Firefox Sandboxing Guide

 
 

In August 2015, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to the attacker’s server. The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home. More advanced sandbox configurations blocked everything else.

This document describes some of the most common Firefox sandbox setups. We start with the default setup, recommended for entertainment and casual browsing.

 

Starting Firefox

The easiest way to start a sandbox is to prefix the command with “firejail”:

$ firejail firefox

Note: by default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you need to use the -no-remote command-line option; otherwise you end up with a new tab or a new window attached to the existing Firefox process:

$ firejail firefox -no-remote

Sandbox description

The filesystem container is created when the sandbox is started and destroyed when the sandbox is closed. It is based on the current filesystem installed on the user’s computer. We strongly recommend updating the operating system on a regular basis. The sandbox allows Firefox to access only a small set of files and directories. All private user information has been removed.

Whitelisting home files and directories for Firefox browser.


This is what the rest of the filesystem looks like:

  • /boot – blacklisted
  • /bin – read-only
  • /etc – read-only; /etc/passwd and /etc/group reference only the current user
  • /home – only the current user is visible
  • /lib, /lib32, /lib64 – read-only
  • /proc, /sys – re-mounted to reflect the new PID namespace
  • /sbin – blacklisted
  • /selinux – blacklisted
  • /usr – read-only; /usr/sbin blacklisted
  • /var – read-only; tmpfs mounted on /var/lock, /var/log, /var/tmp, and several directories under /var/lib and /var/cache

Password files, encryption keys and development tools are removed from the sandbox. If Firefox tries to access a blacklisted file, log messages are sent to syslog. Example:

Dec  3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec  3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot

The following security filters are enabled by default. The purpose of these filters is to reduce the attack surface of the kernel, and to protect the filesystem container:

  • seccomp-bpf – we use a large blacklist seccomp filter. It is a dual 32-bit/64-bit filter.
  • protocol – this seccomp-based filter checks the first argument of socket system call. It allows IPv4, IPv6, UNIX and netlink.
  • noroot user namespace – it installs a namespace with only the current user.
  • capabilities – the sandbox disables all Linux capabilities, restricting what a root user can do in the sandbox.

The seccomp configuration enforces the rules by killing the browser process. Log messages are sent to syslog. Example:

Dec  8 09:48:21 debian kernel: [ 4315.656379] audit: type=1326 audit(1449586101.336:8): auid=1000 uid=1000 gid=1000 ses=1 pid=22006 comm="chmod" exe="/bin/chmod" sig=31 arch=c000003e syscall=268 compat=0 ip=0x7f027999f6b9 code=0x0
Dec  8 12:53:57 debian kernel: [17261.662738] audit: type=1326 audit(1450461237.367:2): auid=1000 uid=1000 gid=1000 ses=1 pid=4750 comm="strace" exe="/usr/bin/strace" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7ff42f8cdc6c code=0x0
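
One way to pull both kinds of message out of syslog for review, as an added example (not part of Firejail or of the original guide): it parses the blacklist-violation and seccomp audit lines shown above. The function names are made up for this example, and the syscall-name table is an assumption that covers only the two x86_64 numbers appearing in the sample.

```python
import re
from collections import Counter

# Sample input: the four syslog lines quoted in this guide.
SAMPLE_LOG = """\
Dec  3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec  3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
Dec  8 09:48:21 debian kernel: [ 4315.656379] audit: type=1326 audit(1449586101.336:8): auid=1000 uid=1000 gid=1000 ses=1 pid=22006 comm="chmod" exe="/bin/chmod" sig=31 arch=c000003e syscall=268 compat=0 ip=0x7f027999f6b9 code=0x0
Dec  8 12:53:57 debian kernel: [17261.662738] audit: type=1326 audit(1450461237.367:2): auid=1000 uid=1000 gid=1000 ses=1 pid=4750 comm="strace" exe="/usr/bin/strace" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7ff42f8cdc6c code=0x0
"""

BLACKLIST_RE = re.compile(
    r"firejail\[\d+\]: blacklist violation - sandbox (?P<sandbox>\d+), "
    r"exe (?P<exe>\S+), syscall (?P<syscall>\S+), path (?P<path>.+)$"
)
# type=1326 is the kernel's AUDIT_SECCOMP record type.
SECCOMP_RE = re.compile(r"audit: type=1326 audit\([\d.]+:\d+\): (?P<fields>.+)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

AUDIT_ARCH_X86_64 = 0xC000003E
SIGSYS = 31  # signal number on x86 Linux for a seccomp kill
# Assumption: only the two x86_64 syscall numbers from the sample are named
# here; extend the table from the kernel's syscall list for real use.
X86_64_SYSCALLS = {101: "ptrace", 268: "fchmodat"}


def parse_line(line):
    """Return an event dict for a blacklist or seccomp line, else None."""
    m = BLACKLIST_RE.search(line)
    if m:
        return {"kind": "blacklist", "sandbox": int(m["sandbox"]),
                "exe": m["exe"], "syscall": m["syscall"],
                "path": m["path"].strip()}
    m = SECCOMP_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    try:
        arch = int(fields["arch"], 16)
        number = int(fields["syscall"])
        event = {"kind": "seccomp", "pid": int(fields["pid"]),
                 "uid": int(fields["uid"]), "exe": fields["exe"],
                 "killed": int(fields["sig"]) == SIGSYS}
    except (KeyError, ValueError):
        return None  # truncated or malformed audit record
    # Syscall numbers are per-architecture, so only name them for x86_64.
    name = X86_64_SYSCALLS.get(number) if arch == AUDIT_ARCH_X86_64 else None
    event["syscall"] = name or "#%d" % number
    return event


def parse_log(text):
    """Parse every line of a syslog excerpt, skipping unrelated lines."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def summarize(events):
    """Count events per (kind, executable) to show what keeps tripping."""
    return Counter((e["kind"], e["exe"]) for e in events)


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(event)
    print(summarize(parse_log(SAMPLE_LOG)))
```

These patterns match the syslog form of the messages; audit records written by auditd to its own log file use a different prefix and would need their own pattern.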

For most users, the default “firejail firefox” setup is enough. The following are some special cases:

High security browser setup

Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is you trust the site, but you don’t trust the addons and plugins installed in your browser. Use the --private Firejail option to start with a factory default browser configuration and an empty home directory.

Also, you would need to take care of your DNS setting – current home routers are ridiculously insecure, and the easiest attack is to reconfigure DNS and redirect the traffic to a fake bank website. Use the --dns Firejail option to specify a DNS configuration for your sandbox:

$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox -no-remote

The two DNS servers above belong to Google, and at least one national security agency has access to logging information. Don’t use them for anything other than banking. We also add -no-remote so we don’t end up by mistake in an already running “entertainment” browser.

 

Work setup

In this setup we use the /home/username/work directory for work, email and related Internet browsing. This is how we start it all up:

$ firejail --private=/home/username/work thunderbird &
$ firejail --private=/home/username/work firefox -no-remote &

Both Mozilla Thunderbird and Firefox think ~/work is the user home directory. The configuration is preserved when the sandbox is closed.

 

Network setup

Assuming eth0 is the main Ethernet interface, we create a new TCP/IP stack, we connect it to the wired Ethernet network, and we start the browser:

$ firejail --net=eth0 firefox

Network namespace configured in a Firejail sandbox

To assign an IP address, Firejail ARP-scans the network and picks up a random address not already in use. Of course, we can be as explicit as we need to be:

$ firejail --net=eth0 --ip=192.168.1.207 firefox

Note: Ubuntu runs a local DNS server in the host network namespace. The server is not visible inside the sandbox. Use the --dns option to configure an external DNS server:

$ firejail --net=eth0 --dns=8.8.8.8 firefox

By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing. It is a regular iptables filter. This is a setup example, where no access to the local network is allowed:

$ firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox

X11 sandbox

Firejail replaces the regular X11 server with Xpra or Xephyr servers (apt-get install xpra xserver-xephyr on Debian/Ubuntu), preventing X11 keyboard loggers and screenshot utilities from accessing the main X11 server.

The command is as follows:

$ firejail --x11 --net=eth0 program-and-arguments

A network namespace initialized with --net is necessary in order to disable the abstract X11 socket. If for any reason you cannot use a network namespace, the socket will still be visible inside the sandbox, and hackers can attach keylogger and screenshot programs to this socket.

72 thoughts on “Firefox Sandboxing Guide”

  1. Pingback: Weekendowa Lektura 2016-01-23 – bierzcie i czytajcie | Zaufana Trzecia Strona

  2. crying angel

    I’m trying to isolate Firefox resources reader, in order to avoid this privacy bug

    The resource:// URI scheme is used by Firefox to call on-disk resources from internal modules and extensions, but some of these resources may also be included to any web page and executed via script tag.
    https://www.browserleaks.com/firefox

    I’ve tried it this way:

    firejail --caps.drop=all --seccomp --netfilter=/etc/firejail/nolocal.net /opt/firefox/firefox

    but with no effective results. Please, could you help me?

    Thanks a lot in advance

  3. Pingback: 如何设置并使用Firefox沙盒? | 邪恶十六进制

  4. kevin

    I am familiar with Sandboxie in Windows. If you run Firefox within Sandboxie and make a change to Firefox, such as adding a new add-on or a new bookmark, it isn’t kept when you start up Firefox again. You need to add these via a normal Firefox session, which will then be reflected in the Sandboxie version. Does Firejail work the same way, or does it retain changes made to Firefox when it has been running in Firejail?

    Thanks

      1. kevin

        Thanks for confirming it retains the changes. Can you give a little more detail on why this isn’t a risk, as would this be out of the sandbox? Sorry if this is a silly question.


    1. netblue30 Post author

      This is how Firejail works:

      System directories and directories belonging to another application are mounted read-only and cannot be modified by the application.

      Application directories are mounted read-write. It is the application’s business to protect its own directories. For example, saving a bookmark will modify Firefox’s application directory. Hopefully Firefox knows what it is doing, and is not messing up its own bookmark file. However, Firefox cannot modify directories belonging to another application.

      Note: Firejail also has a private mode, where it always starts with a factory default set of application directories. In this mode, modifications to app directories are not saved on the hard drive.

  5. openvpnuser

    can this work when someone has the host configured and iptabled to only communicate through an openvpn connection, and wishes the sandboxed application to only communicate through that very same openvpn connection?

    1. netblue30 Post author

      When you start the sandbox, if you don’t use any networking features, the sandbox will not modify the network. So, if you have a vpn setup, when you run “firejail firefox” the traffic will still go through vpn.

  6. johnny4

    Hi, I just wanted to say hi, I found about firejail on distrowatch weekly, and I *really* want to thank you for the great security work you’re doing, I’m amazed at how firefox sandboxing works effortlessly…

    Sent from Linux Mint 17.2 MATE x64

    Linux kenny 4.2.0-30-generic #36~14.04.1-Ubuntu SMP Fri Feb 26 18:49:23 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

  7. Pingback: 如何设置并使用Firefox沙盒? | 安全渗透军火库|SHENTOU.ORG

  8. Vesa-Matti J. kari

    For the past 15 years, I have been scared when running web browsers. Firejail has made everyday life so much more secure. Amazing! Thanks!

  9. Amnesiac

    An amnesiac Tor Browser:

    # Firejail profile for Tor Browser Bundle
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc
    include /etc/firejail/disable-devel.inc
    caps.drop all
    seccomp
    protocol unix,inet,inet6,netlink
    netfilter
    tracelog
    noroot
    private
    private-tmp

  10. twinkled

    Hi!
    I wanted to ask if it’s possible to create both firefox and openvpn sandboxes, which will result in something like virtual network among them:
    1. The only network that firefox sees is vpn and
    2. No other apps see the vpn network.
    I guess that could be handled with the --net option but I need guidance.
    Thanks for your ingenious work!

  11. Steven

    Awesome write up 😉 as I was very excited when I stumbled upon firejail 🙂 and to come across your post was icing to the fox. Thank You.

  12. Laurent

    Hi,
    I need your help
    Here are the steps I did:
    > I launch iceweasel with this command “firejail iceweasel”
    > I surf the web and add a torrent link: Iceweasel automatically launches transmission-gtk
    The problem is that iceweasel doesn’t know the main directory of transmission-gtk and restarts it as if it didn’t know the existing transmission profile
    > Is it possible for iceweasel to launch a known configuration of transmission-gtk in the sandbox?
    Thanks
    Laurent.

    1. netblue30 Post author

      Copy /etc/firejail/iceweasel.profile to the ~/.config/firejail directory:

      $ mkdir -p ~/.config/firejail
      $ cp /etc/firejail/iceweasel.profile ~/.config/firejail/

      Edit the file:

      $ cat ~/.config/firejail/iceweasel.profile
      noblacklist ${HOME}/.config/transmission
      noblacklist ${HOME}/.cache/transmission
      include /etc/firejail/firefox.profile
      whitelist ${HOME}/.config/transmission
      whitelist ${HOME}/.cache/transmission

      Important: make sure transmission-gtk is configured to store the downloads in the ~/Downloads directory, otherwise you’ll lose them when you close the browser. ~/Downloads and the configuration directories are the only persistent directories, everything else is built in a temporary filesystem. You’ll find the transmission setting in the Edit/Preferences menu.

      1. Laurent

        Hi netblue
        Sorry for my delayed response. I just had a look at your reply today and it works fine! Thank you. You did a great job with firejail. Now I can firejail iceweasel and launch Transmission in it with the existing transmission profile.
        I am a fan user of your solution
        Laurent :):)


      2. Hung

        “~/Downloads and the configuration directories are the only directories persistent, everything else is build in a temporary filesystem.”.
        What do you mean by “configuration directories”? I thought ${HOME} and all its subdirectories (except those blacklisted in “disable-common.inc” and “disable-programs.inc”) are persistent. I can make a new directory and file in ${HOME} (“firejail mkdir ~/newDir” and “firejail touch ~/newFile”). My OS is Linux Mint 17.3. Is it a bug or is it supposed to work like that?


      3. netblue30 Post author

        Each program uses a different security profile. For firefox it uses /etc/firejail/firefox.profile, and for mkdir and touch it uses /etc/firejail/default.profile. You can open these files in a text editor and take a look.


  13. DC Wall

    First, thank you very much for Firejail…It seems easy for someone new to Linux.

    I want to use Midori and Qupzilla browsers except from what I understand, these webkit browsers aren’t updated in Debian stable and because of that are not secure. But, with Firejail maybe they are. I want to open them up to Flash and then when I close them down, have potentially damaging changes wiped out. So, it would be the not-up-to-date Midori version in Debian stable, through Firejail: $ firejail Midori. Is that safe for browsing?

    1. netblue30 Post author

      Firejail will make your Midori security better, however, there are some very good reasons Debian people removed Midori from their repository. I would use strictly what Debian supports.

  14. Richard

    Hi. I am new to Firejail and am attempting to get ‘firejail firefox’ working. My issues seem to be similar to these:
    https://github.com/netblue30/firejail/issues/287
    I have things like ~/.cache , ~/.adobe , ~/.macromedia as symbolic links all pointing to a sub-directory of /tmp (and /tmp itself is a symbolic link to /dev/shm)

    The end of ‘firejail firefox’ is:
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 11015, child pid 11016
    Error: invalid whitelist path /home/webuserr/Downloads
    Error: cannot establish communication with the parent, exiting…

    I have been testing with the bash environment given by ‘firejail’.
    I can not access /tmp/cache (although it is owned by me.) However,
    just before I run ‘firejail’, if I ‘cp -a /tmp/cache /tmp/cache2’, I have
    read/write access to /tmp/cache2 in the default firejail bash environment.
    Why don’t I have access to the original /tmp/cache ? (Ok, I see that
    firejail changes the owner and group to 65534:65534, but not for
    cache2.)

    1. netblue30 Post author

      In the version you have, symbolic links pointing outside the directory are not supported. This is already fixed in the development version, so your setup with links going into /tmp/cache will work.

  15. Adam F

    I just upgraded firejail from 0.9.28 to 0.9.38 (on Ubuntu) and the --private.keep option has disappeared. I had been using that to load a Firefox profile but not allow any permanent modifications:
    firejail --private.keep=.mozilla/firefox/profiles.ini,.mozilla/firefox/jqxorhq3.empty firefox -no-remote -P empty
    How can I do that now?
    Thanks.

  16. Gladiator

    I have two questions.
    1. Can you please tell me about the license of Firejail? Is it GPLv3?
    2. When other packages (like kernels) are updated, does firejail need to be updated also immediately? I mean does it need to be updated frequently or only when very very big changes are made?

  17. QwertyGuy

    If I choose to run Firefox from the .tar.bz2 file Mozilla provides, how to Firejail it?
    $cd path_to_extracted_folder
    $firejail ./x
    (x is the name of the file/script that needs to be run)
    Like this? Will the sandbox work properly?

    Is it a must to Firejail something by typing
    $firejail some_program
    always from the home directory?

  18. John A. Lastra

    I tried to use the private option typing “firejail private firefox” as shown on the first
    edition of the docs but when I “enter” I was connected to a PORNO site with all kind of kinky images. I never typed any web site address in the URL. I am very concerned since apparently this is a “security hole” perhaps in the new Firefox. Is a patch available to fix that?
    I appreciate your answer A.S.A.P.
    Thanks,
    John A. Lastra

    1. netblue30 Post author

      You just add a --blacklist=path_to_your_partition on the command line. For example, if you have your windows partition mounted on /mnt/wind, you would start Firejail like this:

      $ firejail --blacklist=/mnt/wind firefox

  19. leopold

    Hello.

    Thanks, this is a great project.

    I would like to block my firefox so that it can only access a socks proxy (on 127.0.0.1, could be listening on another interface if better).

    I tried different things with the --net option with no success so far. Is there any easy way to limit the jail network to a socks proxy running on lo interface, and forbid all other internet access?

    Thanks

  20. ljones

    Hello,

    Is it possible to use firejail with icecat (similar to firefox) to prevent any access to the original home directory completely?

    My idea is to try the following:
    – have the icecat binary and profile in a compressed file (eg zip, tar.gz, etc)
    – when “icecat” is run;
    – decompress the profile and icecat binary to a ram disk;
    – use firejail to run icecat out of the ram disk and not touch the original home.

    To test this for now I tried copying icecat and the profile it uses to a ram disk. I then tried the following:

    firejail --blacklist=/media/aaaaa/downloads --blacklist=/home/ --blacklist=/media/aaaaa/nfs --noroot --blacklist=/media/aaaaa/emulators --caps.drop=all --seccomp --caps --private --private=/media/ramdisk /media/ramdisk/icecat/icecat

    But icecat doesn’t look in the new home directory (set with the --private= option). It looks like it is trying to look at the original home instead. Can I prevent this or am I doing something wrong?

    thanks
    ljones

    1. netblue30 Post author

      Add --no-remote to the command line:

      firejail --blacklist=/media/aaaaa/downloads --blacklist=/home/ --blacklist=/media/aaaaa/nfs --noroot --blacklist=/media/aaaaa/emulators --caps.drop=all --seccomp --caps --private --private=/media/ramdisk /media/ramdisk/icecat/icecat --no-remote

      Without it, the browser will connect to an existing instance of the browser instead of starting a new one. Firefox allows only one browser to run at a time, but with --no-remote you force it to start a second one.

  21. Jordan

    Hello,

    First, I thank you for dedicating your precious time towards helping users like
    myself improve our security posture in Ubuntu.

    I have a few questions about firejailing firefox: Since firejail blocks access to
    Sudo and the root account, will a malicious tab be prevented from infecting
    firefox itself, so that if I were to close the tab and restart firefox, the
    infection will not have persisted?

    Also, can I improve my system’s security by opening firefox in separate,
    firejailed processes according to the sites I wish to visit in them (using
    firejail firefox -no-remote), so that I will have one process for banking,
    another for email, and yet another process for untrusted sites?

    Lastly, do you have any other suggestions whereby I may improve my
    security with firejail?

    Jordan

    1. netblue30 Post author

      > will a malicious tab be prevented from infecting
      firefox itself

      It can infect only firefox configuration, firefox executable cannot be modified.

      > so that I will have one process for banking,
      another for email, and yet another process for untrusted sites?

      You can have as many as you want, but I would keep it simple. At some point you’ll make a mistake and start browsing untrusted sites in your banking browser or the other way around.

  22. james gordon

    What do you mean by:

    “Both Mozilla Thunderbird and Firefox think ~/work is the user home directory. The configuration is preserved when the sandbox is closed”

    ?

    Aren’t all settings changed in a sandbox via --private discarded? The man page says:

    ” Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed.”

    1. netblue30 Post author

      If you use --private everything will be discarded, but without it your configuration is persistent.

      Do it like this: start firefox in a sandbox (“firejail firefox”), and in the url field type “/home/username”. Firefox will give you the list of the files it finds in your home directory. In this case only ~/Downloads and ~/.mozilla are persistent, everything else will be discarded. The regular “firejail firefox” is a combination of private and persistent.

  23. james gordon

    “By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing. It is a regular iptable filter.”

    Will it still use the iptable rules established by ufw that I’ve configured if I use “--net=eth0”, for example (i.e. will my firewall settings apply to the sandboxes as well using this setting out-of-the-box or do I have to change it)?

    1. netblue30 Post author

      No, it is a different filter.

      You can specify with --netfilter=filename a specific filter, so try to find the ufw file (it should be somewhere in /etc) and pass it down to firejail.

      1. james gordon

        One more noob question if you don’t mind:

        Can you describe the purpose of the general filter? I see the exact filter itself in the man page, but unfortunately I don’t really understand ip tables. With ufw, my only rules are:

        1. ufw default deny
        2. ufw allow ssh

        So I’m not sure if I should stick to the default filter provided by firejail or use my own. I’m guessing firejail’s default ip filter is much more strict than my rules and my rules are way too general so I should stick with firejail’s defaults for firefox? What filter should I use for other applications, such as for mail (mutt), and torrenting applications–also the default filter provided by firejail (which seems to be specifically for a web browser)?


      2. netblue30 Post author

        The filter installed by firejail is a very general filter, tailored to desktop applications. I keep an updated listing of the filter in “man firejail” under the --netfilter entry. The filter drops all incoming connections, including ssh, and also drops outgoing WebRTC connections.

        Note: iptables filters are installed by firejail only if a --net option was requested. If you run your sandbox without --net, the application will use your ufw filter.


  24. Charles Lewis

    I’m running Firejail 0.9.38.10 and have been wondering about something. After starting Firefox I see the following related processes:

    USER PID COMMAND
    root 1819 /usr/bin/firejail /usr/bin/firefox
    root 1820 /usr/bin/firejail /usr/bin/firefox
    clewis 1824 /usr/lib/firefox/firefox
    clewis 1880 /usr/lib/firefox/plugin-container

    What concerns me are the two processes running as root. Is this correct? and can I be sure that Firefox is not running with root privileges on my machine?

    1. netblue30 Post author

      root 1819 root 1820 are the sandbox processes. After the application was started, these processes just monitor the sandbox.

      clewis 1824 and clewis 1880 are the application, Firefox in your case.

      Firejail runs as root, however, the application always runs as a regular user.

  25. Avatar

    Any offhand ideas why launching uget from a jailed copy of firefox with flashgot addon would cause it to not save the files in ~/Downloads and where it might be putting them? Do I need to add something to the whitelisted directories?

    Nice Program 🙂

    1. netblue30 Post author

      > Do i need to add something to the whitelisted directories?

      Probably yes. Maybe flashgot addon has a specific directory where it saves the files. This directory needs to be whitelisted in firefox profile.

      Look in /etc/firejail/firefox.profile file, and add a whitelist line for that directory, similar to the line for dwhelper (dwhelper is another download addon for firefox).

      1. avatar

        Got it. Thanks…

        # for uget needs --whitelist=/tmp/flashgot.blahblahblah.default in
        # launcher didn’t seem right to put it here
        mkdir ~/.config/uGet
        whitelist ~/.config/uGet


  26. Jim

    I installed firejail and being quite new to Linux (Mint 18.1) it took me a fair bit of digging to find out how to get sound out of VLC after the installation. Now I cannot get Transmission to work. When I hit a torrent download icon a new instance of Transmission is opened and it doesn’t work. Although I have done a lot of searching on this and other sites I seem to not have sufficient experience to understand what exactly people are talking about. What I need are a few lines of code to help me set up Transmission to work, if that is possible.

    1. netblue30 Post author

      You would start the browser (“firejail firefox”), and in a different sandbox start transmission (“firejail transmission-gtk”). In the browser you go to your torrent page, grab with the mouse the magnet icon, and drop it in transmission window. That’s basically the easiest way.

      If the site doesn’t have a magnet link, and instead has torrent files, save the torrent file in the ~/Downloads directory, and open it in transmission-gtk.

  27. heatdeath

    Hi, I have been using firejail for a while now and I really dig it. I have one question that has been bothering me though. Every time I want to run firejail I type into my terminal “$ firejail firefox”. Is there a way of making firejail the default so I don’t have to open the terminal every time I want to launch the browser? It would be ideal that I just click the firefox icon on my desktop and it opens firejail firefox

    1. netblue30 Post author

      You can use the firecfg utility (man firecfg) distributed with firejail. It should solve the problem for most programs. Run it as “sudo firecfg”. What distro are you using?

  28. Pingback: 如何设置并使用Firefox沙盒?-安全路透社

  29. LinAdmin

    Thanks for developing firejail, I am convinced that this really improves security!

    I have installed Xpra and the latest firejail on my Debian Jessie. When starting firefox using “firejail --x11 --net=eth0 …” the basic functions are ok. Of course imwheel is deactivated and the mapping of the two thumb switches to PgUp/Dwn no longer works. The Swiss keyboard is correctly handled by evdev.
    I do not have a xorg.conf and searching quite some time I could not find a solution.

    Any hints?

      1. netblue30 Post author

        I still have no idea how imwheel is working. From what I read on Arch Linux wiki, imwheel is a daemon monitoring and talking to the main X server, and your sandboxed program runs in a different X server. My guess is it will never work, unless you start a new instance of imwheel inside the sandbox so it can talk to the second X server – just a guess.

