Building Custom Profiles


Firejail is a security system implemented using modern kernel technologies such as Linux namespaces and seccomp-bpf. On top of namespaces we place a thin software layer to control file access. By enforcing specific rules for each application, the access control layer proactively protects the system from external threats.

Security rules are stored in /etc/firejail directory in regular text files, one file for each application. We call these files security profiles. We recently passed the 1000 profile mark, covering various desktop programs people use every day. That’s about 10x more applications than SELinux and AppArmor combined!

This article is all about the access layer: how is built, how to create security profiles, how to test and how to customize them. I also describe jailcheck, a tool we introduced in version 0.9.66. The tool provides a high level view of the access system, warning the user in case of possible problems.


The Access Control Layer

C code, complicated at times, it already went trough several iterations. This is the code that provides security and privacy to our users. Contrary to popular opinion, seccomp plays a secondary role in the grand scheme of things.

For Firefox we start with a list of directories the browser needs to work correctly:

  • .mozilla, .pki, .config/pulse, .cache/mozilla, .local/share, Downloads

Next, the list of directories we definitely don’t want the browser to access:

  • .ssh, .gnupg

This list is much longer. It is spread over several files such as this one in our git repository. There are literally hundreds of entries, everything from desktop configuration, to X11, compilers, and system tools.

Lastly, we build a list with directories we don’t want to expose for privacy reasons:

  • Documents, Desktop, Pictures … and any other user directory

As we put all the lists together and load them in our file access engine, we end up with something like this:

User home directory in a sandboxed browser

The home directory is virtual. Downloads and the config files are brought in from the real file system, everything else is temporary and will be removed when the sandbox is closed.

We use this type of setup for networked applications, games, desktop tools such as calculators etc. For media players we bring in Music and Videos, for emails we bring in the email storage directory, and so on. Programs such as editors and console tools end up without the privacy list, and have access to most user directories (the security list is still included).

Firejail has no impact on the application speed, and it has a neglijable impact on user convenience. For example, the user won’t be able to download and upload files from random places in the file system, and web-based SSH tools won’t work in the browser. In our view, that’s a small price to pay for privacy and security.


Building Security Profiles

Security profiles are usually built starting from the template installed in /usr/share/doc/firejail/profile.template. Make a copy of the file and modify it. The details are in the template file, the sandbox commands are described in man firejail-profile.

You can also generate profiles automatically by running your application under firejail --build as described in the video above.


Testing Security Profiles

Here is a simple, practical method for testing file system access. It applies to any other mandatory access control system. Let’s start with this user question:

“I have the key I use to connect to GitHub in ~/.ssh directory, and another key I use to sign the release in ~/.gnupg. That’s my threat exposure. How do I test Firejail?”


Copy a PNG file in .ssh directory and try to open it in GIMP:

$ cp test.png ~/.ssh/.
$ firejail gimp ~/.ssh/test.png
Access test for .ssh directory

Copy the same file in .gnupg or any other directory you want to test. Do the same for other programs – for a media player use a test.mp4 file and so on.

Even better, go in File/Open menu in your application and soon you’ll get an idea what’s covered and what’s not. This is LibreOffice:

LibreOffice ~/.ssh test

For browsers, use the address bar to access your home directory:

Access denied!

Customizing Security Profiles

One funny complaint I got was “I want to put my pictures on Facebook and ~/Pictures is not there!”. Go in ~/.config/firejail directory and create a text file firefox.profile with the following content:

$ cat ~/.config/firejail/firefox.profile
whitelist ~/Pictures
include /etc/firejail/firefox.profile

Or you can just copy your pictures temporarily in ~/Downloads.

One popular customization is removing network access for media players such as VLC:

$ cat ~/.config/firejail/vlc.profile
net none
include /etc/firejail/vlc.profile

Another interesting one is shutting down the sound in Warzone2100:

$ cat ~/.config/firejail/warzone2100.profile
include /etc/firejail/warzone2100.profile

A More Complex Example

Audacity, the open source audio editor, has been in the news recently. The program was acquired by Muse Group, a multi-national company involved in data harvesting. Among other changes, starting with version 3.0.3 they introduced telemetry, a mechanism for phoning home with various pieces of data taken from user computers. Here is the problem:

Every telemetry program stores on hard disk an universally unique identifier (UUID). This is a huge random number used to track program install instances. This way they can differentiate users on a local network behind a network address translation (NAT) firewall.

Now, let’s say you start your computer, telemetry phones home, your IP address is recorded. Later, you start your VPN software and connect to Internet with a different IP. Telemetry phones home again, same UUID but a different IP – instant de-anonymization!

We’ve had "net none" in the default Audacity security profile distributed with Firejail software for a very long time. This disables network access. But since it’s the intention that counts, segregate Audacity in its own private home directory:

Create a new directory in your home, ~/myaudio, and a new profile in ~/.config/firejail:

$ cd ~
$ mkdir myaudio

$ cat ~/.config/firejail/audacity.profile
private ~/myaudio
net none
include /etc/firejail/audacity.profile

I added "net none" just in case you have an old version of Firejail. Move the files you want to edit in ~/myaudio, and start the program (firejail audacity):

Segregated home directory for Audacity


jailcheck is a small program we use to simplify the testing. The program will attach itself to all running sandboxes and try to access .ssh and .gnupg directories. You can add more directories on the command line, see man jailcheck.

$ sudo jailcheck
2014:netblue::firejail /usr/bin/gimp
   Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
   Warning: I can run programs in /home/netblue
   Networking: disabled

2055:netblue::firejail /usr/bin/ssh -X
   Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
   Warning: I can read ~/.ssh
   Networking: enabled

2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
   Virtual dirs: /tmp, /var/tmp, /dev,
   Networking: enabled

26090:netblue::/usr/bin/firejail /opt/firefox/firefox
   Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
   Networking: enabled

As I write this article I have Firefox, LibreOffice and GIMP open. I also have an SSH connection going out. As expected, .ssh directory is visible in SSH session. Nobody has access to .gnupg.

jailcheck also flags the presence of several system tools such as sudo, mount and strace, compilers such as gcc and clang, and networking tools such as dig, ncat, nmap and tcpdump, since these provide the perpetrators with a huge opportunity for mischief.

For each sandbox we list the most important virtual directories in use. These directories are build in temporary file systems by bringing in either real files and directories, or by copying files from the real file system. We deploy this type of mandatory access control in all sandboxes, with some differences here and there, depending on the application.

Another test is noexec test. In GIMP example above, the home directory allows GIMP to start programs stored locally. Usually these are application plugins the user installed himself, but they can also be aggressive malware programs inserted in the sandbox using a zero-day app exploit. If you don’t have external plugins installed, it is a good idea to make the home directory noexec:

$ cat ~/.config/firejail/gimp.profile
noexec ${HOME}
include /etc/firejail/gimp.profile


To give credit where credit is due, I’ve first seen people blocking access to .ssh and .gnupg in 2012 in a Firefox AppArmor profile in Ubuntu. In Debian 10 the block file is /etc/appamor.d/abstractions/private-files-strict. To test AppArmor or SELinux, copy a file in .ssh directory and try to open it in your application. Apparently, stealing SSH credentials is quite a sport in business environments. That’s all for now, have fun!


55 thoughts on “Building Custom Profiles

  1. Harri

    I’m trying to make a custom profile like this:
    include /etc/firejail/generic.profile
    whitelist ${HOME}/somefile
    read-only ${HOME}/somefile

    For some reason using a white-list seems to discard access to home directory (only “somefile” shown). Does using any white-listed file for example home directory whitelisted by default?
    For some reason “somefile” is also read-write instead of read-only. Is this a bug perhaps? Also some files blacklisted in generic.profile seem to be accessible and readable. (I’m using version firejail_0.9.36_1_amd64.deb on Mint 17.2)

    Liked by 1 person

    1. netblue30 Post author

      > For some reason using a white-list seems to discard access to home directory (only “somefile” shown).

      Yes, this is true. Whitelisting allows only the files and directories you specify in the list, everything else is removed.

      > For some reason “somefile” is also read-write instead of read-only.

      It seems to work:

      $ cd ~
      $ touch t
      $  firejail --whitelist=~/t --read-only=~/t
      Reading profile /etc/firejail/generic.profile
      Reading profile /etc/firejail/
      Reading profile /etc/firejail/
      Reading profile /etc/firejail/
      ** Note: you can use --noprofile to disable generic.profile **
      Parent pid 1563, child pid 1564
      Child process initialized
      $ echo "asdfasdfadsf" > t
      bash: t: Read-only file system

      Also blacklisting seems to work, give me an example. Thanks!


  2. Ronald McDonald


    I want to use firejail with soulseek, which is a music sharing program (the linux client is nicotine).

    While protecting my system using firejail, I also have to make 1000s (literally thousands) or directories available read only. These thousands of directories all descend from one of five base directories, and ultimately from one single directory. above that.

    The problem is that – as far as can see – firejail does not give recursive permissions to sub-directories. I will have to (make a script to) write thousands of
    whitelist some/dir/name/dir1/
    read-only some/dir/name/dir1/
    whitelist some/dir/name/dir2/
    read-only some/dir/name/dir2/

    Is there any way, like linking under my (firejail faked) home directory, to have firejail make thousands of directories available read only?

    thanks for any help and thanks for a great application.



    1. netblue30 Post author

      You only need to whitelist the top directory. The top directory needs to be in your user home directory. If the top directory is a symbolic link, the real directory also needs to be in user home.


  3. Doud

    If I enter $firejail firefox then Firejail opens the distribution version, 44, of Firefox.
    I use a different version 38esr, of Firefox as my default. How do I get Firejail to open my default version?


  4. Richard

    Is there anywhere custom profiles can be checked? I think I have my ktorrent profile configured correctly but it would be nice to be certain


    1. netblue30 Post author

      Yes, in a terminal run a simple sandbox with your profile:

      $ firejail –profile=path_to_your_profile_file

      It will complain if it finds a problem with the profile file.


  5. fox12

    how do i know which files and directories to whitelist? im trying to generate a custom profile for liferea rss reader.


    1. netblue30 Post author

      I’ll try to bring in support for it in the next version. You need to find the directories where liferea is keeping its internal data in your home directory. They seem to be ~/.config/liferea and ~/.local/share/liferea/


  6. Alex Turbov

    Is there a way to make some directory RO, but one child of it as RW w/o root privileges?
    I’m trying to sandbox my unit tests and disabling any write the sources tree, but have a build tree (which is a child) enabled… i.e. smth like:

    read-only /work/my-sources
    read-write /work/my-sources/build/debug

    unit tests are executed as a separate `builder` user (and it is not supposed to be the `root` user!)


    1. netblue30 Post author

      Yes, this is supported in upcoming version 0.9.42:

      $ man firejail
                    Set  directory  or  file  read-write.  Only files or directories
                    belonging to the current user are allowed  for  this  operation.
                    $ mkdir ~/test
                    $ touch ~/test/a
                    $ firejail --read-only=~/test --read-write=~/test/a

      There is a 0.9.42~rc1 version on the download page, or you can grab the latest on mainline from github.


  7. Roger

    Can –whitelist and –noexec be combined?
    I want whitelisted folders to block execution of scripts.
    A jailed app should be able to read/write only from a whitelisted folder and no other folders but not be able to execute.


  8. Roger

    Thanks for the answers. I tried to keep them short and simple.
    I have an app from here that is for recording audio (dictation mostly):

    I am trying to block internet access and confine to a folder.
    Seems like something common someone would want to do to an new app that handles sensitive information.

    If I run with just firejail it is fine:
    $ firejail audio-recorder –show-window=0
    Reading profile /home/dad/.config/firejail/audio-recorder.profile
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Parent pid 29206, child pid 29211
    Child process initialized

    Parent is shutting down, bye…
    (the gui launches)

    If I add the whitelist option I get this:
    $ firejail –whitelist=~/Audio audio-recorder –show-window=0
    Reading profile /home/dad/.config/firejail/audio-recorder.profile
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Parent pid 29313, child pid 29314
    Child process initialized
    libdc1394 error: Failed to initialize libdc1394
    (gst-plugin-scanner:5): GLib-GObject-WARNING **: cannot register existing type ‘ClutterGstVideoSink’
    (gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion ‘G_TYPE_IS_INSTANTIATABLE (instance_type)’ failed
    (gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion ‘G_TYPE_IS_INSTANTIATABLE (instance_type)’ failed
    (gst-plugin-scanner:5): GLib-CRITICAL **: g_once_init_leave: assertion ‘result != 0’ failed
    (gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_object_new: assertion ‘G_TYPE_IS_OBJECT (object_type)’ failed
    ERROR: Caught a segmentation fault while loading plugin file:
    Please either:
    – remove it and restart.
    – run with –gst-disable-segtrap –gst-disable-registry-fork and debug.
    (audio-recorder:2): GStreamer-CRITICAL **: Trying to stop a GstDeviceProvider v4l2deviceprovider0 which is already stopped
    (audio-recorder:2): GStreamer-CRITICAL **: Trying to stop a GstDeviceProvider pulsedeviceprovider0 which is already stopped
    Parent is shutting down, bye…

    (the gui launches and is missing quite a few options)


    1. netblue30 Post author

      Use –net=none on command line or “net none” in your profile file. It will block any network access.

      libdc1394 error – in your profile file use “protocol unix,inet,inet6,netlink”. You need “netlink” protocol, the program probably tries to access a video camera.


  9. Roger

    I have been experimenting with –net=none.
    It seems to block all networking.
    As an experiment I disabled my Internet access and ran VLC using firejail. No issues.
    I turned the internet back on and ran:
    >firejail –net=none vlc
    Got all kinds of errors.

    Can I block the Internet only or do I have to block all networking?
    With all of the damn spying going on nowadays apps will “phone home” like E.T.
    This must absolutely come to a stop.
    I am hopeful firejail can help me get this done.
    I am also concerned that apps may be accessig my home folder files.
    firejail handles this quite well and for that I am very grateful.

    I really cannot turn off my internet every single time an app runs.
    Windows XP had an app firewall.
    I have been looking into various app firewalls for linux such as Leopard Flower Firewall and Douane
    I am still hopeful that firejail is the one stop solution I have been looking for.

    Liked by 1 person

    1. netblue30 Post author

      > firejail –net=none vlc – Got all kinds of errors.

      –net command also disables Unix sockets, some of the program functionality will be lost. – for example DBus functionality. Some applications don’t like it and will not manage to start.

      Another way to disable internet access is to use –private command. For your VLC example, you open /etc/firejail/vlc.profile file in a text editor and replace the line “protocol unix,inet,inet6” with “protocol unix”.

      Liked by 1 person

  10. uli

    There was no default tor profile so I wrote this file ~/.config/firejail/torbrowser-launcher.profile
    # Firejail profile for Tor Browser Bundle
    include /etc/firejail/
    include /etc/firejail/
    include /etc/firejail/
    include /etc/firejail/
    caps.drop all
    shell none
    protocol unix,inet,inet6,netlink
    When I try to start up with the command firejail torbrowser-launcher the newest tor browser is loaded down and installed, then I get the following error message:
    Running /home/uli/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
    Unhandled Error
    Traceback (most recent call last):
    File “/usr/lib64/python2.7/site-packages/twisted/web/”, line 916, in dispatcher
    return func(*args, **kwargs)
    File “/usr/lib64/python2.7/site-packages/twisted/web/”, line 1472, in _finishResponse_WAITING
    File “/usr/lib64/python2.7/site-packages/twisted/web/”, line 1525, in _giveUp
    File “/usr/lib64/python2.7/site-packages/twisted/web/”, line 1513, in _disconnectParser
    — —
    File “/usr/lib64/python2.7/site-packages/twisted/web/”, line 537, in connectionLost
    File “/usr/lib64/python2.7/site-packages/twisted/web/”, line 916, in dispatcher
    return func(*args, **kwargs)
    File “/usr/lib64/python2.7/site-packages/twisted/web/”, line 1161, in _bodyDataFinished_CONNECTED
    File “/usr/lib/python2.7/site-packages/torbrowser_launcher/”, line 329, in connectionLost
    File “/usr/lib/python2.7/site-packages/torbrowser_launcher/”, line 346, in response_finished
    File “/usr/lib/python2.7/site-packages/torbrowser_launcher/”, line 282, in run_task
    File “/usr/lib/python2.7/site-packages/torbrowser_launcher/”, line 491, in verify
    File “/usr/lib/python2.7/site-packages/torbrowser_launcher/”, line 286, in run_task
    File “/usr/lib/python2.7/site-packages/torbrowser_launcher/”, line 531, in extract
    File “/usr/lib/python2.7/site-packages/torbrowser_launcher/”, line 290, in run_task
    File “/usr/lib/python2.7/site-packages/torbrowser_launcher/”, line 583, in run[self.common.paths[‘tbb’][‘start’]], cwd=self.common.paths[‘tbb’][‘dir_tbb’])
    File “/usr/lib64/python2.7/”, line 523, in call
    return Popen(*popenargs, **kwargs).wait()
    File “/usr/lib64/python2.7/”, line 711, in __init__
    errread, errwrite)
    File “/usr/lib64/python2.7/”, line 1343, in _execute_child
    raise child_exception
    exceptions.OSError: [Errno 13] Permission denied
    Any idea what went wrong?


    1. netblue30 Post author

      My guess will be “private” command in your profile. This cleans up you home directory, and it will remove /home/uli/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop from the sandbox.


  11. adsfasdfasdfasdf

    How to configure to use the custom profiles by default. For the default profiles I can just use firecfg. How about the custom ones?


    1. netblue30 Post author

      If you have a profile file, you put it in /home/username/.config/firejail directory. Then, you can create symbolic links by hand in /usr/local/bin directory (ln -s /usr/local/bin/program-name /usr/bin/firejail)


  12. Mr.Fox

    Is there a way i can start my local applications in firejail as different users 🙂 its like make the application started in firejail think its running on different user. While still it should have access to my local content.


  13. Chong

    when using firejail –private firefox
    i have noticed that after closing the session and starting a new session that my history is saved off? I was expecting that using the private option would have started a clean session the second time around.


  14. Karl

    Can somebody help me defining a profile which allows network for the LAN only? I would like to start some apps with eth0 (the default NIC) having full access to 192.168.0.* except for the gateway to the Internet which is
    How do I define this?


  15. Antonio Tovar

    I’d like to run the program update-manager with other IP address, but with full write access to the root file system. Is it possible?
    My firewall don’t allow almost any program to go out to internet (only to dns servers, ntp servers and some IP:ssh).
    To allow update-manager to work I have to disable the firewall or I have to add lots of rules.
    If I could run update-manager with its own IP, I would permit this IP to go out anyware.
    I do this with dropbox and with firefox, which run each in its own sandbox with its own IP.
    I have tried with –no-profile, but /bin, /sbin and the others are mounted read-only in the sandbox.



      1. Antonio Tovar

        Thanks for your answer, but I tried it and I got a lot of error messages saying that the file systems were in read-only mode.
        The root file system is in rw, but the output of the mount command (inside the sandbox) shows also:
        /dev/sdb1 on /bin type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/bin)
        /dev/sdb1 on /sbin type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/sbin)
        /dev/sdb1 on /lib type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/lib)
        /dev/sdb1 on /lib64 type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/lib64)
        /dev/sdb1 on /usr type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/usr)
        As you can see, the directories needed to do an update or upgrade are in ro mode.
        I created the sanpshot with:
        $ sudo firejail –name=sudo –noprofile –net=enp3s0 –dns=
        I am in Ubuntu 17.04 with firejail
        Any idea?
        Thanks again and happy new year.


  16. Antonio Tovar

    Even with –noprofile option some directories like /bin, /lib, /usr/bin are mounted in read-only mode, so I can’t install anything.


  17. Rosika Schreck

    I have a question concerning the use of profiles.

    I want to run VMwarePlayer (terminal-command is “vmplayer”) within firejail. But when typing “firejail vmplayer” I run into problems.
    The “VWware Kernel Module Updater” presents itself and if I click on “intsall” the following message appears (in German):
    ‘/usr/bin/vmware-modconfig’ –icon=’vmware-player’ –appname=’VMware’ konnte nicht als Anwender root ausgeführt werden:

    Failed to exec new process: Keine Berechtigung

    The thing is: vmplayer doesn´t use the profile which already exists.

    As there is no vmplayer.profile ( see ) I tried the following:
    “firejail –noprofile vmplayer”. This one worked. I could use my virtual machine (which by the way is bodhi linux).

    My questions is:
    What is the security status of my application with the –noprofile-option? Does it provide sufficient security?
    Or is there another/a better way of running vmplayer within firejail?

    Thanks a lot in advance.


    system: Lubuntu 16.04.3 LTS, 64 bit


    1. netblue30 Post author

      Actually this is a bug, thanks! In a text editor open (as root user) /etc/firejail/ping.profile and comment out (add a #) private-etc line, something like this:

      # pivate-etc resolv.conf


  18. Pingback: Sécuriser Firefox sous Linux avec la sandbox Firejail – W3btr0tt3ur

  19. geekabit

    Would it be possible to have an –exec option, just like –no-exec? Ideally both –exec and –no-exec can be combined, for instance:

    firejail –no-exec=${HOME} –exec=${HOME}/bin/

    Just like you can already do with –read-only and –read-write:

    firejail –read-only=${HOME} –read-write=${HOME}/test/

    Or am I the only person that would see the use for this?


  20. Pingback: Securely Run Untrusted Applications in Linux | Tech News One


    I install and run games from using Firejail, I usually start with default.profile, in isolated / home, for example

    $ firejail –net=none –private=/home/tom/.sandbox ‘/home/tom/GOG Games/The Coma Recut/’

    I want to launch the game not through the command line, but through a button in the application menu, in order for the sandbox to work with the game I need automatically. But I have difficulty with this implementation.
    I thought that the right way is to create Whitelisted Profiles for a particular game, then edit file.desktop, specifying the necessary launch command in the Exec = line, for example:
    firejail The Coma Recut
    But this will not work, because in file.desktop, in Exec, instead of the name of the application, the full path to the script is specified. Thus, Firejail does not understand exactly which name of the game, despite the fact that the file desktop is filled correctly (probably).

    I can’t write firejail –net=none –private=/home/tom/.sandbox ‘/home/tom/GOG Games/The Coma Recut/’

    to the desktop file in the Exec = line because this the line is forbidden to use commands with the symbol “=”. similarly with the firejail –profile=filename ‘/home/tom/GOG Games/The Coma Recut/’

    I am at a dead end, and I don’t know how to be, I need help, or at least a hint. You can ask me for the distribution of the game from GOG.сom for tests.



      Sorry, was wrong. The command firejail –net=none –profile=name_profile “/home/tom/GOG Games/The Coma Recut/” works great, including from the desktop file. Request moderator to remove my previous stupid message. And this message too.


  22. Tome

    I need to write in profile Firejail, the path to the directory which contains spaces, how can I do this correctly?


  23. Pingback: Firejail, un sandbox para Linux para ejecutar programas de forma segura

  24. Pingback: Выпуск системы изоляции приложений Firejail 0.9.62 |

  25. Pingback: Linux Security Hardening and Other Tweaks - ZoStore

  26. Pingback: Firejail - безопасный запуск потенциально уязвимых приложений

  27. Pingback: Linux Security Hardening and Other Tweaks | صحافة حرة FREE PRESS

  28. Pingback: Firejail – Securely Run Untrusted Applications in Linux – Tech Blog

  29. Trejkaz

    I have to say as a brand new user coming to this thing, the most confusing thing is that _anything_ is permitted by a default, empty profile, whereas general security wisdom is to permit nothing until it is granted.

    So I had naturally assumed that making an empty profile and running that against my build script, that my build script _should_ initially fail, telling me what file it had tried writing to, which would allow me to writelist the writable locations one by one. But what _actually_ happens is that the build works, all the tests pass, and I’m left here scratching my head, wondering whether the sandbox is even working. (The only evidence is one message I get if I Ctrl-C, where the sandbox declares that it’s shutting down.)


    1. netblue30 Post author

      > whereas general security wisdom is to permit nothing until it is granted

      That’s not exactly true. Take for example, iptables/netfilter: it is up an running when you start your box, and it allows by default all the network traffic. Same deal with SELinux and Apparmor. Although the security software is fully running, if you don’t configure it nothing is restricted.

      If you force firejail with no profile, only a handful of files and directories are restricted by default. In a terminal run “firejail –noprofile –debug”, it will give you a list with all the default actions. Add “–debug” when your start your sandboxes to get an idea what is restricted, and then you add more files to is using “–blacklist”.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s