Support

 

Please report the problems you run into on our GitHub bug tracker. For general questions you can also use the comment section on any page on this website. Security bugs are taken seriously; please email them to netblue30@yahoo.com.

 

Profile fixes

Fixed security profiles are available for various Firejail versions in this GitHub directory. The fixes cover applications such as the Firefox browser (version 60 is breaking badly!), LibreOffice (crashes on Ubuntu 18.04) and gedit. Manually overwrite the files in the /etc/firejail directory with the files from GitHub.

Firefox example:

  1. In your browser, open the GitHub page corresponding to your Firejail version (0.9.38, 0.9.52).
  2. In a text editor, open the file with the same name in the /etc/firejail directory (“sudo /usr/bin/gedit /etc/firejail/firefox.profile”).
  3. Cut and paste from the web page into the text editor.
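
A scripted form of the manual overwrite above, as an added example (not part of Firejail or of the original page): it keeps a timestamped backup of the installed profile and refuses a source file that does not read like a profile, for instance a saved web page or text pasted with line numbers. The function names, the PROFILE_DIR override and the script name in the usage comment are hypothetical, the syntax check is a heuristic assumption about profile files, and the fixed profile is assumed to be saved locally already.

```shell
#!/bin/sh
# Added example. Usage (script name is hypothetical):
#   sudo sh install-profile-fix.sh ~/Downloads/firefox.profile firefox.profile
# PROFILE_DIR defaults to /etc/firejail, the directory named on this page;
# point it at a scratch directory to rehearse the procedure first.
PROFILE_DIR="${PROFILE_DIR:-/etc/firejail}"

# looks_like_profile FILE
# Heuristic: every line that is not blank or a '#' comment must begin with a
# lowercase directive (include, whitelist, caps.drop, seccomp, ...) or a
# '?CONDITION:' prefix. HTML markup and pasted line numbers fail this test.
looks_like_profile() {
    f="$1"
    [ -f "$f" ] && [ -s "$f" ] || return 1
    if grep -vE '^[[:space:]]*(#.*)?$' "$f" |
       grep -qvE '^[[:space:]]*[a-z?][A-Za-z0-9_?.-]*([[:space:]:]|$)'; then
        return 1    # found a line that cannot be a profile directive
    fi
    return 0
}

# install_profile_fix SRC NAME
# Copies SRC to $PROFILE_DIR/NAME, backing up any existing file first.
# Returns 0 on success, 2 for a bad NAME, 3 for a bad SRC, 4 on I/O errors.
install_profile_fix() {
    src="$1"; name="$2"
    case "$name" in
        */*|""|.*) echo "refusing profile name: $name" >&2; return 2 ;;
        *.profile|*.inc) ;;
        *) echo "unexpected extension: $name" >&2; return 2 ;;
    esac
    if ! looks_like_profile "$src"; then
        echo "$src does not look like a Firejail profile" >&2
        return 3
    fi
    dest="$PROFILE_DIR/$name"
    if [ -e "$dest" ]; then
        if cmp -s "$src" "$dest"; then
            echo "$dest already matches $src"
            return 0
        fi
        backup="$dest.bak.$(date +%Y%m%d%H%M%S)"
        cp -p "$dest" "$backup" || return 4
        echo "backup: $backup"
    fi
    # Write beside the target, then rename, so a sandbox starting at the
    # same moment never reads a half-written profile.
    tmp="$dest.new.$$"
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest" || {
        rm -f "$tmp"
        return 4
    }
    echo "installed: $dest"
}

if [ "$#" -eq 2 ]; then
    install_profile_fix "$1" "$2"
fi
```

To roll back, copy the .bak file over the profile again.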
 

Frequently Asked Questions

We keep this section on our GitHub wiki here: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions

274 thoughts on “Support”

  1. Nonnya

    Ever since I ran sudo firecfg, my browsers won’t launch. I have to uninstall firejail completely to get them to work. Any workaround for this?

    Like

    Reply
  2. JoeJoe

    Ever since I ran sudo firecfg, my browsers won’t launch. I have to uninstall firejail completely to get them to work. Any workaround for this?

    Like

    Reply
  3. Simon

    Why is it the case that if I run a new terminal window from firejail, none of the sandbox features seem to work? Specifically, if I run firejail --noroot id, I see that I’m a member of groups 1000 and 65534 (nogroup). But if I run firejail --noroot xfce4-terminal, and in that new terminal run id, I see that I’m a member of groups 1000, 4, 27 and so on, i.e. it seems as if the new terminal window isn’t constrained by the sandbox. I see the same thing in bwrap (bubblewrap), so I assume it’s something I’m not understanding about how the sandboxes work, so would appreciate any clarification of what’s actually going on here. And firejail is great, by the way, the documentation is very good compared to bwrap.

    Like

    Reply
  4. lin

    i read you removed all --private & --overlay options from firejail with > v0.9.56 (okt’18) 😦 really? have i misunderstood something? how do i get back the important security features i used to use?

    Like

    Reply
  5. Deniz

    Are colons and parentheses in directory names supported? If so, how would one use those characters? I know spaces are not to be escaped, but whether I escape colons and parentheses or not, I can’t seem to stop getting the error “Error: blabla is an invalid filename” (without the quotes). I’m using firejail 0.9.56-2 in Debian testing/buster.

    Like

    Reply
  6. Alice

    Devs, thanks for such a great app! Could u help me please with a desktop shortcut for firefox. I’ve done an executable file with this script but I think it doesn’t execute “--seccomp” and “&” commands:
    [Desktop Entry]
    Name=FirefoxREGULAR
    Exec=firejail --seccomp firefox -no-remote &
    Terminal=true
    Type=Application
    Icon=/usr/share/icons/Mint-Y/apps/64/firefox.png

    Like

    Reply
    1. netblue30 Post author

      In your desktop file replace Exec line as follows:

      Exec=firejail firefox --no-remote

      You don’t need to add a &, also --seccomp is done by default for firefox.

      Like

      Reply
  7. mr

    Hi. I’m having the problem: cannot find profile, might be missing or inaccessible, in Firefox. I can open Firefox normally without firejail. I’ve made a new profile for Firefox but it makes no difference. I had previously tried to install firejail and was having trouble getting it up and running, so I did a sys restore, and now I have this problem. Can you please help?

    Like

    Reply
  8. Sao Wo

    First, thanks for making available this wonderful tool!
    I’ve been using “firejail thunderbird” successfully for quite some time. Everything works, except for one addon — “latexit”, which allows users to insert pdf’s of snippets of latex-processed equations into email replies. The addon works only if I do not use firejail. Enclosed please find the output of messages shown on the terminal when I run “firejail thunderbird”. Thanks for your help!

    ——— (output of firejail thunderbird session) ———-

    [For your reference: This is running on 64 bit linux mint xfce 18.04.1
    There are five warning messages below:
    * the first two (including the `critical’ one) showed up after I issued the “firejail thunderbird” command
    * the third one showed up when I clicked “write” on thunderbird to compose a message
    * the fourth one showed up because I got a notification for a new email in my mbox (I had not yet started composing my message)
    * the fifth and last one showed up after I clicked the “latexit” button (note: there was no warning when I typed the (text) message/latex texts)
    Feel free to let me know if you have any questions/need more info]

    xterm 101: firejail thunderbird
    Reading profile /usr/local/etc/firejail/thunderbird.profile
    Reading profile /usr/local/etc/firejail/firefox.profile
    Reading profile /usr/local/etc/firejail/firefox-common.profile
    Reading profile /usr/local/etc/firejail/disable-common.inc
    Reading profile /usr/local/etc/firejail/disable-devel.inc
    Reading profile /usr/local/etc/firejail/disable-interpreters.inc
    Reading profile /usr/local/etc/firejail/disable-programs.inc
    Reading profile /usr/local/etc/firejail/whitelist-common.inc
    Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
    Parent pid 4049, child pid 4050
    Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
    Post-exec seccomp protector enabled
    Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,

    firejail thunderbird
    Child process initialized in 104.87 ms
    [calBackendLoader] Using Thunderbird’s builtin libical backend

    (thunderbird:9): libunity-CRITICAL **: 08:20:22.509: unity-launcher.vala:157: Unable to connect to session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”

    ** (thunderbird:9): WARNING **: 08:20:22.552: unable to connect to session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”

    (thunderbird:9): LIBDBUSMENU-GLIB-WARNING **: 08:20:25.599: Unable to get session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”

    (thunderbird:9): LIBDBUSMENU-GLIB-WARNING **: 08:20:36.137: Unable to get session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”

    (thunderbird:9): libnotify-WARNING **: 08:20:40.676: Failed to connect to proxy
    This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=latex)
    restricted \write18 enabled.

    kpathsea: Running mktexfmt latex.fmt
    /usr/bin/env: ‘perl’: Permission denied
    I can’t find the format file `latex.fmt’!
    [Exception… “Component returned failure code: 0x80520006 (NS_ERROR_FILE_TARGET_DOES_NOT_EXIST) [nsIFile.remove]” nsresult: “0x80520006 (NS_ERROR_FILE_TARGET_DOES_NOT_EXIST)” location: “JS frame :: chrome://tblatex/content/main.js :: run_latex/< :: line 191" data: no]
    run_latex/<@chrome://tblatex/content/main.js:191:11
    run_latex@chrome://tblatex/content/main.js:188:7
    replace_latex_nodes/<@chrome://tblatex/content/main.js:330:28
    replace_latex_nodes@chrome://tblatex/content/main.js:325:45
    tblatex.on_latexit@chrome://tblatex/content/main.js:386:7
    oncommand@chrome://messenger/content/messengercompose/messengercompose.xul:1:1

    Parent is shutting down, bye…

    Like

    Reply
  9. Steve

    My understanding of Sandbox tech and usage is from using SandboxIE. I’m having trouble understanding how to get Firejail to function the way I understand SandboxIE.
    In SandboxIE, everything is (Firejail language) --private, but with persistence within the sandbox container until the user chooses the option to delete the contents of the sandbox or recover individual files from the protected environment.
    In Firejail’s non --private usage, browser malware can persist in the associated folders, cookies persist in the associated folders. If I use the available options in Firejail to create a proper isolated environment with no persistence then I lose my browser customizations or I lose the ability to recover selected files.
    How do I get Firejail to achieve the type of functionality available in SandboxIE, complete isolation while all browser customizations carry into the sandbox, and the ability to recover from the sandbox any file I choose which was introduced during a Firejail session?

    Like

    Reply
    1. virtualizado

      Steve, in Windows SandboxIE, nothing was private. It can see all your system files. A trojan can get all your passwords and send it on the web.
      Second, you also needed to “clean the sandboxie”, delete all inside, or the malware persisted there too. That includes to delete all your customizations made inside. What you want is to customize your browser OUTSIDE sandboxIE or outside firejail. We need firejail isolation, so you must copy the firefox profile with your customizations out of firejail, OR you can make a sync firefox account, what is better.
      Third, remember, sandboxIE works making DLL INJECTION in processes. It is not safe as firejail.

      Like

      Reply
  10. wognath

    Vivaldi browser (Linux) plays Netflix videos, but when run in firejail it does not. The message says to visit chrome://components and update WidevineCdm, but Widevine is up to date.

    Because there is a copy of widevinecdm.so in each of these directories, I added this to vivaldi.local:
    noblacklist ${HOME}/.local/lib/vivaldi
    whitelist ${HOME}/.local/lib/vivaldi
    noblacklist /var/opt/vivaldi
    whitelist /var/opt/vivaldi
    Netflix videos still fail to play. I would appreciate any suggestions. Thanks.
    MX-Linux 18.1 Vivaldi 2.3.1440.60 firejail 0.9.58.2

    Like

    Reply
    1. wognath

      Resolved by running sudo /opt/vivaldi/update-widevine. Script reports widevine is already up to date but creates a link which permits its use in firejail vivaldi.

      Like

      Reply
  11. Jane

    I just set up my laptop with a fresh install of ubuntu 18.04
    When installing firejail thru the app centre all went fine
    Later i found out there was an update (firejail_0.9.56-LTS_1_amd64.deb) which i installed and then things went wrong.
    I can open firefox but there is no internet i even can’t open my FF extensions
    I’m no good in technical stuff so please step by step please.
    I love FJ and FT and i definitely want to keep using, but right now im lost.
    Please help

    Like

    Reply
  12. Paul

    For some reason Firejail is blocking downloads. They go into my /TMP folder (.mozilla/.palemoon) and vanish once the Pale Moon session is closed i.e they do not get to the Downloads folder despite that folder being designated.

    Seems to be a conflict which has only just appeared. Any ideas on this please? Using 0.9.58.2-1

    Like

    Reply
  13. bash64

    The default orage.profile file has NOSOUND set.
    Orage is a calendar and ALARM application.
    It must be able to play sound to wake you up.
    It took me a bit to figure out why my alarm was not going off.

    Like

    Reply
    1. netblue30 Post author

      It is legit. However, the version they have is very very old. I would suggest you grab the latest version from this site (look in Downloads page).

      Like

      Reply
  14. ELG

    Used Firejail for past three years.
    Loved it !
    Was forced to upgrade to newer Linux Mint Mate OS.
    I’m a newbie in using the terminal and text editor combination..
    Really want to get Firejail back on my CPUs, but don’t have enough info to do “Profile Fix”..
    My “text editor” is called just that.
    Do I have to put this name after “sudo” ?
    Do the old text-files then appear in the terminal after I enter the sudo path command?
    Would I “cut them out,” or just “paste over them” from the GitHub page?
    On the GitHub page, would I do anything other than “copy the lines of code?”
    What are the “save” and “exit” commands after “pasteing”?
    (Package Manager says that 0.9.52-2 Firejail is “Installed,” so guess I just need to get “Profiles” working?.. )
    Really appreciate any help !!
    Thanks ! !

    Like

    Reply
    1. kiwilinux

      hi mate…do you use fire tools? can you just use in terminal “firejail (name)”
      did you get the deb version of fire jail?
      excuse me if ive understood wrong…im not overly an expert .

      Liked by 1 person

      Reply
  15. gnomek

    I run Firefox on Linux in firejail --private. It can’t connect to keepassxc database.

    Is it possible to do something about it?

    I found this topic
    https://github.com/keepassxreboot/keepassxc/issues/1820

    but it is closed and all they say is to not use private.

    I run keepassxc in the same --private as Firefox but firefox extension can’t connect to keepassxc database even if it is moved to the same path (private home)
    firejail --private=/path/ /usr/bin/keepassxc

    Is using firefox without --private but with custom profile less secure?

    Like

    Reply
  16. Rosika Schreck

    Hello,

    from what I´ve learnt from https://distrowatch.com/weekly.php?issue=20190617#news it seems that the Ubuntu team is looking at replacing their current Chromium deb package with a snap package.
    So in future Chromium should exclusively be available as snap.
    That´s bad news. As firejail dropped support of snaps this means that I won´t be able to use Chromium any more.
    Is there really nothing that can be done about this?

    Greetings.
    Rosika

    Like

    Reply
  17. Shawn

    Help please, I am having huge issues with Thunderbird on MXLInux 18.3 and file permissions with Firejail. Thunderbird works fine without firejail removed or set to --noprofile. But if I launch it with firejail thunderbird, then I am asked to set a new profile. Yet when I attempt to do this, I get a permission issue. If launch from terminal

    user@sanctuary:~$ firejail --noprofile thunderbird
    Parent pid 14138, child pid 14139
    Child process initialized in 13.73 ms
    Warning: an existing sandbox was detected. /usr/bin/thunderbird will run without any additional sandboxing features
    [calBackendLoader] Using Thunderbird’s builtin libical backend.

    No issues, but not in sandbox.
    Trying to launch as user.
    firejail thunderbird
    Reading profile /home/user/.config/firejail/thunderbird.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Reading profile /etc/firejail/disable-programs.inc
    Parent pid 14339, child pid 14340
    Child process initialized in 64.54 ms
    Warning: an existing sandbox was detected. /usr/bin/thunderbird will run without any additional sandboxing features
    find: ‘/home/user/.thunderbird/’: Permission denied
    INFO -> No fix up for /home/shawn/.config/mimeapps.list needed.
    INFO -> No fix up for /home/shawn/.local/share/applications/mimeapps.list needed.
    /usr/lib/thunderbird/thunderbird-wrapper-helper.sh: line 122: /home/user/.thunderbird/.migrated: Permission denied

    I am running firejail 0.9.56.1 and standard profiles, but have had same issue with different versions.

    Any suggestions as have been using firejail for last 18 months with generally no issues.

    Like

    Reply
  18. Roger Lawhorn

    I have made several attempts at making a profile for shutter but cannot get it right. I made a private bash shell, but it does not show all of the folders that shutter tries to access. Can you support this app? It is one of the best screenshot programs around.

    https://launchpad.net/shutter

    Like

    Reply
  19. A55

    Hello – I have problems opening an Appimage in Firejail – trying Appimage ‘Onlyoffice – Desktop editors’ – please see error output below; I am on Linux Mint 19.1
    any suggestions? thx

    $ firejail --appimage DesktopEditors-x86_64.AppImage
    Mounting appimage type 2
    Reading profile /etc/firejail/default.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Reading profile /etc/firejail/disable-programs.inc
    Warning: networking feature is disabled in Firejail configuration file

    ** Note: you can use --noprofile to disable default.profile **

    Parent pid 6969, child pid 6972

    ** Warning: dropping all Linux capabilities **
    Child process initialized in 169.02 ms
    [0803/230148.200359:ERROR:address_tracker_linux.cc(155)] Could not create NETLINK socket: Operation not supported (95)
    libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported

    Parent is shutting down, bye…
    AppImage unmounted

    Liked by 1 person

    Reply
  20. Steve

    Had Firejail 0.9.60 installed on Ubuntu 18.04 with FF – worked beautifully. HD failed. After replacing it, reinstalling/upgrading to 18.04.03 and FF69 am now unable to use it again. If I start it with just “firejail firefox”, FF will start but the start page says FF thinks it was upgraded in the background and needs to be restarted. Clicking restart brings me back to the same page. What can I do to fix my install?

    Like

    Reply
  21. schmeg

    with --disable-mnt, the firejailed process can’t read or write to mounts, but it can still see the mount info in /proc/mounts, which can contain things like usernames in pathnames of /run/media/…. Is there any way firejail can obscure /proc/mounts info?

    Like

    Reply
  22. virtualizado

    Netblue, please, i ditched linux several times this year and had to reinstall the system after kernel updates a few times until i discover that the problem was firejail. Libreoffice or Virtualbox, for example, couldn’t work or reinstall correctly if i had firejail installed. I have mint 19.2 installed.
    Paste a visible warning…
    The KNOWN ISSUES warning should be INSIDE PROGRAM with a “dont show again” warning.
    Plus, you should make a tab inside firejail to show system errors or warnings of every process inside firejail program.

    Plus, the “known issues” of netflix or nvidia doing obscure things like those you mentioned should be published in a visible way and they should give an answer about what is going on for them to use those functions like chroot or ptrace.

    Like

    Reply
  23. imschmeg

    I noticed that firecfg, by using firecfg.config, avoids integration of some profiles in /etc/firejail. Was the list in firecfg.config meant to be a proper subset of the profiles in /etc/firejail for some specific reason, such as the profiles in firecfg.config are deemed safe for use while others are risky? Or is firecfg.config just out of date with respect to /etc/firejail/*.profile?

    Like

    Reply
  24. DaveW

    I’m running Firejail v. 0.9.60.2 on Antix 17 linux (32 bit). After recent upgrades of kernel (to 4.9.200), Firefox-esr (to 68.2.0) and Thunderbird (to 68.2.2), email links from ThunderBird (inside Firejail) open Firefox outside of Firejail, even when Firefox is running in Firejail. The browser and email programs are in separate Firejail sandboxes. (All upgrades were from the appropriate Antix stable repository.)

    However, if Thunderbird is run from outside of the sandbox, email links open a new tab in the sandboxed Firefox. Prior to the upgrades, email links acted in this way from Thunderbird in a separate sandbox.

    Your suggestions would be appreciated. Thank you.

    Like

    Reply
  25. davetbw

    Well… It appears that posts are not answered often at this “support” site. The preferred site is: https://github.com/netblue30/firejail/issues

    After wasting a lot of time trying to fix my problem (posted above)… and after scanning the github site for similar problems, it appears that this is a very common issue, which can arise after almost any upgrade, for various difficult to find reasons. Therefore, as suggested on some of the posts (on the github site), it is better not to click email links, and instead, copy and paste the URL from the link into the browser.

    Like

    Reply
  26. Jo

    Hello, I have two questions:
    – First: Is there a way to verify the integrity of a sandboxed application using Firejail?
    – Second: Is it possible to limit the resource consume, similar to cgroups? Or is it possible to combine cgroup with Firejail?

    Thanks!

    Like

    Reply
    1. netblue30 Post author

      To check the integrity of the programs you have installed you can use AIDE (Advanced Intrusion Detection Environment). You should have it already in your package manager, or download it from https://aide.github.io/

      Second: in the man page, look for --rlimit-* command line options. We also support cgroups (--cgroup).

      Like

      Reply
  27. Mangolinux804

    I need to be able to analyze Phishing emails in a sandbox environment, will FireJail allow me to run Chrome, Evolution, and Gedit at the same time and interact with each other?
    Example:
    Open email, then open the link in Chrome or
    Download file via Chrome then open the file via Evolution

    Like

    Reply
    1. netblue30 Post author

      The download part should work. The ~/Downloads directory is the real one, and is common for all applications. The click in Evolution to open Chrome, you will have to try it. Make sure you have both of them already open when you click.

      Like

      Reply
  28. fjuser

    When run from a shell (running in an rxvt with Xorg), firejail works fine, e.g. “firejail xterm”.

    But when run from a menu entry in the window manager (fvwm in this case), it erases the DISPLAY variable so that xterm complains:

    xterm: Xt error: Can’t open display:
    xterm: DISPLAY is not set

    Of course DISPLAY is set proper. I’m really stuck here. Why does firejail erase the DISPLAY, how can this be prevented. Using “--env=DISPLAY=…” does not help.

    — Linux Devuan 2, firejail-0.9.62 compiled manually and installed in /usr/local.

    Like

    Reply
  29. Mike

    Can FireJail be configured to jail 2 apps together and allow both apps to interact with each other and access the internet?
    Evolution->-Folder->Chrome->Internet

    Like

    Reply
    1. netblue30 Post author

      Sorry for delay. Yes, you can do that. It is already implemented for Firefox and Thunderbird. You would click on a link in an email, it will open the browser and load the link. To get this running, we had to relax Thunderbird profile to allow the browser to start.

      Usually, we try to keep each application sandboxed separately for security reasons. But if you really need it, it can be done.

      Like

      Reply
  30. Michael Campbell

    If I run “firejail --noprofile firefox” it disables default profile. But is it still secured? If so how secured? What does it do with regards to security? I see information very lacking on the use of --noprofile. Thanks.

    Like

    Reply
  31. rolf

    Hello,
    I cannot run any DVD under Linux Mint 19.2 Cinnamon Smplayer or VLC, have tried uninstalling, reinstalling, installing codecs, still will not play a dvd & this used to work.
    How can I start smplayer without firejail running or I have not found disable firejail or run without firejail option while looking at man firejail doc.
    Regards,
    please send me an email & why are you asking for a url I do not have one .

    Like

    Reply
    1. netblue30 Post author

      > why are you asking for a url I do not have one

      That’s done automatically by wordpress.com. You can start smplayer or vlc directly from the command line:

      $ /usr/bin/smplayer

      Try to see if you can access the dvd this way, without firejail. Also try “/usr/sbin/smplayer /dev/sr0”. On most systems /dev/sr0 is the dvd driver. If this is working you move to “firejail smplayer /dev/sr0”.

      Like

      Reply
  32. simpleUser

    Hello!
    I think I’m missing something but there’s no good explanation for running Firejail with Wine.
    Is it just ‘firejail wine program.exe’? Which prefixes can I use to enhance a sandbox’s security? For example, would ‘firejail --private=~/my_wine_bottle WINEARCH=win64 WINEPREFIX=~/my_wine_bottle wine ~/my_wine_bottle/drive_c/program.exe’ work?
    Thank you in advance for your response!

    Like

    Reply
    1. netblue30 Post author

      It comes by default with a very good profile (in /etc/firejail/wine.profile). When you start it as “firejail wine program.exe” it will use this profile. If you add “--private=~/my-wine-bottle”, it will add it on top of the default profile. All other command line options you specify will be added on top of the default profile. “--private=directory” is probably the best one you can add. Another interesting one is “--net=none”, this disables network access for the sandbox.

      Like

      Reply
  33. Jon

    Greetings,

    I’m wondering how the following behavior of `mbox` described here [1] could be achieved through firejail:

    “Mbox introduces a novel sandbox usage model; when executing a program in the sandbox, Mbox prevents programs from modifying the host filesystem while giving them the impression that they are in fact making those modifications. Mbox achieves this by providing a layered sandbox filesystem and by interposing on system calls with ptrace and seccomp/BPF. At the end of program execution, the user can examine changes in the sandbox filesystem, and selectively commit them back to the host filesystem.”

    Do you have any pointers?

    [1] https://pdos.csail.mit.edu/archive/mbox/#what-sandbox-are-you-talking-about

    Like

    Reply
      1. Jon

        Thanks. So would it be possible to nest processes all in the same sandboxed tree of processes then? If I install packages while firejailing the package manager command, then all of those packages would only be installed in the overlain filesystem, and then all of the data files created by those installed packages too would only exist in the overlain filesystem?

        For example, if I ran:

        $ firejail --overlay bash
        $ pacman -S firefox
        $ firefox

        Then firefox would only be installed in the overlayfs space and it would only create its profile folder in the overlayfs space?

        Like

  34. Vasiliy

    how to run group of apps?

    for example:
    tabbed -cr2 surf -pe x ~/.config/surf/homepage.html
    run surf browser with tabbed interface.
    also, surf can be run wget for download files and run text editor for reading sourcecode.

    surf,tabbed,wget and $EDITOR is the parts of one system

    Like

    Reply
  35. Nudin

    I use ‘liferea’ in firejail. For some feeds I need to open them in a real browser (firefox). This starts a new isolated firefox – what is exactly what I want. But since everything except for the changes in the liferea-config directory are discarded when the sandbox is closed, I always get the “new to firefox” page and can’t make any changes to firefox configs, since they would be lost.
    Is it possible to configure firejail in a way, that Firefox continues to run in the liferea container (isolated with my normal firefox instance) but that changes to the browsers files (~/.mozilla) are kept when restarting liferea? I haven’t managed to do so.

    Like

    Reply
  36. david v

    hey there. firejail looks great and I have installed it and it does what I need (blocks internet access for one program via the “firejail --net=none program” syntax) but it breaks other things (keepassx won’t save the name of the key file among others) so how do I disable ALL the profiles so firejail only runs when I invoke it in the terminal or add it to my menu shortcuts? using debian Linux buster. I have tried firecfg --clear but that didn’t do it. I end up having to uninstall it.

    Like

    Reply
  37. TheTKS

    I tried to upgrade from firejail 0.9.62 to 0.9.62.4 on Xubuntu 20.04, got the following error:

    # dpkg -i firejail_0.9.62.4_1_amd64.deb
    (Reading database … 250632 files and directories currently installed.)
    Preparing to unpack firejail_0.9.62.4_1_amd64.deb …
    Unpacking firejail (0.9.62.4-1) over (0.9.62-3) …
    dpkg: error processing archive firejail_0.9.62.4_1_amd64.deb (--install):
    trying to overwrite ‘/etc/firejail/tor-browser_en.profile’, which is also in package firejail-profiles 0.9.62-3
    dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
    Errors were encountered while processing:
    firejail_0.9.62.4_1_amd64.deb

    I did a web search for the error, then renamed /etc/firejail/tor-browser_en.profile to /etc/firejail/tor-browser_en.profile.bak, tried upgrading again with the same result, and even /etc/firejail/tor-browser-en.profile to /etc/firejail/tor-browser-en.profile.bak, and again with the same result.

    Any ideas – am I just doing something dumb, or is there a problem with Xubuntu 20.04 or with dpkg or with firejail that’s stopping this?

    Thanks,

    TKS

    Like

    Reply
