Support


Please report the problems you run into on our GitHub bug tracker. For general questions you can also use the comment section on any page of this website. Security bugs are taken seriously; please email them to netblue30@yahoo.com.


Profile fixes

Fixed security profiles are available for various Firejail versions in this GitHub directory. The fixes cover applications such as the Firefox browser (version 60 is breaking badly!), LibreOffice (crashes on Ubuntu 18.04) and gedit. Manually overwrite the files in the /etc/firejail directory with the files from GitHub.

Firefox example:

  1. In your browser, open the GitHub page corresponding to your Firejail version (0.9.38, 0.9.52).
  2. In a text editor, open the file with the same name in the /etc/firejail directory ("sudo /usr/bin/gedit /etc/firejail/firefox.profile").
  3. Copy and paste the contents from the web page into the text editor.

Frequently Asked Questions


Technology

Why on earth should I use Firejail?

Some existing Linux security solutions are easily defeated by internal and/or external threats. Others are just too difficult to put in place. Firejail's approach is radically different.

For us, the user always comes first, so we keep the learning curve low. Most of the time you don't need to learn anything: just prefix your application with "firejail" and run it. This makes Firejail ideal for the regular, not-so-skilled home user.

We use the latest Linux kernel security features, such as namespaces and seccomp-bpf. In our view these features are mature and have been extensively tested in the marketplace by products such as Google Chrome and Docker.


How does it compare with Docker, LXC, nspawn?

Docker, LXC and nspawn are container managers. A container is a separate root filesystem, and the software runs inside this new filesystem. Firejail is a security sandbox: it works on your existing filesystem. It is modeled after the security sandbox distributed with Google Chrome.

Containers and sandboxes use the same Linux kernel technology, Linux namespaces, but the developer focus is different. Containers target the virtualization market, while sandboxes focus on application security.


What is the overhead of the sandbox?

The sandbox itself is a very small process. Setup is fast, typically a few milliseconds. After the application is started, the sandbox process goes to sleep and doesn't consume any resources. All the security features are implemented inside the kernel and run at kernel speed.


Applications


Firefox doesn’t open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance

By default, the Firefox browser uses a single process to handle multiple windows. If another Firefox process is already running when you start the browser, the existing process opens a new tab or a new window instead. Make sure Firefox is not already running when you start it in a Firejail sandbox.


How do I run two instances of Firefox?

Start the first Firefox instance as usual:

$ firejail firefox

Then, start the second sandbox:

$ firejail --private firefox -no-remote

How do I run VLC in a sandbox without network access?

The --net=none command line switch installs a new TCP/IP stack in your sandbox. The stack is not connected to any external interface, so for the programs running inside, the sandbox looks like a computer without any Ethernet interface.

$ firejail --net=none vlc

The best way to handle the command line switch is to place it in a custom profile in the ~/.config/firejail directory in your home. Create a vlc.profile text file in this directory with the following content:

$ cat ~/.config/firejail/vlc.profile
include /etc/firejail/vlc.profile
net none
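The per-user profile above is the general pattern for any application: include the distributed profile, then append the directives you want on top of it. The function below, an added example that is not part of the Firejail project, writes such an override for any application and profile directory (both are parameters, so it can be tried in a temporary directory), and only appends a directive that is not already present, so it is safe to re-run. The "private-dev" directive used in the usage line is one of the profile directives shown elsewhere on this page; the function itself does not check that a directive is valid.

```shell
# Added example (not from the Firejail project): write a per-user profile that
# includes the system profile and appends extra directives, e.g. "net none".
# Usage: make_local_profile <app> <profile-dir> <directive>...
#   make_local_profile vlc "$HOME/.config/firejail" "net none"
make_local_profile() {
    app=$1; dir=$2; shift 2
    mkdir -p "$dir"
    target="$dir/$app.profile"
    # Start from the distributed profile so all of its restrictions stay in force.
    if [ ! -f "$target" ]; then
        printf 'include /etc/firejail/%s.profile\n' "$app" > "$target"
    fi
    # Append each directive only if that exact line is missing (idempotent).
    for directive in "$@"; do
        grep -qxF "$directive" "$target" || printf '%s\n' "$directive" >> "$target"
    done
    printf '%s\n' "$target"
}

# Return 0 if the given line appears exactly once in the profile.
profile_has_once() {
    [ "$(grep -cxF "$2" "$1")" -eq 1 ]
}

# Usage: create the VLC override from the FAQ, then add one more directive.
# profile=$(make_local_profile vlc "$HOME/.config/firejail" "net none" "private-dev")
# cat "$profile"
```

Because the file lives under ~/.config/firejail, it survives package upgrades, which overwrite /etc/firejail/vlc.profile; the include line keeps the distributed restrictions and your additions stack on top of them.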


Can you sandbox Steam games and Skype?

Support for Steam, Wine and Skype has been around since version 0.9.34, and quite a number of other closed-source programs are supported.

Running ls /etc/firejail/*.profile will list all the security profiles distributed with Firejail. Programs not listed there are handled by a very restrictive /etc/firejail/default.profile.


Known Problems


PulseAudio 7.0/8.0 issue

The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Many Linux users are reporting sound problems when running applications in a Firejail sandbox; it affects, among others, Arch, Ubuntu 16.04 and Mint users. This problem was fixed in PulseAudio version 9.0. Run "firecfg --fix" in a terminal, or apply the following configuration to mask the problem:

$ mkdir -p ~/.config/pulse
$ cd ~/.config/pulse
$ cp /etc/pulse/client.conf .
$ echo "enable-shm = no" >> client.conf

A logout/login is required for the changes to take effect.

If you have problems with PulseAudio 9.x, use the previous fix, or configure "enable-memfd = yes" in /etc/pulse/daemon.conf.
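The four commands above append "enable-shm = no" unconditionally, so running them twice leaves two copies of the line and, if you already had a client.conf, the cp clobbers it. The following is an added example, not the Firejail project's firecfg code, of the same workaround done idempotently: it seeds the per-user file from the system template only when no client.conf exists yet, replaces any active enable-shm line rather than adding another, and provides a check function that reads the effective value back. The config directory and template path are parameters, so it can be exercised against a constructed template in a temporary directory.

```shell
# Added example (not from the Firejail project): apply "enable-shm = no" to a
# per-user PulseAudio client.conf idempotently.
# Usage: disable_pulse_shm <pulse-config-dir> <system-client.conf>
#   disable_pulse_shm "$HOME/.config/pulse" /etc/pulse/client.conf
disable_pulse_shm() {
    dir=$1; template=$2
    conf="$dir/client.conf"
    mkdir -p "$dir"
    # Seed from the system template, as the manual fix does, but never
    # overwrite a client.conf the user already has.
    if [ ! -f "$conf" ]; then
        if [ -f "$template" ]; then cp "$template" "$conf"; else : > "$conf"; fi
    fi
    tmp="$conf.tmp.$$"
    # Remove any active enable-shm line (commented ";"-lines are left alone),
    # then append ours, so the file ends up with exactly one active setting.
    grep -vE '^[[:space:]]*enable-shm[[:space:]]*=' "$conf" > "$tmp" || true
    printf 'enable-shm = no\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Print the effective enable-shm value from a client.conf: "no", "yes", or
# "unset" when no active line sets it (the last active line wins).
pulse_shm_setting() {
    v=$(grep -E '^[[:space:]]*enable-shm[[:space:]]*=' "$1" | tail -n 1 | sed 's/.*=[[:space:]]*//')
    printf '%s\n' "${v:-unset}"
}

# Usage (a logout/login is still needed afterwards, as the FAQ notes):
# disable_pulse_shm "$HOME/.config/pulse" /etc/pulse/client.conf
# pulse_shm_setting "$HOME/.config/pulse/client.conf"
```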


Firefox 60 problems

Firefox 60 doesn't work with Firejail version 0.9.52 or older. Patched security profiles are available for Firejail versions 0.9.38.x (LTS) and 0.9.52; you can find them in our profile fixes section. Another option is to install Firejail 0.9.54.


LibreOffice on Ubuntu 18.04

LibreOffice crashes when sandboxed with Firejail version 0.9.52 on Ubuntu 18.04. A patched security profile for Firejail 0.9.52 is available in our profile fixes section. Another option is to install Firejail 0.9.54.


Cannot install new software while Firejail is running

A file blacklisted in a running jail cannot be removed from outside the jail. This causes serious inconvenience when using Firejail with long-running processes: for example, it prevents the user from updating the system normally, because files like /bin/su, /bin/mount and /usr/bin/sudo are blacklisted by default. Admin commands for adding users and groups will also fail.

Firejail implements blacklisting by mounting an empty, read-only file or directory on top of the original file. The kernel, at least in older versions, refuses to delete the file because it is a mount point somewhere else in the system.

The problem is fixed in Linux kernels 3.18 or newer. This is the commit: vfs: Lazily remove mounts on unlinked files and directories
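Two checks follow from this explanation: whether the running kernel is 3.18 or newer, and whether a given path is currently a mount point (which is what a Firejail blacklist turns it into). The script below is an added example, not part of Firejail; it compares the major.minor of a kernel release string (uname -r, or a string passed in for testing) against 3.18, and looks a path up in field 5 of /proc/self/mountinfo, the mount point column. Note that mountinfo is per mount namespace, so run the mount check in the namespace where the blacklist was applied.

```shell
# Added example (not from the Firejail project): is the lazy-unmount fix present?
# ver_field <version-string> <n>: n-th dot-separated field as a number, 0 if absent.
# Trailing text such as "-20-generic" is dropped by awk's numeric conversion.
ver_field() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ v = (n <= NF) ? $n : 0; print v + 0 }'
}

# kernel_at_least <major.minor> [release]: 0 if release (default: uname -r)
# is at least the given version, comparing major and minor only.
kernel_at_least() {
    want=$1
    have=${2:-$(uname -r)}
    hmaj=$(ver_field "$have" 1); hmin=$(ver_field "$have" 2)
    wmaj=$(ver_field "$want" 1); wmin=$(ver_field "$want" 2)
    [ "$hmaj" -gt "$wmaj" ] || { [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]; }
}

# is_mount_point <path>: 0 if the path is a mount point in this mount namespace.
# Field 5 of /proc/self/mountinfo is the mount point; an empty file or directory
# mounted there is how Firejail hides a blacklisted path.
is_mount_point() {
    awk -v p="$1" '$5 == p { found = 1 } END { exit !found }' /proc/self/mountinfo 2>/dev/null
}

# Usage: report whether files blacklisted in a running sandbox can still be
# unlinked from outside it on this kernel (3.18 is the version named in the FAQ).
if kernel_at_least 3.18; then
    echo "kernel $(uname -r): unlink of a blacklisted (mounted-over) file is allowed"
else
    echo "kernel $(uname -r): unlink may be refused while a sandbox keeps the mount"
fi
```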


Cannot connect to ibus-daemon in a new network namespace

ibus-daemon is used to change the input language, for example to switch between English (US) and Japanese input. In a sandbox using a new network namespace, the ibus-daemon socket is disabled and the keyboard-switching capability is lost.


Firefox crashing on Netflix, AMDGPU PRO, Nvidia closed source drivers

We are still working on these problems. From what we've seen so far, these programs make liberal use of system calls such as chroot and ptrace. These syscalls have no place in regular, well-behaved programs, and seccomp kills the application immediately. Workarounds involve disabling seccomp and allowing ptrace. Example:

$ firejail --allow-debuggers --ignore=seccomp --ignore=protocol firefox -no-remote

I’ve noticed the title bar in Firefox shows “(as superuser)”, is this normal?

The sandbox process itself runs as root. The application inside the sandbox runs as a regular user; "ps aux | grep firefox" reports the Firefox process running as a regular user.

The same problem was seen with other programs as well (VLC, Audacious, Transmission), and it is believed to be a bug in the window manager. You can find a very long discussion on the development site: https://github.com/netblue30/firejail/issues/258


173 thoughts on "Support"

  1. Jules

    Following the update to Firejail 0.9.46, I can’t use Quiterss with Firejail. I’m on Arch and using Quiterss 0.18.4. Quiterss runs fine when not under Firejail – and before the update, it ran successfully under Firejail.

    Here’s the error message I now get:
    ====
    Reading profile /etc/firejail/quiterss.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Reading profile /etc/firejail/disable-devel.inc
    Warning: noroot option is not available
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 8087, child pid 8088
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
    Blacklist violations are logged to syslog
    Child process initialized in 250.57 ms
    terminate called after throwing an instance of ‘std::bad_alloc’
    what(): std::bad_alloc

    Parent is shutting down, bye…
    ====
    Any thoughts, assistance, advice would be most appreciated.

    Cheers,
    Jules

  2. totalizator

    I have been using firejail just for the sake of --interface=tun0 --defaultgw=10.1.1.2 --dns=8.8.8.8 (badvpn/tuntap) and after the last update (0.9.46-1 I believe) my app stopped working, complaining about access permissions. When I launch it with --noprofile it works as expected – I have my app using separate, socks based network interface. Can I know what has changed regarding this “issue”?

    1. netblue30 Post author

      Could be something in the profile for your application. The best way to debug it is to go in /etc/firejail/app.profile (the specific application profile file there) and comment out the lines one by one. I assume one of them is creating the problem, probably the “protocol” line.

  3. Jens

    Hi!

    I want to supply a solution to a strange problem with sound not working in Firefox. I have been searching for days on this problem which I get in Apparmor when using Firejail and Apparmor at the same time (no problem if I only use Firejail or only use Apparmor):

    apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="run/user/1000/pulse/native" pid=4636 comm=4D65646961506C7E6261636B202333 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

    I have followed the modifications on this site and tried both older and newer versions of Firejail without any luck. The solution was to change the Firefox Apparmor profile from:

    /usr/lib/firefox/firefox{,*[^s][^h]} {

    to:

    /usr/lib/firefox/firefox{,*[^s][^h]} flags=(attach_disconnected) {

    I don’t understand what this is doing but I found it from a similar problem here:

    https://github.com/netblue30/firejail/issues/1015

    I hope this can help someone.

    /Jens

  4. Mario

    Hi,

    I am using firejail for sandboxing dolphin and found an interesting problem with that, because it works the first time dolphin is started, but not anymore if I try to start dolphin again (while the first instance of the program is still running; if the first process ends, it’s possible to again start a new dolphin). These are the messages printed to Konsole when dolphin fails to start:
    ————————-
    firejail /usr/bin/dolphin
    Reading profile /etc/firejail/dolphin.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Warning: noroot option is not available
    Parent pid 4745, child pid 4746
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
    Child process initialized in 66.40 ms
    “Couldn’t register name ‘org.kde.dolphin-3’ with DBUS – another process owns it already!”

    Parent is shutting down, bye…
    ————————-
    What does work is to navigate dolphin to /usr/bin and to click the dolphin executable.

    I tried to change dolphin.profile but without success. Is there away to make firejail reuse the sandbox if an instance of a program is already running?

    Thank you for your work

    Regards

    1. netblue30 Post author

      > Couldn’t register name ‘org.kde.dolphin-3’ with DBUS – another process owns it already!

      First time you start Dolphin, even if you close the window, Dolphin remains running in the background. The second time you start it, the new instance detects the first instance and it sends a message to it, after that the second instance shuts down, and the first instance should open the file manager window.

  5. Mario

    Excuse me, I just discovered that my reply has not been published.

    However I had a second look into the problem. Dolphin is not a single process application her and it always creates a new name ord.kde.dolphin-, e.g. org.kde.dolphin-17554

    Inside firejail PIDs seem to have another namespace starting again with 3. That’s the problem… My solution for now is to not firejail dolphin.

    Any ideas?

    1. netblue30 Post author

      Indeed, you seem to be right. I just installed Kubuntu 17.04 and put Firejail on it. Then I integrated Firejail into the desktop by running “sudo firecfg”. I go to the KDE menu and click on Dolphin. It is sandboxed automatically; however, it seems to start some other processes in the background. These processes are running outside the sandbox and are not closed when you close Dolphin. I believe they are started by systemd or a similar mechanism.

      In Kubuntu 17.04 I don’t get the error you mentioned (Couldn’t register name ‘org.kde.dolphin-3’ with DBUS). What distribution are you using?

      1. Mario

        Oh, many thanks for your effort… I didn’t expect you to install a new distribution for this problem…

        May I ask you to try to run 2 instances of dolphin at the same time using Konsole? When you try to start the first instance everything should work. When trying the second instance (while the first is still running!), no new window should appear (at least that’s the problem here on my systems), and the error message above should be printed to stdout (or stderr, I don’t know) on Konsole…

        To answer your questions: I am using Manjaro Linux (arch-based, rolling release) with all patches applied.

        What I have here as well, is a process file.so which seems to implement the KIO file protocol for local file access and is started by kdeinit5, which itself is started by systemd. None of these processes is firejailed. I consider this another problem, I think the only solution would be to also firejail kdeinit5…?


  6. Mario

    Corrections: 2nd paragraph, 2nd sentence should be:

    Dolphin is not a single process application here and it always creates a new name ord.kde.dolphin-PID, e.g. org.kde.dolphin-17554

    Regards

  7. Guido Gonzato

    Hello, I’d like to report that firejail somehow interferes with LXD (https://linuxcontainers.org/lxd/) initial configuration. I ran “lxd init”, entered default values, and LXD initialization failed when it tried to create the default network bridge.
    I fiddled around to try and fix the problem; no results. Eventually, I uninstalled firejail, re-ran “lxd init”, and voila: it worked. I then reinstalled firejail and everything works fine.
    I suggest that you document and/or fix this strange problem. Thanks a lot for firejail!

    1. netblue30 Post author

      All Firejail’s security features are in the Linux kernel, so you need a kernel with spectre/meltdown fixes.

      For firejail executable itself we will bring in the fixes in the next release.

  8. wony

    How-to solve a strange problem with execvp on Fedora-26?:

    firejail --noprofile --private-bin=bash bash
    Parent pid 3090, child pid 3091
    Child process initialized in 12.06 ms
    execvp: No such file or directory

    Parent is shutting down, bye…

  9. Bruce

    I just upgraded to the latest bleeding edge openSUSE Tumbleweed version and suddenly started getting errors that sandboxed programs couldn’t access the :0 X11 display and therefore crashed. I know that this is probably not a firejail problem but I was wondering if you have any suggestions on anything to try. Currently I am just running “xhost +” which allows programs to run but obviously has security issues.

  10. Martin

    I’ve installed firejail on Lubuntu, both latest versions. When I run either firefox or chromium using firejail they load, but neither will browse the net; it just says the page can’t be displayed or the server can’t be reached. Both browsers work perfectly without firejail.

    Any ideas what I might be missing?

    1. netblue30 Post author

      What graphics card do you have, and what drivers are you using for it? We do have some problems on some Nvidia and Radeon cards running with the closed-source drivers from the manufacturer.

  11. Phillip Orleans

    I created 100 new users, not system users, regular users, each one with their own directory. I need to jail them so they cannot look at the contents of /usr/sbin/ /usr/src/ etc. How can I transparently jail any user belonging to a specific group?
    Is it possible?

  12. MMM

    I would like one of the existing profiles to enable the application I am running to be able to read a script in /usr/sbin to force a light-theme on the application in an otherwise dark-themed DE.
    I copied the existing profile to ~/.config/firejail/ & amended the profile by adding in the second paragraph (see below). Although this works, is it because the whole /usr/sbin directory is un-blacklisted or is it as I hope that just the /usr/sbin/firefox script file is & the rest of the /usr/sbin is then subsequently re-blacklisted?

    # Firejail profile for firefox
    # This file is overwritten after every install/update
    # Persistent local customizations
    include /etc/firejail/firefox.local
    # Persistent global definitions
    include /etc/firejail/globals.local

    # Allow access to /usr/sbin/firefox for light-theme
    noblacklist /usr/sbin
    noblacklist /usr/sbin/firefox
    blacklist /usr/sbin/*

    noblacklist ${HOME}/.cache/mozilla
    ………………….

    1. netblue30 Post author

      It is fine; in your /usr/sbin only the firefox script is available, everything else is blacklisted. You can check it easily by running something like:

      $ firejail --noblacklist=/usr/sbin --noblacklist=/usr/sbin/firefox --blacklist=/usr/sbin/*
      Reading profile /etc/firejail/default.profile
      Reading profile /etc/firejail/disable-common.inc
      Reading profile /etc/firejail/disable-passwdmgr.inc
      Reading profile /etc/firejail/disable-programs.inc

      ** Note: you can use --noprofile to disable default.profile **

      Parent pid 1836, child pid 1837
      Child process initialized in 38.84 ms
      $ ls -l /usr/sbin

  13. Kate

    Could you explain the difference between:
    1) $ firejail --private=~/browser-home firefox with UBlock/NoScript/HttpsEverywhere/etc and switched off safebrowsing/telemetry/etc in config
    2) regular $ firejail firefox with the same add-ons & browser configuring
    Thanks a lot for such a great tool! We’ll obviously donate, our company has planned it in may.

    1. netblue30 Post author

      1) It will trick Firefox into thinking /home/username/browser-home is your home directory. Inside it, Firefox will build its configuration (/home/username/browser-home/.mozilla) and Downloads directory.

      2) In this case, Firefox will use your regular home directory using its regular Download and configuration from /home/username/.mozilla.

  14. MMM

    I made a post here at the end of last week regarding blacklisting in a Firefox profile – last I seen it was awaiting moderation – is that still the case because it hasn’t appeared yet
    TIA
    MMM

  15. Jordan

    netblue30,

    I would like to use the whitelist and blacklist filters from firejail 0.9.38-1,
    to improve the security of the apparmor profiles installed with Ubuntu. As such,
    I have created a file containing apparmor rules that I believe represents these
    filters; however, I am unsure about how accurately they are represented, being
    fairly new to apparmor. May I have your feedback on my apparmor rules, posted
    here: https://paste.ubuntu.com/p/3QxCbkBF35/

    Also, I am very new to the concept of git, and “git cloning” a repo. If I were
    to install firejail from source, in order to enable apparmor support, then how
    can I verify the cloned repo’s integrity; and that it was not maliciously
    altered in-transit? Through checksums? Signed files?

    Jordan

    1. netblue30 Post author

      Your rules look fine. I would suggest you move to the latest firejail version from git. It comes with its own apparmor profile if you compile it with apparmor support in.

      Git does the integrity check by default during clone. You can be sure whatever was on github.com will be replicated exactly on your computer. I don’t know how they do it, but it is a heavy duty integrity check.

  16. Henk van het Internet (Henky!!)

    I am struggling with getting coredump functionality to run when firejail is being used.
    The application I use (SRCDS) can automatically dump a core file when a segmentation fault occurs and its script then analyses the dump and saves it into the debug.log. I made sure ulimit -c is properly setup and can also confirm the setting is correct within the jail. I also use the –allow-debuggers parameter but the core file does not appear in the directory.

    The behavior also happens if I only have some whitelist rules. Can someone assist me with the right addition to the profile so core files can be dumped?

  17. FJedjit

    new version of Firefox (60.0) no longer launches via firejail. Can this be fixed?

    [@localhost ~]$ firejail firefox
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Reading profile /etc/firejail/whitelist-var-common.inc
    Parent pid 9971, child pid 9972
    Blacklist violations are logged to syslog
    Child process initialized in 29.84 ms
    Gtk-Message: 19:55:54.605: (for origin information, set GTK_DEBUG): failed to retrieve property `gtk-primary-button-warps-slider’ of type `gboolean’ from rc file value “((GString*) 0x7fd00cd12120)” of type `gboolean’
    [Parent 7, Gecko_IOThread] WARNING: pipe error (94): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
    ExceptionHandler::GenerateDump cloned child 132
    ExceptionHandler::SendContinueSignalToChild sent continue signal to child
    ExceptionHandler::WaitForContinueSignal waiting for continue signal…
    [Parent 7, Main Thread] ###!!! ABORT: file /builds/worker/workspace/build/src/ipc/glue/CrashReporterHost.cpp, line 189
    [Parent 7, Main Thread] ###!!! ABORT: file /builds/worker/workspace/build/src/ipc/glue/CrashReporterHost.cpp, line 189
    ExceptionHandler::GenerateDump cloned child 136
    ExceptionHandler::SendContinueSignalToChild sent continue signal to child
    ExceptionHandler::WaitForContinueSignal waiting for continue signal…
    2018-05-09 19:57:03: minidump.cc:4808: ERROR: ReadBytes: read 0/32
    2018-05-09 19:57:03: minidump.cc:4453: ERROR: Minidump cannot read header
    Failed to open curl lib from binary, use libcurl.so instead

    Parent is shutting down, bye…
    [@localhost ~]$

    Logged

    1. netblue30 Post author

      Thank you for reporting it. We are aware of the problem and a fix is in the works: https://github.com/netblue30/firejail/pull/1935

      This is how the fix looks so far:

      Go in /etc/firejail directory and as root user open in a text editor one of the following files: firefox.profile for firejail versions up to 0.9.52 or firefox-common.profile for version 0.9.54.

      In this file comment out “tracelog” line. For this, you need to add a “#” in front of the line, like this:

      shell none
      # tracelog
      disable-mnt
      private-dev

      Please let me know if this solves the problem. Thanks!

      1. MMM

        Good Afternoon
        I too was having the same issue with FF60 under firejail on Peppermint OS 8 (Ubuntu based). I tried your suggestion above, which was unsuccessful; however, what I found was this:
        “We had to take out chroot from the seccomp filter to get Firefox working. If you replace seccomp with the following long line it should work again:
        …………….”

        from here:
        https://github.com/netblue30/firejail/issues/1939#issuecomment-388358648

        Hope this helps.


  18. John

    Commenting out tracelog works if I start firefox with firejail firefox but if I try to run firefox through an alternate home directory it’s non functional for me

    For example if I run
    firejail --private=~/work/ --dns=91.239.100.100 --dns=89.233.43.71 firefox -no-remote

    Firefox loads and it won’t load any tabs or bookmarked pages, it just loads blank pages. Then eventually the browser crashes and generates a crash report.

    my terminal output
    $ firejail --private=~/work --dns=91.239.100.100 --dns=89.233.43.71 firefox -no-remote
    Reading profile /home/john/.config/firejail/firefox.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Reading profile /etc/firejail/whitelist-var-common.inc
    Parent pid 3921, child pid 3922

    DNS server 91.239.100.100
    DNS server 89.233.43.71

    Blacklist violations are logged to syslog
    Child process initialized in 69.49 ms

    (firefox:3): IBUS-WARNING **: 13:16:13.404: Unable to connect to ibus: Could not connect: Connection refused
    ExceptionHandler::GenerateDump cloned child 141
    ExceptionHandler::WaitForContinueSignal waiting for continue signal…
    ExceptionHandler::SendContinueSignalToChild sent continue signal to child
    ExceptionHandler::GenerateDump cloned child 143
    ExceptionHandler::WaitForContinueSignal waiting for continue signal…
    ExceptionHandler::SendContinueSignalToChild sent continue signal to child
    ExceptionHandler::GenerateDump cloned child 144
    ExceptionHandler::SendContinueSignalToChild sent continue signal to child
    ExceptionHandler::WaitForContinueSignal waiting for continue signal…
    [Parent 3, Main Thread] ###!!! ABORT: file /build/firefox-c3U081/firefox-60.0+build2/ipc/glue/CrashReporterHost.cpp, line 189
    [Parent 3, Main Thread] ###!!! ABORT: file /build/firefox-c3U081/firefox-60.0+build2/ipc/glue/CrashReporterHost.cpp, line 189
    ExceptionHandler::GenerateDump cloned child 147
    ExceptionHandler::WaitForContinueSignal waiting for continue signal…
    ExceptionHandler::SendContinueSignalToChild sent continue signal to child

    (crashreporter:148): IBUS-WARNING **: 13:17:38.304: Unable to connect to ibus: Could not connect: Connection refused
    Failed to open curl lib from binary, use libcurl.so instead

    Parent is shutting down, bye…
    ———————————————————————————-
    This setup has worked fine for years until Ubuntu 18.04 lts did an auto update to firefox 60 last night. Now it’s non functional.

    I actually have a bunch of alternate firefox firejail home directories that I use to keep all my affairs separate and now I can’t use any of them.

    Any ideas guys?

  19. John

    Also
    firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox -no-remote

    Just loads a non functional browser for me as well.

  20. FJedjit

    For all the problems I’ve had with FJ this is the first time one of them has ever been resolved. Nice. This very long string works for me. It’s from github:
    replace seccomp in /etc/firejail/firefox.profile with the following,

    seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice

  21. John

    That seccomp string worked for me, cheers FJedjit! and whoever posted it on github

    @netblue30
    The sourceforge page wouldn’t work for me, the download just keeps failing. I had to switch to a different mirror to get the file. I don’t have time to test it right now,

    Thanks guys!

  22. g

    hey!

    I can’t open any links in a firejailed slack-desktop. It does nothing… I would like to open the links in a firejailed firefox, which is the system’s default browser.

    Any advices?

  23. FJedjit

    While all this fixing and testing is going on and netblue30 and FredB et al. are very busy these days, I’d still like to remind ‘et al’ that this issue is still an issue: see my March 24th post.
    I should add that it’s not only Add Books that brings up that exact error, Save to Disk does as well.

    FJedjit
    March 24, 2018 at 12:46 am

    Still having the problem when Calibre is launched from within firetools, and use ‘Add Books’ function. I get: Error. Unable to create io-slave. Cannot create socket for launching io-slave for protocol ‘file’.

    netblue30′ response then was:
    https://firejail.wordpress.com/frequently-asked-questions/

    Anyway, it would be nice to have a fix for this as I use Calibre day.

    Thx.

  24. gaofei

    I executed the flameshot command inside sandboxed Xephyr, and flameshot caught a screenshot in my main X11 server. Perhaps you should blacklist flameshot while using Xephyr?
    I’m using the ibus-daemon input method. I switched to the French keyboard, sometimes switched back to the English keyboard, and Xephyr caught my mouse. I pressed ctrl + alt + f3 and killed Xephyr as the root user; then my keyboard didn’t work normally.

  25. gnomek

    running chromium as snap in Firejail
    So far I used chromium installed from deb (on Ubuntu 14.04) and sandboxed it with firejail. Chromium is not available from repositories as deb anymore. So, I installed the chromium snap package.

    So far I used firejail profile:

    firejail --profile=/media/data/backup/jailkonf/.config/jail.profile --seccomp --private=/media/data/backup/jail/ chromium-browser

    After installing chromium I noticed that it has a long entry in startmenu:

    env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop /snap/bin/chromium %U

    Combining those two like that:

    firejail --profile=/media/data/backup/jailkonf/.config/jail.profile --seccomp --private=/media/data/backup/jail/ env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop /snap/bin/chromium %U

    doesn’t work.

    I want to be able to use my old chromium profile with this snap version. How to do it?

    How can I run chromium with firejail?

    The second issue: isn’t chromium as snap sandboxed anyway? Would running it with firejail make sense?

    1. netblue30 Post author

      > I want to be able to use my old chromium profile with this snap version. How to do it?

      I think it is broken. Back in 2016 we used to be able to run snaps in firejail.

      Snaps have their own sandbox. Running this sandbox in a firejail sandbox creates some problems. Go without firejail until we figure out what’s going on.

  26. tuga247

    Just noticed that Firetools' last version (0.9.52_1, at least the amd64 deb install version) is missing or has some problem with the panel icon: if I start it minimized (firetools --minimize) I get no icon and the error "libpng warning: iCCP: known incorrect sRGB profile". Tested both in Ubuntu MATE 18.04 and Kubuntu 18.04.
    Thank you very much for the good work and especially for the Firefox fix!
    Cheers!

  27. gnomek

    Can you please tell me what the proper way of using whitelist and blacklist for folders is? Let's say I have a folder and a subfolder. Can I blacklist the folder and whitelist the subfolder? For example:
    blacklist /media/data
    whitelist /media/data/Download

    1. netblue30 Post author

      The whitelist will bring in only /media/data/Download directory, so you don’t need to do the blacklist.

      If you do both of them, the software will bring in /media/data/Download but then make it inaccessible.

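The reply above says a whitelist entry that sits under a blacklisted directory ends up brought in but unusable. The script below is an added example, not Firejail's own code or part of the original thread: it lints a profile for exactly that combination and prints a copy with the shadowing blacklist lines dropped. It assumes the directives appear as plain "blacklist PATH" and "whitelist PATH" lines without spaces in the paths, and it works on a constructed sample profile so it runs without firejail installed.

```shell
#!/bin/sh
# Added example (not Firejail's own code): find whitelist entries that lie
# under a blacklisted directory, the combination the reply above warns about.
# Assumptions: directives are "blacklist PATH" / "whitelist PATH" on their own
# lines, paths contain no spaces, '#' starts a comment. Other directives are
# ignored. A constructed sample profile is used so this runs offline.

PROFILE="${PROFILE:-$(mktemp)}"
printf '%s\n' \
  '# constructed sample profile (not a real Firejail profile)' \
  'blacklist /media/data' \
  'whitelist /media/data/Download' \
  'whitelist ${HOME}/Documents' \
  'blacklist /media/other' > "$PROFILE"

# fj_paths FILE DIRECTIVE -> prints the paths given to DIRECTIVE, comments stripped
fj_paths() {
    sed -e 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print $2 }'
}

# fj_shadowed_whitelists FILE -> prints "WHITELIST <- BLACKLIST" for every
# whitelist path equal to or below a blacklist path; returns 1 if none found
fj_shadowed_whitelists() {
    file="$1"; found=1
    for w in $(fj_paths "$file" whitelist); do
        for b in $(fj_paths "$file" blacklist); do
            case "$w" in
                "$b"|"$b"/*) echo "$w <- $b"; found=0 ;;
            esac
        done
    done
    return $found
}

# fj_fix_profile FILE -> prints FILE with the shadowing blacklist lines removed,
# which is what the reply recommends: keep only the whitelist
fj_fix_profile() {
    file="$1"
    drop="$(fj_shadowed_whitelists "$file" | awk '{ print $3 }' | sort -u)"
    while IFS= read -r line; do
        keep=1
        set -- $line
        if [ "$1" = blacklist ]; then
            for d in $drop; do [ "$2" = "$d" ] && keep=0; done
        fi
        [ $keep -eq 1 ] && printf '%s\n' "$line"
    done < "$file"
    return 0
}

# Usage: report the problem, then show the repaired profile.
fj_shadowed_whitelists "$PROFILE" && echo "--- repaired profile ---" && fj_fix_profile "$PROFILE"
```

Run it against a real profile with `PROFILE=/etc/firejail/yourapp.profile sh lint.sh`; the check is a prefix comparison on the literal paths, so a blacklist written with a different spelling of the same directory (symlink, trailing slash) is not matched.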
  28. FJedjit

    Upgraded to 0.9.54 on PCLOS but not able to launch any apps. See partial outputs from "su firecfg" and "firejail opera":

    # su firecfg
    Removing all firejail symlinks:
    removes a bunch of apps I think. . .

    Configuring symlinks in /usr/local/bin based on firecfg.config
    added a bunch of apps. . .
    Error: cannot detect login user in order to set desktop files in ~/.local/share/applications
    ----
    Then tried firejailing Opera anyway and got this
    firejail opera
    Error: the user is not allowed to use Firejail. Please add the user in /etc/firejail/firejail.users file, either by running “sudo firecfg”, or by editing the file directly.
    See “man firejail-users” for more details.

    only firejail.config in that /etc/firejail. . . path

    added user and is now there but still getting the same two errors and still cannot launch from FJ

    1. netblue30 Post author

      The correct command is “sudo firecfg”. “su firecfg” will not work.

      Run "sudo firecfg --add-users username" where you replace username with your user account name. After that you can start your sandbox, for example "firejail firefox".

      Another option is to run “sudo rm /etc/firejail/firejail.users”. This will disable the user checking when you start the sandbox.

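The reply above points to /etc/firejail/firejail.users and to "sudo firecfg --add-users". The script below is an added example, not Firejail's own code or part of the thread: it checks whether a given user is listed in such a file, adds the user only if missing, and reports the current real user, which is the account firejail checks (so output from a root shell reached via su or sudo describes root, not the desktop login). It assumes the file holds one user name per line with '#' comment lines, and it works on a constructed copy so it runs without root or firejail.

```shell
#!/bin/sh
# Added example (not Firejail's own code): inspect and repair a firejail.users
# allow-list as the reply above describes. Assumption: one user name per line,
# '#' comment lines and blank lines ignored, stray whitespace tolerated.
# A constructed copy of the file is used so this runs without root.

USERS_FILE="${USERS_FILE:-$(mktemp)}"
# Constructed sample (not the real /etc/firejail/firejail.users); 'bob' has
# trailing spaces on purpose, an editing mistake that a naive grep would miss.
printf '%s\n' '# users allowed to run firejail' 'alice' 'bob   ' > "$USERS_FILE"

# fj_user_allowed FILE USER -> 0 if USER appears as a whole line, trimmed
fj_user_allowed() {
    file="$1"; user="$2"
    [ -r "$file" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
        grep -qxF -e "$user"
}

# fj_user_add FILE USER -> appends USER once (idempotent); the same effect
# "sudo firecfg --add-users USER" is recommended for above
fj_user_add() {
    file="$1"; user="$2"
    fj_user_allowed "$file" "$user" && return 0
    printf '%s\n' "$user" >> "$file"
}

# fj_check_current FILE -> checks the *real* user of this shell; under
# "su" or "sudo -s" that is root, not your desktop login
fj_check_current() {
    file="$1"
    me="$(id -un)"
    if fj_user_allowed "$file" "$me"; then
        echo "user '$me' is listed in $file"
    else
        echo "user '$me' is NOT listed in $file; run: sudo firecfg --add-users $me"
        return 1
    fi
}

# Usage against the constructed file.
fj_check_current "$USERS_FILE" || true
fj_user_add "$USERS_FILE" "$(id -un)"
fj_check_current "$USERS_FILE"
```

Point USERS_FILE at the real file (`USERS_FILE=/etc/firejail/firejail.users sh check.sh`) to check your login; run it from your normal terminal, not from a root shell, because the user name being tested is the one returned by `id -un`.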
  29. FJedjit

    Please do not delete my post. I just need some help.
    # firecfg
    Removing all firejail symlinks:
    kcalc removed
    palemoon removed
    dropbox removed
    baloo_file removed
    firefox removed
    etc., etc.,
    Configuring symlinks in /usr/local/bin based on firecfg.config
    akonadi_control created
    ark created
    baloo_file created
    Error: cannot detect login user in order to set desktop files in ~/.local/share/applications

    $ firejail firefox
    Error: the user is not allowed to use Firejail. Please add the user in /etc/firejail/firejail.users file, either by running “sudo firecfg”, or by editing the file directly.
    See “man firejail-users” for more details.
    The user is in the /etc/firejail/firejail.users file.

  30. Orti

    Hi!
    I have Firefox running in a firejail (firejail firefox %u), but the password manager Enpass is not able to recognize it then. When using FF without firejail, everything runs smoothly with Enpass.

    I am wondering if this problem is connected to firejail or to enpass.
    Maybe a kind of firejail-whitelist issue inside the firefox.profile?

    whitelist ${$any_enpass_folder} ?

    Please help.

    using: Arch, 4.17 kernel, firejail 0.9.52.1, enpass 5.6.9.1 and standard profiles/configs

  31. roger lawhorn

    Hello,
    Firefox Quantum 60.0.2 64-bit.
    Cannot open web pages at all. All tabs recover, but pages do not.
    Cannot use it at this time.

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID: LinuxMint
    Description: Linux Mint 19 Tara
    Release: 19
    Codename: tara

    $ inxi -Fx
    System: Host: xxxxxxxxxx Kernel: 4.8.17-040817-generic x86_64 bits: 64 gcc: 6.2.0
    Desktop: Cinnamon 3.8.4 (Gtk 3.22.30) Distro: Linux Mint 19 Tara
    Machine: Device: laptop System: Micro-Star product: GT70 2PE v: REV:0.C serial: N/A
    Mobo: Micro-Star model: MS-1763 v: REV:0.C serial: N/A
    UEFI: American Megatrends v: E1763IMS.51B date: 01/29/2015
    CPU: Quad core Intel Core i7-4940MX (-MT-MCP-) arch: Haswell rev.3 cache: 8192 KB
    flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 26339
    clock speeds: max: 3301 MHz 1: 3100 MHz 2: 3100 MHz 3: 3100 MHz 4: 3100 MHz 5: 3100 MHz 6: 3100 MHz
    7: 3100 MHz 8: 3100 MHz

  32. uli

    I am having problems with Firefox 60 with firejail 0.9.52. I have changed the profile as described further up in the support page. The command "firejail firefox" gives the following error message:
    Warning fseccomp: syscall “ni_syscall” not available on this platform
    Warning fseccomp: syscall “umount” not available on this platform
    Seccomp list in: @clock,….. vhangup,vmsplice,
    Child process initialized in 41.43 ms
    Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
    No protocol specified
    No protocol specified
    Unable to init server: Could not connect: Connection refused
    Error: cannot open display: :0

    Parent is shutting down, bye…
    Any ideas?

    1. netblue30 Post author

      You need to move to version 0.9.54. The new features introduced by Firefox 60 broke any security framework in existence, including Firejail and AppArmor.

  33. gaofei

    Are there any stable releases? I looked at the release notes and found the string "baseline; urgency=low"; the first beta version is 0.9, and the version number is less than 1.0. Mature software has a version number of at least 1.0.

    1. netblue30 Post author

      The most stable release is the LTS version; it was in maintenance mode for about 2 years. For us 1.0 means feature complete. We are still missing some features.

      1. gaofei

        Will it support multiple sandboxes? The only way to run multiple browsers is to add the suffix -no-remote. Will it support multiple sandboxes without the suffix? Every Firefox in its own sandbox cannot detect another Firefox, but the current solution may allow it to detect another Firefox.
