up

# enable ipv4 forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# netfilter cleanup
iptables --flush
iptables -t nat -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# netfilter network address translation for the sandbox subnet
iptables -t nat -A POSTROUTING -o eth0 -s 10.10.20.0/24 -j MASQUERADE

Starting the sandbox:

$ firejail --net=br0 firefox

For running servers I replace network address translation with port forwarding in the script above:

# host port 80 forwarded to sandbox port 80
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.20.10:80

4.3 Traffic shaping

Network bandwidth is an expensive resource shared among all sandboxes running on a system. Traffic shaping allows the user to increase network performance by controlling the amount of data that flows into and out of sandboxes. Firejail implements a simple rate-limiting shaper based on Linux tc command. The shaper works at sandbox level:

$ firejail --name=browser --net=eth0 firefox &
$ firejail --bandwidth=browser set eth0 80 20

In this example I set a bandwidth of 80 kilobytes per second on receive side and a bandwidth of 20 kilobytes per second on transmit side. As the sandbox is running, I can change the values or even reset them:

$ firejail --bandwidth=browser set eth0 40 10
$ firejail --bandwidth=browser clear eth0
 

5. X11 Sandboxing

In the absence of Wayland, the most reliable way to sandbox X11 in Firejail is Xephyr. Xephyr is a light X11 server you can run in parallel with the main xorg server on your machine. The software is part of X.Org.

In this example I use Firejail to sandbox two applications, Inkscape and Firefox, in the same Xephyr window.

Step 1. Sandbox Xephyr

In order to be able to rearrange and resize windows, I start the OpenBox window manager on top of Xephyr. Notice the --net=none option.

$ firejail --x11=xephyr --net=none openbox &

Note: You can replace openbox with any other supported window manager. Currently we support openbox, fluxbox, blackbox, awesome and i3.

As a rule, whenever we are dealing with X11 we also need to install a new network namespace. This is the only way to block access to the abstract Unix socket opened by the main X11 server already running on your box. Every application sandboxed on this display server is required to install a network namespace, either --net=none or --net=eth0.

Step 2. Find the display number for the new server

Each X11 server running on your box is identified by a unique display number. This number is used to connect X11 applications to a specific X11 server. Run firemon --x11 to find Xephyr’s display number:

$ firemon --x11
2377:netblue::/usr/bin/firejail /usr/bin/Xephyr -ac -br -noreset -screen 1024x
2394:netblue::firejail --net=none openbox 
  DISPLAY :265

The display number is 265. Notice how Xephyr and OpenBox are running in independent Firejail sandboxes. Let’s start some more sandboxes:

Step 3. Start your applications

$ DISPLAY=:265 firejail --net=eth0 firefox -no-remote &
$ DISPLAY=:265 firejail --net=none inkscape &
Independent Inkscape and Firefox sandboxes running in a Xephyr X11 window

At this point I have 4 independent sandboxes, one for each program involved: Xephyr, OpenBox, Inkscape and Firefox.
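The three steps above can be scripted so that the display number is never typed by hand. This is an added example and not part of Firejail: it starts the sandboxed Xephyr with openbox, reads the display back from "firemon --x11" (parsing the "DISPLAY :N" line shown above), and launches each program on that display in its own sandbox, with the network namespace ("none" or an interface name such as eth0) given per program, since every client on this display must have one.

```shell
#!/bin/sh
# Added example, not part of Firejail: script the three Xephyr steps. Xephyr
# and openbox start in their own sandbox, the display number is read back
# from "firemon --x11", and each program is launched on that display in a
# separate sandbox with the network namespace named in its argument.

# Extract the ":N" display from firemon --x11 output on stdin; status 1 if none.
display_from_firemon() {
    awk '/^[[:space:]]*DISPLAY[[:space:]]+:[0-9]+/ { print $2; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# Poll firemon for up to $1 seconds until the Xephyr sandbox shows a display.
wait_for_display() {
    tries=${1:-10}
    while [ "$tries" -gt 0 ]; do
        d=$(firemon --x11 | display_from_firemon) && { printf '%s\n' "$d"; return 0; }
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Usage: run_in_xephyr "eth0:firefox -no-remote" "none:inkscape"
# Each argument is netns:command; the command part is word-split on purpose.
run_in_xephyr() {
    firejail --x11=xephyr --net=none openbox &
    disp=$(wait_for_display 15) || { echo "Xephyr display not found" >&2; return 1; }
    echo "Xephyr is on display $disp"
    for spec in "$@"; do
        net=${spec%%:*}
        cmd=${spec#*:}
        # a fresh network namespace per client blocks the main server's abstract socket
        DISPLAY=$disp firejail --net="$net" $cmd &
    done
}
```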

X11 sandboxing using Xephyr

 

6. Servers

As a rule, always use a new network namespace for server sandboxes in order to isolate services such as SSH, X11 and DBus running on your workstation. This is an Apache server example:

# firejail --net=eth0 --ip=192.168.1.244 /etc/init.d/apache2 start

The default server profile is /etc/firejail/server.profile. To further restrict your servers, here are some ideas:

# capabilities list for Apache server
caps.keep chown,sys_resource,net_bind_service,setuid,setgid

# capabilities list for nginx server
caps.keep chown,net_bind_service,setgid,setuid

# use a netfilter configuration
netfilter /etc/firejail/webserver.net

# instead of /var/www/html for webpages, use a different directory
bind /server/web1,/var/www/html

You can run thousands of webservers on a regular system, each one with its own IP address, webpages, and applications.

59 thoughts on “Firejail Usage”

  1. Robert

    Hi netblue30

    Do you have any pointers to getting firejail runing under (Debian 8) systemd?

    I currently have transmission-daemon running fine under systemd at system startup and I can successfully run firejail + transmission-daemon as a background task from the command line (subject to a few tweaks regarding location of config files) but I simply cannot get firejail + transmission-daemon to work together under systemd. If there is any documentation on the subject of firejail and systemd, please let me know.

    1. netblue30 Post author

      Start by locating the service file. I just installed transmission-daemon on a Debian 8 computer, the file seems to be /etc/systemd/system/multi-user.target.wants/transmission-daemon.service

      Open the file and on “ExecStart” line add firejail. You will also need to add a profile file, I think /etc/firejail/transmission-gtk.profile will work. So, your ExecStart line would look like this:

      ExecStart=firejail --profile=/etc/firejail/transmission-gtk.profile /usr/bin/transmission-daemon -f --log-error

  2. Robert

    Hi netblue31,

    It’s always difficult to know where to pitch a first post where things could become quite involved, so my default is always to ask for direction to the relevant documentation, if available. That way, the workload is on me, rather than you, and I can read it and try things out without resorting to a to-and-fro session of questions and answers.

    While I’ll freely admit that I’m still learning about systemd, I’ve already tried the (logical) option of prefixing the ExecStart line with /usr/bin/firejail. I even created a transmission-daemon.profile and tweaked the location of the config files, but transmission-daemon still fails without a clear reason as to why.

    Feb 19 11:13:57 megat firejail[18624]: #033]0;firejail /usr/bin/transmission-daemon -f #007Child process initialized
    Feb 19 11:13:57 megat firejail[18624]: Parent pid 18624, child pid 18625
    Feb 19 11:13:57 megat firejail[18624]: Parent is shutting down, bye…
    Feb 19 11:13:57 megat systemd[1]: transmission-daemon.service: Main process exited, code=exited, status=1/FAILURE

    Part of the problem is likely to be down to my transmission-daemon.profile needing some tweaking but I’m hitting a fundamental issue that seems to be systemd-related and is blocking my attempts at debugging.

    So, instead of running with a modified copy of the transmission-gtk.profile, I tried running with the --noprofile option, to keep things as simple as possible. The system log file then gets spammed with this message:

    Feb 19 11:28:39 megat systemd[1]: transmission-daemon.service: Got notification message from PID 18737, but reception only permitted for main PID 18734

    that gets repeated every second until some timeout mechanism intervenes.

    Those process ids are as follows:

    user@megat:~$ ps -ef|grep [t]ransmission
    root 18731 18547 0 11:27 pts/0 00:00:00 sudo systemctl start transmission-daemon
    root 18732 18731 0 11:27 pts/0 00:00:00 systemctl start transmission-daemon
    debian-+ 18734 1 0 11:27 ? 00:00:00 /usr/bin/firejail --noprofile /usr/bin/transmission-daemon -f
    debian-+ 18735 18734 0 11:27 ? 00:00:00 /usr/bin/firejail --noprofile /usr/bin/transmission-daemon -f
    debian-+ 18737 18735 0 11:27 ? 00:00:00 /usr/bin/transmission-daemon -f

    So the transmission-daemon [PID 18737] is trying to send some notification but systemd only permits notification from PID 18734. Thus the information never makes it to the system log. Unfortunately, adding the transmission options -e /tmp/translog -log-debug to the command line doesn’t write anything (or even create the file).

    Systemd seems to be a very different beast from the traditional init. As I said in my initial post, systemd + transmission-daemon works fine, as does firejail + transmission-daemon. Systemd + firejail + transmission-daemon is the problem combination. I have tried many different combinations but so far to no avail. It might simply be my lack of systemd knowledge but I’ve hit the stops for now.

  3. songo

    Thanks for this program, I like it
    one thing, when i use with firefox ( firejail firefox -no-remote) sometimes I see this

    1487853543335 addons.update-checker WARN Update manifest for firefox@getpocket.com did not contain an updates property
    1487853543350 addons.update-checker WARN Update manifest for webcompat@mozilla.org did not contain an updates property
    1487853543366 addons.update-checker WARN Update manifest for e10srollout@mozilla.org did not contain an updates property
    1487853543417 addons.update-checker WARN Update manifest for aushelper@mozilla.org did not contain an updates property
    1487853543596 addons.update-checker WARN Update manifest for {972ce4c6-7e08-4474-a285-3208198ce6fd} did not contain an updates property
    1487853543642 addons.update-checker WARN Update manifest for diagnostics@mozilla.org did not contain an updates property
    1487853543769 addons.update-checker WARN Update manifest for hsts-priming@mozilla.org did not contain an updates property
    1487853543803 addons.update-checker WARN Update manifest for disableSHA1rollout@mozilla.org did not contain an updates property

    What is this?
    Many Thanks

  4. Robert

    Hi netblue30,

    Any feedback yet on the problems I experienced combining firejail and transmission-daemon under systemd? I see you didn’t publish my follow-up note in which I detailed a partial answer to the issue.

    Robert

  5. Robert

    Well, it was received by your site and was “awaiting moderation”.

    Anyway, a partial solution to my problem was to include a further line in the transmission-daemon.service file:

    NotifyAccess=all

    This at least allows transmission-daemon to start without reporting any major problems.

    However, shutdown is another matter entirely. Often (but not always), transmission-daemon will segfault and, whether it segfaults or not, the shutdown hangs for at least 90 seconds until some timeout mechanism finally kills all running processes. It’s very ugly and things are clearly not working as they should.

    Robert

  6. Robert

    Oh well, it was certainly received by your site and was “awaiting moderation”.

    Anyway, a partial solution to my problem was to include a further line in the transmission-daemon.service file:

    NotifyAccess=all

    This at least allows transmission-daemon to start without reporting any major problems.

    However, shutdown is another matter entirely. Often (but not always), transmission-daemon will segfault and, whether it segfaults or not, the shutdown hangs for at least 90 seconds until some timeout mechanism finally kills all running processes. It’s very ugly and things are clearly not working as they should.

    Robert

  7. Robert

    Further to my last post, I restarted the machine this morning and transmission daemon took about 5 minutes to shut down under firejail. Here are the syslogd messages for shutdown and startup:

    Mar 26 08:28:10 dy2 rsyslogd: [origin software=”rsyslogd” swVersion=”8.4.2″ x-pid=”546″ x-info=”http://www.rsyslog.com”] exiting on signal 15.
    Mar 26 08:33:54 dy2 rsyslogd: [origin software=”rsyslogd” swVersion=”8.4.2″ x-pid=”555″ x-info=”http://www.rsyslog.com”] start

    That’s 5 minutes 44 seconds, with no other log messages in between. For almost all of this time, the console showed that it was waiting to shut down transmission daemon.

    Without firejail, it all works just fine.

    Robert

    1. netblue30 Post author

      This is very strange. Sandbox problems are usually seen when you start the sandbox, not when you shut it down. The problems are very visible, most of the time the program will not start or will not work at all.

      1. Robert

        It is the interaction between systemd and firejail that appears to be the problem area.

        First, if you recall, transmission-daemon would not start under firejail until I amended the systemd .service file to include NotifyAccess=all, so there were already startup issues apparent with the default installation that were overcome by tweaking a systemd-related file.

        Now we see that systemd simply can’t handle the shutdown in a graceful way if firejail is placed between systemd and transmission-daemon. It might be that a solution exists by again making some change to a systemd file somewhere but it is clear that systemd and firejail have some interaction issues and the transmission-daemon shutdown problem currently remains unsolved.

        I didn’t see this issue listed on git.


  8. Robert

    Already mentioned back on Feb 17: Debian 8 (Jessie). It’s a very vanilla installation running under KVM/QEMU, though I doubt if that’s relevant.

    uname -a
    Linux dl 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux

  9. recio

    Hi,
    Nice program.
    I’m trying to apply what the network setup section explains.
    As my net interface is wlan0, I use the following command:
    firejail --net=wlan0 firefox
    The output I obtain is the following:
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 7831, child pid 7832

    Interface   MAC                 IP             Mask            Status
    lo                              127.0.0.1      255.0.0.0       UP
    eth0-7831   5e:2d:0f:68:xx:xx   192.168.1.148  255.255.255.0   UP
    Default gateway 192.168.1.1

    Blacklist violations are logged to syslog
    Child process initialized in 232.56 ms

    When I try to navigate I don’t have internet connection. Can anyone let me know where is the problem?

    1. netblue30 Post author

      Unfortunately, wireless interfaces are not supported at this moment. We do plan to add them at some point; so far we have support only for regular ethernet and bridge interfaces.

  10. FJedjit

    I’m using PCLOS KDE5. Firejail came with several apps already firejailed and I totally loved that. Now I’d like to firejail seamonkey and trying to do so in the terminal brings:

    [xxx@localhost ~]$ firejail seamonkey
    Reading profile /etc/firejail/seamonkey.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 14600, child pid 14601
    Blacklist violations are logged to syslog
    Child process initialized in 26.07 ms
    /bin/bash: seamonkey: command not found

    Parent is shutting down, bye…
    [xxx@localhost ~]$

    I tried the configuration wizard (couldn’t figure out how). Everything in the sandbox seems to be in /usr/bin but seamonkey is in /usr/lib64/seamonkey/seamonkey %u

    I’ll stop now as I don’t know the devil what I’m saying. Hope someone can shed some light on how to get seamonkey in the sandbox. Thanks.

  11. Rosika

    Hi,

    I’ve created a portable version of the opera-browser (see https://gist.github.com/ruario/8416e36372f1a976a713 ).

    In order to open it I’ve got to type the command “opera-developer_27.0.1670.0_amd64/run &” in the respective directory.
    This works quite well. But when trying to run it within firejail using the command “firejail opera-developer_27.0.1670.0_amd64/run &” it won’t work.

    Using the “--noprofile” option however gives me fine results. So “firejail --noprofile opera-developer_27.0.1670.0_amd64/run &” works alright.

    Yet what I really want to do is run it with the “--private” option.
    So “firejail --private=[path to a specified working directory] opera-developer_27.0.1670.0_amd64/run &” would be nice.
    Yet I found out that this very command cannot work together with the “--noprofile” option.

    Is there a way to start my portable opera-browser within firejail using the --private option?

    Thanks a lot in advance.

    Rosika

    1. Rosika

      Hello again,

      It seems like there was some sort of misconception on my part.
      When using the “--private” option firejail seems to have no access to the folder from where I start the opera-browser.
      Thinking of it, this makes sense as “--private” represents the highest degree of security firejail can produce.

      So I did the following:

      I created a dedicated folder named “opera-browser” within my “work” directory (which I already use for firefox etc. together with the “--private” option).
      My new command is:
      firejail --noprofile --private=/home/rosika/Schreibtisch/work/opera_portable/ opera-developer_49.0.2695.0_amd64/run &

      This one works as desired. And it has the additional benefit of keeping my add-ons and settings. I’m glad I could solve this problem.

      Rosika

      1. netblue30 Post author

        You have opera-portable installed in your home directory, and --private will hide it from the sandbox. You would need to use --private= as you described, or just install opera-portable in /opt.

        I usually put outside programs under /opt so it doesn’t clash with --private or home directory whitelists.


      2. Rosika

        Hi,

        a happy New Year to you.

        I’ve got a question regarding setting chromium-browser as standard-browser.

        Up and until now my situation is the following:

        I start thunderbird within firejail and then I start firefox within firejail.
        Whenever I click on a link within an e-mail in thunderbird the link immediately opens in firefox (which is already running within firejail).

        What I want to do now is making chromium-browser my standard-browser.
        Therefore I changed the system-wide settings:

        xdg-mime default chromium-browser.desktop application/https

        I controlled everything by typing
        “xdg-mime query default x-scheme-handler/https”,
        ” xdg-mime query default x-scheme-handler/http” and
        “xdg-mime query default text/html”.
        In all cases “chromium-browser.desktop” is set. So it should work just fine.

        But when clicking on a link from an e-mail within “firejail thunderbird” virtually nothing happens. The link won’t open in “firejail chromium-browser”.
        Neither does it in a non-sandboxed chromium-browser.

        My question now is: why does it work with firefox but not with chromium-browser?
        And is there anything I can do about it?

        Thanks a lot in advance.

        Greetings.
        Rosika


  12. Rosika

    Hi,

    I want to ask a question regarding the “--private” option.

    If I understand it correctly, using the “--private” option without defining a work directory represents the highest degree of security.
    So the program which is started within firejail would see just empty /root and /home directories.

    One thing I don’t understand though: when trying to watch a clip which is located on a USB stick, that’s no problem.
    My command is: firejail --private vlc
    and the location of the mp4 file is: /media/rosika/28BC-DAFC/clips/film.mp4 .
    When trying to access that clip on the USB stick from within vlc, it works, but access to such a file located within /home/rosika/Videos is blocked (which is alright).
    Shouldn’t access to the file on the USB stick also be blocked? I’m a bit confused here.

    Thanks in advance.
    Rosika

    1. netblue30 Post author

      You can also block /mnt and /media. I’m not doing it by default because people tend to bring all kinds of video and music files on USB devices and play them. Or they can bring documents and work on them.

      To disable it use --disable-mnt (disables both /media and /mnt). On older firejail versions use --blacklist=/media.

  13. Rosika

    Hi again,

    thanks a lot for your reply.
    So now everything is clear. I was just wondering…
    The --disable-mnt option may come in handy from time to time.

    I’m very grateful for your practical programme and I use it on a daily basis. It offers an active plus in terms of safety.
    Thanks again and keep up your good work.

    Greetings.
    Rosika

  14. Rosika

    Hi,

    a happy New Year to all of you.

    I’ve got a question regarding setting chromium-browser as standard-browser.

    Up and until now my situation is the following:

    I start thunderbird within firejail and then I start firefox within firejail.
    Whenever I click on a link within an e-mail in thunderbird the link immediately opens in firefox (which is already running within firejail).

    What I want to do now is making chromium-browser my standard-browser.
    Therefore I changed the system-wide settings:

    xdg-mime default chromium-browser.desktop application/https

    I controlled everything by typing

    xdg-mime query default x-scheme-handler/https
    xdg-mime query default x-scheme-handler/http
    xdg-mime query default text/html
    In all cases “chromium-browser.desktop” is set. So it should work just fine.

    But when clicking on a link from an e-mail within “firejail thunderbird” virtually nothing happens. The link won’t open in “firejail chromium-browser”.
    Neither does it in a non-sandboxed chromium-browser.

    My question now is: why does it work with firefox but not with chromium-browser?
    And is there anything I can do about it?

    Thanks a lot in advance.

    Greetings.
    Rosika

    1. netblue30 Post author

      Try this:

      There is a redirection at the end of /etc/firejail/thunderbird.profile to firefox profile:

      # Redirect
      include /etc/firejail/firefox.profile

      All you have to do is to add one for chromium-browser:

      # Redirect
      include /etc/firejail/chromium-browser.profile

      1. Rosika

        Hi,
        thank you for your answer.
        Yet I’m not quite sure what to do. I have no redirection entry in my profile.
        My thunderbird.profile looks like this:
        ———————————————————————————————————————-
        # Firejail profile for Mozilla Thunderbird (Icedove in Debian)
        noblacklist ${HOME}/.gnupg
        include /etc/firejail/disable-mgmt.inc
        include /etc/firejail/disable-secret.inc
        include /etc/firejail/disable-devel.inc

        # Users have thunderbird set to open a browser by clicking a link in an email
        # We are not allowed to blacklist browser-specific directories
        #include /etc/firejail/disable-common.inc thunderbird icedove
        blacklist ${HOME}/.adobe
        blacklist ${HOME}/.macromedia
        blacklist ${HOME}/.filezilla
        blacklist ${HOME}/.config/filezilla
        blacklist ${HOME}/.purple
        blacklist ${HOME}/.config/psi+
        blacklist ${HOME}/.remmina
        blacklist ${HOME}/.tconn

        caps.drop all
        seccomp
        protocol unix,inet,inet6
        netfilter
        tracelog
        noroot
        —————————————————————————————————————-

        So what should I do? Just enter “# Redirect
        include /etc/firejail/chromium-browser.profile”
        as you suggested? And if so, where exactly should I put it?

        Greetings.
        Rosika


  15. Rosika

    Hi netblue30.

    thank you for your response.

    Alas, it didn’t work as desired.

    I inserted

    # Redirect
    include /etc/firejail/chromium-browser.profile

    as you suggested at the end of thunderbird.profile. But when I now open thunderbird with “firejail thunderbird” a completely new profile is loaded, as if I had just installed thunderbird.
    That means no existing e-mail accounts are loaded. Neither are any add-ons. In other words: no access to my existing thunderbird-profile.

    All I wanted to achieve is setting chromium-browser as default so that links within an e-mail can be clicked on and opened in chromium-browser.

    Do you have any other suggestions as how to achieve this goal?

    Thank you so much.
    Rosika

    1. netblue30 Post author

      Hi, sorry for the late response. Wine is available in this moment, run “firejail wine” from the command line. I don’t think anybody tried winetricks yet. PlayOnLinux is already available in the development version on GitHub.

  16. Bruce

    I know that using the –join option allows you to open an interactive shell in an existing sandbox, is there any way to run a non-interactive command or script inside an existing sandbox? I would like to be able to run kdocker in my browser sandbox so that it will minimize to the system tray. I know this works interactively by using the –join option but would like to be able to do it via a script.

    Thanks.

    1. netblue30 Post author

      Yes, this is an example:

      firejail --join=PID ls -al

      You can specify any command, it will go inside the sandbox, execute the command and exit the sandbox.

      One thing to keep in mind is that some applications disable /bin/bash and various executables. Once you join such a sandbox your executable might not be available. In this case you will have to comment out (add a #) the “shell none” and “private-bin …” lines in the application profile in the /etc/firejail directory.

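As an added example (not code from the page or from the Firejail project), here is a POSIX shell script for the scripted --join Bruce asked about: it resolves the sandbox PID from the PID:USER:NAME:COMMAND lines that firejail --list prints and builds the --join invocation described above. The sample listing, user and sandbox names are constructed.

```shell
# Added example, not from the page or the Firejail project: find a running
# sandbox's PID from `firejail --list` output and build the `--join` command,
# so a script can run a helper such as kdocker inside the browser sandbox.
# `firejail --list` prints one sandbox per line as PID:USER:NAME:COMMAND;
# SAMPLE_LIST below is constructed for offline testing.
SAMPLE_LIST='4711:rosika::firejail firefox
4900:rosika:mail:firejail --name=mail thunderbird'

# sandbox_pid LISTING PATTERN
# Prints the PID of the first sandbox whose command field matches the
# extended-regex PATTERN; returns 1 (prints nothing) when none matches.
sandbox_pid() {
    printf '%s\n' "$1" | awk -F: -v pat="$2" '
        {
            # The command is field 4 onward; re-join it in case it had colons.
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd ":" $i
        }
        cmd ~ pat { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# join_cmd LISTING PATTERN CMD [ARG...]
# Prints the firejail invocation that runs CMD inside the matching sandbox,
# e.g. "firejail --join=4711 kdocker firefox". A profile that uses
# "shell none" or "private-bin" may hide the executable inside the sandbox.
join_cmd() {
    listing=$1
    pat=$2
    shift 2
    pid=$(sandbox_pid "$listing" "$pat") || return 1
    printf 'firejail --join=%s' "$pid"
    for arg; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# Real use (needs a running sandbox): run the command instead of printing it.
# pid=$(sandbox_pid "$(firejail --list)" firefox) && firejail --join="$pid" kdocker firefox
```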
  17. Josh

    “$ firejaile --apparmor warzon2100”

    “firejaile” The e at the end has to be a typo, right?

    “It is only a mater of time”
    matter, not mater 😉

  18. Josh

    There is no firejail-local or firejail-default present in the folders they should be in. Is this a bug or did I fuck up the installation somehow? 😦

    I added them manually and even to this day Firejail tells me “Error: invalid --apparmor command line option”

      1. Josh

        From the downloads on this site. Is there any pre-compiled version with Firejail support enabled available?


      2. netblue30 Post author

        The official Debian and Ubuntu packages have AppArmor support pre-compiled in by default. I am not sure about Mint, but it could be also in.


  19. Rosika Schreck

    Hi, I’ve got a question regarding “--net=none” vs. “--protocol=unix”.

    I’ve been using the command
    firejail --net=none evince /home/rosika/Dokumente/Zeitschriften_und_Bücher/Bücher_für_script-Referenz/Wrox_Shell_Scripting_Expert_Recipes_For_Linux_Bash_And_More.pdf 2>/dev/null

    in a script in order to open a pdf-file within the sandbox.

    I noticed that evince always opens with a very small window. Every time I use my script I have to make it larger manually.
    Yet I found out the following:

    When replacing “--net=none” with “--protocol=unix” in the above command (in my script) the evince window opens much larger.
    That’s the effect I wanted to achieve.

    My question is: are there any objections to using “--protocol=unix” instead of “--net=none”? What I want to achieve is starting evince with no internet connection.

    Many thanks in advance.

    Greetings.
    Rosika Schreck

    1. Rosika Schreck

      Hi again,

      in addition to my recent post I may add the following:

      When typing the command

      firejail --private=/home/rosika/Dokumente/Zeitschriften_und_Bücher/Bücher_für_script-Referenz evince Wrox_Shell_Scripting_Expert_Recipes_For_Linux_Bash_And_More.pdf

      the respective window opens in the small variant.
      Whereas the command

      firejail evince /home/rosika/Dokumente/Zeitschriften_und_Bücher/Bücher_für_script-Referenz/Wrox_Shell_Scripting_Expert_Recipes_For_Linux_Bash_And_More.pdf

      opens a much larger window (as desired).
      Resolving the cause of the different behaviour might help to solve my problem.

      Greetings.
      Rosika

    2. netblue30 Post author

      > Are there any objections to using “--protocol=unix” instead of “--net=none”?

      The two commands are slightly different, but the result will be the same. In both cases there will be no network access.

      Probably --net=none stops evince from accessing the configuration stored in your home directory – I guess it depends how the system is set up.

      1. Rosika Schreck

        Hi,
        thanks for the clarification.
        I guess from your answer I may deduce that using “--protocol=unix” will be okay.


  20. Rosika Schreck

    Hi,

    I’ve encountered a phenomenon which isn’t completely clear to me.

    My understanding has always been that whenever I start a program/process in firejail that process is sandboxed.
    Fine, that’s clear.
    I was also of the opinion that whenever that sandboxed process triggers another process, that one is by default sandboxed, too.

    This is the case e.g. when doing this:
    “firejail thunderbird” and then clicking on a link within a mail. So (in my case) firefox, which is my default browser, opens up and displays the website the link is referring to. Plus: firefox is sandboxed, too. I think this is what it should be like.

    But:
    whenever I start calibre with “firejail calibre”, that one is sandboxed. O.K. That’s fine too.

    Now for the tricky part: when trying to open a pdf file within the sandboxed calibre my default pdf reader (evince) fires up but isn’t sandboxed.

    “firejail --tree” doesn’t list it, nor does “firetools”.
    I can also shut down calibre, and evince (displaying the pdf file) remains open.

    Can you tell me anything about that phenomenon?

    Tnx a lot in advance.

    Rosika

    1. netblue30 Post author

      > When trying to open a pdf file within the sandboxed calibre my default pdf reader (evince) fires up but isn’t sandboxed.

      Probably they send a request over DBus and systemd or somebody else listening on DBus starts evince. We’ve seen this with many other programs, usually Gnome or KDE programs. This is desktop integration gone wrong; there isn’t too much you can do about it.

      Thunderbird, firefox, chromium, file managers and most other programs are starting the external program directly. They don’t depend on DBus in any way.

      1. Rosika Schreck

        Hi netblue30,

        thanks a lot for your reply and for the explanation of the background processes.

        > […] there isn’t too much you can do about it
        At least it’s good to know where I stand.
        Otherwise I would have kept wondering what’s going on…

        Tnx again and have a nice day.

        Rosika


  21. Rosika Schreck

    Hi,
    I’ve got a question concerning the --private option.

    I was of the opinion that “firejail --private chromium-browser” gives me utmost protection because I’m using the --private option.

    When trying to open a file within chromium with “CTRL+O” I have no access to the “real” home directory. That’s, I suppose, as it should be.
    But I can see under “/” everything else from “bin” to “var”…

    I managed to gain access to a file that resides in “/usr/local/bin”. In it there’s a script I wrote, and I even succeeded in downloading it from there.

    But isn’t the --private option supposed not to allow access to such paths?

    Please help me understand why that is and how it works.

    Greetings
    Rosika

    1. netblue30 Post author

      Currently --private deals only with the home directory. For most programs files under /bin, /usr/bin, /usr/local/bin are left as they are. The only thing we do is to make the directories read-only.

      1. Rosika Schreck

        Hi,
        thanks for the clarification.
        I understand it better now. Thanks also for this fine sandbox. I use it every day.
        Greetings.
        Rosika

