Firefox Sandboxing Guide


In August 2015, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to the attacker’s server. The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home. More advanced sandbox configurations blocked everything else.

This document describes some of the most common Firefox sandbox setups. We start with the default setup, recommended for entertainment and casual browsing.


Starting Firefox

The easiest way to start a sandbox is to prefix the command with “firejail”:

$ firejail firefox

Note: by default, a single Firefox process instance handles multiple browser windows. If Firefox is already running, you need to add the -no-remote command line option; otherwise you end up with a new tab or a new window attached to the existing, unsandboxed Firefox process:

$ firejail firefox -no-remote

Sandbox description

The filesystem container is created when the sandbox is started and destroyed when the sandbox is closed. It is built from the filesystem currently installed on the user's computer, so we strongly recommend keeping the operating system up to date. The sandbox allows Firefox to access only a small set of files and directories; everything else in the home directory, including private user information, is hidden.

[Figure: whitelisting home files and directories for the Firefox browser]

This is what the rest of the filesystem looks like:

  • /boot – blacklisted
  • /bin – read-only
  • /etc – read-only; /etc/passwd and /etc/group reference only the current user
  • /home – only the current user is visible
  • /lib, /lib32, /lib64 – read-only
  • /proc, /sys – re-mounted to reflect the new PID namespace
  • /sbin – blacklisted
  • /selinux – blacklisted
  • /usr – read-only; /usr/sbin blacklisted
  • /var – read-only; tmpfs mounted on /var/lock, /var/log, /var/tmp, and several directories under /var/lib and /var/cache

Password files, encryption keys and development tools are removed from the sandbox. If Firefox tries to access a blacklisted file, log messages are sent to syslog. Example:

Dec  3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec  3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot

The following security filters are enabled by default. The purpose of these filters is to reduce the attack surface of the kernel, and to protect the filesystem container:

  • seccomp-bpf – we use a large blacklist seccomp filter. It is a dual 32-bit/64-bit filter.
  • protocol – this seccomp-based filter checks the first argument of the socket system call. It allows IPv4, IPv6, UNIX and netlink sockets only.
  • noroot user namespace – it installs a namespace with only the current user.
  • capabilities – the sandbox disables all Linux capabilities, restricting what a root user can do in the sandbox.

seccomp configuration enforces the rules by killing the browser process. Log messages are sent to syslog. Example:

Dec  8 09:48:21 debian kernel: [ 4315.656379] audit: type=1326 audit(1449586101.336:8): auid=1000 uid=1000 gid=1000 ses=1 pid=22006 comm="chmod" exe="/bin/chmod" sig=31 arch=c000003e syscall=268 compat=0 ip=0x7f027999f6b9 code=0x0
Dec  8 12:53:57 debian kernel: [17261.662738] audit: type=1326 audit(1450461237.367:2): auid=1000 uid=1000 gid=1000 ses=1 pid=4750 comm="strace" exe="/usr/bin/strace" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7ff42f8cdc6c code=0x0
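The two log formats shown above, Firejail's own blacklist-violation messages and the kernel's seccomp audit records, are easy to grep for but awkward to read at volume. The Python script below is an added example, not part of the original guide or of Firejail itself: it parses both formats into records, decodes the x86_64 syscall number (arch=c000003e) and the signal (sig=31 is SIGSYS, the signal seccomp delivers when it kills the process), and counts events per binary so a burst from one executable stands out. The sample lines are constructed for the example: the first four mirror the entries quoted above, the last two are invented.

```python
"""Decode Firejail 'blacklist violation' syslog lines and kernel seccomp
(audit type=1326) records into structured events.  Added example; the
sample lines below are constructed, not a real capture."""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Dec  3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec  3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
Dec  8 09:48:21 debian kernel: [ 4315.656379] audit: type=1326 audit(1449586101.336:8): auid=1000 uid=1000 gid=1000 ses=1 pid=22006 comm="chmod" exe="/bin/chmod" sig=31 arch=c000003e syscall=268 compat=0 ip=0x7f027999f6b9 code=0x0
Dec  8 12:53:57 debian kernel: [17261.662738] audit: type=1326 audit(1450461237.367:2): auid=1000 uid=1000 gid=1000 ses=1 pid=4750 comm="strace" exe="/usr/bin/strace" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7ff42f8cdc6c code=0x0
Dec  8 13:02:11 debian kernel: [17755.101010] audit: type=1326 audit(1450461731.555:3): auid=1000 uid=1000 gid=1000 ses=1 pid=4801 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=165 compat=0 ip=0x7ff42f8cdc6c code=0x0
Dec  8 13:05:40 debian sshd[900]: Accepted publickey for user from 10.0.0.5 port 50000
"""

# x86_64 syscall numbers (arch=c000003e). Only the ones needed to read the
# sample are listed; anything else is reported by number.
X86_64_SYSCALLS = {
    2: "open", 41: "socket", 56: "clone", 59: "execve", 101: "ptrace",
    165: "mount", 166: "umount2", 257: "openat", 268: "fchmodat",
}

# 31 is SIGSYS on x86_64: seccomp's kill action delivers it to the process.
SIGNALS = {9: "SIGKILL", 31: "SIGSYS"}

BLACKLIST_RE = re.compile(
    r"firejail\[(?P<fjpid>\d+)\]: blacklist violation - sandbox (?P<sandbox>\d+), "
    r"exe (?P<exe>[^,]+), syscall (?P<syscall>[^,]+), path (?P<path>.+)$"
)
AUDIT_RE = re.compile(r"audit: type=1326 .*?(?P<fields>auid=.*)$")


def _kv(fields):
    """Split 'k=v k="v" ...' into a dict; quotes around values are stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', fields)}


def parse_line(line):
    """Return a record for a Firejail or seccomp line, None for anything else."""
    m = BLACKLIST_RE.search(line)
    if m:
        return {"kind": "blacklist", "sandbox": int(m["sandbox"]), "exe": m["exe"],
                "syscall": m["syscall"], "path": m["path"]}
    m = AUDIT_RE.search(line)
    if m:
        f = _kv(m["fields"])
        nr = int(f["syscall"])
        # only decode numbers for the architecture the table belongs to
        name = X86_64_SYSCALLS.get(nr, f"#{nr}") if f.get("arch") == "c000003e" else f"#{nr}"
        return {"kind": "seccomp", "pid": int(f["pid"]), "comm": f["comm"], "exe": f["exe"],
                "syscall": name, "signal": SIGNALS.get(int(f["sig"]), f["sig"])}
    return None


def parse_syslog(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(records):
    """Count events per (kind, exe) so one noisy binary is visible at a glance."""
    return Counter((r["kind"], r["exe"]) for r in records)


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    for r in recs:
        print(r)
    print(summarize(recs))
```

Run it against a real journal with `journalctl -k` or /var/log/syslog piped in; the syscall table is for x86_64 only, so 32-bit entries (compat=1 or arch=40000003) come out as bare numbers rather than being mis-decoded.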

For most users, the default “firejail firefox” setup is enough. The following are some special cases:

High security browser setup

Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is that you trust the site, but you don't trust the addons and plugins installed in your browser. Use the --private Firejail option to start with a factory default browser configuration and an empty, temporary home directory; nothing written there survives closing the sandbox.

You also need to take care of your DNS settings: current home routers are ridiculously insecure, and the easiest attack is to reconfigure their DNS and redirect traffic to a fake bank website. Use the --dns Firejail option to specify a DNS configuration for your sandbox:

$ firejail --private --dns= --dns= firefox -no-remote

The two DNS servers above belong to Google, and at least one national security agency has access to the logging information. Don't use them for anything other than banking. We also add -no-remote so we don't end up by mistake in an already running “entertainment” browser.


Work setup

In this setup we use the /home/username/work directory for work, email and related Internet browsing. This is how we start it all up:

$ firejail --private=/home/username/work thunderbird &
$ firejail --private=/home/username/work firefox -no-remote &

Both Mozilla Thunderbird and Firefox think ~/work is the user home directory. Unlike plain --private, the directory given to --private=directory is persistent, so the configuration is preserved when the sandbox is closed.


Network setup

Assuming eth0 is the main Ethernet interface, we create a new TCP/IP stack, we connect it to the wired Ethernet network, and we start the browser:

$ firejail --net=eth0 firefox

[Figure: network namespace configured in a Firejail sandbox]

To assign an IP address, Firejail ARP-scans the network and picks a random address not already in use. Of course, we can be as explicit as we need to be:

$ firejail --net=eth0 --ip= firefox

Note: Ubuntu runs a local DNS server in the host network namespace. That server is not visible inside the sandbox, so use the --dns option to configure an external DNS server:

$ firejail --net=eth0 --dns= firefox

By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing. It is a regular iptables filter. Here is an example setup where no access to the local network is allowed:

$ firejail --net=eth0 --netfilter=/etc/firejail/ firefox
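As an added example, not Firejail's shipped filter, the Python script below writes a --netfilter file in the iptables-restore format that `man firejail` uses for the default filter. It drops every destination in the RFC 1918 and IPv4 link-local ranges, leaves loopback and the Internet open, and drops all incoming connections that are not replies to the sandbox's own traffic. The same policy is exposed as a function so a destination can be checked against it; the file name nolocal-example.net and the helper names are my own choices.

```python
"""Generate a Firejail --netfilter file that denies access to the local
network, and evaluate destinations against the same policy.  Added example,
not Firejail's own filter."""
import ipaddress
import sys

# Destination ranges the browser sandbox must not reach: RFC 1918 private
# networks plus the IPv4 link-local range (home routers, printers, NAS boxes).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


def local_blocked(dst):
    """True if the OUTPUT chain rendered below drops a packet to dst."""
    ip = ipaddress.ip_address(dst)
    if ip.is_loopback:
        return False  # matched by '-A OUTPUT -o lo -j ACCEPT' before any DROP
    return any(ip in net for net in LOCAL_RANGES)


def render_netfilter():
    """Return the filter in iptables-restore format (what --netfilter loads).

    INPUT:  drop everything except loopback and replies to our own connections.
    OUTPUT: accept by default, but drop the local ranges first.
    """
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
    ]
    lines += [f"-A OUTPUT -d {net} -j DROP" for net in LOCAL_RANGES]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   python3 nolocal_filter.py > "$HOME/.config/firejail/nolocal-example.net"
    #   firejail --net=eth0 --netfilter="$HOME/.config/firejail/nolocal-example.net" firefox
    sys.stdout.write(render_netfilter())
    for dst in ("192.168.1.1", "8.8.8.8"):
        print(f"# {dst}: {'DROP' if local_blocked(dst) else 'ACCEPT'}", file=sys.stderr)
```

One caveat: name resolution happens inside the namespace, so a DNS server on the local network (the typical home-router address) is dropped by this filter as well. Pair it with an external resolver via --dns, as in the example above, or add an explicit ACCEPT rule for port 53 to that one address ahead of the DROP lines.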

X11 sandbox

Firejail replaces the regular X11 server with Xpra or Xephyr servers (apt-get install xpra xserver-xephyr on Debian/Ubuntu), preventing X11 keyboard loggers and screenshot utilities from accessing the main X11 server.

The command is as follows:

$ firejail --x11 --net=eth0 program-and-arguments

A network namespace initialized with --net is necessary in order to disable the abstract X11 socket. If for any reason you cannot use a network namespace, the abstract socket will still be visible inside the sandbox, and an attacker can attach keylogger and screenshot programs to it.


86 thoughts on “Firefox Sandboxing Guide”

  1. Pingback: Weekend Reading 2016-01-23 – take it and read | Zaufana Trzecia Strona

  2. crying angel

    I'm trying to isolate the Firefox resources reader, in order to avoid this privacy bug:

    The resource:// URI scheme is used by Firefox to call on-disk resources from internal modules and extensions, but some of these resources may also be included to any web page and executed via script tag.

    I've tried it in this manner:

    firejail --caps.drop=all --seccomp --netfilter=/etc/firejail/ /opt/firefox/firefox

    but it is not effective. Please, could you help me?

    Thanks a lot in advance


  3. Pingback: How to set up and use the Firefox sandbox? | 邪恶十六进制

  4. kevin

    I am familiar with Sandboxie in Windows. If you run Firefox within Sandboxie and make a change to Firefox, such as adding a new add-on or a new bookmark, it isn't kept when you start up Firefox again. You need to add these via a normal Firefox session, which will then be reflected in the Sandboxie version. Does Firejail work the same way, or does it retain changes made to Firefox when it has been running in Firejail?



      1. kevin

        Thanks for confirming it retains the changes. Can you give a little more detail on why this isn't a risk, as wouldn't this be outside the sandbox? Sorry if this is a silly question.


    1. netblue30 Post author

      This is how Firejail works:

      System directories and directories belonging to another application are mounted read-only and cannot be modified by the application.

      Application directories are mounted read-write. It is the application's business to protect its own directories. For example, saving a bookmark will modify Firefox's application directory. Hopefully Firefox knows what it is doing, and is not messing up its own bookmark file. However, Firefox cannot modify directories belonging to another application.

      Note: Firejail also has a private mode, where it always starts with a factory default set of application directories. In this mode, modifications to app directories are not saved on the hard drive.


  5. openvpnuser

    can this work when someone has the host configured and iptabled to only communicate through an openvpn connection, and wishes the sandboxed application to only communicate through that very same openvpn connection?


    1. netblue30 Post author

      When you start the sandbox, if you don’t use any networking features, the sandbox will not modify the network. So, if you have a vpn setup, when you run “firejail firefox” the traffic will still go through vpn.


  6. johnny4

    Hi, I just wanted to say hi, I found about firejail on distrowatch weekly, and I *really* want to thank you for the great security work you’re doing, I’m amazed at how firefox sandboxing works effortlessly…

    Sent from Linux Mint 17.2 MATE x64

    Linux kenny 4.2.0-30-generic #36~14.04.1-Ubuntu SMP Fri Feb 26 18:49:23 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


  7. Pingback: How to set up and use the Firefox sandbox? | 安全渗透军火库|SHENTOU.ORG

  8. Vesa-Matti J. kari

    For the past 15 years, I have been scared when running web browsers. Firejail has made everyday life so much more secure. Amazing! Thanks!


  9. Amnesiac

    An amnesiac Tor Browser:

    # Firejail profile for Tor Browser Bundle
    include /etc/firejail/
    include /etc/firejail/
    include /etc/firejail/
    include /etc/firejail/
    caps.drop all
    protocol unix,inet,inet6,netlink


  10. twinkled

    I wanted to ask if it’s possible to create both firefox and openvpn sandboxes, which will result in something like virtual network among them:
    1. The only network that firefox sees is vpn and
    2. No other apps see the VPN network.
    I guess that could be handled with the --net option, but I need guidance.
    Thanks for your ingenious work!


  11. Steven

    Awesome write up 😉 as I was very excited when I stumbled upon firejail 🙂 and to come across your post was icing to the fox. Thank You.


  12. Laurent

    I need your help.
    Here are the steps I did:
    > I launch Iceweasel with this command: “firejail iceweasel”
    > I surf the web and add a torrent link: Iceweasel automatically launches transmission-gtk
    The problem is that Iceweasel doesn't know the main directory of transmission-gtk and restarts it as if it didn't know the existing Transmission profile. Is it possible for Iceweasel to launch a known configuration of transmission-gtk in the sandbox?


    1. netblue30 Post author

      Copy /etc/firejail/iceweasel.profile into the ~/.config/firejail directory:

      $ mkdir ~/.config/firejail
      $ cp /etc/firejail/iceweasel.profile ~/.config/firejail/.

      Edit the file:

      $ cat ~/.config/firejail/iceweasel.profile
      noblacklist ${HOME}/.config/transmission
      noblacklist ${HOME}/.cache/transmission
      include /etc/firejail/firefox.profile
      whitelist ${HOME}/.config/transmission
      whitelist ${HOME}/.cache/transmission

      Important: make sure transmission-gtk is configured to store the downloads in the ~/Downloads directory, otherwise you'll lose them when you close the browser. ~/Downloads and the configuration directories are the only persistent directories; everything else is built in a temporary filesystem. You'll find the Transmission setting in the Edit/Preferences menu.


      1. Laurent

        Hi netblue
        Sorry for my response delay. I just have a look today of your reply and it works fine ! Thank you. You did a great job with firejail. Now i can firejail iceweasel and launch Transmission in it with the existing transmission profile.
        I am a fan user of your solution
        Laurent :):)


      2. Hung

        “~/Downloads and the configuration directories are the only directories persistent, everything else is build in a temporary filesystem.”.
        What do you mean by “configuration directories”? I thought ${HOME} and all its subdirectories (except those blacklisted in “” and “”) are persistent. I can make a new directory and file in ${HOME} (“firejail mkdir ~/newDir” and “firejail touch ~/newFile”). My OS is Linux Mint 17.3. Is it a bug, or is it supposed to work like that?


      3. netblue30 Post author

        Each program uses a different security profile. For firefox it uses /etc/firejail/firefox.profile, and for mkdir and touch it uses /etc/firejail/default.profile. You can open these files in a text editor and take a look.


  13. DC Wall

    First, thank you very much for Firejail…It seems easy for someone new to Linux.

    I want to use the Midori and Qupzilla browsers, except from what I understand these WebKit browsers aren't updated in Debian stable and because of that are not secure. But with Firejail maybe they are. I want to open them up to Flash and then, when I close them down, have potentially damaging changes wiped out. So it would be the not-up-to-date Midori version in Debian stable, through Firejail: $ firejail midori. Is that safe for browsing?


    1. netblue30 Post author

      Firejail will make your Midori security better; however, there are some very good reasons the Debian people removed Midori from their repository. I would use strictly what Debian supports.


  14. Richard

    Hi. I am new to Firejail and am attempting to get ‘firejail firefox’ working. My issues seem to be similar to these:
    I have things like ~/.cache , ~/.adobe , ~/.macromedia as symbolic links all pointing to a sub-directory of /tmp (and /tmp itself is a symbolic link to /dev/shm)

    The end of ‘firejail firefox’ is:
    Reading profile /etc/firejail/
    Parent pid 11015, child pid 11016
    Error: invalid whitelist path /home/webuserr/Downloads
    Error: cannot establish communication with the parent, exiting…

    I have been testing with the bash environment given by ‘firejail’.
    I can not access /tmp/cache (although it is owned by me.) However,
    just before I run ‘firejail’, if I ‘cp -a /tmp/cache /tmp/cache2′, I have
    read/write access to /tmp/cache2 in the default firejail bash environment.
    Why don't I have access to the original /tmp/cache? (Ok, I see that
    firejail changes the owner and group to 65534:65534, but not for


    1. netblue30 Post author

      In the version you have, symbolic links pointing outside the directory are not supported. This is already fixed in the development version, so your setup with links going into /tmp/cache will work.


  15. Adam F

    I just upgraded firejail from 0.9.28 to 0.9.38 (on Ubuntu) and the --private.keep option has disappeared. I had been using that to load a Firefox profile but not allow any permanent modifications:
    firejail --private.keep=.mozilla/firefox/profiles.ini,.mozilla/firefox/jqxorhq3.empty firefox -no-remote -P empty
    How can I do that now?


  16. Gladiator

    I have two questions.
    1. Can you please tell me about the license of Firejail? Is it GPLv3?
    2. When other packages (like kernels) are updated, does firejail need to be updated also immediately? I mean does it need to be updated frequently or only when very very big changes are made?


  17. QwertyGuy

    If I choose to run Firefox from the .tar.bz2 file Mozilla provides, how to Firejail it?
    $cd path_to_extracted_folder
    $firejail ./x
    (x is the name of the file/script that needs to be run)
    Like this? Will the sandbox work properly?

    Is it a must to Firejail something by typing
    $firejail some_program
    always from the home directory?


  18. John A. Lastra

    I tried to use the private option typing “firejail private firefox” as shown on the first
    edition of the docs, but when I pressed “enter” I was connected to a PORNO site with all kinds of kinky images. I never typed any web site address in the URL. I am very concerned since apparently this is a “security hole”, perhaps in the new Firefox. Is a patch available to fix that?
    I appreciate your answer A.S.A.P.
    John A. Lastra


    1. netblue30 Post author

      You just add a --blacklist=path_to_your_partition on the command line. For example, if you have your Windows partition mounted on /mnt/wind, you would start Firejail like this:

      $ firejail --blacklist=/mnt/wind firefox


  19. leopold


    Thanks, this is a great project.

    I would like to lock down my Firefox so that it can only access a SOCKS proxy (on, could be listening on another interface if better).

    I tried different things with the --net option with no success so far. Is there any easy way to limit the jail's network to a SOCKS proxy running on the lo interface, and forbid all other Internet access?



  20. ljones


    Is it possible to use firejail with icecat (similar to firefox) to prevent any access to the original home directory completely?

    My idea is to try the following:
    – have the icecat binary and profile in a compressed file (eg zip, tar.gz, etc)
    – when “icecat” is run;
    – decompress the profile and icecat binary to a ram disk;
    – use firejail to run icecat out of the ram disk and not touch the original home.

    To test this for now I tried copying icecat and the profile it uses to a ram disk. I then tried the following:

    firejail --blacklist=/media/aaaaa/downloads --blacklist=/home/ --blacklist=/media/aaaaa/nfs --noroot --blacklist=/media/aaaaa/emulators --caps.drop=all --seccomp --caps --private --private=/media/ramdisk /media/ramdisk/icecat/icecat

    But icecat doesn't look in the new home directory (set with the --private= option). It looks like it is trying to look at the original home instead. Can I prevent this, or am I doing something wrong?



    1. netblue30 Post author

      Add --no-remote to the command line:

      firejail --blacklist=/media/aaaaa/downloads --blacklist=/home/ --blacklist=/media/aaaaa/nfs --noroot --blacklist=/media/aaaaa/emulators --caps.drop=all --seccomp --caps --private --private=/media/ramdisk /media/ramdisk/icecat/icecat --no-remote

      Without it, the browser will connect to an existing instance of the browser instead of starting a new one. Firefox allows only one browser to run at a time, but with --no-remote you force it to start a second one.


  21. Jordan


    First, I thank you for dedicating your precious time towards helping users like
    myself improve our security posture in Ubuntu.

    I have a few questions about firejailing firefox: Since firejail blocks access to
    Sudo and the root account, will a malicious tab be prevented from infecting
    firefox itself, so that if I were to close the tab and restart firefox, the
    infection will not have persisted?

    Also, can I improve my system’s security by opening firefox in separate,
    firejailed processes according to the sites I wish to visit in them (using
    firejail firefox -no-remote), so that I will have one process for banking,
    another for email, and yet another process for untrusted sites?

    Lastly, do you have any other suggestions whereby I may improve my
    security with firejail?



    1. netblue30 Post author

      > will a malicious tab be prevented from infecting
      firefox itself

      It can infect only firefox configuration, firefox executable cannot be modified.

      > so that I will have one process for banking,
      another for email, and yet another process for untrusted sites?

      You can have as many as you want, but I would keep it simple. At some point you’ll make a mistake and start browsing untrusted sites in your banking browser or the other way around.


  22. james gordon

    What do you mean by:

    “Both Mozilla Thunderbird and Firefox think ~/work is the user home directory. The configuration is preserved when the sandbox is closed”


    Aren't all settings changed in a sandbox via --private discarded? The man page says:

    ” Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed.”


    1. netblue30 Post author

      If you use –private everything will be discarded, but without it your configuration is persistent.

      Do it like this: start firefox in a sandbox (“firejail firefox”), and in the URL field type “/home/username”. Firefox will give you the list of the files it finds in your home directory. In this case only ~/Downloads and ~/.mozilla are persistent; everything else will be discarded. The regular “firejail firefox” is a combination of private and persistent.


  23. james gordon

    “By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing. It is a regular iptable filter.”

    Will it still use the iptables rules established by ufw that I've configured if I use “--net=eth0”, for example (i.e. will my firewall settings apply to the sandboxes as well using this setting out of the box, or do I have to change it)?


    1. netblue30 Post author

      No, it is a different filter.

      You can specify a specific filter with --netfilter=filename, so try to find the ufw file (it should be somewhere in /etc) and pass it down to firejail.


      1. james gordon

        One more noob question if you don’t mind:

        Can you describe the purpose of the general filter? I see the exact filter itself in the man page, but unfortunately I don’t really understand ip tables. With ufw, my only rules are:

        1. ufw default deny
        2. ufw allow ssh

        So I'm not sure if I should stick to the default filter provided by firejail or use my own. I'm guessing firejail's default IP filter is much stricter than my rules, and my rules are way too general, so I should stick with firejail's defaults for firefox? What filter should I use for other applications, such as for mail (mutt) and torrenting applications: also the default filter provided by firejail (which seems to be specifically for a web browser)?


      2. netblue30 Post author

        The filter installed by firejail is a very general filter, tailored to desktop applications. I keep an updated listing of the filter in “man firejail” under the --netfilter entry. The filter drops all incoming connections, including ssh, and also drops outgoing WebRTC connections.

        Note: iptables filters are installed by firejail only if a --net option was requested. If you run your sandbox without --net, the application will use your ufw filter.


  24. Charles Lewis

    I’m running Firejail and have been wondering about something. After starting Firefox I see the following related processes:

    root 1819 /usr/bin/firejail /usr/bin/firefox
    root 1820 /usr/bin/firejail /usr/bin/firefox
    clewis 1824 /usr/lib/firefox/firefox
    clewis 1880 /usr/lib/firefox/plugin-container

    What concerns me are the two processes running as root. Is this correct? and can I be sure that Firefox is not running with root privileges on my machine?


    1. netblue30 Post author

      root 1819 root 1820 are the sandbox processes. After the application was started, these processes just monitor the sandbox.

      clewis 1824 and clewis 1880 are the application, Firefox in your case.

      Firejail runs as root, however, the application always runs as a regular user.


  25. Avatar

    Any offhand ideas why launching uget from a jailed copy of firefox with flashgot addon would cause it to not save the files in ~/Downloads and where it might be putting them? Do i need to add something to the whitelisted directories?

    Nice Program 🙂


    1. netblue30 Post author

      > Do i need to add something to the whitelisted directories?

      Probably yes. Maybe flashgot addon has a specific directory where it saves the files. This directory needs to be whitelisted in firefox profile.

      Look in /etc/firejail/firefox.profile file, and add a whitelist line for that directory, similar to the line for dwhelper (dwhelper is another download addon for firefox).


      1. avatar

        Got it. Thanks…

        # for uget needs --whitelist=/tmp/flashgot.blahblahblah.default in
        # launcher; didn't seem right to put it here
        mkdir ~/.config/uGet
        whitelist ~/.config/uGet


  26. Jim

    I installed firejail and being quite new to Linux (Mint 18.1) it took me a fair bit of digging to find out how to get sound out of VLC after the installation. Now I cannot get Transmission to work. When I hit a torrent download icon a new instance of Transmission is opened and it doesn’t work. Although I have done a lot of searching on this and other sites I seem to not have sufficient experience to understand what exactly people are talking about. What I need are a few lines of code to help me set up Transmission to work, if that is possible.


    1. netblue30 Post author

      You would start the browser (“firejail firefox”), and in a different sandbox start transmission (“firejail transmission-gtk”). In the browser you go to your torrent page, grab with the mouse the magnet icon, and drop it in transmission window. That’s basically the easiest way.

      If the site doesn't have a magnet link, and instead has torrent files, save the torrent file in the ~/Downloads directory, and open it in transmission-gtk.


  27. heatdeath

    Hi, I have been using firejail for a while now and I really dig it. I have one question that has been bothering me though. Every time I want to run firejail I type into my terminal “$ firejail firefox”; is there a way of making firejail the default so I don't have to open the terminal every time I want to launch the browser? It would be ideal if I just click the firefox icon on my desktop and it opens firejail firefox.


    1. netblue30 Post author

      You can use the firecfg utility (man firecfg) distributed with firejail. It should solve the problem for most programs. Run it as “sudo firecfg”. What distro are you using?


  28. Pingback: How to set up and use the Firefox sandbox? - 安全路透社

  29. LinAdmin

    Thanks for developing firejail, I am convinced that this really improves security!

    I have installed Xpra and the latest firejail on my Debian Jessie. When starting firefox using “firejail --x11 --net=eth0 …” the basic functions are ok. Of course imwheel is deactivated and the mapping of the two thumb switches to PgUp/Dwn no longer works. The Swiss keyboard is correctly handled by evdev.
    I do not have a xorg.conf and searching quite some time I could not find a solution.

    Any hints?


      1. netblue30 Post author

        I still have no idea how imwheel is working. From what I read on the Arch Linux wiki, imwheel is a daemon monitoring and talking to the main X server, and your sandboxed program runs in a different X server. My guess is it will never work, unless you start a new instance of imwheel inside the sandbox so it can talk to the second X server – just a guess.


  30. John

    So you said “There is no complicated configuration” …… 😦
    Sorry, still way too complicated. Don't get me wrong, it is a great piece of software, but a safe configuration is still a pain in the… you know where. Easier than AppArmor but still way too complicated.
    I would love to see such software easy to run and configure, and working out of the box on every Linux distro, but it is too complicated for that 😦 I would love to see absolutely every option configurable by clicking and using wizards; maybe a bit lame, but that would make such software more usable and popular.
    I want to make a decent profile for the Dropbox client, to allow it to do only what it really needs to do, but when I read the configuration description I start to feel a headache, sorry 😦


  31. Ben


    Firstly, thank you. Firejail is great.

    Secondly, however, I need a bit of help.

    The Goal: examine and open the contents of an untrusted usb stick.

    Means: I thought I could use firejail to run a --private instance of caja, un/mount and read/write the USB drive. However:

    “(caja:8): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported”

    My technical understanding is limited, but I guess I am right in thinking this is something that is too fundamental to the Ubuntu Mate 16.04LTS system to be changed (feasibly, anyway, by me).

    Is there another way to do this with firejail?


    1. netblue30 Post author

      You would need to go in command line. Run “firejail” then “cd /media/usb” or wherever your system mounts your drive, and then run the regular ls and cut commands.

      The reason you have problems with caja is because caja was already started when you logged in. The instance you are trying to start in the sandbox detects another caja instance in the system and tries to connect to it. The sandbox will prevent it – it would be a sandbox escape.

      Another thing you can do is to install a second file manager such as pcmanfm (from LXDE desktop). It does the same thing as caja, but it will stay in the sandbox if this is the only pcmanfm running.


  32. Ben

    No, I’m sorry I haven’t made myself clear.

    I want to insert the thumb drive, start a sandbox, and from within that sandbox mount and read/write the drive’s contents. I don’t want the rest of the system to be exposed to whatever is on there.

    Incidentally, I tried the pcmanfm trick. I had wondered about that before, but unfortunately it did as I thought. Once mounted, the drive was visible in other parts of the system e.g. caja.

    I confess I am struggling with some of the concepts firejail is built upon, so forgive these clumsy questions. I notice there are options to ‘nominate’ (my word; I'm tired) particular directories or /dev/, and the private option seems to isolate temporary directories analogous to web browsers' private modes. I guess what I am really after is similar to firejail --private firefox --no-remote. Is mounting a thumb drive so basal to the machine that it simply cannot be hidden from the rest of the system?


    1. netblue30 Post author

      > I want to insert the thumb drive, start a sandbox, and from within that sandbox mount and read/write the drive’s contents.

      The sandbox will prevent you from mounting or unmounting any drive. This is done by default. I'll look to see if I can find a way around it, but this is exactly the kind of functionality the sandbox is supposed to deny. There have been in the past quite a number of kernel exploits based on mounting/unmounting.


  33. Ben

    I see. I’d heard about them, (I think – this is BADUSB, etc, yes?) and that’s exactly what I was looking to firejail to solve for me, initially.

    (everything else is great, by the way – just need to learn it).

    I’d welcome hearing what you find. From my first pass at understanding mounting, I think maybe what I’m asking for is for firejail to act as a VM.


    1. netblue30 Post author

      Look at the --rlimit-* command line options. Also, --cpu will allow you to use a specific number of CPU cores in the sandbox. If this is not enough, you'll have to set up control groups and pass them to firejail with --cgroup.


