It would be a great feature if there was a build option to specify which dir it uses instead of the default “/run/firejail”. Trying to use it on systems which have a read only / dir does not work.
First of all congratulations on your excellent work!
I’m trying sandboxes for the very first time so I know close to nothing about it. I just tried to run Kodi Media Center in Firejail but it just won’t start. I ran the command in terminal:
firestart kodi
Also tried with the private prefix but still no luck.
Is there a way to run Kodi on Firejail?
Let me know if you need details/info/logs but for what it looks like, it’s not a matter of config but rather not being able to run at all. Tried both the 38 and 44 versions of Firejail, my OS is a Linux distro based on Ubuntu 16.04.1.
Thank you very much in advance. Keep up with the good work!
** Note: you can use --noprofile to disable generic.profile **
Parent pid 15563, child pid 15564
Child process initialized
/bin/bash: --noprofile: command not found
parent is shutting down, bye…
If you can make Kodi fully working on Firejail and spread the word I believe many will get Firejail just based on that. Kodi is becoming more and more popular every day and since it uses online connections from various sources, it’s a security hazard for the system.
Once again thank you very much and keep up with the good work!
Hi. I’m trying to restrict Irssi to be only able to connect to localhost and deny all connections to LAN or the internet (to stop ip leaks). I’ve looked through the firejail man page and I haven’t found anything relating to the restriction of networks, other than net, which only allows networking altogether or disables it. Is there a way to do this that I haven’t thought of?
--net creates a new network namespace. From this namespace you cannot connect to the local host – it basically creates a different local host. I’m afraid it cannot be done.
Kodi (XBMC) is Microsoft seed in concept even if they went open source. Stick to Kodi boxes controlled by manufacturer or MITM. It is the same as taken on the big news propaganda. Blue does not have the resources to fight these guys. Don’t waste his resources!
Shouldn’t the profile for KODI be more restrictive? I think for people who use KODI to play internet streams (like sports live events and such) it shouldn’t have any “read” access to files on the home partition. Maybe a whitelist kinda thing. Any thoughts?
I’ll add KODI support in the next release. It will probably be a simple blacklist-based profile. Once the release is out, we’ll figure out some whitelisting for it.
Out of curiosity, if Kodi was being used with Firejail, would Firejail protect it from getting hacked in that subtitle bug which was called “hacked in translation”?
Hello, I run 8 Steams in firejail. All work correctly; I run Counter-Strike: Global Offensive and it works. If I run more than 5 csgo clients (5 clients work perfectly), more can’t start... for a few seconds I see the CS:GO window, and then it closes. In the console I don’t see any errors. The Steam clients work correctly. Does somebody know how to fix this?
I’m running it with the command
firejail --private=nameofbox steam
System is Ubuntu 16.04, installed latest nvidia drivers (I tried with old versions too), firejail latest version, specs of pc: i7 6700hq, 32gb ram, gtx960m 4gb gddr5
Hello! I want to prevent all apps on my machine from keylogging Firefox so I can be safe. Is this possible with Firejail? I want to be safe from malware that may run without me noticing.
It will stop malicious code you might pick up while running Firefox, so a keylogger will not be able to escape the sandbox. However, it will not stop keyloggers running outside the sandbox.
I’m using 0.9.44.8 on Ubuntu 16.10. I have a problem where some applications aren’t remembering settings. Cherrytree forgets that I enlarged the UI because I have a high dpi screen and also doesn’t open the last used file like it used to (with an older version of firejail). Transmission forgets that I set it to always use encryption instead of the default of “prefer encryption”. I’ve made sure that the profiles allow those specific applications to read the relevant .config/ files and have double checked, e.g., that transmission’s settings.json has the desired encryption setting. It seems these applications are starting up using default settings for some reason?
Thanks. It turns out I left an old cherrytree profile in ~/.config/firejail/
As for Transmission, those issues are caused by it being launched within the firefox sandbox. I tried whitelisting Transmission’s configuration file in the firefox profile but that didn’t seem to work so I’m just pasting any magnet links into Transmission manually until I work out the correct firefox profile changes.
I also use magnet links for transmission. The idea is to have the browser and the bittorrent client, each one of them sandboxed independently as strongly as possible.
I just stumbled over this promising little program of yours. What I do not understand is the difference to SElinux, AppArmor and other MAC systems. I never used any of these, but recently they found ransomware even for Linux. That’s why I was thinking of chroot or a MAC system like yours.
I really appreciate your efforts on this highly important subject.
Firstly, great application. Using firejail_0.9.44.8_1_amd64.deb and Palemoon 27.1.2. However I have one issue when using Pale Moon on Linux Mint-Mate 18.1 with the default configuration. In the title bar it states that I am running as a super user and obviously this is not something to advise. If I look at the hierarchy it looks as if I am running as a user. I do not have this issue in Firefox.
Terminal states:
shawn@HPLaptop ~ $ firejail --tree palemoon
6199:shawn:/usr/bin/firejail /usr/bin/palemoon
6202:shawn:/usr/bin/firejail /usr/bin/palemoon
6209:shawn:/usr/bin/palemoon
I took screen print of browser, but do not know how to attach.
It’s fine, some window managers have this problem. The best way to check is to run “ps aux | grep palemoon” in a new terminal. It will tell you palemoon runs as a regular user (shawn). It is a window manager bug.
Can you please elaborate if there is a recommended way to make sure that a specific application (like Firefox) is only started via Firejail when starting (a) from the shell (without the need to specify “firejail” explicitly) and (b) from the desktop environment of choice (xfce, Gnome, KDE, …)?
I can imagine multiple ways but did not start to evaluate them: shell-alias, correctly placed desktop-file which overrides the default ones, modifying the application menu entry (xfce, Gnome, KDE, …) with a modified one, …
Whatever works for you. We have a tool in firejail package that will make a symbolic link from /usr/local/bin/firefox to firejail executable. As a result, when you run “firefox” in a bash terminal it will actually run “firejail firefox”. In some cases, the same trick seems to be taking care of applications started from desktop manager menu. To set the links run “sudo firecfg” (also see “man firecfg”).
Desktop files also work, but when you update firefox, the desktop file will be overwritten.
Another way to do it is to set icons on your desktop.
I just now tried firejail with firefox:
$ firejail firefox
and it is working nicely. However, a thing that greatly disturbs me is the fact that the title bar of firefox now says that it is running as root. Do you know anything about that?
Thanks so much for this great addition to the linux ecosystem. I’m running Ubuntu and trying to use firejail with Wire (https://wire.com) but get an error that says:
Hello everyone, hey netblue,
I need help with running multiple instances of steam using firejail.
Another user already asked for this but he got another problem.
I can perfectly run a single instance of steam+game using firejail steam, but even if I use --private=steam1 steam or something it logs in but the game (in this case csgo) won’t run because it detects that it is already running.
Also I don’t want to have the game stored in another folder for each instance, just 1 game folder but different instances of steam and csgo.
If this is possible with firejail I’d love to get some help I think it might be useful for a lot of people.
“firefox --new-instance” can be used to open a new firefox in a separate sandbox. I often run multiple instances in parallel using that. Without --new-instance firefox opens in a new tab or new window of some existing sandboxed and running firefox.
“Firejail steam” works completely fine, but how can I start it again in a new sandbox not accessing the current sandbox. My goal is to run multiple instances of steam and also of the source game csgo. But I can’t even run steam correctly.
I see that Firejail works manually, say by typing: firejail /etc/init.d/lighttpd start
But how can you bake it into an init script so that it starts automatically at boot? I have no idea what I’m doing, but here’s what I tried. First, I just replaced “exec /usr/sbin/lighttpd” with “exec /usr/bin/firejail /usr/sbin/lighttpd”, which failed spectacularly. Well, not spectacularly. But it did fail to background properly, and no amount of ampersanding would help.
So next I made a quick Bash script (firejail /usr/sbin/lighttpd $@ &) and used the path to that for the exec line in the init script. That worked great to start the server. But it doesn’t work to stop it or restart it. I clearly have no idea what I’m doing.
Hello,
I am a relative newcomer on Linux (moving from a dozen years on macintoshes), and I landed here searching, initially, for an app that would control outgoing accesses to the internet on a per-application basis, like ‘Little Snitch’ does on OSX.
I now am very interested in Firejail, and will certainly install it on our two machines over the week-end (laptops from the German Tuxedo that come preconfigured with Ubuntu Mate 16.04).
But because of my sensitivity to outgoing network accesses, and seeing there already is a generic network control in Firejail, I’d like to know
– if there are intentions to develop this particular area (e. g. learn modes à la Little Snitch which for instance will trigger a window the first time an app tries to connect to url xx, allowing to deny or allow, this time or forever, just this url/this domain/any address)
– if otherwise Firejail would be compatible with other such network control apps. In this area any advice would be extremely welcome!
Thank you very much, and congratulations for Firejail as it is already!
Hervé
On Ubuntu 16.04.2 LTS, firefox crashes immediately using my launcher icon (with: firejail --private-home=.mozilla firefox %u). The Mozilla crash dialogue opens, and offers to close or restart firefox. If I choose restart, it runs fine, and according to the commands (firejail --private-home=.mozilla firefox %u), but never on first try, only when it crashes and is restarted from the Mozilla crash dialogue window.
Worked without problems prior to updating from 0.9.44.
I can live with it, but perhaps there is a simple fix for this irritation? (using firejail 0.9.46)
Minor typo found in Firejail Configuration Wizard Step 1:
“Choose an application form the menus below” should be
“Choose an application from the menus below” (change form to from)
Hallo if I try to run firefox in the sandbox, it crashes, followed by the Mozilla Crash Reporter. If I press the “restart” button on the crash reporter it works fine.
This only happens if run via firejail. I use latest arch with latest ff.
Hi again, I saw this and thought I could add that making the changes you specified did not fix the problem. I have exactly the same behaviour.
The output from “firejail firefox” in my case (assuming it helps somehow):
p:~$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 854, child pid 855
Blacklist violations are logged to syslog
Child process initialized in 76.19 ms
[7] ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 3 requests ago: file /build/firefox-IKSm1A/firefox-53.0.3+build1/toolkit/xre/nsX11ErrorHandler.cpp, line 147
[7] ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 3 requests ago: file /build/firefox-IKSm1A/firefox-53.0.3+build1/toolkit/xre/nsX11ErrorHandler.cpp, line 147
ExceptionHandler::GenerateDump cloned child 58
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal…
…to this point, all that has happened is the mozilla crash window opening. If I press “restart firefox” here is the rest of the output (firefox now running):
(crashreporter:63): IBUS-WARNING **: Unable to connect to ibus: Timeout was reached
(crashreporter:59): Gdk-WARNING **: crashreporter: Fatal IO error 11 (Resource temporarily unavailable) on X server :0
Hello,
is it possible to start Tor Browser by Firetools? I tried with Version 0.9.46 browsing file system and choosing “start-tor-browser.desktop”, but this didn’t work. Is there a simple way to implement Tor Browser in Firejail and can it be done by Firetools?
Thanks for reply.
In a terminal, go into tor-browser_en-US directory and start it like this:
$ cd tor-browser_en-US/
$ firejail ./start-tor-browser.desktop
Reading profile /etc/firejail/start-tor-browser.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 3937, child pid 3938
Blacklist violations are logged to syslog
Child process initialized in 104.55 ms
Launching './Browser/start-tor-browser --detach'...
[...]
Firejail will recognize it and pick up /etc/firejail/start-tor-browser.profile file for security settings. You can play around with this file and customize it. Firetools launcher will not recognize it by default (there is no way to tell where the browser is installed), but you can right-click on an empty spot in the launcher and edit the program in.
When you start the server as a regular user, the kernel will not allow it bind to port 80. It doesn’t matter if you are in a sandbox or not, the kernel does its own checking.
What you need to do is to start the sandbox as root (seccomp and everything else still applies), inside the sandbox start the server also as root, and in the server code drop privileges and become a regular user after binding to port 80.
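Added example (not Firejail's own code and not from the post above) of the bind-then-drop pattern the answer describes, written in Python rather than the server's own language: the listener is bound while the process is still root, then the process switches permanently to an unprivileged account before serving anything. The account name `www-data` is an assumption; use the service account your server is meant to run as.

```python
"""Bind a privileged port as root, then drop root privileges for good.

Added example for the sandbox-as-root answer above (not Firejail code):
'sudo firejail python3 server.py' starts the sandbox as root, the server
binds port 80 while still root, then drops to an unprivileged uid/gid.
"""
import os
import pwd
import socket


def bind_port(port, host="0.0.0.0", backlog=16):
    """Create a listening TCP socket. Binding a port below 1024 needs root
    (or CAP_NET_BIND_SERVICE), so this must run *before* dropping."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def drop_privileges(uid, gid):
    """Switch permanently to uid/gid.

    Order matters: supplementary groups first (only root may change them),
    then the gid, then the uid last, because once the uid is no longer 0
    the process can no longer change its groups. Returns (uid, gid) as
    seen after the switch."""
    if os.geteuid() == 0:
        # Clear supplementary groups inherited from root.
        os.setgroups([])
    os.setgid(gid)   # setgid() before setuid(): a plain user cannot setgid() later
    os.setuid(uid)   # real, effective and saved uid all change: no way back
    return os.getuid(), os.getgid()


def privileges_dropped():
    """True when the process can no longer regain root. The check is to try
    setuid(0) again: after a real drop the kernel refuses with EPERM."""
    if os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def current_ids():
    """(uid, gid) of the running process; used to verify drop_privileges()."""
    return os.getuid(), os.getgid()


def running_as_root():
    return os.geteuid() == 0


def start_server(port, user):
    """Bind first (as root), then drop to `user`; refuse to serve as root."""
    sock = bind_port(port)
    pw = pwd.getpwnam(user)
    drop_privileges(pw.pw_uid, pw.pw_gid)
    if not privileges_dropped():
        sock.close()
        raise RuntimeError("privilege drop failed; refusing to serve as root")
    return sock


if __name__ == "__main__":
    # 'www-data' is an assumed service account; port 80 is the privileged
    # port from the answer. Run as root inside the sandbox for this to work.
    listener = start_server(80, "www-data")
    print("listening on", listener.getsockname(), "as uid", os.getuid())
```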
…runs on any Linux computer with a 3.x kernel version or newer. A lot of 2.6.32 kernels are still out there, does firejail not fully support 2.6 kernels?
Q: As of today, 2017-07-18, for the now-current Xubuntu 16.04.2 LTS release, the firejail version 0.9.38.10 appears to be available from the main ubuntu repository, while 0.9.48 seems to be the latest current firejail program version.
If I would like to keep using an older program version 0.9.38.10 on my system, is it safe to use the newest default app profile files, included with the latest program version 0.9.48?
Will these newer profiles be fully understandable by the older firejail 0.9.38.10? If not: what do I need to avoid when editing them manually? Is there any way to check if my older version of the program fully understands any particular app profile file?
Many thanks for all the work on the firejail software!
Just found an answer to one of my questions:
– Is there any way to check if my older version of the program fully understands any particular app profile file?
I guess this should work too:
in a terminal run a simple sandbox with your profile:
$ firejail --profile=path_to_your_profile_file
It will complain if it finds a problem with the profile file.
Thank you for this excellent tool.
I’d like to mention the following issue: using the firejail command a user/process can execute files without having the necessary access rights to do so.
A test using firejail 0.9.48:
user@debian:~$ ls -l /usr/bin/mousepad
-rwx------ 1 root root 223256 mei 22 2013 /usr/bin/mousepad
user@debian:~$ firejail /usr/bin/mousepad
Reading profile /etc/firejail/mousepad.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 18801, child pid 18802
Blacklist violations are logged to syslog
Child process initialized in 41.23 ms
… and the mousepad window opens
One could see this as an advantage because, setting these access rights, the user can’t mistakenly execute the given program without using the firejail sandbox. Nevertheless it leaves an uncomfortable feeling knowing I (or a script I execute) could execute a file even if I removed my access rights to it.
This is definitely a bug, thank you for reporting it. I put a fix in git, it will go live in the next release sometime in August. Any other problems, just let me know!
Hello, I just installed the latest 0.9.48-1 on Linux Mint 18.1 Cinnamon, and was impressed with the extra security measures, but unfortunately have had to remove it as it blocked dropbox. My dropbox folder was still there, but the dropbox installer immediately started up, but then reported it could not install, querying if there was no internet etc. There was no panel icon for dropbox and no way to transfer between ipad/pc. I’d love to use firejail again, and thank you for developing it. A poster on the LM forum kindly advised I post here and that it could be a profile issue, so if I may ask further. Thank you for your time.
Just to update further, what has just provided a fix was replacing the dropbox.profile with one that a poster on the Linux Mint forum kindly uploaded. At no stage would any terminal commands work regarding trying to copy that over, or alter settings in the dropbox.profile, and Xed is opening windows separately, both before and after the issue fixing. After overwriting dropbox.profile, running --version showed all firejail functions running except AppArmor, and --tree showed it working with both dropbox and opera. Hope this is helpful.
I’m on ubuntu and installed through their package management (firetools 0.9.44-1) and manually created an entry for a program which is installed inside my $HOME.
Because no icon is created inside firetools: how do I manually add an icon for that entry?
You need to put an icon file (png, jpg or svg) with the same name as your application in ~/.config/firetools. For example, if you create an entry with the name “app22”, you then add a app22.png file in ~/.config/firetools.
Sorry, I had this under ‘Documentation’ but moved it to Support -hope that’s okay.
I’m using PCLOS KDE5. Firejail came with several apps already firejailed and I totally loved that. Now I’d like to firejail seamonkey and trying to do so in the terminal brings:
[xxx@localhost ~]$ firejail seamonkey
Reading profile /etc/firejail/seamonkey.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 14600, child pid 14601
Blacklist violations are logged to syslog
Child process initialized in 26.07 ms
/bin/bash: seamonkey: command not found
Parent is shutting down, bye…
[xxx@localhost ~]$
I tried the configuration wizard - couldn’t figure out how - everything in the sandbox seems to be in /usr/bin but seamonkey is in /usr/lib64/seamonkey/seamonkey %u
I’ll stop now as I don’t know the devil what I’m saying - hope someone can shed some light on how to get seamonkey in the sandbox. thx
I should have added that I firejailed it the easy ‘old-fashion?’ way instead:
firejail /usr/lib64/seamonkey/seamonkey %u
It worked but I’d love to see it in Firelauncher.
> The setup is fast, typically several milliseconds.
I just installed FireJail 0.9.48 and XPRA 2.0.3 on a new Debian Stretch system. Even when everything is cached in memory, I’m finding it takes a full 5 seconds to launch an instance of FireFox-ESR (--x11=xpra --net=br0). Is there any way to “instrument” the setup process so that I can see what the time consuming pieces are (and how I might improve them) ? By way of comparison, I can launch a VirtualBox snapshot to a FireFox browser in less than 3 seconds … Thanks !
Is it possible that a firefox add-on will require changes to the default firejail profile of firefox? (I do not fully know what add-ons are capable of) In other words, is the firejail profile of firefox written without add-ons in mind? Are some good add-ons like HTTPS Everywhere, uBlock origin OK to be used with firejail?
1. Is multiprocess firefox OK with firejail?
2. If I use firefox and ufw (uncomplicated firewall) on Ubuntu, and then use --net=eth0 in the firejail command line, can ufw be bypassed if there is a chance? (I am a newbie, sorry if it is stupid 😦 ) If ufw can be bypassed then how to fix it?
1. It should be fine, we’ve seen it running on several distros. If you run into problems, please let us know.
2. ufw doesn’t have support for network namespaces. Whenever we start a new network namespace, we also install a new network filter. You’ll find the filter documented in “man firejail” in the --netfilter section. It is a very restrictive filter, basically it doesn’t allow any incoming connections. You can also customize this filter and replace it with your own.
--private-home shows a home folder with a small number of files & folders inside the firejail & all changes made to home are temporary. But what about changes made to any place outside of home (if possible)? Any change made to any place (including outside of home) is temporary, right? If not, then how to do this?
Thanks for making firejail!
“With few exceptions such as /tmp, /var/tmp, /media, /mnt, the rest of the system is mounted read-only, not even root can modify them.”
Does it mean that directories not mounted read-only are mounted as read-write and the changes will persist? Or the changes will vanish after the sandbox is closed? Just trying to get rid of my confusion
Yes. Some directories will be mounted read-write. You can also create a top level directory, change the ownership to your regular user and use it to store files visible in all sandboxes:
If
$ firejail --overlay-tmpfs --private-home=/path/to/dir firefox
is used instead of
$ firejail --private-home=/path/to/dir firefox
then read-write directories because of --private-home will not store their changes, am I right?
If I want to store the changes, I can use
$ firejail --overlay-named=name --private-home=/path/to/dir firefox
Is this OK?
--private-home is not supported in overlay, there will be full access to your real home directory. You will get a warning like this when you start the sandbox:
Warning: private-home= feature is disabled in overlay
However, because of the overlay, all the changes will go in overlay and not in your real home directory.
“firejail --overlay-named=name --private-home=/path/to/dir” should store the changes. For the home directory the changes
Is --private-home as secure as --private where the only difference is that when --private-home is used the home folder’s contents and location are different?
> Is --private-home as secure as --private where the only difference is that when --private-home is used the home folder’s contents and location are different?
If you run --private=directory, directory becomes your new home and any changes are preserved when you exit the sandbox.
If you run --private-home=list-of-files, a new home directory is built out of the files and directories you’ve listed. Changes to these files are not preserved when you exit the sandbox.
I think --private-home will not store changes made to the real home and to the path specified as the value of --private-home (according to the man page), correct?
How to use firejail with firefox-*.tar.bz2? After extracting if I do this
$ firejail --private ./firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 7906, child pid 7907
Warning fseccomp: --protocol not supported on this platform
Blacklist violations are logged to syslog
Child process initialized in 55.81 ms
Error: no suitable ./firefox executable found
Parent is shutting down, bye…
What is the proper method?
How come you don’t have seccomp in your kernel? What distribution are you using? The sandbox will work without seccomp, but it would be nice to have.
> firejail --private ./firefox
This will not work. --private will replace your home directory with an empty, temporary filesystem and firefox will disappear inside the sandbox.
One way to do it is to unpack firefox-*.tar.bz2 in /opt directory. This way, when you say –private, firefox will not disappear. /opt directory was specially built for installing additional software.
Is it OK to extract the files in home first and then “sudo cp -r” them to /opt ?
Any problem with file permissions, ownership etc. (because it was extracted by a non root user and then copied using sudo to be used by a non root user) ?
And “Warning fseccomp: --protocol not supported on this platform” maybe means that it was on an i386 32 bit pc, do I need to manually enable it on amd64 or will it be auto enabled on an amd64 64 bit pc?
If a sandboxed program tries to do something that is blocked, I think there should be a visual alert instead of just logging it (for all types of breakout attempts).
Think like this:
I open a sandboxed firefox and then decide to bank related stuff. First I decide to stay on the bank’s website for a while. While doing that, firefox gets attacked from outside somehow.
Now if I get a visual alert that something bad is trying to happen, I can decide if I want to take the risk of entering my private information on the bank’s login page. The other option is to close the sandbox and find out what is happening.
But if the breakout attempt is only logged, I will not know that something bad was out there and it will be a great risk to enter my personal details. I will not know that because I will be looking at firefox. Producing warning text on terminal will also fail.
So every blocked event should produce a visual alert when there is a breakout attempt.
Also if a complete error report is created, I can just post it here or on github. 🙂
You are right, we need some sort of visual alert on the desktop, maybe using the current notification system already implemented by all desktop managers. I’ll look into it.
Just a GUI pop up will be fine
Also you will be sure that a program is running perfectly inside firejail if it is not trying to do anything weird (instead of just checking that you got your job done to make sure that the program is running perfectly)
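An added example, not part of the thread or of Firejail, of what such alerting could look like as a defender's script: it parses the syslog entries that the "Blacklist violations are logged to syslog" line refers to, groups them per sandbox so a burst of attempts becomes one alert, and raises a desktop notification with notify-send. The message layout in `VIOLATION_RE` and the sample log lines are assumptions and constructed data; adjust the regex to what your own syslog shows.

```python
"""Turn Firejail's syslog 'blacklist violation' entries into desktop alerts.

Added example for the visual-alert discussion above; not Firejail code.
The message layout matched below is an assumption about what the tracelog
library writes to syslog, and SAMPLE_LOG is constructed, not captured.
"""
import re
import subprocess
import sys
from collections import Counter

# Assumed layout of one violation entry (adjust to your syslog if it differs).
VIOLATION_RE = re.compile(
    r"blacklist violation - sandbox (?P<sandbox>\d+), exe (?P<exe>[^,]+), "
    r"syscall (?P<syscall>\w+), path (?P<path>\S+)"
)


def parse_violation(line):
    """Return a dict with sandbox/exe/syscall/path, or None for other lines."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sandbox"] = int(rec["sandbox"])
    return rec


def summarize(lines):
    """Group violations per (sandbox pid, exe): count plus the distinct paths.
    Grouping keeps a scan of a whole directory from producing one pop-up each."""
    counts = Counter()
    paths = {}
    for line in lines:
        rec = parse_violation(line)
        if rec is None:
            continue
        key = (rec["sandbox"], rec["exe"])
        counts[key] += 1
        paths.setdefault(key, set()).add(rec["path"])
    return {key: (counts[key], sorted(paths[key])) for key in counts}


def format_alert(key, count, paths):
    """One human-readable alert line; lists at most three offending paths."""
    sandbox, exe = key
    shown = ", ".join(paths[:3]) + (" ..." if len(paths) > 3 else "")
    return (f"Firejail: {exe} (sandbox {sandbox}) hit {count} blacklist "
            f"violation(s): {shown}")


def alerts_for(lines):
    """All alert lines for a batch of syslog lines, in stable order."""
    return [format_alert(k, c, p) for k, (c, p) in sorted(summarize(lines).items())]


def notify(text):
    """Show the alert through the desktop notification daemon (notify-send);
    fall back to stderr when no daemon or no notify-send binary is available."""
    try:
        subprocess.run(["notify-send", "-u", "critical", "Firejail", text], check=True)
    except (OSError, subprocess.CalledProcessError):
        print(text, file=sys.stderr)


# Constructed sample syslog lines (not captured from a real system).
SAMPLE_LOG = """\
Jul 18 10:02:11 host firejail[4242]: blacklist violation - sandbox 4242, exe firefox, syscall open, path /home/user/.ssh/id_rsa
Jul 18 10:02:11 host firejail[4242]: blacklist violation - sandbox 4242, exe firefox, syscall stat, path /home/user/.gnupg
Jul 18 10:02:12 host firejail[4242]: blacklist violation - sandbox 4242, exe firefox, syscall open, path /home/user/.ssh/id_rsa
Jul 18 10:02:15 host systemd[1]: Started Session 3 of user user.
""".splitlines()


if __name__ == "__main__":
    # Feed real entries in, e.g. 'journalctl -t firejail --since -10min | python3 fj_alert.py';
    # without piped input the constructed sample is summarized instead.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for text in alerts_for(source):
        notify(text)
```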
Can I pause a sandbox or take a snapshot (like Virtualbox)? I know it is a sandbox, it focuses on security but as I can store overlays, I want to take snapshots. Will copying the overlay folder do the trick?
Hi, I’m having a lot of trouble after running firecfg, mainly with gnome programs and their back-ends. For example, I use gnome-ring as a Skype alternative which requires dring. By default firejail uses its restrictive profile on dring which breaks gnome-ring entirely (you cannot access your account at all).
Likewise the new Gnome calendar (California) does not work under firejail. It uses evolution-data-server (specifically evolution-calendar-factory) as a back-end. When firejail uses its restrictive profile it breaks California (no calendar dates are displayed or saved).
I’m a little out of my depth trying to figure this out. To fix this all I need to do is allow gnome-ring to access dring and likewise allow California to access evolution-calendar-factory. How would I do this?
If this is fixed, it will also help in experimenting with programs and getting out of dependency hell caused by open source trusted programs. Different persistent overlays for different programs. Not every program is available as snap/flatpak/appimage right now and appimages are not officially made by the program authors most of the time.
Another feature will be great: the ability of having a folder which can be accessed read-write by all firejails and the host (or selected firejails and the host if that is better), I mean a common shared folder. This will make file transfer easier. Being able to do it in a GUI way will be the best option.
Sandboxes like firejail are programs which try to restrict or control other programs in every possible way
And containers like LXD, LXC, docker just try to do some minimum things to control or restrict a program
This is what I think about sandboxes and containers, I came up with it myself.
So firejail is better than LXD,LXC,docker, or are there ways in which those are better?
Hi – having problems getting firecfg to work on a minimal lubuntu (xenial) VM running lxde.
very simply, this happens:
me@machine:/$ sudo firecfg
[sudo] password for me:
sudo: firecfg: command not found
Incidentally, I had an installation of firejail that just didn’t seem to want to work (i.e. ‘firejail [option]’ returned ‘command not found’), although directories were there (e.g. /etc/firejail). I purged and reinstalled via APT.
Happily, firejail [option] now seems to work, (at least on Firefox). But firecfg still does nothing. (Would a restart work??)
This works for me – I just need the browser on this VM – but still… what’s going on? Is it a dependency issue on lubuntu minimal (but then, why not solved by APT?), or something else beyond my understanding?
They usually don’t update it. Most of the software in Ubuntu remains at the version it was when the distro was released. We keep in the downloads section up to date Debian/Ubuntu packages.
I love the new firejail launcher but since the last two updates Calibre would launch but I cannot use the ‘Add Books’ function. I get: Error. Unable to create io-slave. Cannot create socket for launching io-slave for protocol ‘file’.
If I launch Calibre outside of the firejail launcher without it being firejailed, the ‘Add Books’ function works fine.
How to fix this please? Using PCLOS KDE5
I just updated firejail to v. 0.9.52-1 amd64. Now I can make use of appimages.
I downloaded Audacity-2.1.2.glibc2.15-x86_64.AppImage and wanted to run it with “firejail --appimage Audacity-2.1.2.glibc2.15-x86_64.AppImage”.
Once it worked. Yet when trying it a second time I got the following message:
-----------------------------------------------------------------------
firejail --appimage Audacity-2.1.2.glibc2.15-x86_64.AppImage
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 10752, child pid 10755
Dropping all Linux capabilities and enforcing default seccomp filter
Child process initialized in 5970168119296.00 ms
/run/firejail/appimage/.appimage-10752/usr/bin/audacity.wrapper
Parent is shutting down, bye…
AppImage unmounted
------------------------------------------------------------------------
So it didn’t work any more. Yet when using the generic.profile: “firejail --profile=/etc/firejail/generic.profile --appimage Audacity-2.1.2.glibc2.15-x86_64.AppImage”
it works.
Can you tell me why that is? Obviously “firejail --appimage Audacity-2.1.2.glibc2.15-x86_64.AppImage” should work.
Thanks for a great program. A newbie question: How to run “jailed” program as a member of a group?
I have a setup (on Ubuntu) where iptables block all Internet access except for members of the “internet” group. For example, I will not have Internet access, if I run:
$ firefox
I will have Internet access, if I run:
$ sudo -g internet -s
$ firefox
I will not have Internet access (but I would like to have), if I run:
$ sudo -g internet -s
$ firejail firefox
Removing “nogroups” from firefox.profile does not resolve the issue.
Thanks for the response. This did not work (Firefox did not start):
$ sudo -g internet -s
$ firejail –ignore=noroot –ignore=nogroups firefox
(…)
/bin/bash: –ignore=noroot: command not found
Parent is shutting down, bye…
Firefox started (but still had no Internet access) after I removed “noroot” and “nogroups” from firefox.profile and ran:
$ sudo -g internet -s
$ firejail firefox
After updating firejail from version 9.50_3 currently available in Ubuntu repos to the newest version 9.52_1 available at sourceforge.net everything is working great.
Hardware Rock64 (arm64), 4GB ram.
OS: Ubuntu bionic.
Firejail version 0.9.52 and firejail-profiles.
Get the following error when I try to use “Firejail Firefox” and “Firejail Chromium-browser”.
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Error clone: main.c:2517 main: Invalid argument
I just downloaded firejail 9.52 and tried to run firejail firefox from the command line and got the following error:
Parent pid 3725, child pid 3726
***
*** Error: Downloads directory was not found in user home.
*** Any files saved by the program, will be lost when the sandbox is closed.
***
***
*** Warning: cannot whitelist Downloads directory
*** Any file saved will be lost when the sandbox is closed.
*** Please create a proper Downloads directory for your application.
I think I’m getting this error because my ~/Downloads is a symbolic link that points to my data drive at /media/…/…/Downloads. Is there a workaround for this?
First you need to allow the sandbox to access /media. By default this access is denied. Create a file /etc/firejail/firefox.local with a single text line “ignore disable-mnt”.
Then, you shut down all your current Firefox instances and restart Firefox. In Firefox configuration (look for Preferences in the menus), in General tab you configure Firefox Downloads directory to point directly to /media/… on your data drive.
Hey there, huge fan of this program. I’m sort of new to this and I was wondering what is the most restrictive I could possibly get for anyone particular app? I take it the generic.profile is not the most restrictive it gets.
Love your program. I’m wondering just how restrict can you get a certain app though. In other words how restrict could you make say, a browser. I’m sure you can do a lot more then what the generic profile offers.
No, for each application firejail picks up a specific profile. When you run it from command line it lists all the profile files it brings in, for example:
It would be a great feature if there was a build option to specify which dir it uses instead of the default “/run/firejail”. Trying to use it on systems which have a read only / dir does not work.
I’ll look into it.
First, thanks for your work!
I just learned that the latest version of the Chrome browser has a new API that exposes the users’ Bluetooth info:
https://www.theregister.co.uk/2017/02/05/chrome_56_quietly_added_bluetooth_snitch_api/
Can I use firejail to block that? Right now I simply use
firejail /usr/bin/google-chrome-stable --incognito
Many thanks!
Support for it was just introduced in Chrome. It would take some time for us to come with a way to stop it. Thanks for letting us know.
Hi,
First of all congratulations on your excellent work!
I’m trying sandboxes for the very first time so I know close to nothing about it. I just tried to run Kodi Media Center in Firejail but it just won’t start. I ran the command in terminal:
firestart kodi
Also tried with the private prefix but still no luck.
Is there a way to run Kodi on Firejail?
Let me know if you need details/info/logs but for what it looks like, it’s not a matter of config but rather not being able to run at all. Tried both the 38 and 44 versions of Firejail, my OS is a Linux distro based on Ubuntu 16.04.1.
Thank you very much in advance. Keep up with the good work!
I don’t think anybody tried kodi. I’ll try to bring it up in the next release.
Run “firejail --noprofile kodi”; if this is working it would be easy to build a profile for it.
Thank you very much for getting back to me and for your help.
Unfortunately it didn’t work:
“$ firejail –noprofile kodi
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
** Note: you can use --noprofile to disable generic.profile **
Parent pid 15563, child pid 15564
Child process initialized
/bin/bash: –noprofile: command not found
parent is shutting down, bye…”
If you can make Kodi fully working on Firejail and spread the word I believe many will get Firejail just based on that. Kodi is becoming more and more popular everyday and since it uses online connections from various sources, it’s a security hazard for the system.
Once again thank you very much and keep up with the good work!
Use --noprofile. I think you have a single -, which is why it is complaining. Cut and paste from here:
firejail --noprofile kodi
Hi. I’m trying to restrict Irssi to be only able to connect to localhost and deny all connections to LAN or the internet (to stop ip leaks). I’ve looked through the firejail man page and I haven’t found anything relating to the restriction of networks, other than net, which only allows networking altogether or disables it. Is there a way to do this that I haven’t thought of?
--net creates a new network namespace. From this namespace you cannot connect to the local host – it basically creates a different local host. I’m afraid it cannot be done.
Kodi (xmbc) is Microsoft seed in concept even if they went open source. Stick to Kodi boxes controlled by manufacturer or MITM. It is the same as taken on the big news propaganda. Blue does not have the resources to fight these guys. Don’t waste his resources!
create file:
~/.config/firejail/kodi.profile
with following content:
noblacklist ~/.kodi
caps.drop all
nonewprivs
nogroups
noroot
seccomp
protocol unix,inet,inet6,netlink
shell none
private-dev
run:
firejail kodi
Yes, the profile looks fine. I’ll add “official” support for kodi in the next release.
Shouldn’t the profile for KODI be more restrictive? I think for people who use KODI to play internet streams (like sports live events and such) it shouldn’t have any “read” access to files on the home partition. Maybe a whitelist kinda thing. Any thoughts?
I’ll add KODI support in the next release. It will probably be a simple blacklist-based profile. Once the release is out, we’ll figure out some whitelisting for it.
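A whitelist-based variant of the kodi.profile posted earlier in this thread, as an added example (it is not the upstream profile). It keeps the hardening lines from the posted profile and adds whitelisting so that Kodi only sees ~/.kodi and a media directory; the ~/Videos location is an assumption, and both directories must already exist.

```text
# ~/.config/firejail/kodi.profile  (added example, not the upstream profile)

# Kodi keeps settings, add-ons and the media database under ~/.kodi.
noblacklist ~/.kodi

# Whitelisting replaces $HOME with an empty tmpfs and bind-mounts only the
# listed paths, so a compromised stream or subtitle cannot read the rest
# of the home directory. whitelist-common.inc adds the usual desktop bits
# (fonts, themes, ...) that graphical programs need.
whitelist ~/.kodi
include /etc/firejail/whitelist-common.inc

# Local media (assumed to live in ~/Videos); read-only is enough for playback.
whitelist ~/Videos
read-only ~/Videos

# Hardening carried over from the profile posted above.
caps.drop all
nonewprivs
nogroups
noroot
seccomp
protocol unix,inet,inet6,netlink
shell none
private-dev
```

Start it with “firejail kodi” as before; running from a terminal lists the profile files actually loaded, which confirms the whitelist lines took effect.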
Out of curiosity, if Kodi was being used with Firejail, would Firejail protect it from getting hacked in that subtitle bug which was called “hacked in translation”?
Yes, it would restrict the attacker.
Hello, I run 8 Steams in firejail. All work correctly; I run Counter-Strike: Global Offensive and it works. If I run more than 5 csgo clients (5 clients work perfectly), more can’t start: for a few seconds I see the CS:GO window, and then it closes. In the console I don’t see any errors. The Steam clients work correctly. Does somebody know how to fix this?
I’m running with the command:
firejail --private=nameofbox steam
System is Ubuntu 16.04, with the latest nvidia drivers installed (I also tried older versions) and the latest firejail version. PC specs: i7 6700hq, 32GB RAM, GTX 960M 4GB GDDR5.
Can somebody help me?
I would try without --private, like this: “firejail steam”. Maybe it expects some common file under home directory and --private clears it out.
Hey, could you tell me how you opened the new instances of Steam? Because I can’t get it to work properly with more than 1 instance.
Steam imposes a single instance running in the system at one time.
Hello! I want to prevent all apps on my machine from keylogging Firefox so I can be safe. Is this possible with Firejail? I want to be safe from malware that may run without me noticing.
For keyloggers you would need to use the --x11 options: https://firejail.wordpress.com/documentation-2/x11-guide/
It will stop malicious code you might pick up while running Firefox, so a keylogger will not be able to escape the sandbox. However, it will not stop keyloggers running outside the sandbox.
I’m using 0.9.44.8 on Ubuntu 16.10. I have a problem where some applications aren’t remembering settings. Cherrytree forgets that I enlarged the UI because I have a high dpi screen and also doesn’t open the last used file like it used to (with an older version of firejail). Transmission forgets that I set it to always use encryption instead of the default of “prefer encryption”. I’ve made sure that the profiles allow those specific applications to read the relevant .config/ files and have double checked, e.g., that transmission’s settings.json has the desired encryption setting. It seems these applications are starting up using default settings for some reason?
To make sure what profile your app is using, start it from the command line. It will list all the profiles as they are loaded:
netblue@debian:~$ firejail transmission-gtk
Reading profile /home/netblue/.config/firejail/transmission-gtk.profile
Reading profile /etc/firejail/transmission-gtk.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 3633, child pid 3634
Thanks. It turns out I left an old cherrytree profile in ~/.config/firejail/
As for Transmission, those issues are caused by it being launched within the firefox sandbox. I tried whitelisting Transmission’s configuration file in the firefox profile but that didn’t seem to work, so I’m just pasting any magnet links into Transmission manually until I work out the correct firefox profile changes.
I also use magnet links for transmission. The idea is to have the browser and the bittorrent client, each one of them sandboxed independently as strongly as possible.
Hi!
I just stumbled over this promising little program of yours. What I do not understand is the difference to SELinux, AppArmor and other MAC systems. I never used any of these, but recently they found ransomware even for Linux. That’s why I was thinking of chroot or a MAC system like yours.
I really appreciate your efforts on this highly important subject.
Many thanks!
You’re welcome.
Firstly, great application. Using firejail_0.9.44.8_1_amd64.deb and Palemoon 27.1.2. However I have one issue when using Pale Moon on Linux Mint-Mate 18.1 with the default configuration. In the title bar it states that I am running as a super user and obviously this is not something to advise. If I look at the hierarchy it looks as if I am running as a user. I do not have this issue in Firefox.
Terminal states:
shawn@HPLaptop ~ $ firejail --tree palemoon
6199:shawn:/usr/bin/firejail /usr/bin/palemoon
6202:shawn:/usr/bin/firejail /usr/bin/palemoon
6209:shawn:/usr/bin/palemoon
I took screen print of browser, but do not know how to attach.
Have you any ideas or am I being paranoid?
It’s fine, some window managers have this problem. The best way to check is to run “ps aux | grep palemoon” in a new terminal. It will tell you palemoon runs as a regular user (shawn). It is a window manager bug.
Awesome tool, thanks!
Can you please elaborate if there is a recommended way to make sure that a specific application (like Firefox) is only started via Firejail when starting (a) from the shell (without the need to specify “firejail” explicitly) and (b) from the desktop environment of choice (xfce, Gnome, KDE, …)?
I can imagine multiple ways but did not start to evaluate them: shell-alias, correctly placed desktop-file which overrides the default ones, modifying the application menu entry (xfce, Gnome, KDE, …) with a modified one, …
Thanks!
Whatever works for you. We have a tool in firejail package that will make a symbolic link from /usr/local/bin/firefox to firejail executable. As a result, when you run “firefox” in a bash terminal it will actually run “firejail firefox”. In some cases, the same trick seems to be taking care of applications started from desktop manager menu. To set the links run “sudo firecfg” (also see “man firecfg”).
Desktop files also work, but when you update firefox, the desktop file will be overwritten.
Another way to do it is to set icons on your desktop.
I just now tried firejail with firefox:
$ firejail firefox
and it is working nicely. However, a thing that greatly disturbs me is the fact that the title bar of firefox now says that it is running as root. Do you know anything about that?
Thanks!
Actually yes: https://github.com/netblue30/firejail/issues/258
Thanks so much for this great addition to the linux ecosystem. I’m running Ubuntu and trying to use firejail with Wire (https://wire.com) but get an error that says:
~~~~~~~~~~~~~~~
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
** Note: you can use --noprofile to disable generic.profile **
Parent pid 7523, child pid 7524
Child process initialized
[2:0331/112642:FATAL:udev_linux.cc(20)] Check failed: monitor_.
parent is shutting down, bye…
~~~~~~~~~~~~~~~~~~~~~~~
Any suggestions that might get me around this?
Thank you.
Does it work with --noprofile?
$ firejail --noprofile wine application
Yes it works with --noprofile. Is that sufficient?
That’s good, it means we can build a proper profile for wire. Try this one, it is supposed to be available in the next version of firejail:
https://github.com/netblue30/firejail/blob/master/etc/wire.profile
Save it in a file in your home directory as wire.profile, and start the sandbox:
Thank you so much!
Hello everyone, hey netblue,
I need help with running multiple instances of steam using firejail.
Another user already asked for this but he got another problem.
I can perfectly run a single instance of steam+game using “firejail steam”, but even if I use --private=steam1 steam or something it logs in but the game (in this case csgo) won’t run because it detects that it is already running.
Also I don’t want to have the game stored in another folder for each instance, just 1 game folder but different instances of steam and csgo.
If this is possible with firejail I’d love to get some help I think it might be useful for a lot of people.
Kind regards
Daniel
“firefox --new-instance” can be used to open a new firefox in a separate sandbox. I often run multiple instances in parallel using that. Without --new-instance firefox opens in a new tab or new window of some existing sandboxed and running firefox.
Yes, new-instance will also do it. According to the people here https://developer.mozilla.org/en-US/docs/Mozilla/Command_Line_Options -no-remote also implies -new-instance
“Firejail steam” works completely fine, but how can I start it again in a new sandbox not accessing the current sandbox. My goal is to run multiple instances of steam and also of the source game csgo. But I can’t even run steam correctly.
Hi!
I see that Firejail works manually, say by typing: firejail /etc/init.d/lighttpd start
But how can you bake it into an init script so that it starts automatically at boot? I have no idea what I’m doing, but here’s what I tried. First, I just replaced “exec /usr/sbin/lighttpd” with “exec /usr/bin/firejail /usr/sbin/lighttpd”, which failed spectacularly. Well, not spectacularly. But it did fail to background properly, and no amount of ampersanding would help.
So next I made a quick Bash script (firejail /usr/sbin/lighttpd $@ &) and used the path to that for the exec line in the init script. That worked great to start the server. But it doesn’t work to stop it or restart it. I clearly have no idea what I’m doing.
Does anybody have an init script example?
Hello,
I am a relative newcomer on Linux (moving from a dozen years on Macintoshes), and I landed here searching, initially, for an app that would control outgoing accesses to the internet on a per-application basis, like ‘Little Snitch’ does on OSX.
I now am very interested in Firejail, and will certainly install it on our two machines over the week-end (laptops from the German Tuxedo that come preconfigured with Ubuntu Mate 16.04).
But because of my sensitivity to outgoing network accesses, and seeing there already is a generic network control in Firejail, I’d like to know
– if there are intentions to develop this particular area (e. g. learn modes à la Little Snitch which for instance will trigger a window the first time an app tries to connect to url xx, allowing one to deny or allow, this time or forever, just this url/this domain/any address)
– if otherwise Firejail would be compatible with other such network control apps. In this area any advice would be extremely welcome!
Thank you very much, and congratulations for Firejail as it is already!
Hervé
Yes, we plan to have this kind of functionality implemented in a future release.
Hello, I got an update for firejail while using Linux Mint 18 today.
$ firejail --version
firejail version 0.9.46
All of my profiles got deleted, here is what is left:
-rw-r--r-- 1 root root 287 May 18 23:12 cherrytree.profile.dpkg-bak
-rw-r--r-- 1 root root 628 May 21 05:44 default.profile
-rw-r--r-- 1 root root 8779 May 21 05:44 disable-common.inc
-rw-r--r-- 1 root root 1865 May 21 05:44 disable-devel.inc
-rw-r--r-- 1 root root 519 May 21 05:44 disable-passwdmgr.inc
-rw-r--r-- 1 root root 13447 May 21 05:44 disable-programs.inc
-rw-r--r-- 1 root root 4034 May 21 05:44 firejail.config
-rw-r--r-- 1 root root 494 May 21 05:44 login.users
-rw-r--r-- 1 root root 774 Mar 27 13:22 nolocal.net
-rw-r--r-- 1 root root 500 May 21 05:44 server.profile
-rw-r--r-- 1 root root 992 Mar 27 13:22 webserver.net
-rw-r--r-- 1 root root 972 May 21 05:44 whitelist-common.inc
Everything else is gone. Including any custom profiles.
Firefox, Thunderbird. All gone.
What command did you use to update it? Is firejail in Mint?
Anyway, the standard install will overwrite all the profiles in /etc/firejail directories. When you customize it, put your modified profiles in ~/.config/firejail. I have a description of the process here: https://firejail.wordpress.com/documentation-2/building-custom-profiles/
On Ubuntu 16.04.2 LTS, firefox crashes immediately using my launcher icon (with: firejail --private-home=.mozilla firefox %u). The Mozilla crash dialogue opens, and offers to close or restart firefox. If I choose restart, it runs fine, and according to the command (firejail --private-home=.mozilla firefox %u), but never on first try, only when it crashes and is restarted from the Mozilla crash dialogue window.
Worked without problems prior to updating from 0.9.44.
I can live with it, but perhaps there is a simple fix for this irritation? (using firejail 0.9.46)
Try “firejail --private-home=~/.mozilla firefox %u”. Could be because you forgot ~/ in private-home.
Minor typo found in Firejail Configuration Wizard Step 1:
“Choose an application form the menus below” should be
“Choose an application from the menus below” (change form to from)
Thanks, will fix!
Hello, if I try to run firefox in the sandbox, it crashes, followed by the Mozilla Crash Reporter. If I press the “restart” button on the crash reporter it works fine.
This only happens if run via firejail. I use latest arch with latest ff.
Run “firejail firefox” and put the output here.
Hi again, I saw this and thought I could add that making the changes you specified did not fix the problem. I have exactly the same behaviour.
The output from “firejail firefox” in my case (assuming it helps somehow):
p:~$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 854, child pid 855
Blacklist violations are logged to syslog
Child process initialized in 76.19 ms
[7] ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 3 requests ago: file /build/firefox-IKSm1A/firefox-53.0.3+build1/toolkit/xre/nsX11ErrorHandler.cpp, line 147
[7] ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 3 requests ago: file /build/firefox-IKSm1A/firefox-53.0.3+build1/toolkit/xre/nsX11ErrorHandler.cpp, line 147
ExceptionHandler::GenerateDump cloned child 58
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal…
…to this point, all that has happened is the mozilla crash window opening. If I press “restart firefox” here is the rest of the output (firefox now running):
(crashreporter:63): IBUS-WARNING **: Unable to connect to ibus: Timeout was reached
(crashreporter:59): Gdk-WARNING **: crashreporter: Fatal IO error 11 (Resource temporarily unavailable) on X server :0
I just released a new version, 0.9.48. Let me know if you still have the problem.
Hello,
is it possible to start Tor Browser by Firetools? I tried with Version 0.9.46 browsing file system and choosing “start-tor-browser.desktop”, but this didn’t work. Is there a simple way to implement Tor Browser in Firejail and can it be done by Firetools?
Thanks for reply.
In a terminal, go into tor-browser_en-US directory and start it like this:
Firejail will recognize it and pick up /etc/firejail/start-tor-browser.profile file for security settings. You can play around with this file and customize it. Firetools launcher will not recognize it by default (there is no way to tell where the browser is installed), but you can right-click on an empty spot in the launcher and edit the program in.
Hello, I am trying to set up firejail to allow non-root users to bind TCP ports: setcap cap_net_bind_service+ep /usr/bin/python
(non-chroot)
>firejail --debug --noprofile --caps.keep=setgid,setuid,net_bind_service,chown --net=br1 --ip=10.10.20.2
>firejail@knote05:~$ python -m SimpleHTTPServer 80
>Serving HTTP on 0.0.0.0 port 80 …
(chrooted)
>firejail --noprofile --caps.keep=setgid,setuid,net_bind_service,chown --net=br1 --ip=10.10.20.2 --chroot=firejail-root-dir/
>I have no name!@knote05:~$ python -m SimpleHTTPServer 80
>bash: /usr/bin/python: Operation not permitted
When you start the server as a regular user, the kernel will not allow it to bind to port 80. It doesn’t matter if you are in a sandbox or not, the kernel does its own checking.
What you need to do is to start the sandbox as root (seccomp and everything else still applies), inside the sandbox start the server also as root, and in the server code drop privileges and become a regular user after binding to port 80.
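The bind-then-drop pattern from the reply above, as an added Python 3 example (not code from this thread). It assumes an unprivileged account such as www-data and a start command along the lines of “sudo firejail --noprofile --caps.keep=net_bind_service,setuid,setgid python3 server.py 80 www-data”, reusing the caps.keep idea from the question so that root inside the sandbox keeps only what binding and switching user need.

```python
"""Bind a privileged port as root, then switch to an unprivileged user.

Added example; the account name (www-data) in the suggested invocation is an
assumption, any unprivileged user works:
    sudo firejail --noprofile --caps.keep=net_bind_service,setuid,setgid \
         python3 server.py 80 www-data
"""
import functools
import http.server
import os
import pwd
import sys


def current_uid():
    """uid this process runs as (exposed for the self-test)."""
    return os.getuid()


def drop_privileges(user):
    """Become `user` (account name or numeric uid) and return (uid, gid).

    Order matters: supplementary groups and the gid are changed before the
    uid, because after setuid() to a non-root user the process is no longer
    allowed to change its groups. setuid() (not seteuid()) replaces the real,
    effective and saved uids, so root cannot be regained; the check at the
    end confirms that.
    """
    uid = user if isinstance(user, int) else pwd.getpwnam(user).pw_uid
    if os.geteuid() == uid:
        return os.getuid(), os.getgid()      # already that user: nothing to drop
    if os.geteuid() != 0:
        raise PermissionError("must be root to switch to uid %d" % uid)
    gid = pwd.getpwuid(uid).pw_gid           # primary group of the target user
    os.setgroups([])                         # drop root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)
    except PermissionError:
        pass                                 # expected: the drop is irreversible
    else:
        raise RuntimeError("privilege drop failed: root was regained")
    return os.getuid(), os.getgid()


def start_server(port, user, host="0.0.0.0", directory="."):
    """Bind while still privileged, then drop; returns (server, uid, gid).

    HTTPServer() calls bind() in its constructor, so the listening socket is
    owned by the process before the switch and stays usable afterwards.
    """
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=directory)
    server = http.server.HTTPServer((host, port), handler)
    uid, gid = drop_privileges(user)
    return server, uid, gid


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    user = sys.argv[2] if len(sys.argv) > 2 else "nobody"
    srv, uid, gid = start_server(port, user)
    print("serving port %d as uid=%d gid=%d" % (srv.server_address[1], uid, gid))
    srv.serve_forever()
```

Run without root and with a high port (for example 8080) the switch is skipped, which is a quick way to see that the same code works in both modes.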
…runs on any Linux computer with a 3.x kernel version or newer. A lot of 2.6.32 kernels are still out there, does firejail not fully support 2.6 kernels?
No, the namespaces implementation in 2.6 kernel is too old.
Q: As of today, 2017-07-18, for the now-current Xubuntu 16.04.2 LTS release, the firejail version 0.9.38.10 appears to be available from the main ubuntu repository, while 0.9.48 seems to be the latest current firejail program version.
If I would like to keep using an older program version 0.9.38.10 on my system, is it safe to use the newest default app profile files, included with the latest program version 0.9.48?
Will these newer profiles be fully understandable by the older firejail 0.9.38.10? If not: what do I need to avoid when editing them manually? Is there any way to check if my older version of the program fully understands any particular app profile file?
Many thanks for all the work on the firejail software!
Just found an answer to one of my questions:
– Is there any way to check if my older version of the program fully understands any particular app profile file?
I guess this should work too:
in a terminal run a simple sandbox with your profile:
$ firejail --profile=path_to_your_profile_file
It will complain if it finds a problem with the profile file.
Thank you for this excellent tool.
I’d like to mention the following issue: using the firejail command a user/process can execute files without having the necessary access rights to do so.
A test using firejail 0.9.48:
user@debian:~$ ls -l /usr/bin/mousepad
-rwx------ 1 root root 223256 mei 22 2013 /usr/bin/mousepad
user@debian:~$ /usr/bin/mousepad
bash: /usr/bin/mousepad: Permission denied
user@debian:~$ firejail /usr/bin/mousepad
Reading profile /etc/firejail/mousepad.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 18801, child pid 18802
Blacklist violations are logged to syslog
Child process initialized in 41.23 ms
… and the mousepad window opens
One could see this as an advantage because, setting these access rights, the user can’t mistakenly execute the given program without using the firejail sandbox. Nevertheless it leaves an uncomfortable feeling knowing I (or a script I execute) could execute a file even if I removed my access rights to it.
This is definitely a bug, thank you for reporting it. I put a fix in git, it will go live in the next release sometime in August. Any other problems, just let me know!
Hello, I just installed the latest 0.9.48-1 on Linux Mint 18.1 Cinnamon, and was impressed with the extra security measures, but unfortunately have had to remove it as it blocked dropbox. My dropbox folder was still there, but the dropbox installer immediately started up, but then reported it could not install, querying if there was no internet etc. There was no panel icon for dropbox and no way to transfer between ipad/pc. I’d love to use firejail again, and thank you for developing it. A poster on the LM forum kindly advised I post here and that it could be a profile issue, so if I may ask further. Thank you for your time.
This is definitely a bug, I’ll try to find out what’s going on.
Thank you very much.
Just to update further, what has just provided a fix was replacing the dropbox.profile with one that a poster on the Linux Mint forum kindly uploaded. At no stage would any terminal commands work regarding trying to copy that over, or alter settings in the dropbox.profile, and Xed is opening windows separately, both before and after the issue fixing. After overwriting dropbox.profile, running --version showed all firejail functions running except AppArmor, and --tree showed it working with both dropbox and opera. Hope this is helpful.
Does firecfg fully support Unity? What about Ubuntu 16.04.3 LTS?
Unity and Ubuntu 16.04 are partially supported.
What will firecfg do if a program is installed as a snap or flatpak? Will there be any difference?
It needs to be tried out! Probably it will not work.
I’m on Ubuntu and installed through their package management (firetools 0.9.44-1) and manually created an entry for a program which is installed inside my $HOME.
Because no icon is created inside firetools: how do I manually add an icon for that entry?
You need to put an icon file (png, jpg or svg) with the same name as your application in ~/.config/firetools. For example, if you create an entry with the name “app22”, you then add an app22.png file in ~/.config/firetools.
Sorry, I had this under ‘Documentation’ but moved it to Support -hope that’s okay.
I’m using PCLOS KDE5. Firejail came with several apps already firejailed and I totally loved that. Now I’d like to firejail seamonkey and trying to do so in the terminal brings:
[xxx@localhost ~]$ firejail seamonkey
Reading profile /etc/firejail/seamonkey.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 14600, child pid 14601
Blacklist violations are logged to syslog
Child process initialized in 26.07 ms
/bin/bash: seamonkey: command not found
Parent is shutting down, bye…
[xxx@localhost ~]$
I tried the configuration wizard – couldn’t figure out how – everything in the sandbox seems to be in /usr/bin but seamonkey is in /usr/lib64/seamonkey/seamonkey %u
I’ll stop now as I don’t know the devil what I’m saying – hope someone can shed some light on how to get seamonkey in the sandbox. thx
Do you have a seamonkey file in /usr/bin? Add a symbolic link to seamonkey in /usr/bin:
sudo ln -s /usr/lib64/seamonkey/seamonkey /usr/bin
No. There isn’t a seamonkey file in /usr/bin. Will the command you wrote put it there?
Yes, try it out.
I should have added that I firejailed it the easy ‘old-fashion?’ way instead:
firejail /usr/lib64/seamonkey/seamonkey %u
It worked but I’d love to see it in Firelauncher.
I’ll add support for seamonkey in the launcher in the next release of firetools.
You can also add it there yourself. Right-click with your mouse on an empty place in the launcher and press Edit.
> The setup is fast, typically several milliseconds.
I just installed FireJail 0.9.48 and XPRA 2.0.3 on a new Debian Stretch system. Even when everything is cached in memory, I’m finding it takes a full 5 seconds to launch an instance of FireFox-ESR (--x11=xpra --net=br0). Is there any way to “instrument” the setup process so that I can see what the time consuming pieces are (and how I might improve them)? By way of comparison, I can launch a VirtualBox snapshot to a FireFox browser in less than 3 seconds … Thanks!
Moved to https://github.com/netblue30/firejail/issues/1539
We’ll try to find out what’s going on, thanks.
Is it possible that a firefox add-on will require changes to the default firejail profile of firefox? (I do not fully know what add-ons are capable of.) In other words, is the firejail profile of firefox written without add-ons in mind? Are some good add-ons like HTTPS Everywhere and uBlock Origin OK to be used with firejail?
A small number of addons require profile modifications. HTTPS Everywhere and uBlock origin should work fine.
1. Is multiprocess firefox OK with firejail?
2. If I use firefox and ufw (uncomplicated firewall) on Ubuntu, and then use --net=eth0 in the firejail command line, can ufw be bypassed if there is a chance? (I am a newbie, sorry if it is stupid 😦 ) If ufw can be bypassed then how to fix it?
1. It should be fine, we’ve seen it running on several distros. If you run into problems, please let us know.
2. ufw doesn’t have support for network namespaces. Whenever we start a new network namespace, we also install a new network filter. You’ll find the filter documented in “man firejail” in the --netfilter section. It is a very restrictive filter, basically it doesn’t allow any incoming connections. You can also customize this filter and replace it with your own.
LikeLike
--private-home shows a home folder with a small number of files & folders inside the firejail & all changes made to home are temporary. But what about changes made to any place outside of home (if possible)? Any change made to any place (including outside of home) is temporary, right? If not, then how to do this?
Thanks for making firejail!
> Any change made to any place (including outside of home) is temporary, right?
With few exceptions such as /tmp, /var/tmp, /media, /mnt, the rest of the system is mounted read-only, not even root can modify them.
You can also use the other private-* command options to make the other directories behave as private-home.
You wrote:
“With few exceptions such as /tmp, /var/tmp, /media, /mnt, the rest of the system is mounted read-only, not even root can modify them.”
Does it mean that directories not mounted read-only are mounted as read-write and the changes will persist? Or the changes will vanish after the sandbox is closed? Just trying to get rid of my confusion
Yes. Some directories will be mounted read-write. You can also create a top level directory, change the ownership to your regular user and use it to store files visible in all sandboxes:
$ sudo mkdir /common
$ sudo chown username:username /common
If
$ firejail --overlay-tmpfs --private-home=/path/to/dir firefox
is used instead of
$ firejail --private-home=/path/to/dir firefox
then read-write directories because of --private-home will not store their changes, am I right?
If I want to store the changes, I can use
$ firejail --overlay-named=name --private-home=/path/to/dir firefox
Is this OK?
--private-home is not supported in overlay, there will be full access to your real home directory. You will get a warning like this when you start the sandbox:
Warning: private-home= feature is disabled in overlay
However, because of the overlay, all the changes will go in overlay and not in your real home directory.
“firejail --overlay-named=name --private-home=/path/to/dir” should store the changes. For the home directory the changes
overlayroot can be used in Ubuntu, but its scope is bigger
https://spin.atomicobject.com/2015/03/10/protecting-ubuntu-root-filesystem/
Thanks for the info, I’ve never played with it. I’ll take a look.
Is --private-home as secure as --private where the only difference is that when --private-home is used the home folder’s contents and location are different?
Edited! The previous response was wrong!
> Is --private-home as secure as --private where the only difference is that when --private-home is used the home folder’s contents and location are different?
If you run --private=directory, directory becomes your new home and any changes are preserved when you exit the sandbox.
If you run --private-home=list-of-files, a new home directory is built out of the files and directories you’ve listed. Changes to these files are not preserved when you exit the sandbox.
I think --private-home will not store changes made to the real home and to the path specified as the value of --private-home (according to man page), correct?
You are right, my bad! I’ll edit the previous answer.
How to use firejail with firefox-*.tar.bz2? After extracting if I do this
$ firejail --private ./firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 7906, child pid 7907
Warning fseccomp: --protocol not supported on this platform
Blacklist violations are logged to syslog
Child process initialized in 55.81 ms
Error: no suitable ./firefox executable found
Parent is shutting down, bye…
What is the proper method?
How come you don’t have seccomp in your kernel? What distribution are you using? The sandbox will work without seccomp, but it would be nice to have.
> firejail --private ./firefox
This will not work. --private will replace your home directory with an empty, temporary filesystem and firefox will disappear inside the sandbox.
One way to do it is to unpack firefox-*.tar.bz2 in /opt directory. This way, when you say --private, firefox will not disappear. /opt directory was specially built for installing additional software.
Is it OK to extract the files in home first and then “sudo cp -r” them to /opt ?
Any problem with file permissions, ownership etc. (because it was extracted by a non root user and then copied using sudo to be used by a non root user) ?
And “Warning fseccomp: --protocol not supported on this platform” maybe means that it was on i386 32 bit pc, do I need to manually enable it in amd64 or it will be auto enabled in amd64 64 bit pc?
> Is it OK to extract the files in home first and then “sudo cp -r” them to /opt ?
I guess it is the same thing as extracting them directly under /opt. I would say go for it.
> “Warning fseccomp: --protocol not supported on this platform”
It is auto detected by the sandbox, so if you are on amd64 it will be there by default.
If a sandboxed program tries to do something that is blocked, I think there should be a visual alert instead of just logging it (for all types of breakout attempts).
Think like this:
I open a sandboxed firefox and then decide to do bank-related stuff. First I decide to stay on the bank’s website for a while. While doing that, firefox gets attacked from outside somehow.
Now if I get a visual alert that something bad is trying to happen, I can decide if I want to take the risk of entering my private information on the bank’s login page. The other option is to close the sandbox and find out what is happening.
But if the breakout attempt is only logged, I will not know that something bad was out there and it will be a great risk to enter my personal details. I will not know that because I will be looking at firefox. Producing warning text on terminal will also fail.
So every blocked event should produce a visual alert when there is a breakout attempt.
Also if a complete error report is created, I can just post it here or on github. 🙂
By visual I meant GUI alert 🙂
You are right, we need some sort of visual alert on the desktop, maybe using the current notification system already implemented by all desktop managers. I’ll look into it.
Just a GUI pop up will be fine
Also you will be sure that a program is running perfectly inside firejail if it is not trying to do anything weird (instead of just checking that you got your job done to make sure that the program is running perfectly)
Can I pause a sandbox or take a snapshot (like Virtualbox)? I know it is a sandbox, it focuses on security but as I can store overlays, I want to take snapshots. Will copying the overlay folder do the trick?
Hi, I’m having a lot of trouble after running firecfg, mainly with gnome programs and their back-ends. For example, I use gnome-ring as a Skype alternative which requires dring. By default firejail uses its restrictive profile on dring which breaks gnome-ring entirely (you cannot access your account at all).
Likewise the new Gnome calendar (California) does not work under firejail. It uses evolution-data-server (specifically evolution-calendar-factory) as a back-end. When firejail uses its restrictive profile it breaks California (no calendar dates are displayed or saved).
I’m a little out of my depth trying to figure this out. To fix this all I need to do is allow gnome-ring to access dring and likewise allow California to access evolution-calendar-factory. How would I do this?
We are bringing support for gnome-ring in the next release. You can try the version on GitHub, it will be released in the next few weeks.
I have to look at gnome calendar.
I know, I wrote the profile for gnome-ring :). No idea what caused the issue but it went away on its own. I might look into California soon.
github.com/netblue30/firejail/issues/1491
If this is fixed, it will also help in experimenting with programs and getting out of dependency hell caused by open source trusted programs. Different persistent overlays for different programs. Not every program is available as snap/flatpak/appimage right now and appimages are not officially made by the program authors most of the time.
Another feature will be great: the ability of having a folder which can be accessed read-write by all firejails and the host (or selected firejails and the host if that is better), I mean a common shared folder. This will make file transfer easier. Being able to do it in a GUI way will be the best option.
Cheers 🙂
Thanks for suggestions.
> Another feature will be great: the ability of having a folder which can be accessed read-write by all firejails
In this moment Downloads directory in your home is shared by all sandboxes, unless you use --private that hides everything.
You can also create a top level directory and change the owner to your regular user:
Change username above with your user name.
Sandboxes like firejail are programs which try to restrict or control other programs in every possible way
And containers like LXD, LXC, Docker just try to do some minimum things to control or restrict a program
This is what I think about sandboxes and containers, I came up with it myself.
So firejail is better than LXD, LXC, Docker, or are there ways in which those are better?
Hi bro, Firejail does not work,
kernel > Unknown 999.999.999 x86_64 GNU/Linux
Firefox //
root@GX6G0Q73ZTT4:~# firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 3917, child pid 3918
The new log directory is /proc/3918/root/var/log
Blacklist violations are logged to syslog
Child process initialized
Parent is shutting down, bye…
please add more platforms
It is a common problem: firefox allows only one instance of the browser running on a system. See here:
https://firejail.wordpress.com/support/frequently-asked-questions/#firefox
Hi – having problems getting firecfg to work on a minimal lubuntu (xenial) VM running lxde.
very simply, this happens:
me@machine:/$ sudo firecfg
[sudo] password for me:
sudo: firecfg: command not found
Incidentally, I had an installation of firejail that just didn’t seem to want to work (i.e. ‘firejail [option]’ returned ‘command not found’), although directories were there (e.g. /etc/firejail). I purged and reinstalled via APT.
Happily, firejail [option] now seems to work, (at least on Firefox). But firecfg still does nothing. (Would a restart work??)
This works for me – I just need the browser on this VM – but still… what’s going on? Is it a dependency issue on lubuntu minimal (but then, why not solved by APT?), or something else beyond my understanding?
Cheers
> firecfg: command not found
Probably you are running an old version of firejail software. Currently we are at 0.9.50. In a regular terminal run “firejail --version”.
We keep on our download page .deb packages for Ubuntu, grab the last one.
Yup, working fine (after a restart). Repository was way behind.
Thanks again!
No problem.
Any news on whether Ubuntu is gonna update any time soon? It’s pathetic the repo is 2 versions behind!
They usually don’t update it. Most of the software in Ubuntu remains at the version it was when the distro was released. We keep in the downloads section up to date Debian/Ubuntu packages.
Then add an option in firejail to check for updates weekly or whenever the user wants
I love the new firejail launcher but since the last two updates Calibre launches but I cannot use the ‘Add Books’ function. I get: Error. Unable to create io-slave. Cannot create socket for launching io-slave for protocol ‘file’.
If I launch Calibre outside of the firejail launcher without it being firejailed, the ‘Add Books’ function works fine.
How to fix this please? Using PCLOS KDE5
I’ll have to try it out, thanks for the bug.
That would be most welcome. Thank you
Hi,
I just updated firejail to v. 0.9.52-1 amd64. Now I can make use of appimages.
I downloaded Audacity-2.1.2.glibc2.15-x86_64.AppImage and wanted to run it with “firejail --appimage Audacity-2.1.2.glibc2.15-x86_64.AppImage”.
Once it worked. Yet when trying it a second time I got the following message:
———————————————————————–
firejail --appimage Audacity-2.1.2.glibc2.15-x86_64.AppImage
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 10752, child pid 10755
Dropping all Linux capabilities and enforcing default seccomp filter
Child process initialized in 5970168119296.00 ms
/run/firejail/appimage/.appimage-10752/usr/bin/audacity.wrapper
Parent is shutting down, bye…
AppImage unmounted
————————————————————————
So it didn’t work any more. Yet when using the generic.profile: “firejail --profile=/etc/firejail/generic.profile --appimage Audacity-2.1.2.glibc2.15-x86_64.AppImage”
it works.
Can you tell me why that is? Obviously “firejail --appimage Audacity-2.1.2.glibc2.15-x86_64.AppImage” should work.
Thanks in advance.
Greetings.
Rosika Schreck
Thanks for a great program. A newbie question: How to run “jailed” program as a member of a group?
I have a setup (on Ubuntu) where iptables blocks all Internet access except for members of the “internet” group. For example, I will not have Internet access, if I run:
$ firefox
I will have Internet access, if I run:
$ sudo -g internet -s
$ firefox
I will not have Internet access (but I would like to have), if I run:
$ sudo -g internet -s
$ firejail firefox
Removing “nogroups” from firefox.profile does not resolve the issue.
Yes, you need to remove “nogroups” from firefox.profile. I think you also need to remove “noroot” in the same file. Try this from command line
$ sudo -g internet -s
$ firejail --ignore=noroot --ignore=nogroups firefox
Thanks for the response. This did not work (Firefox did not start):
$ sudo -g internet -s
$ firejail –ignore=noroot –ignore=nogroups firefox
(…)
/bin/bash: –ignore=noroot: command not found
Parent is shutting down, bye…
Firefox starts (but still no Internet access), after I removed “noroot” and “nogroups” from firefox.profile, and ran:
$ sudo -g internet -s
$ firejail firefox
Any advice what else I should try?
I researched it some more: it appears that my problem resembles one reported here:
https://github.com/netblue30/firejail/issues/785
After updating firejail from version 9.50_3 currently available in Ubuntu repos to the newest version 9.52_1 available at sourceforge.net everything is working great.
Thank you for a wonderful program!
Error clone: main.c:2517 main: Invalid argument
Hardware Rock64 (arm64), 4GB ram.
OS: Ubuntu bionic.
Firejail version 0.9.52 and firejail-profiles.
Get the following error when I try to use “Firejail Firefox” and “Firejail Chromium-browser”.
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Error clone: main.c:2517 main: Invalid argument
What is wrong and how to fix it ?
I just downloaded firejail 9.52 and tried to run firejail firefox from the command line and got the following error:
Parent pid 3725, child pid 3726
***
*** Error: Downloads directory was not found in user home.
*** Any files saved by the program, will be lost when the sandbox is closed.
***
***
*** Warning: cannot whitelist Downloads directory
*** Any file saved will be lost when the sandbox is closed.
*** Please create a proper Downloads directory for your application.
I think I’m getting this error because my ~/Downloads is a symbolic link that points to my data drive at /media/…/…/Downloads. Is there a workaround for this?
It shouldn’t be too difficult to set it up.
First you need to allow the sandbox to access /media. By default this access is denied. Create a file /etc/firejail/firefox.local with a single text line “ignore disable-mnt”:
(as root)
# echo “ignore disable-mnt” > /etc/firejail/firefox.local
Then, you shut down all your current Firefox instances and restart Firefox. In Firefox configuration (look for Preferences in the menus), in General tab you configure Firefox Downloads directory to point directly to /media/… on your data drive.
It works! Thank you very much.
Hey there, huge fan of this program. I’m sort of new to this and I was wondering what is the most restrictive I could possibly get for any one particular app? I take it the generic.profile is not the most restrictive it gets.
It picks up automatically a profile from /etc/firejail/ directory.
Love your program. I’m wondering just how restricted you can get a certain app though. In other words how restricted could you make, say, a browser. I’m sure you can do a lot more than what the generic profile offers.
No, for each application firejail picks up a specific profile. When you run it from command line it lists all the profile files it brings in, for example:
$ firejail openshot
Reading profile /etc/firejail/openshot.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 12936, child pid 12937
Child process initialized in 105.42 ms