Introduction
There are two distinct types of profiles: blacklisted and whitelisted. In blacklisted profiles the user “blacklists” the files the application is not allowed to access. In whitelisted profiles the user “whitelists” the files necessary for the application to run, while everything else is off limits.
Both cases are presented below. For more information, you can also read our profile development document on GitHub.
Blacklisted Profiles
Several Firejail command line configuration options can be passed to the program using profile files. User-defined profiles are stored in the ~/.config/firejail directory. Assuming app_name is the name of the command you use to start the application, the steps for building a custom profile are as follows:
1. Create a .config/firejail directory in your home directory:
$ mkdir -p .config/firejail
$ cd .config/firejail
2. Copy into this directory the default security profile that Firejail uses to run unrecognized applications:
The new profile file – app_name.profile – needs to have the same name as the application, with only a .profile extension added. For example, if you intend to run mplayer, your file name will be mplayer.profile.
3. Edit and modify the new profile file, comment out lines, blacklist directories, whitelist files, etc. Use “man 5 firejail-profile” for a description and the correct syntax of all commands.
4. Start your application:
As you start the application, you’ll see Firejail picking up the new security profile file (Reading profile /home/username/.config/firejail/app_name.profile.):
Reading profile /home/username/.config/firejail/app_name.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Whitelisted Profiles
1. Create a simple bash sandbox using --private. The sandbox has an empty home directory, with only a skeleton of the files needed to run GUI applications. The directory is built in a temporary (tmpfs) filesystem. When the sandbox is closed, all files in this directory are destroyed, and the regular home directory is restored.
[Screenshot: start a private sandbox and list the default files in the home directory]
2. Start the program in this bash session. I use the Simutrans game as an example (sudo apt-get install simutrans). Play around for a while, then close the game and list all the files in the home directory using the find utility.
[Screenshot: run the program, and list the files in the home directory again]
Notice that the game creates a ~/.simutrans directory where it keeps program configuration and game data. This is the only directory that needs to be whitelisted. At this point we have all the information we need, so we can type exit and close the sandbox.
3. Create the new profile in ~/.config/firejail directory using your favorite text editor. The file name is always appname.profile, in this case simutrans.profile. The content of the file is as follows:
noblacklist ~/.simutrans
mkdir ~/.simutrans
whitelist ~/.simutrans
include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile
I use mkdir to create the new ~/.simutrans directory in the real user home in case it doesn’t exist, and then whitelist it. I also bring in session configuration such as fonts, desktop themes, GTK, Qt etc. by including /etc/firejail/whitelist-common.inc. Finally, I include the default blacklisting configuration from /etc/firejail/default.profile in order to import the security filters such as seccomp and capabilities.
4. Test the new profile:
[Screenshot: test the new profile]
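To turn the two find listings from steps 1 and 2 into the profile of step 3, and to sanity-check a profile written by hand, here is an added Python example; it is not Firejail's own tooling, and the before/after listings it uses are constructed. generate_profile() emits the noblacklist/mkdir/whitelist triple per directory plus the two includes, and check_profile() flags a home whitelist without its noblacklist, a missing include, and a profile that combines private with home whitelists (the mismatch the torbrowser-launcher question in the comments runs into).

```python
"""Build and sanity-check a Firejail whitelist profile in the layout the article
uses. Added example, not Firejail's own code; each rule only encodes what the
page states about noblacklist/mkdir/whitelist, the includes and `private`."""
WHITELIST_COMMON = "/etc/firejail/whitelist-common.inc"
DEFAULT_PROFILE = "/etc/firejail/default.profile"

# Constructed sample `find ~` listings, standing in for the two screenshots.
HOME = "/home/user"
BEFORE = [HOME, HOME + "/.Xauthority"]
AFTER = BEFORE + [HOME + "/.simutrans", HOME + "/.simutrans/save",
                  HOME + "/.simutrans/save/game1.sve", HOME + "/.simutrans/simutrans.cfg"]

def home_relative(path, home):
    """Rewrite a path inside `home` as ~/...; other paths are unchanged."""
    if path == home or path.startswith(home + "/"):
        return "~" + path[len(home):]
    return path

def dirs_to_whitelist(before, after, home):
    """Diff the listings taken before and after running the program in the
    --private sandbox and reduce the new entries to top-level names under ~.
    whitelist applies recursively, so ~/.simutrans covers ~/.simutrans/save."""
    tops = set()
    for p in set(after) - set(before):
        rel = home_relative(p.rstrip("/"), home)
        if rel.startswith("~/"):
            tops.add("~/" + rel[2:].split("/", 1)[0])
    return sorted(tops)

def generate_profile(before, after, home):
    """One noblacklist/mkdir/whitelist triple per directory, then the two
    includes the article adds for session config and the security filters."""
    lines = []
    for d in dirs_to_whitelist(before, after, home):
        lines += ["noblacklist " + d, "mkdir " + d, "whitelist " + d]
    lines += ["include " + WHITELIST_COMMON, "include " + DEFAULT_PROFILE]
    return "\n".join(lines) + "\n"

def check_profile(text):
    """Return warnings for a whitelist-style profile; an empty list is OK."""
    whitelisted, noblacklisted, includes, keywords = set(), set(), set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keywords.add(parts[0])
        arg = parts[1] if len(parts) > 1 else ""
        if parts[0] == "whitelist":
            whitelisted.add(arg)
        elif parts[0] == "noblacklist":
            noblacklisted.add(arg)
        elif parts[0] == "include":
            includes.add(arg)
    in_home = {d for d in whitelisted if d.startswith(("~/", "${HOME}/"))}
    warnings = ["%s: whitelisted without a matching noblacklist" % d
                for d in sorted(in_home - noblacklisted)]
    if in_home and "private" in keywords:
        warnings.append("private replaces the home directory with an empty "
                        "tmpfs, so the whitelisted home paths are removed")
    if in_home and WHITELIST_COMMON not in includes:
        warnings.append("no include of " + WHITELIST_COMMON + ": session "
                        "config (fonts, themes, GTK, Qt) will be missing")
    if DEFAULT_PROFILE not in includes and not {"seccomp", "caps.drop"} & keywords:
        warnings.append("no include of " + DEFAULT_PROFILE + " and no seccomp/"
                        "caps.drop: security filters are not applied")
    return warnings
```

Running generate_profile(BEFORE, AFTER, HOME) reproduces the five-line simutrans.profile from step 3, and check_profile() on that text returns no warnings.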
I’m trying to make a custom profile like this:
include /etc/firejail/generic.profile
whitelist ${HOME}/somefile
read-only ${HOME}/somefile
For some reason using a white-list seems to discard access to home directory (only “somefile” shown). Does using any white-listed file for example home directory whitelisted by default?
For some reason “somefile” is also read-write instead of read-only. Is this a bug perhaps? Also some files blacklisted in generic.profile seem to be accessible and readable. (I’m using version firejail_0.9.36_1_amd64.deb on Mint 17.2)
> For some reason using a white-list seems to discard access to home directory (only “somefile” shown).
Yes, this is true. Whitelisting allows only the files and directories you specify in the list, everything else is removed.
> For some reason “somefile” is also read-write instead of read-only.
It seems to work:
Also blacklisting seems to work, give me an example. Thanks!
Hi,
I want to use firejail with soulseek, which is a music sharing program (the linux client is nicotine).
While protecting my system using firejail, I also have to make 1000s (literally thousands) of directories available read only. These thousands of directories all descend from one of five base directories, and ultimately from one single directory above that.
The problem is that – as far as I can see – firejail does not give recursive permissions to sub-directories. I will have to (make a script to) write thousands of
:
whitelist some/dir/name/dir1/
read-only some/dir/name/dir1/
whitelist some/dir/name/dir2/
read-only some/dir/name/dir2/
:
:
pairings.
Is there any way, like linking under my (firejail faked) home directory, to have firejail make thousands of directories available read only?
thanks for any help and thanks for a great application.
R
You only need to whitelist the top directory. The top directory needs to be in your user home directory. If the top directory is a symbolic link, the real directory also needs to be in user home.
If I enter $firejail firefox then Firejail opens the distribution version, 44, of Firefox.
I use a different version 38esr, of Firefox as my default. How do I get Firejail to open my default version?
Is there anywhere custom profiles can be checked? I think I have my ktorrent profile configured correctly but it would be nice to be certain
Yes, in a terminal run a simple sandbox with your profile:
$ firejail --profile=path_to_your_profile_file
It will complain if it finds a problem with the profile file.
How do I know which files and directories to whitelist? I’m trying to generate a custom profile for the liferea RSS reader.
I’ll try to bring in support for it in the next version. You need to find the directories where liferea is keeping its internal data in your home directory. They seem to be ~/.config/liferea and ~/.local/share/liferea/
Is there a way to make some directory RO, but one child of it as RW w/o root privileges?
I’m trying to sandbox my unit tests and disabling any write the sources tree, but have a build tree (which is a child) enabled… i.e. smth like:
--[unit-tests.profile]---
read-only /work/my-sources
read-write /work/my-sources/build/debug
------
unit tests are executed as a separate `builder` user (and it is not supposed to be the `root` user!)
Yes, this is supported in upcoming version 0.9.42:
There is a 0.9.42~rc1 version on the download page, or you can grab the latest on mainline from github.
Can --whitelist and --noexec be combined?
I want whitelisted folders to block execution of scripts.
A jailed app should be able to read/write only from a whitelisted folder and no other folders but not be able to execute.
Yes, it should work:
$ firejail --whitelist=~/mydir --noexec=~/mydir program-name
Does the whitelist option on the command line override the default.profile or do I need the --no-profile option also?
No, it does not overwrite it. It is equivalent with adding a whitelist entry in the profile.
Thanks for the answers. I tried to keep them short and simple.
I have an app from here that is for recording audio (dictation mostly):
https://launchpad.net/~audio-recorder/+archive/ubuntu/ppa
I am trying to block internet access and confine to a folder.
Seems like something common someone would want to do to a new app that handles sensitive information.
If I run with just firejail it is fine:
$ firejail audio-recorder --show-window=0
Reading profile /home/dad/.config/firejail/audio-recorder.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 29206, child pid 29211
Child process initialized
Parent is shutting down, bye…
(the gui launches)
If I add the whitelist option I get this:
$ firejail --whitelist=~/Audio audio-recorder --show-window=0
Reading profile /home/dad/.config/firejail/audio-recorder.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 29313, child pid 29314
Child process initialized
libdc1394 error: Failed to initialize libdc1394
(gst-plugin-scanner:5): GLib-GObject-WARNING **: cannot register existing type 'ClutterGstVideoSink'
(gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion 'G_TYPE_IS_INSTANTIATABLE (instance_type)' failed
(gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion 'G_TYPE_IS_INSTANTIATABLE (instance_type)' failed
(gst-plugin-scanner:5): GLib-CRITICAL **: g_once_init_leave: assertion 'result != 0' failed
(gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_object_new: assertion 'G_TYPE_IS_OBJECT (object_type)' failed
ERROR: Caught a segmentation fault while loading plugin file:
/usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstclutter-3.0.so
Please either:
- remove it and restart.
- run with --gst-disable-segtrap --gst-disable-registry-fork and debug.
(audio-recorder:2): GStreamer-CRITICAL **: Trying to stop a GstDeviceProvider v4l2deviceprovider0 which is already stopped
(audio-recorder:2): GStreamer-CRITICAL **: Trying to stop a GstDeviceProvider pulsedeviceprovider0 which is already stopped
Parent is shutting down, bye…
(the gui launches and is missing quite a few options)
Use --net=none on the command line or “net none” in your profile file. It will block any network access.
libdc1394 error – in your profile file use “protocol unix,inet,inet6,netlink”. You need the “netlink” protocol; the program probably tries to access a video camera.
I have been experimenting with --net=none.
It seems to block all networking.
As an experiment I disabled my Internet access and ran VLC using firejail. No issues.
I turned the internet back on and ran:
> firejail --net=none vlc
Got all kinds of errors.
Can I block the Internet only or do I have to block all networking?
With all of the damn spying going on nowadays apps will “phone home” like E.T.
This must absolutely come to a stop.
I am hopeful firejail can help me get this done.
I am also concerned that apps may be accessig my home folder files.
firejail handles this quite well and for that I am very grateful.
I really cannot turn off my internet every single time an app runs.
Windows XP had an app firewall.
I have been looking into various app firewalls for linux such as Leopard Flower Firewall and Douane
I am still hopeful that firejail is the one stop solution I have been looking for.
> firejail --net=none vlc – Got all kinds of errors.
The --net command also disables Unix sockets, so some of the program functionality will be lost – for example DBus functionality. Some applications don’t like it and will not manage to start.
Another way to disable internet access is to use the --private command. For your VLC example, you open the /etc/firejail/vlc.profile file in a text editor and replace the line “protocol unix,inet,inet6” with “protocol unix”.
worked for me… thanks!!
There was no default tor profile so I wrote this file ~/.config/firejail/torbrowser-launcher.profile
# Firejail profile for Tor Browser Bundle
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
nonewprivs
nogroups
shell none
seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
private
private-tmp
When I try to start up with the command firejail torbrowser-launcher the newest tor browser is loaded down and installed, then I get the following error message:
Running /home/uli/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Unhandled Error
Traceback (most recent call last):
File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 916, in dispatcher
return func(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 1472, in _finishResponse_WAITING
self._giveUp(Failure(reason))
File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 1525, in _giveUp
self._disconnectParser(reason)
File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 1513, in _disconnectParser
parser.connectionLost(reason)
--- ---
File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 537, in connectionLost
self.response._bodyDataFinished()
File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 916, in dispatcher
return func(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 1161, in _bodyDataFinished_CONNECTED
self._bodyProtocol.connectionLost(reason)
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 329, in connectionLost
self.all_done(reason)
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 346, in response_finished
self.run_task()
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 282, in run_task
self.verify()
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 491, in verify
self.run_task()
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 286, in run_task
self.extract()
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 531, in extract
self.run_task()
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 290, in run_task
self.run()
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 583, in run
subprocess.call([self.common.paths['tbb']['start']], cwd=self.common.paths['tbb']['dir_tbb'])
File "/usr/lib64/python2.7/subprocess.py", line 523, in call
return Popen(*popenargs, **kwargs).wait()
File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
errread, errwrite)
File "/usr/lib64/python2.7/subprocess.py", line 1343, in _execute_child
raise child_exception
exceptions.OSError: [Errno 13] Permission denied
Any idea what went wrong?
My guess would be the “private” command in your profile. This cleans up your home directory, and it will remove /home/uli/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop from the sandbox.
How to configure to use the custom profiles by default. For the default profiles I can just use firecfg. How about the custom ones?
You place them in ~/.config/firejail directory.
If you have a profile file, you put it in /home/username/.config/firejail directory. Then, you can create symbolic links by hand in /usr/local/bin directory (ln -s /usr/local/bin/program-name /usr/bin/firejail)
thanks for the reply, much appreciated
Is there a way I can start my local applications in firejail as different users? 🙂 It’s like making the application started in firejail think it’s running as a different user, while it should still have access to my local content.
You would need to have sudo access to switch the user:
$ sudo -u username firejail …
Sorry, I’ve missed the local content:
$ sudo -u username firejail --allusers …
When using firejail --private firefox
I have noticed that after closing the session and starting a new session my history is saved. I was expecting that using the private option would have started a clean session the second time around.
You are probably running into this problem: https://firejail.wordpress.com/support/frequently-asked-questions/#firefox
Hi!
Can somebody help me defining a profile which allows network for the LAN only? I would like to start some apps with eth0 (the default NIC) having full access to 192.168.0.* except for the gateway to the Internet which is 192.168.0.1.
How do I define this?
Thanks!
replace the line “protocol unix,inet,inet6,netlink” with “protocol unix”
I’d like to run the program update-manager with other IP address, but with full write access to the root file system. Is it possible?
My firewall doesn’t allow almost any program to go out to the internet (only to DNS servers, NTP servers and some IP:ssh).
To allow update-manager to work I have to disable the firewall or I have to add lots of rules.
If I could run update-manager with its own IP, I would permit this IP to go out anywhere.
I do this with dropbox and with firefox, which run each in its own sandbox with its own IP.
I have tried with --no-profile, but /bin, /sbin and the others are mounted read-only in the sandbox.
Thanks.
One thing you can try is to start the sandbox with --noprofile (firejail --noprofile --net=… update-manager). It will give you a very relaxed sandbox.
Thanks for your answer, but I tried it and I got a lot of error messages saying that the file systems were in read-only mode.
The root file system is in rw, but the output of the mount command (inside the sandbox) shows also:
/dev/sdb1 on /bin type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/bin)
/dev/sdb1 on /sbin type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/sbin)
/dev/sdb1 on /lib type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/lib)
/dev/sdb1 on /lib64 type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/lib64)
/dev/sdb1 on /usr type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/usr)
As you can see, the directories needed to do an update or upgrade are in ro mode.
I created the snapshot with:
$ sudo firejail --name=sudo --noprofile --net=enp3s0 --dns=8.8.8.8
I am in Ubuntu 17.04 with firejail 0.9.44.8
Any idea?
Thanks again and happy new year.
Even with the --noprofile option some directories like /bin, /lib, /usr/bin are mounted in read-only mode, so I can’t install anything.
I have a question concerning the use of profiles.
I want to run VMwarePlayer (terminal-command is “vmplayer”) within firejail. But when typing “firejail vmplayer” I run into problems.
The “VMware Kernel Module Updater” presents itself and if I click on “install” the following message appears (in German):
-----
'/usr/bin/vmware-modconfig' --icon='vmware-player' --appname='VMware' konnte nicht als Anwender root ausgeführt werden:
Failed to exec new process: Keine Berechtigung
-----
The thing is: vmplayer doesn’t use the profile which already exists.
As there is no vmplayer.profile ( see https://github.com/netblue30/firejail/tree/master/etc ) I tried the following:
“firejail --noprofile vmplayer”. This one worked. I could use my virtual machine (which by the way is bodhi linux).
My question is:
What is the security status of my application with the --noprofile option? Does it provide sufficient security?
Or is there another/a better way of running vmplayer within firejail?
Thanks a lot in advance.
Greetings.
Rosika
P.S.:
system: Lubuntu 16.04.3 LTS, 64 bit
I try to make ping able to read /etc/hosts but not getting it
could you give me an example ? plz 🙂
Actually this is a bug, thanks! In a text editor open (as root user) /etc/firejail/ping.profile and comment out (add a #) the private-etc line, something like this:
# private-etc resolv.conf
Would it be possible to have an --exec option, just like --no-exec? Ideally both --exec and --no-exec can be combined, for instance:
firejail --no-exec=${HOME} --exec=${HOME}/bin/
Just like you can already do with --read-only and --read-write:
firejail --read-only=${HOME} --read-write=${HOME}/test/
Or am I the only person that would see the use for this?
I install and run games from GOG.com using Firejail, I usually start with default.profile, in isolated / home, for example
$ firejail --net=none --private=/home/tom/.sandbox '/home/tom/GOG Games/The Coma Recut/start.sh'
I want to launch the game not through the command line, but through a button in the application menu, in order for the sandbox to work with the game I need automatically. But I have difficulty with this implementation.
I thought that the right way is to create Whitelisted Profiles for a particular game, then edit file.desktop, specifying the necessary launch command in the Exec = line, for example:
firejail The Coma Recut
But this will not work, because in file.desktop, in Exec, instead of the name of the application, the full path to the start.sh script is specified. Thus, Firejail does not understand exactly which name of the game, despite the fact that the file desktop is filled correctly (probably).
I can’t write firejail --net=none --private=/home/tom/.sandbox '/home/tom/GOG Games/The Coma Recut/start.sh'
to the desktop file in the Exec= line because this line is forbidden to use commands with the symbol “=”. Similarly with firejail --profile=filename '/home/tom/GOG Games/The Coma Recut/start.sh'
I am at a dead end, and I don’t know what to do. I need help, or at least a hint. You can ask me for the distribution of the game from GOG.com for tests.
Sorry, I was wrong. The command firejail --net=none --profile=name_profile "/home/tom/GOG Games/The Coma Recut/start.sh" works great, including from the desktop file. I request the moderator to remove my previous stupid message. And this message too.
I need to write in profile Firejail, the path to the directory which contains spaces, how can I do this correctly?
Please help me with creation profile for popular ssh client Putty.