Introduction
Firejail is a security system implemented using modern kernel technologies such as Linux namespaces and seccomp-bpf. On top of namespaces we place a thin software layer to control file access. By enforcing specific rules for each application, the access control layer proactively protects the system from external threats.
Security rules are stored in /etc/firejail directory in regular text files, one file for each application. We call these files security profiles. We recently passed the 1000 profile mark, covering various desktop programs people use every day. That’s about 10x more applications than SELinux and AppArmor combined!
This article is all about the access layer: how is built, how to create security profiles, how to test and how to customize them. I also describe jailcheck, a tool we introduced in version 0.9.66. The tool provides a high level view of the access system, warning the user in case of possible problems.
The Access Control Layer
C code, complicated at times, it already went trough several iterations. This is the code that provides security and privacy to our users. Contrary to popular opinion, seccomp plays a secondary role in the grand scheme of things.
For Firefox we start with a list of directories the browser needs to work correctly:
.mozilla, .pki, .config/pulse, .cache/mozilla, .local/share, Downloads
Next, the list of directories we definitely don’t want the browser to access:
.ssh, .gnupg…
This list is much longer. It is spread over several files such as this one in our git repository. There are literally hundreds of entries, everything from desktop configuration, to X11, compilers, and system tools.
Lastly, we build a list with directories we don’t want to expose for privacy reasons:
Documents, Desktop, Pictures… and any other user directory
As we put all the lists together and load them in our file access engine, we end up with something like this:
The home directory is virtual. Downloads and the config files are brought in from the real file system, everything else is temporary and will be removed when the sandbox is closed.
We use this type of setup for networked applications, games, desktop tools such as calculators etc. For media players we bring in Music and Videos, for emails we bring in the email storage directory, and so on. Programs such as editors and console tools end up without the privacy list, and have access to most user directories (the security list is still included).
Firejail has no impact on the application speed, and it has a negligible impact on user convenience. For example, the user won’t be able to download and upload files from random places in the file system, and web-based SSH tools won’t work in the browser. In our view, that’s a small price to pay for privacy and security.
Building Security Profiles
Security profiles are usually built starting from the template installed in /usr/share/doc/firejail/profile.template. Make a copy of the file and modify it. The details are in the template file, the sandbox commands are described in man firejail-profile.
You can also generate profiles automatically by running your application under firejail –build as described in the video above.
Testing Security Profiles
Here is a simple, practical method for testing file system access. It applies to any other mandatory access control system. Let’s start with this user question:
“I have the key I use to connect to GitHub in
~/.sshdirectory, and another key I use to sign the release in~/.gnupg. That’s my threat exposure. How do I test Firejail?”
Copy a PNG file in .ssh directory and try to open it in GIMP:
$ cp test.png ~/.ssh/.
$ firejail gimp ~/.ssh/test.png
Copy the same file in .gnupg or any other directory you want to test. Do the same for other programs – for a media player use a test.mp4 file and so on.
Even better, go in File/Open menu in your application and soon you’ll get an idea what’s covered and what’s not. This is LibreOffice:
For browsers, use the address bar to access your home directory:
Customizing Security Profiles
One funny complaint I got was “I want to put my pictures on Facebook and ~/Pictures is not there!”. Go in ~/.config/firejail directory and create a text file firefox.profile with the following content:
$ cat ~/.config/firejail/firefox.profile
whitelist ~/Pictures
include /etc/firejail/firefox.profile
Or you can just copy your pictures temporarily in ~/Downloads.
One popular customization is removing network access for media players such as VLC:
$ cat ~/.config/firejail/vlc.profile
net none
include /etc/firejail/vlc.profile
Another interesting one is shutting down the sound in Warzone2100:
$ cat ~/.config/firejail/warzone2100.profile
nosound
include /etc/firejail/warzone2100.profile
A More Complex Example
Audacity, the open source audio editor, has been in the news recently. The program was acquired by Muse Group, a multi-national company involved in data harvesting. Among other changes, starting with version 3.0.3 they introduced telemetry, a mechanism for phoning home with various pieces of data taken from user computers. Here is the problem:
Every telemetry program stores on hard disk an universally unique identifier (UUID). This is a huge random number used to track program install instances. This way they can differentiate users on a local network behind a network address translation (NAT) firewall.
Now, let’s say you start your computer, telemetry phones home, your IP address is recorded. Later, you start your VPN software and connect to Internet with a different IP. Telemetry phones home again, same UUID but a different IP – instant de-anonymization!
We’ve had “net none” in the default Audacity security profile distributed with Firejail software for a very long time. This disables network access. But since it’s the intention that counts, segregate Audacity in its own private home directory:
Create a new directory in your home, ~/myaudio, and a new profile in ~/.config/firejail:
$ cd ~
$ mkdir myaudio
$ cat ~/.config/firejail/audacity.profile
private ~/myaudio
net none
include /etc/firejail/audacity.profile
I added “net none” just in case you have an old version of Firejail. Move the files you want to edit in ~/myaudio, and start the program (firejail audacity):
jailcheck
jailcheck is a small program we use to simplify the testing. The program will attach itself to all running sandboxes and try to access .ssh and .gnupg directories. You can add more directories on the command line, see man jailcheck:
$ sudo jailcheck
2014:netblue::firejail /usr/bin/gimp
Virtual dirs: /tmp, /var/tmp, /dev, /usr/share,
Warning: I can run programs in /home/netblue
Networking: disabled
2055:netblue::firejail /usr/bin/ssh -X netblue@x.y.z.net
Virtual dirs: /var/tmp, /dev, /usr/share, /run/user/1000,
Warning: I can read ~/.ssh
Networking: enabled
2186:netblue:libreoffice:firejail --appimage /opt/LibreOffice-fresh.appimage
Virtual dirs: /tmp, /var/tmp, /dev,
Networking: enabled
26090:netblue::/usr/bin/firejail /opt/firefox/firefox
Virtual dirs: /home/netblue, /tmp, /var/tmp, /dev, /etc, /usr/share,
/run/user/1000,
Networking: enabled
As I write this article I have Firefox, LibreOffice and GIMP open. I also have an SSH connection going out. As expected, .ssh directory is visible in SSH session. Nobody has access to .gnupg.
jailcheck also flags the presence of several system tools such as sudo, mount and strace, compilers such as gcc and clang, and networking tools such as dig, ncat, nmap and tcpdump, since these provide the perpetrators with a huge opportunity for mischief.
For each sandbox we list the most important virtual directories in use. These directories are build in temporary file systems by bringing in either real files and directories, or by copying files from the real file system. We deploy this type of mandatory access control in all sandboxes, with some differences here and there, depending on the application.
Another test is noexec test. In GIMP example above, the home directory allows GIMP to start programs stored locally. Usually these are application plugins the user installed himself, but they can also be aggressive malware programs inserted in the sandbox using a zero-day app exploit. If you don’t have external plugins installed, it is a good idea to make the home directory noexec:
$ cat ~/.config/firejail/gimp.profile
noexec ${HOME}
include /etc/firejail/gimp.profile
Conclusion
To give credit where credit is due, I’ve first seen people blocking access to .ssh and .gnupg in 2012 in a Firefox AppArmor profile in Ubuntu. In Debian 10 the block file is /etc/apparmor.d/abstractions/private-files-strict. To test AppArmor or SELinux, copy a file in .ssh directory and try to open it in your application. Apparently, stealing SSH credentials is quite a sport in business environments. That’s all for now, have fun!
Firejail 
I’m trying to make a custom profile like this:
include /etc/firejail/generic.profile
whitelist ${HOME}/somefile
read-only ${HOME}/somefile
For some reason using a white-list seems to discard access to home directory (only “somefile” shown). Does using any white-listed file for example home directory whitelisted by default?
For some reason “somefile” is also read-write instead of read-only. Is this a bug perhaps? Also some files blacklisted in generic.profile seem to be accessible and readable. (I’m using version firejail_0.9.36_1_amd64.deb on Mint 17.2)
LikeLiked by 1 person
> For some reason using a white-list seems to discard access to home directory (only “somefile” shown).
Yes, this is true. Whitelisting allows only the files and directories you specify in the list, everything else is removed.
> For some reason “somefile” is also read-write instead of read-only.
It seems to work:
Also blacklisting seems to work, give me an example. Thanks!
LikeLike
Hi,
I want to use firejail with soulseek, which is a music sharing program (the linux client is nicotine).
While protecting my system using firejail, I also have to make 1000s (literally thousands) or directories available read only. These thousands of directories all descend from one of five base directories, and ultimately from one single directory. above that.
The problem is that – as far as can see – firejail does not give recursive permissions to sub-directories. I will have to (make a script to) write thousands of
:
whitelist some/dir/name/dir1/
read-only some/dir/name/dir1/
whitelist some/dir/name/dir2/
read-only some/dir/name/dir2/
:
:
pairings.
Is there any way, like linking under my (firejail faked) home directory, to have firejail make thousands of directories available read only?
thanks for any help and thanks for a great application.
R
LikeLike
You only need to whitelist the top directory. The top directory needs to be in your user home directory. If the top directory is a symbolic link, the real directory also needs to be in user home.
LikeLike
If I enter $firejail firefox then Firejail opens the distribution version, 44, of Firefox.
I use a different version 38esr, of Firefox as my default. How do I get Firejail to open my default version?
LikeLike
Is there anywhere custom profiles can be checked? I think I have my ktorrent profile configured correctly but it would be nice to be certain
LikeLike
Yes, in a terminal run a simple sandbox with your profile:
$ firejail –profile=path_to_your_profile_file
It will complain if it finds a problem with the profile file.
LikeLike
how do i know which files and directories to whitelist? im trying to generate a custom profile for liferea rss reader.
LikeLike
I’ll try to bring in support for it in the next version. You need to find the directories where liferea is keeping its internal data in your home directory. They seem to be ~/.config/liferea and ~/.local/share/liferea/
LikeLike
Is there a way to make some directory RO, but one child of it as RW w/o root privileges?
I’m trying to sandbox my unit tests and disabling any write the sources tree, but have a build tree (which is a child) enabled… i.e. smth like:
–[unit-tests.profile]—
read-only /work/my-sources
read-write /work/my-sources/build/debug
——
unit tests are executed as a separate `builder` user (and it is not supposed to be the `root` user!)
LikeLike
Yes, this is supported in upcoming version 0.9.42:
There is a 0.9.42~rc1 version on the download page, or you can grab the latest on mainline from github.
LikeLike
Can –whitelist and –noexec be combined?
I want whitelisted folders to block execution of scripts.
A jailed app should be able to read/write only from a whitelisted folder and no other folders but not be able to execute.
LikeLike
Yes, it should work:
$ firejail –whitelist=~/mydir –noexec=~/mydir program-name
LikeLike
Does the whitelist option on the command line override the default.profile or do I need the –no-profile option also?
LikeLike
No, it does not overwrite it. It is equivalent with adding a whitelist entry in the profile.
LikeLike
Thanks for the answers. I tried to keep them short and simple.
I have an app from here that is for recording audio (dictation mostly):
https://launchpad.net/~audio-recorder/+archive/ubuntu/ppa
I am trying to block internet access and confine to a folder.
Seems like something common someone would want to do to an new app that handles sensitive information.
If I run with just firejail it is fine:
$ firejail audio-recorder –show-window=0
Reading profile /home/dad/.config/firejail/audio-recorder.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 29206, child pid 29211
Child process initialized
Parent is shutting down, bye…
(the gui launches)
If I add the whitelist option I get this:
$ firejail –whitelist=~/Audio audio-recorder –show-window=0
Reading profile /home/dad/.config/firejail/audio-recorder.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 29313, child pid 29314
Child process initialized
libdc1394 error: Failed to initialize libdc1394
(gst-plugin-scanner:5): GLib-GObject-WARNING **: cannot register existing type ‘ClutterGstVideoSink’
(gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion ‘G_TYPE_IS_INSTANTIATABLE (instance_type)’ failed
(gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion ‘G_TYPE_IS_INSTANTIATABLE (instance_type)’ failed
(gst-plugin-scanner:5): GLib-CRITICAL **: g_once_init_leave: assertion ‘result != 0’ failed
(gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_object_new: assertion ‘G_TYPE_IS_OBJECT (object_type)’ failed
ERROR: Caught a segmentation fault while loading plugin file:
/usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstclutter-3.0.so
Please either:
– remove it and restart.
– run with –gst-disable-segtrap –gst-disable-registry-fork and debug.
(audio-recorder:2): GStreamer-CRITICAL **: Trying to stop a GstDeviceProvider v4l2deviceprovider0 which is already stopped
(audio-recorder:2): GStreamer-CRITICAL **: Trying to stop a GstDeviceProvider pulsedeviceprovider0 which is already stopped
Parent is shutting down, bye…
(the gui launches and is missing quite a few options)
LikeLike
Use –net=none on command line or “net none” in your profile file. It will block any network access.
libdc1394 error – in your profile file use “protocol unix,inet,inet6,netlink”. You need “netlink” protocol, the program probably tries to access a video camera.
LikeLike
I have been experimenting with –net=none.
It seems to block all networking.
As an experiment I disabled my Internet access and ran VLC using firejail. No issues.
I turned the internet back on and ran:
>firejail –net=none vlc
Got all kinds of errors.
Can I block the Internet only or do I have to block all networking?
With all of the damn spying going on nowadays apps will “phone home” like E.T.
This must absolutely come to a stop.
I am hopeful firejail can help me get this done.
I am also concerned that apps may be accessig my home folder files.
firejail handles this quite well and for that I am very grateful.
I really cannot turn off my internet every single time an app runs.
Windows XP had an app firewall.
I have been looking into various app firewalls for linux such as Leopard Flower Firewall and Douane
I am still hopeful that firejail is the one stop solution I have been looking for.
LikeLiked by 1 person
> firejail –net=none vlc – Got all kinds of errors.
–net command also disables Unix sockets, some of the program functionality will be lost. – for example DBus functionality. Some applications don’t like it and will not manage to start.
Another way to disable internet access is to use –private command. For your VLC example, you open /etc/firejail/vlc.profile file in a text editor and replace the line “protocol unix,inet,inet6” with “protocol unix”.
LikeLiked by 1 person
worked for me… thanks!!
LikeLike
There was no default tor profile so I wrote this file ~/.config/firejail/torbrowser-launcher.profile
# Firejail profile for Tor Browser Bundle
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
nonewprivs
nogroups
shell none
seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
private
private-tmp
When I try to start up with the command firejail torbrowser-launcher the newest tor browser is loaded down and installed, then I get the following error message:
Running /home/uli/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
Unhandled Error
Traceback (most recent call last):
File “/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py”, line 916, in dispatcher
return func(*args, **kwargs)
File “/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py”, line 1472, in _finishResponse_WAITING
self._giveUp(Failure(reason))
File “/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py”, line 1525, in _giveUp
self._disconnectParser(reason)
File “/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py”, line 1513, in _disconnectParser
parser.connectionLost(reason)
— —
File “/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py”, line 537, in connectionLost
self.response._bodyDataFinished()
File “/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py”, line 916, in dispatcher
return func(*args, **kwargs)
File “/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py”, line 1161, in _bodyDataFinished_CONNECTED
self._bodyProtocol.connectionLost(reason)
File “/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py”, line 329, in connectionLost
self.all_done(reason)
File “/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py”, line 346, in response_finished
self.run_task()
File “/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py”, line 282, in run_task
self.verify()
File “/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py”, line 491, in verify
self.run_task()
File “/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py”, line 286, in run_task
self.extract()
File “/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py”, line 531, in extract
self.run_task()
File “/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py”, line 290, in run_task
self.run()
File “/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py”, line 583, in run
subprocess.call([self.common.paths[‘tbb’][‘start’]], cwd=self.common.paths[‘tbb’][‘dir_tbb’])
File “/usr/lib64/python2.7/subprocess.py”, line 523, in call
return Popen(*popenargs, **kwargs).wait()
File “/usr/lib64/python2.7/subprocess.py”, line 711, in __init__
errread, errwrite)
File “/usr/lib64/python2.7/subprocess.py”, line 1343, in _execute_child
raise child_exception
exceptions.OSError: [Errno 13] Permission denied
Any idea what went wrong?
LikeLike
My guess will be “private” command in your profile. This cleans up you home directory, and it will remove /home/uli/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop from the sandbox.
LikeLike
How to configure to use the custom profiles by default. For the default profiles I can just use firecfg. How about the custom ones?
LikeLike
You place them in ~/.config/firejail directory.
LikeLike
If you have a profile file, you put it in /home/username/.config/firejail directory. Then, you can create symbolic links by hand in /usr/local/bin directory (ln -s /usr/local/bin/program-name /usr/bin/firejail)
LikeLike
thanks for the reply, much appreciated
LikeLike
Is there a way i can start my local applications in firejail as different users 🙂 its like make the application started in firejail think its running on different user. While still it should have access to my local content.
LikeLike
You would need to have sudo access to switch the user:
$ sudo -u username firejail …
LikeLike
Sorry, I’ve missed the local content:
$ sudo -u username firejail –allusers …
LikeLike
when using firejail –private firefox
i have noticed that after closing the session and starting a new session that my history is saved off? I was expecting that using the private option would have started a clean session the second time around.
LikeLike
You are probably running into this problem: https://firejail.wordpress.com/support/frequently-asked-questions/#firefox
LikeLike
Hi!
Can somebody help me defining a profile which allows network for the LAN only? I would like to start some apps with eth0 (the default NIC) having full access to 192.168.0.* except for the gateway to the Internet which is 192.168.0.1.
How do I define this?
Thanks!
LikeLike
replace the line “protocol unix,inet,inet6,netlink” with “protocol unix”
LikeLiked by 1 person
I’d like to run the program update-manager with other IP address, but with full write access to the root file system. Is it possible?
My firewall don’t allow almost any program to go out to internet (only to dns servers, ntp servers and some IP:ssh).
To allow update-manager to work I have to disable the firewall or I have to add lots of rules.
If I could run update-manager with its own IP, I would permit this IP to go out anyware.
I do this with dropbox and with firefox, which run each in its own sandbox with its own IP.
I have tried with –no-profile, but /bin, /sbin and the others are mounted read-only in the sandbox.
Thanks.
LikeLike
One thing you can try is to start the sandbox with –noprofile (firejail –noprofile –net=… update-manager). It will give you a very relaxed sandbox.
LikeLike
Thanks for your answer, but I tried it and I got a lot of error messages saying that the file systems were in read-only mode.
The root file system is in rw, but the output of the mount command (inside the sandbox) shows also:
/dev/sdb1 on /bin type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/bin)
/dev/sdb1 on /sbin type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/sbin)
/dev/sdb1 on /lib type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/lib)
/dev/sdb1 on /lib64 type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/lib64)
/dev/sdb1 on /usr type btrfs (ro,relatime,space_cache,subvolid=341,subvol=/@/usr)
As you can see, the directories needed to do an update or upgrade are in ro mode.
I created the sanpshot with:
$ sudo firejail –name=sudo –noprofile –net=enp3s0 –dns=8.8.8.8
I am in Ubuntu 17.04 with firejail 0.9.44.8
Any idea?
Thanks again and happy new year.
LikeLike
Even with –noprofile option some directories like /bin, /lib, /usr/bin are mounted in read-only mode, so I can’t install anything.
LikeLike
I have a question concerning the use of profiles.
I want to run VMwarePlayer (terminal-command is “vmplayer”) within firejail. But when typing “firejail vmplayer” I run into problems.
The “VWware Kernel Module Updater” presents itself and if I click on “intsall” the following message appears (in German):
———————————————————————————————————————–
‘/usr/bin/vmware-modconfig’ –icon=’vmware-player’ –appname=’VMware’ konnte nicht als Anwender root ausgeführt werden:
Failed to exec new process: Keine Berechtigung
———————————————————————————————————————–
The thing is: vmplayer doesn´t use the profile which already exists.
As there is no vmplayer.profile ( see https://github.com/netblue30/firejail/tree/master/etc ) I tried the following:
“firejail –noprofile vmplayer”. This one worked. I could use my virtual machine (which by the way is bodhi linux).
My questions is:
What is the security status of my application with the –noprofile-option? Does it provide sufficient security?
Or is there another/a better way of running vmplayer within firejail?
Thanks a lot in advance.
Greetings.
Rosika
P.S.:
system: Lubuntu 16.04.3 LTS, 64 bit
LikeLike
I try to make ping able to read /etc/hosts but not getting it
could you give me an example ? plz 🙂
LikeLike
Actually this is a bug, thanks! In a text editor open (as root user) /etc/firejail/ping.profile and comment out (add a #) private-etc line, something like this:
# pivate-etc resolv.conf
LikeLike
Pingback: Sécuriser Firefox sous Linux avec la sandbox Firejail – W3btr0tt3ur
Would it be possible to have an –exec option, just like –no-exec? Ideally both –exec and –no-exec can be combined, for instance:
firejail –no-exec=${HOME} –exec=${HOME}/bin/
Just like you can already do with –read-only and –read-write:
firejail –read-only=${HOME} –read-write=${HOME}/test/
Or am I the only person that would see the use for this?
LikeLike
Pingback: Securely Run Untrusted Applications in Linux | Tech News One
I install and run games from GOG.com using Firejail, I usually start with default.profile, in isolated / home, for example
$ firejail –net=none –private=/home/tom/.sandbox ‘/home/tom/GOG Games/The Coma Recut/start.sh’
I want to launch the game not through the command line, but through a button in the application menu, in order for the sandbox to work with the game I need automatically. But I have difficulty with this implementation.
I thought that the right way is to create Whitelisted Profiles for a particular game, then edit file.desktop, specifying the necessary launch command in the Exec = line, for example:
firejail The Coma Recut
But this will not work, because in file.desktop, in Exec, instead of the name of the application, the full path to the start.sh script is specified. Thus, Firejail does not understand exactly which name of the game, despite the fact that the file desktop is filled correctly (probably).
I can’t write firejail –net=none –private=/home/tom/.sandbox ‘/home/tom/GOG Games/The Coma Recut/start.sh’
to the desktop file in the Exec = line because this the line is forbidden to use commands with the symbol “=”. similarly with the firejail –profile=filename ‘/home/tom/GOG Games/The Coma Recut/start.sh’
I am at a dead end, and I don’t know how to be, I need help, or at least a hint. You can ask me for the distribution of the game from GOG.сom for tests.
LikeLike
Sorry, was wrong. The command firejail –net=none –profile=name_profile “/home/tom/GOG Games/The Coma Recut/start.sh” works great, including from the desktop file. Request moderator to remove my previous stupid message. And this message too.
LikeLike
I need to write in profile Firejail, the path to the directory which contains spaces, how can I do this correctly?
LikeLike
Please help me with creation profile for popular ssh client Putty.
LikeLike
Pingback: Firejail, un sandbox para Linux para ejecutar programas de forma segura
Pingback: Выпуск системы изоляции приложений Firejail 0.9.62 |
Pingback: Linux Security Hardening and Other Tweaks - ZoStore
Pingback: Firejail - безопасный запуск потенциально уязвимых приложений
Pingback: Linux Security Hardening and Other Tweaks | صحافة حرة FREE PRESS
Pingback: Firejail – Securely Run Untrusted Applications in Linux – Tech Blog
I have to say as a brand new user coming to this thing, the most confusing thing is that _anything_ is permitted by a default, empty profile, whereas general security wisdom is to permit nothing until it is granted.
So I had naturally assumed that making an empty profile and running that against my build script, that my build script _should_ initially fail, telling me what file it had tried writing to, which would allow me to writelist the writable locations one by one. But what _actually_ happens is that the build works, all the tests pass, and I’m left here scratching my head, wondering whether the sandbox is even working. (The only evidence is one message I get if I Ctrl-C, where the sandbox declares that it’s shutting down.)
LikeLike
> whereas general security wisdom is to permit nothing until it is granted
That’s not exactly true. Take for example, iptables/netfilter: it is up an running when you start your box, and it allows by default all the network traffic. Same deal with SELinux and Apparmor. Although the security software is fully running, if you don’t configure it nothing is restricted.
If you force firejail with no profile, only a handful of files and directories are restricted by default. In a terminal run “firejail –noprofile –debug”, it will give you a list with all the default actions. Add “–debug” when your start your sandboxes to get an idea what is restricted, and then you add more files to is using “–blacklist”.
LikeLike