Please report the problems you run into on our GitHub bug tracker. For general questions, discussions, and from time to time announcements, use our forum on GitHub.
Fixed security profiles are available for various Firejail versions in this GitHub directory. The fixes cover applications such as the Firefox browser (version 60 is breaking badly!), LibreOffice (crashes on Ubuntu 18.04) and gedit. Manually overwrite the files in the /etc/firejail directory with the files from GitHub:
- in your browser, open the GitHub page corresponding to your Firejail version (0.9.38, 0.9.52)
- in a text editor, open the file with the same name in /etc/firejail (for example: sudo /usr/bin/gedit /etc/firejail/firefox.profile)
- cut&paste from the web page into the text editor
Frequently Asked Questions
We keep this section on our GitHub wiki here: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions
To be honest I suggest you open a sub on reddit to support people, because comment pages are not the best.
There was one there (https://www.reddit.com/r/firejail), but it went nowhere. I’ll add it to the description above.
A very active place to ask questions is in the issues section on github: https://github.com/netblue30/firejail/issues
This...
Firejail Tricks and Tips, 2021 Edition
came into my inbox but I cannot find it anywhere on this site. It lists these,
Well, mostly Tor and DNS because this is what we’ve been doing lately.
Before we start, do you have a firewall setup on your computer? Why not? It is one of the most basic security tools in the Linux arsenal. Among other things, it deals with those cases when the perpetrator tries to open a TCP server on your machine, in order to access your computer remotely.
Here is a simple firewall script:
# IPTABLES is assumed to be set in rc.local (Appendix 1); defined here so the snippet runs on its own
IPTABLES=/sbin/iptables
# loopback and ICMP traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# uncomment the next line if you are running a SSH server on your computer
# $IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# reject on input, accept on output and forwarding
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A OUTPUT -j ACCEPT
$IPTABLES -A FORWARD -j ACCEPT
Dump the code in the /etc/rc.local file, and it will run every time you start your computer. Or use the tools provided by your distro – every distro does it in a different way! I usually go for rc.local, as I jump from one computer/distro to another. A sample copy of /etc/rc.local is in Appendix 1.
Something else I have in my rc.local file:
rm -fr /home/netblue/.cache
The .cache directory is the place where people find copies of all the webpages you visited, torrent trackers you connected to, and all those emails you thought you deleted – all 3 GB of them! You want this directory cleaned up every time you start the computer.
After that, take a look at /etc/machine-id. This is a world-readable file containing a huge random number:
$ cat /etc/machine-id
The file is used to uniquely identify Linux computers by government/corporate programs. You definitely don’t need it on your home computer. So make the world a better place and delete it:
$ sudo rm /etc/machine-id
Next time you start your computer systemd will cry “OMG A PONY!”. Just disregard it and proceed with Tor Browser installation.
Installing Tor Browser
Make sure you grab the browser from the original equipment manufacturer, and do check the signature (see Appendix 2). It comes as a .tar.xz software archive, and you unpack it in your home directory:
$ tar -xJvf ~/Downloads/tor-browser-linux64-10.0.8_en-US.tar.xz
The software is extracted in a new directory, ~/tor-browser-linux64-10.0.8_en-US. This directory is mounted by Firejail on top of your home directory using the --private flag:
$ firejail --name=tor --private=~/tor-browser_en-US ./start-tor-browser.desktop
The browser starts in a container filesystem created on-the-fly by Firejail. Take a look around, no personally identifiable information should be available in the process space: home directory with only the files from the software archive, virtually empty /tmp, small subset of system files in /dev and /etc, most of everything else is re-mounted read-only after some basic cleanup:
Use a network namespace for additional fun and glory. This is basically a new TCP/IP stack in kernel space: an unused IP address is obtained by ARP-probing your network, the MAC address allocated by the kernel is random by default, brand new interfaces and routing table, and a firewall similar to the one above. You do need to find the name of your Ethernet interface though:
$ ip link show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether e0:3f:44:7a:1s:09 brd ff:ff:ff:ff:ff:ff
Your interface is eth0, start tor as follows:
$ firejail --name=tor --net=eth0 --private=~/tor-browser_en-US ./start-tor-browser.desktop
Where can I find this blog item or is it legit?
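Added example, not code from the quoted post or from the Firejail project: the post tells you to look up the Ethernet interface name by hand before building the --net command line; this script does that lookup from the output of ip -o link show and assembles the same firejail invocation. It assumes Tor Browser was unpacked to ~/tor-browser_en-US as in the post; the sample ip output is constructed for the self-check.

```shell
#!/bin/sh
# Added example (not the quoted post's code): pick the first interface that is UP
# and build the firejail command line from the quoted post.
set -eu

# pick_iface: read "ip -o link show" output on stdin and print the name of the
# first non-loopback interface whose flags include UP (prints nothing if none).
# Each input line looks like:
#   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP ...
pick_iface() {
    awk -F': ' '
        $2 == "lo" { next }
        {
            flags = $3; sub(/ .*/, "", flags)    # keep "<BROADCAST,...,UP,LOWER_UP>"
            gsub(/[<>]/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "UP") { print $2; exit }
        }'
}

# tor_cmd IFACE TBDIR: print the firejail invocation from the quoted post,
# one argument per line, without running anything (dry run).
tor_cmd() {
    printf '%s\n' firejail --name=tor "--net=$1" "--private=$2" ./start-tor-browser.desktop
}

# Constructed sample outputs of "ip -o link show" for the self-check below.
SAMPLE_UP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000'
SAMPLE_DOWN='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000'

# With --run, detect the interface on this machine and start Tor Browser
# (assumes the archive was unpacked to ~/tor-browser_en-US as in the post).
if [ "${1:-}" = "--run" ]; then
    iface=$(ip -o link show | pick_iface)
    [ -n "$iface" ] || { echo "no interface is UP" >&2; exit 1; }
    exec firejail --name=tor "--net=$iface" "--private=$HOME/tor-browser_en-US" ./start-tor-browser.desktop
fi
```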
Sorry, I had to pull it back, it will come in a few days!
I agree. If creating a full-fledged forum for Firejail is not possible, at least we should have a subreddit, and it’s very important that devs like netblue30 participate in that subreddit, otherwise it will be useless.
There is the “discussions” feature introduced by GitHub earlier this year. It is similar to a forum.
That’s good news. I am going to sign up to this GitHub’s new forum today & ask further questions there. Thanks.
How can I customize faudit tests? I’d like to see if my firejailed app can access some directory.
In the man page: “firejail --audit=test-program” will run your test audit program instead of the default one. I will prepare some examples and add them to the man page.
I want to use a browser to display various html files in various subdirectories of my (real) /home/, but block network access to prevent leakage outside of my computer. I see how to block the network (--net=none), but can’t find the way to allow access to my (real) /home/ and its subdirectories.
By default the only directory visible in your browser is /home/username/Downloads. If you want to access files in a different directory, add it using the --whitelist flag on the command line:
$ firejail --whitelist=/home/username/somedirectory --net=none firefox
There is no way, then, to allow the whole of /home/ (or any subtree thereof) to be accessible? I just want to prevent the browser from communicating with the internet.
I don’t manage to switch between languages in a Zoom session through the firejail tool. Every time I try to, it closes the software; when I launch it again, the language remains unchanged. How can I get around this?
Thank you very much for the great tool you put at our disposal, keep it up!
Best regards ~
Hi there and thanks for making firejail!
Can someone help me with opening firefox via firejail?
I downloaded Firefox and deployed it in /opt/firefox.
In my .zshrc I defined export PATH="/opt/firefox:$PATH"
… firefox.profile created
But when I execute firefox it doesn’t run /usr/local/bin/firefox, it runs from /opt/firefox instead.
I could just run firejail firefox to make it work, but I wanted to make it run without the firejail prefix.
I could just make an “alias” but I wanted to make it run out of the box, so I can script this into ansible.
Thanks in advance for any help.
I have a question, I’m trying to implement this script for Firefox for Brave:
cp -a ~/.mozilla ~/Scripts/FireJail/tmpfirefox
firejail --private=~/Scripts/FireJail/tmpfirefox firefox
The closest I can find that would work is to copy the whole .config folder.
cp -a ~/.config ~/Scripts/FireJail/tmpBrave
firejail --private=~/Scripts/FireJail/tmpBrave brave-browser-stable
Is there a way to do everything in the Firefox version but for Brave that doesn’t require copying the whole .config folder?
P.S. Thank you for all your hard work on Firejail!
Hi, all. I am trying to run qbittorrent in firejail on a Manjaro KDE Plasma desktop, but I’m having some problems. Is there a place where a user can post technical questions, such as a support forum? Thanks
On GitHub: https://github.com/netblue30/firejail/issues
I made a profile and local file for virt-manager (by modifying what firejail --build created).
When I do firejail --list after running firejail virt-manager and entering the root password to be able to connect to the VMs, I get
, as expected.
Then, when I close virt-manager, ps -e | grep -i virt shows that libvirtd (and sometimes also virtlogd) are running, but firejail --list doesn’t show anything.
So, I’m wondering, is it only the GUI that’s being sandboxed (and not the processes that do the actual virtualizing)?
If so, why isn’t the libvirtd (and possibly also virtlogd) being sandboxed?
If not, then why is firejail --list not showing that firejail virt-manager is still running or that a child process of it is?
It seems to me like libvirtd and virtlogd are sibling processes or something and that they’re not part of the sandbox.
Does anyone have an explanation as to what is happening?
Is this a bug?
Any input would be greatly appreciated!
What I want is that whenever I right-click on a video or audio file on my hard drive and select vlc or smplayer (depending on which one I want to use to watch the video or listen to a song), it opens inside firejail with “--net=none”. I can do this by launching smplayer/vlc from the command line with “firejail --net=none smplayer”, but this is not really user friendly. How can I configure smplayer/vlc to always launch inside firejail with the --net=none feature?
Create a ~/.config/firejail directory ($ mkdir ~/.config/firejail) and add a smplayer.profile file with the following content
$ cat ~/.config/firejail/smplayer.profile
The first line includes the regular smplayer profile, and in the second line you disable networking. Now, when you start smplayer ($ firejail smplayer) the sandbox is using your new profile and disables networking.
Do the same for vlc, or any other program you have.
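An added helper, not part of the reply above or of the Firejail project, that generalizes the answer to any program: it writes the per-user override profile under ~/.config/firejail (which a package update does not touch, the point raised in the reply about /etc/firejail edits being overwritten), with the include line first and net none second, and refuses to clobber an override that already exists. The function name make_nonet_profile is hypothetical.

```shell
#!/bin/sh
# Added example (not the page's own code): create a per-user Firejail profile
# override that keeps the distro profile and turns networking off.
set -eu

# make_nonet_profile APP [SYSDIR]
# Writes $HOME/.config/firejail/APP.profile containing
#     include SYSDIR/APP.profile
#     net none
# SYSDIR defaults to /etc/firejail. The override lives under the user's home,
# so a firejail package update cannot overwrite it. An existing override is
# left untouched unless FORCE=1 is set. Prints the path of the profile written.
make_nonet_profile() {
    app=$1
    sysdir=${2:-/etc/firejail}
    dir=$HOME/.config/firejail
    out=$dir/$app.profile
    if [ -e "$out" ] && [ "${FORCE:-0}" != 1 ]; then
        echo "$out already exists, set FORCE=1 to replace it" >&2
        return 1
    fi
    mkdir -p "$dir"
    printf 'include %s/%s.profile\nnet none\n' "$sysdir" "$app" > "$out"
    echo "$out"
}

# has_net_none FILE: succeed if FILE contains a "net none" line
has_net_none() {
    grep -qx 'net none' "$1"
}

# Usage: sh this-script.sh smplayer vlc
if [ $# -gt 0 ]; then
    for a in "$@"; do make_nonet_profile "$a"; done
fi
```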
I have edited the profiles of Smplayer & VLC which are located in /etc/firejail and added “net none”. Is this acceptable ?
Yes, that’s fine also. Just remember next time you update firejail to add the modifications again in case your package manager overwrites them.
I have some troubles.
I can’t run the Postman AppImage correctly with firejail.
firejail --appimage postmanAppimage
I can’t see the Postman desktop application.
I don’t have any output in my terminal,
but I see a running postman process among all my processes.
What does it mean and how do I run Postman with firejail?
When I do $ firejail --private firefox, firefox is 100% isolated, meaning that even the /home/username/Downloads folder is not accessible. But the issue is that the --private option starts firefox with default factory settings: no added addons are loaded. I want to utilize this --private option for sites that I don’t trust at all, but with addons like uBlock Origin & NoScript. Is this possible?
Create a directory under your home:
$ mkdir firefoxhome
Then, start firefox in this directory:
$ firejail --private=~/firefoxhome firefox
firejail will use your new directory as your new home. Firefox configuration will be preserved.
Note: another instance of Firefox inside firejail is running.
$ firejail --private=/home/home/firefoxhome/
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
** Note: you can use --noprofile to disable default.profile **
Parent pid 19451, child pid 19452
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 31.09 ms
Is a profile for “threema desktop” (Linux/Debian) available?
Can it sandbox the whole desktop environment rather than single graphical apps? E.g., sandbox the whole of GNOME and run graphical apps in GNOME.
Unfortunately a full desktop env would require a very relaxed sandbox to cover most applications running there. Sandboxing each application independently is much much better.
I’m using Ubuntu 22.04 and firejail 0.9.69.
When I try to run the command firejail firefox I receive this message:
"warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
command '/usr/bin/firefox' requires the firefox snap to be installed."
How can I fix this issue?
Would you rewrite firejail or part of firejail in Rust?
We don’t have any plans to move to Rust for the moment.
Question 1: https://sourceforge.net/projects/firejail/files/firejail/ has filenames ending in different ways. My question is: what is the difference between compiling and installing from firejail-0.9.70.tar.xz and installing firejail_0.9.70-apparmor_1_amd64.deb? Why is apparmor mentioned in the deb package’s filename? Why is the filename not something like firejail_0.9.70_amd64.deb?
Question 2: can I use both apparmor and firejail for sandboxing firefox on ubuntu 20.04? If I install ubuntu, enable apparmor for firefox and then try to sandbox firefox using firejail – will it work? Or do I have to disable apparmor for firefox and then use firejail with firefox? I am not talking about the snap, flatpak or appimage versions of firefox, I am talking about the firefox deb package.
Question 3: https://sourceforge.net/projects/firejail/files/firejail/ filenames make me confused. firejail-0.9.70.tar.xz has two PGP signatures available – one inside firejail-0.9.70.tar.xz.asc and other inside firejail-0.9.70.asc — why are these PGP signatures different?
Question 4: firejail current version is 0.9.70 . can it be considered stable? when will version 1.0 get released?
Thank you for creating firejail project! 🙂 🙂 🙂
Is using firejail on the latest debian stable better than using firejail on the latest ubuntu lts? Or is it the same thing? I want to use firejail on the latest debian stable.
Sorry to bother again .. I’ve some scripts running seamonkey and firefox in firejail and just moved to a new box. The new one has a USB audio adapter, and with that, the browsers produce no sound inside firejail. The scripts look like this:
exec firejail \
--dbus-user=none --shell=none --name="firefox" \
--whitelist=~/.config/pulse --whitelist=~/firejail-home/.config/pulse \
How can I debug and fix this?