Support

Please report the problems you run into on our GitHub bug tracker. For general questions, discussions, and from time to time announcements, use our forum on GitHub.

Profile fixes

Fixed security profile fixes are available for various Firejail versions in this GitHub directory. The fixes cover applications such as Firefox browser (version 60 is breaking badly!), LibreOffice (crashes on Ubuntu 18.04), gedit. Manually overwrite the files in /etc/firejail directory with the files from GitHub.

Firefox example:

  1. in your browser, open the GitHub page corresponding to your Firejail version (0.9.38, 0.9.52)
  2. in a text editor, open the file with the same name in /etc/firejail directory (“sudo /usr/bin/gedit /etc/firejail/firefox.profile“)
  3. cut&paste from the web page into the text editor

Frequently Asked Questions

We keep this section on our GitHub wiki here: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions

303 thoughts on “Support

      1. FJedjit

        This. . .
        Firejail Tricks and Tips, 2021 Edition
        by netblue30
        came into my inbox but I cannot find it anywhere on this site. It lists these,
        Well, mostly Tor and DNS becase this is what we’ve been doing lately.
        Cleanup

        Before we start, do you have a firewall setup on your computer? Why not? It is one of the most basic security tools in the Linux arsenal. Among other things, it deals with those cases when the perpetrator tries to open a TCP server on your machine, in order to access your computer remotely.

        Here is a simple firewall script:

        IPTABLES=”/sbin/iptables”

        # loopback and ICMP traffic
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A INPUT -p icmp –icmp-type destination-unreachable -j ACCEPT
        $IPTABLES -A INPUT -p icmp –icmp-type time-exceeded -j ACCEPT
        $IPTABLES -A INPUT -p icmp –icmp-type echo-request -j ACCEPT

        # established connections
        $IPTABLES -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

        # comment out the next line if you are running a SSH server on your computer
        # $IPTABLES -A INPUT -p tcp -m state –state NEW –dport 22 -j ACCEPT

        # reject on input, accept on output and forwarding
        $IPTABLES -A INPUT -j REJECT
        $IPTABLES -A OUTPUT -j ACCEPT
        $IPTABLES -A FORWARD -j ACCEPT

        Dump the code in /etc/rc.local file, and it will run every time you start your computer. Or use the tools provided by your distro – every distro does it in a different way! I usually go for rc.local, as I jump from one computer/distro to another. A sample copy of /etc/rc.local in Appendix 1.

        Something else I have in my rc.local file:

        rm -fr /home/netblue/.cache

        .cache directory is the place where people find copies of all the webpages you visited, torrent trackers you connected to, and all that emails you thought you deleted – all 3 GB of them! You want this directory cleaned up every time you start the computer.

        After that, take a look at /etc/machine-id. This is a world-readable file containing a huge random number:

        $ cat /etc/machine-id
        0b46feb27a20469da0ee62baaeb51c5c

        The file is used to uniquely identify Linux computers by government/corporate programs. You definitely don’t need it on your home computer. So make the world a better place and delete it:

        $ sudo rm /etc/machine-id

        Next time you start your computer systemd will cry “OMG A PONY!”. Just disregard it and proceed with Tor Browser installation.
        Installing Tor Browser

        Make sure you grab the browser from the original equipment manufacturer, and do check the signature (see Appendix 2). It comes as a .tar.xz software archive, and you unpack it in your home directory:

        $ tar -xJvf ~/Downloads/tor-browser-linux64-10.0.8_en-US.tar.xz

        The software is extracted in a new directory, ~/tor-browser-linux64-10.0.8_en-US. This directory is mounted by Firejail on top of your home directory using –private flag:

        $ firejail –name=tor –private=~/tor-browser_en-US ./start-tor-browser.desktop

        The browser starts in a container filesystem created on-the-fly by Firejail. Take a look around, no personally identifiable information should be available in the process space: home directory with only the files from the software archive, virtually empty /tmp, small subset of system files in /dev and /etc, most of everything else is re-mounted read-only after some basic cleanup:

        images here
        Network namespace

        Use a network namespace for additional fun and glory. This is basically a new TCP/IP stack in kernel space: an unused IP address is obtained by ARP-probing your network, the MAC address allocated by kernel is random by default, brand new interfaces and routing table, and a firewall similar with the one above. You do need to find the name of your Ethernet interface though:

        $ ip link show
        1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        2: eth0: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether e0:3f:44:7a:1s:09 brd ff:ff:ff:ff:ff:ff

        Your interface is eth0, start tor as follows:

        $ firejail –name=tor –net=eth0 –private=~/tor-browser_en-US ./start-tor-browser.desktop
        Where can I find this blog item or is it legit?

        Like

    1. firejailisgreat

      I agree. If creating a full fledged forum for Firejail is not possible at least create we should have a sub reddit and its very important that devs like netblue30 participate in that sub reddit otherwise it will be useless.

      Like

      Reply
      1. firejailisgreat

        That’s good news. I am going to sign up to this GitHub’s new forum today & ask further questions there. Thanks.

        Like

    1. netblue30 Post author

      in man page: “firejail –audit=test-program” will run your test audit program instead of the default one. I will prepare some examples and add them to the man page.

      Like

      Reply
  1. Cyllarus

    I want to use a browser to display various html files in various subdirectories of my (real) /home/, but block network access to prevent leakage outside of my computer. I see how to block the network (–net=none), but can’t find the way to allow access to my (real) /home/ and its subdirectories.

    Like

    Reply
    1. netblue30 Post author

      By default the only directory visible in your browser is /home/username/Downloads. If you want to access files in a different directory, add it using –whitelist flag on command line:

      $ firejail –whitelist=/home/username/somedirectory –net=none firefox

      Like

      Reply
      1. Cyllarus

        There is no way, then, to allow the whole of /home/ (or any subtree thereof) to be accessible? I just want to prevent the browser from communicating with the internet.

        Like

  2. Schlingel

    Hi there!
    I don’t manage to switch between languages on a zoom session through the firejail tool. Everytime I try to, it closes the software; when I launch it again, language remains unchanged. How can i get around this?
    Thank you very much for the great too you put us at disposable, keep up!
    Best regards ~

    Like

    Reply
  3. Kidzilla

    Hi there and thanks for making firejail!
    Can someone help me with opening firefox via firejail?
    I downloaded Firefox and deployed it in /opt/firefox.
    In my .zshrc I defined export PATH=”/opt/firefox:$PATH”
    sudo firecfg
    … firefox.profile created

    But when I execute firefox it doesnt run /usr/local/bin/firefox, it runs from /opt/firefox instead.
    I could just run firejail firefox to make it work, but I wanted to make it run without the firejail prefix.
    I could just make an “alias” but I wanted to make it run out of the box, so I can script this into ansible.
    Thanks forward for any help.

    peace

    Like

    Reply
  4. MJ

    Hi Netblue30,

    I have a question, I’m trying to implement this script for Firefox for Brave:
    #Firefox version
    cp -a ~/.mozilla ~/Scripts/FireJail/tmpfirefox
    firejail –private=~/Scripts/FireJail/tmpfirefox firefox

    The closest I can find that would work is to copy the whole .config folder.

    #Brave version
    cp -a ~/.config ~/Scripts/FireJail/tmpBrave
    firejail –private=~/Scripts/FireJail/tmpBrave brave-browser-stable

    Is there a way to do everything in the Firefox version but for Brave that doesn’t require copying the whole .config folder?

    P.S. Thank you for you for all your hard work on Firejail!

    Like

    Reply
  5. mrherlocksholmes

    Hi, all. I am trying to run qbittorrent in firejail on a Manjaro KDE Plasma desktop, but I’m having some problems. Is there a place where a user can post technical questions, such as a support forum? Thanks

    Like

    Reply
  6. Deniz

    Hello.

    I made a profile and local file for virt-manager (by modifying what firejail –build created).

    When I do firejail –list after running firejail virt-manager and entering the root password to be able to connect to the VMs, I get
    353617:user::firejail virt-manager

    , as expected.

    Then, when I close virt-manager, ps -e | grep -i virt shows that libvirtd (and sometimes also virtlogd) are running, but firejail –list doesn’t show anything.

    So, I’m wondering, is it only the GUI that’s being sandboxed (and not the processes that do the actual virtualizing)?

    If so, why isn’t the libvirtd (and possibly also virtlogd) being sandboxed?

    If not, then why is firejail –list not showing that firejail virt-manager is still running or that a child process of it is?

    It seems to me like libvirtd and virtlogd are sibling processes or something and that they’re not part of the sandbox.

    Does anyone have an explanation as to what is happening?

    Is this a bug?

    Any input would be greatly appreciated!

    Like

    Reply
  7. firejailisgreat

    Hi,
    What I want is whenever I right click on a video or audio file which is on my hard drive and select vlc or smplayer I want vlc or smplayer depending on which one I want to watch the video or listen to a song to open inside firejail with “–net=none”. I can do this by launching smplayer/vlc from the command line with “firejail –net=none smplayer” but this is not really user friendly. How can I configure smplayer/vlc to always launch inside firejail with the –net=none feature ?

    Like

    Reply
    1. netblue30 Post author

      Create a ~/.config/firejail directory ($ mkdir ~/.config/firejail) and add a smplayer.profile file with the following content

      $ cat ~/.config/firejail/smplayer.profile
      include /etc/firejail/smplayer.profile
      net none

      The first line includes the regular smplayer profile, and in the second line you disable networking. Now, when you start smplayer ($ firejail smplayer) the sandbox is using your new profile and disables networking.

      Do the same for vlc, or any other program you have.

      Like

      Reply
      1. firejailisgreat

        I have edited the profiles of Smplayer & VLC which are located in /etc/firejail and added “net none”. Is this acceptable ?

        Like

      2. netblue30 Post author

        Yes, that’s fine also. Just remember next time you update firejail to add the modifs again in case your package manager overwrites them.

        Like

  8. Art Dev

    hello guys
    have some troubles
    cant run postman appimage correctly with firejail.
    I use
    “`firejail –appimage postmanAppimage“`

    then
    i cant show desktop postman application
    i havent any output in my terminal
    but i see running process postman in all my processes.
    What does it mean and how to run postman with firejail ?

    Like

    Reply
  9. firejailisgreat

    When I do $ firejail –private firefox ….. firefox is 100% isolated meaning that even the /home/username/Downloads folder is not accessible but the issue is the –private option starts firefox in default factory settings. No added addons are loaded. I want to to utilize this –private options for sites that I don’t trust at all but with addons like uBlock Origin & Noscript. Is this possible ?

    Like

    Reply
    1. netblue30 Post author

      Create a directory under your home:

      $ mkdir firefoxhome

      Then, start firefox in this directory:

      $ firejail –private=~/firefoxhome firefox

      firejail will use your new directory as your new home. Firefox configuration will be preserved.

      Like

      Reply
      1. firejailisgreat

        Not working.
        ****Note another instance of Firefox inside firejail is running.***

        $ firejail –private=/home/home/firefoxhome/
        Reading profile /etc/firejail/default.profile
        Reading profile /etc/firejail/disable-common.inc
        Reading profile /etc/firejail/disable-passwdmgr.inc
        Reading profile /etc/firejail/disable-programs.inc
        Warning: networking feature is disabled in Firejail configuration file

        ** Note: you can use –noprofile to disable default.profile **

        Parent pid 19451, child pid 19452
        Warning: cleaning all supplementary groups
        Warning: cleaning all supplementary groups
        Warning: cleaning all supplementary groups
        Child process initialized in 31.09 ms

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s