Introduction
In August 2015, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to the attacker’s server.
Several such exploits are discovered every year, and by the time they are reported, they’ve been in the wild for a while. The attacker gains full access to the file system, and he can run any program installed on the computer. He can even start a remote shell and run the commands manually.
The three main attacks we target with Firejail are ransomware, privilege escalations, and local network attacks. This is a short description of the technologies we use to prevent them, and some of the most common Firefox sandbox setups. We start with the default setup, recommended for entertainment and casual browsing.
Default Setup
The easiest way to start the sandbox is to prefix the command with firejail:
$ firejail firefox --no-remote
Note: By default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you need the -no-remote command line option; otherwise you end up with a new tab or a new window attached to the existing Firefox process.
You can also integrate Firejail with your desktop environment by running sudo firecfg as described on our Download page. Then, you just click the browser icon in your desktop environment menus to start the program.
Another method is to configure a desktop launcher. This is a simple text file in the Desktop directory with the following content:
$ cat ~/Desktop/firefox.desktop
[Desktop Entry]
Name=firefox
Icon=/opt/firefox/browser/chrome/icons/default/default48.png
Terminal=false
Type=Application
Exec=/usr/bin/firejail /opt/firefox/firefox -no-remote
The example above shows a desktop launcher for a Firefox browser installed in the /opt directory.
Sandbox description
For privacy purposes we deploy a very restrictive Mandatory Access Control system. The sandbox allows Firefox to access only a small set of system files and directories. All private user information is removed from the home directory. Please remember to save your downloaded files in Downloads; everything else will evaporate when you close the browser.
Note: The same home directory layout is imposed by Firejail for all networked applications and games. For email we bring in email folders, for media players we add Videos, Music etc. Usually, the Documents directory is highly restricted; only a few applications have access to it.
Password files, encryption keys and development tools are also removed from the sandbox. If Firefox tries to access such a file, log messages are sent to syslog. Example:
Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
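The two log lines above have a fixed field layout, which makes them easy to monitor. The script below is an added example, not part of Firejail or of the original article: it parses such lines and lists sandboxes that touched several distinct blacklisted paths. The function names, the threshold heuristic and the last three sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: triage Firejail "blacklist violation" syslog entries.
# The field layout is taken from the two log lines quoted in the article.

# Constructed sample input: lines 1-2 are from the article, the rest are made up.
sample_log() {
cat <<'EOF'
Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
Dec 3 11:46:18 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
Dec 3 11:47:02 debian firejail[71]: blacklist violation - sandbox 27001, exe vlc, syscall open64, path /home/user/.ssh
Dec 3 11:47:05 debian sshd[812]: Accepted publickey for user from 192.0.2.10 port 51234 ssh2
EOF
}

# stdin: syslog lines. stdout: sandbox<TAB>exe<TAB>syscall<TAB>path, one per violation.
parse_violations() {
    awk '
    /firejail\[[0-9]+\]: blacklist violation - sandbox / {
        rest = $0
        sub(/^.*blacklist violation - sandbox /, "", rest)
        # The path comes last and may itself contain commas, so cut it off first.
        p = index(rest, ", path ")
        if (p == 0) next
        path = substr(rest, p + 7)
        n = split(substr(rest, 1, p - 1), f, ", ")
        if (n != 3) next                      # malformed line, skip it
        exe = f[2]; sub(/^exe /, "", exe)
        sc = f[3];  sub(/^syscall /, "", sc)
        printf "%s\t%s\t%s\t%s\n", f[1], exe, sc, path
    }'
}

# List "sandbox exe distinct_paths" for sandboxes that hit at least $1 different
# blacklisted paths. Repeated hits on one path count once: many distinct paths
# suggest the process is enumerating the filesystem (heuristic, an assumption).
probing_sandboxes() {
    parse_violations | awk -F '\t' -v min="$1" '
        !seen[$1 SUBSEP $4]++ { paths[$1]++; exe[$1] = $2 }
        END {
            for (s in paths)
                if (paths[s] >= min) printf "%s %s %d\n", s, exe[s], paths[s]
        }' | sort
}

# On the sample this prints: 26370 firefox 2
sample_log | probing_sandboxes 2
```

To run it on real data, pipe the system log in instead of sample_log, for example `grep 'blacklist violation' /var/log/syslog | probing_sandboxes 3` on a Debian system.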
Privilege escalations are handled mainly by seccomp-bpf and nonewprivs. These are two Linux kernel technologies specifically designed for this purpose. A number of other kernel technologies are layered on top of them, such as capability sets, a user namespace without a root user, and partitions and directories mounted using the nosuid flag. If available, we also start AppArmor on top of everything. With all these kernel layers in place, it is hard to tell in a real scenario which layer triggered first and stopped the exploit.
In this video I describe a full hacking session from the perspective of the attacker. I simulate a remote shell into the browser, and try to get control of the system. I describe how the Mandatory Access Control system, seccomp-bpf, and a combination of network namespace and netfilter firewall are used to prevent further escalation.
Private browser setup
Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is you trust the site, but you don’t trust the addons and plugins installed in your browser. Use the --private Firejail option to start with a factory default browser configuration, and an empty home directory.
Also, you would need to take care of your DNS setting – current home routers are ridiculously insecure, and the easiest attack is to reconfigure DNS, and redirect the traffic to a fake bank website. Use the --dns Firejail option to specify a DNS configuration for your sandbox:
$ firejail --private --dns=1.1.1.1 --dns=9.9.9.9 firefox -no-remote
Work setup
Use this setup for remote office work, or when you have a number of programs employed for a specific purpose. Start by creating a new directory, let’s say /home/username/work, and segregate your applications in this directory. Pass this directory to --private when you start your apps:
$ firejail --private=/home/username/work thunderbird &
$ firejail --private=/home/username/work firefox -no-remote &
Both Mozilla Thunderbird and Firefox think ~/work is the user home. The configuration is preserved when the sandbox is closed.
Network Setup
Network attacks usually happen in enterprise settings. Having failed with regular ransomware, and having failed to raise privileges, the attacker tries to exploit servers running on the local network. Most likely the target was some very specific server on the local network to begin with.
Assuming eth0 is the main Ethernet interface, we create a new TCP/IP stack, and we connect it to the wired Ethernet interface. Then, we ARP-scan the network and pick up a random, unused IP address:
$ firejail --net=eth0 firefox
Note: Ubuntu runs a local DNS server in the host network namespace. The server is not visible inside the sandbox. Use the --dns option to configure an external DNS server:
$ firejail --net=eth0 --dns=9.9.9.9 firefox
By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing. It is a regular iptables filter; you can customize it, or you can bring in your own.
$ firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
The nolocal.net filter above allows only traffic from outside; all local traffic is dropped.
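A filter file you bring in yourself could look like the following. This is an added example, not the contents of /etc/firejail/nolocal.net and not code from the Firejail project; it assumes the file passed to --netfilter uses iptables-save syntax, and the file name browser.net and both function names are hypothetical.

```sh
#!/bin/sh
# Added example: a custom filter for --netfilter plus a pre-flight check.
# Assumption: the filter file is in iptables-save / iptables-restore syntax.

# Emit a filter that drops unsolicited inbound traffic, accepts replies to
# connections the sandbox opened, and drops outbound traffic to private ranges.
write_filter() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j DROP
-A OUTPUT -d 172.16.0.0/12 -j DROP
-A OUTPUT -d 192.168.0.0/16 -j DROP
COMMIT
EOF
}

# Simple lint, stdin is a filter file. Returns 0 only if the INPUT policy is
# DROP, the table is committed, and every RFC 1918 range has an OUTPUT DROP
# rule; otherwise prints what is missing. It does not model rule ordering.
check_filter() {
    awk '
        $1 == ":INPUT" && $2 == "DROP" { input_drop = 1 }
        $1 == "-A" && $2 == "OUTPUT" {
            dst = ""; verdict = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-j") verdict = $(i + 1)
            }
            if (verdict == "DROP") blocked[dst] = 1
        }
        $1 == "COMMIT" { committed = 1 }
        END {
            bad = 0
            if (!input_drop) { print "INPUT policy is not DROP"; bad = 1 }
            if (!committed)  { print "missing COMMIT"; bad = 1 }
            n = split("10.0.0.0/8 172.16.0.0/12 192.168.0.0/16", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in blocked)) { print "not blocked: " want[i]; bad = 1 }
            exit bad
        }'
}

# Typical use (not executed here). A resolver on the local network becomes
# unreachable with this filter, so pair it with --dns:
#   write_filter > "$HOME/browser.net"
#   check_filter < "$HOME/browser.net" && \
#     firejail --net=eth0 --dns=9.9.9.9 --netfilter="$HOME/browser.net" firefox
write_filter | check_filter && echo "filter passes the check"
```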
On top of that, you can add a hosts file implementing an adblocker:
$ firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net \
--hosts-file=~/adblock firefox
There are several scenarios where you would want to use the networking feature:
- Anonymity on a local network – by default we assign random IP and MAC addresses to your sandbox. Once the sandbox is closed, the addresses disappear. You can run in parallel multiple applications, each one with a different IP address.
- You have an SSH server running on your computer – this could provide an opportunity for your attacker to try a dictionary attack.
- Install an iptables firewall for your browser – mostly applicable in enterprise settings, where you need to protect various assets on your local network.
- Dynamic firewall – at startup, Firejail looks at the traffic and builds a firewall specific for your application. You might want to use this for Tor and VPN setups.
X11 sandbox
Firejail replaces the regular X11 server with Xpra or Xephyr servers (apt-get install xpra xserver-xephyr on Debian/Ubuntu), preventing X11 keyboard loggers and screenshot utilities from accessing the main X11 server.
The command is as follows:
$ firejail --x11 --net=eth0 firefox
A network namespace initialized with --net is necessary in order to disable the abstract X11 socket. If for any reason you cannot use a network namespace, the socket will still be visible inside the sandbox, and hackers can attach keylogger and screenshot programs to this socket.
Tor Browser
Tor Browser is the ultimate tool for protecting privacy while browsing online. All Tor network traffic is encrypted, and it is virtually impossible to track the IP address back to its user.
These are our recommended steps to set up the browser in a Firejail sandbox. The setup should work on all Linux distributions.
1. Download Tor Browser from https://torproject.org
2. Assuming the archive was downloaded in Downloads directory, extract the files:
$ cd ~
$ tar -xvf Downloads/tor-browser-linux64-X.Y.Z.tar.xz
3. Find the name of your Ethernet interface:
$ ip addr show
4. Create a desktop launcher in Desktop directory:
$ cat ~/Desktop/tor.desktop
[Desktop Entry]
Name=tor
Icon=/home/USERNAME/tor-browser_en-US/Browser/browser/chrome/icons/default/default128.png
Terminal=false
Type=Application
Exec=firejail --name=tor --private=~/tor-browser_en-US --net=INTERFACE ./start-tor-browser.desktop
Replace USERNAME with your user name, and INTERFACE with the name of your Ethernet interface you found in step 3.
5. Start the browser by clicking the tor icon on your desktop. This is the default setup, also available for older Firejail versions.
6. Optionally, lock down your network by adding --netlock on your exec line in the launcher. This will install a dynamic firewall that will allow only traffic to the Tor guard node. You’ll find more details in the video.
VPN
This is the simplest VPN setup ever: Linux workstation running Firefox browser under Firejail, and a virtual machine in the cloud running an SSH server.
By default all cloud VMs run an SSH server. The tunnel uses SOCKS5 feature of OpenSSH. This setup should work with any other network applications supporting SOCKS5 protocol.
It is one of the fastest VPN tunnels out there. Due to the large number of enterprise users using SSH in the cloud, you are very likely to go through a VPN blockade undetected. Fly under the radar and have fun!
More…
- Sakaki’s EFI Install Guide/Sandboxing the Firefox Browser with Firejail – probably the best X11 sandboxing guide out there!
- All About Tor – removing personally identifiable information, setup, network firewall, using Tor as a DNS proxy
- Firejail BitTorrent Sandboxing Guide – how to use a DNS over HTTPS proxy to stop DNS-based attacks for a browser/BitTorrent client setup
- A Survey of Public DNS over HTTPS Servers – how to choose a DoH service
I’m trying to isolate Firefox resources reader, in order to avoid this privacy bug
The resource:// URI scheme is used by Firefox to call on-disk resources from internal modules and extensions, but some of these resources may also be included to any web page and executed via script tag.
https://www.browserleaks.com/firefox
I’ve tried in this manner
firejail --caps.drop=all --seccomp --netfilter=/etc/firejail/nolocal.net /opt/firefox/firefox
but with no effective results. Please, could you help me?
Thanks a lot in advance
LikeLike
Sorry, you cannot disable the resources, Firefox will not work without them.
LikeLike
I am familiar with sandboxie in windows, if you run firefox within sandboxie and make a change to firefox such as add a new add on or add a new bookmark it isn’t kept when you start up firefox again. You need to add these via a normal firefox session which will then be reflected in the sandboxie version. Does firejail work the same way or does it retain changes made to firefox when it has been running in firejail?
Thanks
LikeLike
Firejail retains all your changes.
LikeLike
Thanks for confirming it retains the changes, can you give a little more detail why this isn’t a risk as would this be out of the sandbox? Sorry if this is a silly question.
LikeLike
It is using the real mozilla directories, not a copy of them. When you close the sandbox, the directories remain on your hard drive
LikeLike
Ok thanks, if it is using the real directories though couldn’t these be compromised if they aren’t protected by firejail?
LikeLike
This is how Firejail works:
System directories and directories belonging to another application are mounted read-only and cannot be modified by the application.
Application directories are mounted read-write. It is the application’s business to protect its own directories. For example, saving a bookmark will modify Firefox’s application directory. Hopefully Firefox knows what it is doing, and is not messing up its own bookmark file. However, Firefox cannot modify directories belonging to another application.
Note: Firejail also has a private mode, where it always starts with a factory default set of application directories. In this mode, modifications to app directories are not saved on the hard drive.
LikeLike
Many thanks for explaining this for me, it makes it much clearer for a linux novice like myself.
LikeLike
can this work when someone has the host configured and iptabled to only communicate through an openvpn connection, and wishes the sandboxed application to only communicate through that very same openvpn connection?
LikeLike
When you start the sandbox, if you don’t use any networking features, the sandbox will not modify the network. So, if you have a vpn setup, when you run “firejail firefox” the traffic will still go through vpn.
LikeLike
Hi, I just wanted to say hi, I found about firejail on distrowatch weekly, and I *really* want to thank you for the great security work you’re doing, I’m amazed at how firefox sandboxing works effortlessly…
Sent from Linux Mint 17.2 MATE x64
Linux kenny 4.2.0-30-generic #36~14.04.1-Ubuntu SMP Fri Feb 26 18:49:23 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
LikeLike
You’re welcome!
LikeLike
For the past 15 years, I have been scared when running web browsers. Firejail has made everyday life so much more secure. Amazing! Thanks!
LikeLike
You’re welcome!
LikeLike
An amnesiac Tor Browser:
# Firejail profile for Tor Browser Bundle
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
tracelog
noroot
private
private-tmp
LikeLike
Hi!
I wanted to ask if it’s possible to create both firefox and openvpn sandboxes, which will result in something like virtual network among them:
1. The only network that firefox sees is vpn and
2. No other apps sees vpn network.
I guess that could be handled with --net option but I need guidance.
Thanks for your ingenious work!
LikeLike
OpenVPN support as you describe it is still under development. It will come in a future version.
LikeLike
Thanks, I’ll be waiting for this.
LikeLike
Awesome write up 😉 as I was very excited when I stumbled upon firejail 🙂 and to come across your post was icing to the fox. Thank You.
LikeLike
Hi,
I need your help
Here are the steps I did:
> I launch iceweasel with this command “firejail iceweasel”
> I surf the web and add a torrent link: Iceweasel automatically launches transmission-gtk
The problem is that iceweasel doesn’t know the main directory of transmission-gtk and restarts it as if it didn’t know the existing transmission profile
> Is it possible for iceweasel to launch a known configuration of transmission-gtk in the sandbox?
Thanks
Laurent.
LikeLike
Copy /etc/firejail/iceweasel.profile in ~/.config/firejail directory:
Edit the file:
Important: make sure transmission-gtk is configured to store the downloads in ~/Downloads directory, otherwise you’ll lose them when you close the browser. ~/Downloads and the configuration directories are the only persistent directories, everything else is built in a temporary filesystem. You’ll find the transmission setting in Edit/Preferences menu.
LikeLike
Hi netblue
Sorry for my delayed response. I just had a look today at your reply and it works fine! Thank you. You did a great job with firejail. Now I can firejail iceweasel and launch Transmission in it with the existing transmission profile.
I am a fan user of your solution
Laurent :):)
LikeLike
“~/Downloads and the configuration directories are the only persistent directories, everything else is built in a temporary filesystem.”
What do you mean by “configuration directories”? I thought ${HOME} and all its subdirectories (except blacklist in “disable-common.inc” and “disable-programs.inc”) are persistent. I can make a new directory and file in ${HOME} (“firejail mkdir ~/newDir” and “firejail touch ~/newFile”). My OS is Linux Mint 17.3. Is it a bug or is it supposed to work like that?
LikeLike
Each program uses a different security profile. For firefox it uses /etc/firejail/firefox.profile, and for mkdir and touch it uses /etc/firejail/default.profile. You can open these files in a text editor and take a look.
LikeLike
First, thank you very much for Firejail…It seems easy for someone new to Linux.
I want to use Midori and Qupzilla browsers except from what I understand, these webkit browsers aren’t updated in Debian stable and because of that are not secure. But, with Firejail maybe they are. I want to open them up to Flash and then when I close them down, have potentially damaging changes wiped out. So, it would be the not-up-to-date Midori version in Debian stable, through Firejail. $ firejail Midori Is that safe for browsing?
LikeLike
Firejail will make your Midori security better, however, there are some very good reasons Debian people removed Midori from their repository. I would use strictly what Debian supports.
LikeLike
Hi. I am new to Firejail and am attempting to get ‘firejail firefox’ working. My issues seem to be similar to these:
https://github.com/netblue30/firejail/issues/287
I have things like ~/.cache , ~/.adobe , ~/.macromedia as symbolic links all pointing to a sub-directory of /tmp (and /tmp itself is a symbolic link to /dev/shm)
The end of ‘firejail firefox’ is:
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 11015, child pid 11016
Error: invalid whitelist path /home/webuserr/Downloads
Error: cannot establish communication with the parent, exiting…
I have been testing with the bash environment given by ‘firejail’.
I can not access /tmp/cache (although it is owned by me.) However,
just before I run ‘firejail’, if I ‘cp -a /tmp/cache /tmp/cache2′, I have
read/write access to /tmp/cache2 in the default firejail bash environment.
Why don’t I have access to the original /tmp/cache ? (Ok, I see that
firejail changes the owner and group to 65534:65534, but not for
cache2.)
LikeLike
In the version you have, symbolic links pointing outside the directory are not supported. This is already fixed in the development version, so your setup with links going into /tmp/cache will work.
LikeLike
I just upgraded firejail from 0.9.28 to 0.9.38 (on Ubuntu) and the --private.keep option has disappeared. I had been using that to load a Firefox profile but not allow any permanent modifications:
firejail --private.keep=.mozilla/firefox/profiles.ini,.mozilla/firefox/jqxorhq3.empty firefox -no-remote -P empty
How can I do that now?
Thanks.
LikeLike
The feature was first renamed and later deprecated due to some problem. It will be brought back under the name --private-home in version 0.9.42. There is a work-around posted here: https://firejail.wordpress.com/support/frequently-asked-questions/#private-home
LikeLike
Wow, thanks for the quick answer! That works for me (with slight modifications).
LikeLike
I have two questions.
1. Can you please tell me about the license of Firejail? Is it GPLv3?
2. When other packages (like kernels) are updated, does firejail need to be updated also immediately? I mean does it need to be updated frequently or only when very very big changes are made?
LikeLike
The license is GPL v2. And yes, you should update it – all kind of fixes are going in, including security fixes.
LikeLike
If I choose to run Firefox from the .tar.bz2 file Mozilla provides, how to Firejail it?
$cd path_to_extracted_folder
$firejail ./x
(x is the name of the file/script that needs to be run)
Like this? Will the sandbox work properly?
Is it a must to Firejail something by typing
$firejail some_program
always from the home directory?
LikeLike
I would do:
LikeLike
I tried to use the private option typing “firejail private firefox” as shown on the first edition of the docs but when I “enter” I was connected to a PORNO site with all kind of kinky images. I never typed any web site address in the URL. I am very concerned since apparently this is a “security hole” perhaps in the new Firefox. Is a patch available to fix that?
I appreciate your answer A.S.A.P.
Thanks,
John A. Lastra
LikeLike
“firejail --private firefox” runs firefox with factory default configuration. You should probably contact Mozilla.
LikeLike
The firejail firefox exposes the dual boot partition as well as other disk drives on my computer. How do you blacklist those?
LikeLike
You just add a --blacklist=path_to_your_partition on the command line. For example, if you have your windows partition mounted on /mnt/wind, you would start Firejail like this:
$ firejail --blacklist=/mnt/wind firefox
LikeLike
Hello.
Thanks, this is a great project.
I would like to block my firefox so that it can only access a socks proxy (on 127.0.0.1, could be listening on another interface if better).
I tried different things with the --net option with no success so far. Is there any easy way to limit the jail network to a socks proxy running on lo interface, and forbid all other internet access?
Thanks
LikeLike
I plan to add support for this type of use case. For now, the only thing you can do is to try to start both the proxy and browser in the same sandbox.
LikeLike
Hello,
Is it possible to use firejail with icecat (similar to firefox) to prevent any access to the original home directory completely?
My idea is to try the following:
– have the icecat binary and profile in a compressed file (eg zip, tar.gz, etc)
– when “icecat” is run;
– decompress the profile and icecat binary to a ram disk;
– use firejail to run icecat out of the ram disk and not touch the original home.
To test this for now I tried copying icecat and the profile it uses to a ram disk. I then tried the following:
firejail --blacklist=/media/aaaaa/downloads --blacklist=/home/ --blacklist=/media/aaaaa/nfs --noroot --blacklist=/media/aaaaa/emulators --caps.drop=all --seccomp --caps --private --private=/media/ramdisk /media/ramdisk/icecat/icecat
But icecat doesn’t look in the new home directory (set with the --private= option). It looks like it is trying to look at the original home instead. Can I prevent this or am I doing something wrong?
thanks
ljones
LikeLike
Add --no-remote to the command line:
firejail --blacklist=/media/aaaaa/downloads --blacklist=/home/ --blacklist=/media/aaaaa/nfs --noroot --blacklist=/media/aaaaa/emulators --caps.drop=all --seccomp --caps --private --private=/media/ramdisk /media/ramdisk/icecat/icecat --no-remote
Without it, the browser will connect to an existing instance of the browser instead of starting a new one. Firefox allows only one browser to run at a time, but with --no-remote you force it to start a second one.
LikeLike
Hello,
First, I thank you for dedicating your precious time towards helping users like
myself improve our security posture in Ubuntu.
I have a few questions about firejailing firefox: Since firejail blocks access to
Sudo and the root account, will a malicious tab be prevented from infecting
firefox itself, so that if I were to close the tab and restart firefox, the
infection will not have persisted?
Also, can I improve my system’s security by opening firefox in separate,
firejailed processes according to the sites I wish to visit in them (using
firejail firefox -no-remote), so that I will have one process for banking,
another for email, and yet another process for untrusted sites?
Lastly, do you have any other suggestions whereby I may improve my
security with firejail?
Jordan
LikeLike
> will a malicious tab be prevented from infecting
firefox itself
It can infect only firefox configuration, firefox executable cannot be modified.
> so that I will have one process for banking,
another for email, and yet another process for untrusted sites?
You can have as many as you want, but I would keep it simple. At some point you’ll make a mistake and start browsing untrusted sites in your banking browser or the other way around.
LikeLike
What do you mean by:
“Both Mozilla Thunderbird and Firefox think ~/work is the user home directory. The configuration is preserved when the sandbox is closed”
?
Aren’t all settings changed in a sandbox via --private discarded? The man page says:
” Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed.”
LikeLike
If you use --private everything will be discarded, but without it your configuration is persistent.
Do like this: start firefox in a sandbox (“firejail firefox”), and in url field type “/home/username”. Firefox will give you the list of the files it finds in your home directory. In this case only ~/Downloads and ~/.mozilla are persistent, everything else will be discarded. The regular “firejail firefox” is a combination of private and persistent.
LikeLike
“By default, if a network namespace is requested, Firejail installs a network filter customized for regular Internet browsing. It is a regular iptable filter.”
Will it still use the iptable rules established by ufw that I’ve configured if I use “--net=eth0”, for example (i.e. will my firewall settings apply to the sandboxes as well using this setting out-of-the-box or do I have to change it)?
LikeLike
No, it is a different filter.
You can specify with --netfilter=filename a specific filter, so try to find ufw file (it should be somewhere in /etc) and pass it down to firejail.
LikeLike
One more noob question if you don’t mind:
Can you describe the purpose of the general filter? I see the exact filter itself in the man page, but unfortunately I don’t really understand ip tables. With ufw, my only rules are:
1. ufw default deny
2. ufw allow ssh
So I’m not sure if I should stick to the default filter provided by firejail or use my own. I’m guessing firejail’s default ip filter is much more strict than my rules and my rules are way too general so I should stick with firejail’s defaults for firefox? What filter should I use for other applications, such as for mail (mutt), and torrenting applications–also the default filter provided by firejail (which seems to be specifically for a web browser)?
LikeLike
The filter installed by firejail is a very general filter, tailored to desktop applications. I keep an updated listing of the filter in “man firejail” under --netfilter entry. The filter drops all incoming connections, including ssh, and also drops outgoing WebRTC connections.
Note: iptables filters are installed by firejail only if a --net option was requested. If you run your sandbox without --net, the application will use your ufw filter.
LikeLike
I’m running Firejail 0.9.38.10 and have been wondering about something. After starting Firefox I see the following related processes:
USER PID COMMAND
root 1819 /usr/bin/firejail /usr/bin/firefox
root 1820 /usr/bin/firejail /usr/bin/firefox
clewis 1824 /usr/lib/firefox/firefox
clewis 1880 /usr/lib/firefox/plugin-container
What concerns me are the two processes running as root. Is this correct? and can I be sure that Firefox is not running with root privileges on my machine?
LikeLike
root 1819 root 1820 are the sandbox processes. After the application was started, these processes just monitor the sandbox.
clewis 1824 and clewis 1880 are the application, Firefox in your case.
Firejail runs as root, however, the application always runs as a regular user.
LikeLike
hi guys
Example;
--net=eth0/eth1/eth/2
how to add multiple network interface to command
LikeLike
$ firejail --net=eth0 --net=eth1 --net=eth2 appname
LikeLike
Any offhand ideas why launching uget from a jailed copy of firefox with flashgot addon would cause it to not save the files in ~/Downloads and where it might be putting them? Do i need to add something to the whitelisted directories?
Nice Program 🙂
LikeLike
> Do i need to add something to the whitelisted directories?
Probably yes. Maybe flashgot addon has a specific directory where it saves the files. This directory needs to be whitelisted in firefox profile.
Look in /etc/firejail/firefox.profile file, and add a whitelist line for that directory, similar to the line for dwhelper (dwhelper is another download addon for firefox).
LikeLike
Got it. Thanks…
# for uget needs --whitelist=/tmp/flashgot.blahblahblah.default in
# launcher didn’t seem right to put it here
mkdir ~/.config/uGet
whitelist ~/.config/uGet
LikeLike
I installed firejail and being quite new to Linux (Mint 18.1) it took me a fair bit of digging to find out how to get sound out of VLC after the installation. Now I cannot get Transmission to work. When I hit a torrent download icon a new instance of Transmission is opened and it doesn’t work. Although I have done a lot of searching on this and other sites I seem to not have sufficient experience to understand what exactly people are talking about. What I need are a few lines of code to help me set up Transmission to work, if that is possible.
LikeLike
You would start the browser (“firejail firefox”), and in a different sandbox start transmission (“firejail transmission-gtk”). In the browser you go to your torrent page, grab with the mouse the magnet icon, and drop it in transmission window. That’s basically the easiest way.
If the site doesn’t have a magnet link, and instead has torrent files, save the torrent file in ~/Downloads directory, and open it transmission-gtk.
LikeLike
Hi, I have been using firejail for a while now and I really dig it. I have one question that has been bothering me though. Every time I want to run firejail I type into my terminal ” $ firejail firefox “, is there a way of making firejail the default so I don’t have to open the terminal everytime I want to launch the browser? It would be ideal that I just click the firefox icon on my desktop and it opens firejail firefox
LikeLike
You can use firecfg utility (man firecfg) distributed with firejail. It should solve the problem for most programs. Run it as “sudo firecfg”. What distro are you using?
LikeLike
I want to start my local application in firejail as a different new user. Plz tell how to do it. ty 🙂
LikeLike
You would need to have sudo access to switch the user:
$ sudo -u username firejail …
LikeLike
Thanks for developing firejail, I am convinced that this really improves security!
I have installed Xpra and latest firejail on my Debian Jessie. When starting firefox using “firejail --x11 --net=eth0 …” the basic functions are ok. Of course imwheel is deactivated and the mapping of the two thumb switches to PgUp/Dwn no longer works. The Swiss keyboard is correctly handled by evdev.
I do not have a xorg.conf and searching quite some time I could not find a solution.
Any hints?
LikeLike
I am sure this is a common problem and wonder why I do not get any hints how to solve it???
LikeLike
I still have no idea how imwheel is working. From what I read on Arch Linux wiki, imwheel is a demon monitoring and talking to the main X server, and your sandboxed program runs in a different X server. My guess is it will never work, unless you start a new instance of imwheel inside the sandbox so it can talk to the second X server – just a guess.
LikeLike
So you said “There are no complicated configuration” …… 😦
Sorry, still way too complicated. Don’t get me wrong, it is a great piece of software, but safe configuration is still pain in the… you know where. Easier than apparmor but still way too complicated.
I would love to see such software easy to run and configure, and working out of the box on every Linux distro, but it is too complicated for that 😦 I would love to see absolutely every option to be configurable by clicking and using wizards, maybe a bit lame, but that would make such software more usable and popular.
I want to make a decent profile for Dropbox client, to allow it do only what it really needs to do, but when I read the configuration description I start to feel headache, sorry 😦
It is working fine out of the box for most applications. The security profiles are quite good, and are getting better with each release.
What would you recommend for i2p router and Java applications.
I don’t think anybody tried i2p under Firejail. In my opinion it should work. Java applications are running fine.
Hi
Firstly, thank you. Firejail is great.
Secondly, however, I need a bit of help.
The Goal: examine and open the contents of an untrusted usb stick.
Means: I thought I could use firejail to run a --private instance of caja, un/mount and read/write the USB drive. However:
“(caja:8): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported”
My technical understanding is limited, but I guess I am right in thinking this is something that is too fundamental to the Ubuntu Mate 16.04LTS system to be changed (feasibly, anyway, by me).
Is there another way to do this with firejail?
You would need to go to the command line. Run “firejail” then “cd /media/usb” or wherever your system mounts your drive, and then run the regular ls and cut commands.
The reason you have problems with caja is because caja was already started when you logged in. The instance you are trying to start in the sandbox detects another caja instance in the system and tries to connect to it. The sandbox will prevent it – it would be a sandbox escape.
Another thing you can do is to install a second file manager such as pcmanfm (from LXDE desktop). It does the same thing as caja, but it will stay in the sandbox if this is the only pcmanfm running.
No, I’m sorry I haven’t made myself clear.
I want to insert the thumb drive, start a sandbox, and from within that sandbox mount and read/write the drive’s contents. I don’t want the rest of the system to be exposed to whatever is on there.
Incidentally, I tried the pcmanfm trick. I had wondered about that before, but unfortunately it did as I thought. Once mounted, the drive was visible in other parts of the system e.g. caja.
I confess I am struggling with some of the concepts firejail is built upon, so forgive these clumsy questions. I notice there are options to ‘nominate’ (my word; I’m tired) particular directories or /dev/, and the private seems to isolate temporary directories analogous to web browsers’ private modes. I guess what I am really after is similar to firejail --private firefox --no-remote. Is mounting a thumb drive so basal to the machine that it simply cannot be hidden from the rest of the system?
> I want to insert the thumb drive, start a sandbox, and from within that sandbox mount and read/write the drive’s contents.
The sandbox will prevent you from mounting or unmounting any drive. This is done by default. I’ll look to see if I can find a way around it, but this is exactly the kind of functionality the sandbox is supposed to deny. There have been in the past quite a number of kernel exploits based on mounting/unmounting.
I see. I’d heard about them, (I think – this is BADUSB, etc, yes?) and that’s exactly what I was looking to firejail to solve for me, initially.
(everything else is great, by the way – just need to learn it).
I’d welcome hearing what you find. From my first pass at understanding mounting, I think maybe what I’m asking for is for firejail to act as a VM.
Can firejail also limit resources available? ie to say 50% of cpu and memory?
Look at --rlimit-* command line options. Also, --cpu will allow you to use a specific number of cpu cores in the sandbox. If this is not enough, you’ll have to set up control groups and pass them to firejail with --cgroup.
Thanks
Could you please tell me how to change, and save the start page on Firefox using Firejail?
The regular way, firejail shouldn’t make any difference.
quasimoto@esmerelda:~$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 5435, child pid 5437
Blacklist violations are logged to syslog
Child process initialized in 70.15 ms
(firefox:5): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /run/user/1000/bus: Permission denied
(firefox:5): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Could not connect: Permission denied
(firefox:5): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /run/user/1000/bus: Permission denied
(firefox:5): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /run/user/1000/bus: Permission denied
(firefox:5): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /run/user/1000/bus: Permission denied
Does the forum have an idea of what this might affect, and how to fix the errors?
What distribution are you on, and what version of Firejail are you running? Do a “firejail --version”.
A firejailed Firefox should work fine without dbus present. Some people go as far as disabling it on purpose – it is viewed as a potential security problem.
“firejail firefox” renders the “Server Not Found”. Running firefox without firejail works.
What settings do I need to change? I ran `ifconfig -a` and it shows the wireless network I’m using. I tried running `firejail --net=mywirelessnet firefox`. This still does not work.
Found your fix here: https://github.com/netblue30/firejail/issues/1611issuecomment-338497309
And it works! Thanks netblue30!
BTW, I am on Lubuntu 17.10 for any future reference and I installed firejail through default apt-get repositories.
Oops. Correct link is:
https://github.com/netblue30/firejail/issues/1611#issuecomment-338497309
Currently, wireless device drivers are not supported by --net option.
Hi,
I changed midori.profile in order to access .html-files that reside in “/home/rosika/Dokumente/Lubuntu_Anleitungen/rheinwerk-Verlag”.
The normal midori.profile wouldn’t grant me any access to it when using the command “firejail --net=none midori”.
So I inserted “noblacklist ${HOME}/Dokumente/Lubuntu_Anleitungen/rheinwerk-Verlag” and “whitelist ${HOME}/Dokumente/Lubuntu_Anleitungen/rheinwerk-Verlag” in the profile.
Now it works as desired but there’s a message in the terminal which says:
“TESTING warning: noblacklist /home/rosika/Dokumente/Lubuntu_Anleitungen/rheinwerk-Verlag not matched by a proper blacklist command in disable*.inc
Blacklist violations are logged to syslog.”
As I said, it works fine but why is there a blacklist violation? I mean I changed my profile in order to avoid this.
Anyway here’s my complete profile for information:
———————————————–
# Firejail profile for midori
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/midori.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ${HOME}/.config/midori
noblacklist ${HOME}/.local/share/midori
# noblacklist ${HOME}/.local/share/webkit
# noblacklist ${HOME}/.local/share/webkitgtk
noblacklist ${HOME}/.pki
noblacklist ${HOME}/Dokumente/Lubuntu_Anleitungen/rheinwerk-Verlag
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
mkdir ${HOME}/.cache/midori
mkdir ${HOME}/.config/midori
mkdir ${HOME}/.local/share/midori
mkdir ${HOME}/.local/share/webkit
mkdir ${HOME}/.local/share/webkitgtk
mkdir ${HOME}/.pki
whitelist ${DOWNLOADS}
whitelist ${HOME}/.cache/gnome-mplayer/plugin
whitelist ${HOME}/.cache/midori
whitelist ${HOME}/.config/gnome-mplayer
whitelist ${HOME}/.config/midori
whitelist ${HOME}/.lastpass
whitelist ${HOME}/.local/share/midori
whitelist ${HOME}/.local/share/webkit
whitelist ${HOME}/.local/share/webkitgtk
whitelist ${HOME}/.pki
whitelist ${HOME}/Dokumente/Lubuntu_Anleitungen/rheinwerk-Verlag
include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
nodvd
nonewprivs
# noroot – problems on Ubuntu 14.04
notv
protocol unix,inet,inet6,netlink
seccomp
tracelog
disable-mnt
——————————————————————-
Thanks in advance.
Greetings.
Rosika
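The warning quoted in the comment above names a `noblacklist` line that no `blacklist` line in the included disable*.inc files corresponds to. As an added example (not part of the original comment and not Firejail's own code), this Python check lists such entries; the function names, the matching rule and the stand-in include contents are assumptions made for the illustration.

```python
import fnmatch

def directives(text, keyword):
    """Arguments of every '<keyword> <path>' line; '#' comment lines are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if line.startswith(keyword + " "):
            found.append(line[len(keyword):].strip())
    return found

def unmatched_noblacklist(profile_text, include_texts):
    """noblacklist entries that no blacklist line in the includes corresponds to.

    Assumed matching rule (a simplification): the two paths are equal, or one
    of them is a glob pattern that matches the other.
    """
    blacklisted = [b for text in include_texts for b in directives(text, "blacklist")]
    return [
        entry
        for entry in directives(profile_text, "noblacklist")
        if not any(
            fnmatch.fnmatchcase(entry, b) or fnmatch.fnmatchcase(b, entry)
            for b in blacklisted
        )
    ]

# noblacklist/whitelist lines copied from the midori profile in the comment above.
PROFILE = """\
noblacklist ${HOME}/.config/midori
noblacklist ${HOME}/.local/share/midori
# noblacklist ${HOME}/.local/share/webkit
noblacklist ${HOME}/.pki
noblacklist ${HOME}/Dokumente/Lubuntu_Anleitungen/rheinwerk-Verlag
whitelist ${HOME}/Dokumente/Lubuntu_Anleitungen/rheinwerk-Verlag
"""

# Constructed stand-in for the disable-*.inc files, not their real contents.
DISABLE_INC = """\
blacklist ${HOME}/.config/midori
blacklist ${HOME}/.local/share/*
blacklist ${HOME}/.pki
"""

if __name__ == "__main__":
    for path in unmatched_noblacklist(PROFILE, [DISABLE_INC]):
        print("no blacklist line to exempt:", path)
```

An entry reported here has nothing to exempt, which is what the wording of the warning describes; the separate "Blacklist violations are logged to syslog" line is printed on other runs shown on this page as well.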
Can firejail block spectre and meltdown?
The next version will have full support. The fix is in gcc compiler, so it depends on how new your distribution is.
Thanks. I run mint 18.3 (ubuntu 16.04) right now, but mint 19 is coming out soon.
Hi, complete 100% noob here so please don’t flame. Whenever I run any browser through firejail, i.e. firejail firefox or firejail chromium-browser, it always says in the title bar that it’s running as “super user”. Is this something I should be concerned about? I definitely don’t want any browser to run as root.
It is believed to be a bug in your window manager/desktop environment. We used to get it a long time ago, it was fixed in newer versions of Linux distributions. Check this out: https://firejail.wordpress.com/support/#as-superuser
Using Ubuntu 18.04. Firefox 60.0 (64-bit). When I do
firejail firefox
no pages are loading. Chromium works fine.
Any ideas ?
We have just released a possible fix. Please install Firejail version 0.9.54~rc2 from our Download page.
Will this fix reach the Ubuntu repos anytime soon ?
Somebody will need to log a bug on Ubuntu site. Usually they don’t go to a new version of the software. In this case they might allow us to apply a patch to 0.9.52.
We started to track fixes for 0.9.52 here: https://github.com/netblue30/firejail/tree/master/etc-fixes/0.9.52
Hi,
same problem with firefox with me. Doesn’t work at all within firejail.
I installed 0.9.54~rc2, but it doesn’t help.
I get the following syslog-message:
——————————————————————————————————————————–
May 13 13:54:53 rosika-Lenovo-H520e kernel: [ 1466.661692] Web Content[6325]: segfault at 0 ip 00007fceb90a5f07 sp 00007ffd4a964c90 error 6 in libmozsandbox.so[7fceb9098000+1f000]
——————————————————————————————————————————-
Perhaps this helps for error-search?????
Greetings.
Rosika
Latest version of Firefox 60+ with Firejail now does not work. No internet access, child process also fails to shut down. Previous last couple of Firefox version updates were fine.
Greetings and thanks for your work.
I have the same problem as friend Bob. (Latest version of Firefox 60+ with Firejail now does not work. No internet access, child process also fails to shut down. Previous last couple of Firefox version updates were fine.)
Please greatly try to help us. I want to know if it’s my error or Mozilla’s friends try to sabotage our security. I sent an email the same day when I got the update but until today they did not respond. If there is any innovation from Mozilla I will change with another browser.
Thank you in advance. Be healthy.
We put a fix in 2 days ago. Go to Downloads page and install Firejail version 0.9.54~rc2. The final release will go out this week.
Finally got around to installing 0.9.54 and configured it as per your instructions with Linux Mint 18.3, all works AOK. Pulseaudio works with no conflict, Firefox works, have firejailed some other apps, no conflicts or bugs so far. Thanks for all your good work.
I am on mint 19 but there is no update from 9.52 to 9.54. I switched to arch linux and it has 9.54 so issue solved.
Hi again,
some other programmes won’t start at all with 0.9.54~rc2, like gedit.
Thunderbird does start but with a long message in terminal:
————————————————————-
firejail thunderbird
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 4227, child pid 4228
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Warning fseccomp: syscall “bpf” not available on this platform
Warning fseccomp: syscall “kcmp” not available on this platform
Warning fseccomp: syscall “ni_syscall” not available on this platform
Warning fseccomp: syscall “umount” not available on this platform
Warning fseccomp: syscall “userfaultfd” not available on this platform
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,vhangup,vmsplice,
Child process initialized in 170.94 ms
(thunderbird:11): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are “tcp” and on UNIX “unix”)
[calBackendLoader] Using Thunderbird’s builtin libical backend
JavaScript warning: resource://bamboomodule/data/feed.js, line 318: unreachable code after return statement
JavaScript warning: resource://bamboomodule/data/searchfeed.js, line 96: unreachable code after return statement
(thunderbird:11): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are “tcp” and on UNIX “unix”)
(thunderbird:11): LIBDBUSMENU-GLIB-WARNING **: Unable to get session bus: Unbekannter oder nicht unterstützter Transport »DBUS_SESSION_BUS_ADDRESS=unix« für Adresse »DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus«
JavaScript error: chrome://global/content/bindings/tree.xml, line 1257: TypeError: this.parentNode is null
(thunderbird:11): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Could not parse server address: Unknown address type (examples of valid types are “tcp” and on UNIX “unix”)
JavaScript error: chrome://messenger/content/mailWidgets.xml, line 2726: TypeError: this._parentMenupopup is null
JavaScript error: chrome://messenger/content/mailWidgets.xml, line 2731: TypeError: this._parentMenupopup is null
Parent is shutting down, bye…
Don’t worry about D-Bus. We disable it by default for browsers, mail clients, torrents and some other networked programs. D-Bus is a security headache. Without it the application should work fine. It only impacts the configuration related to the desktop.
For Gedit: in a text editor open /etc/firejail/gedit.profile file:
sudo /usr/bin/gedit /etc/firejail/gedit.profile
(if you start it this way it will bypass the sandbox and gedit will work).
In the profile file comment out private-lib line (add a ‘#’ in front of the line). I’ll put a real fix in release 0.9.54 going out this week. Also, let me know what other programs are creating problems.
Hi,
thanks a lot for your reply.
I’ll try firejail (0.9.54). Of course I’ll let you know if I detect any other programmes which cause problems. Up until now I haven’t encountered any problems other than already described.
Greetings.
Rosika