Support

 

If you run into problems, leave your questions anywhere on this site, or on our GitHub bug tracker. Also check our Frequently Asked Questions and Known Problems pages.

 

Get involved

Firejail is a project developed by volunteers from all around the world. You are welcome to join us on GitHub. All contributions are welcome: ideas, feature requests, patches, documentation, bug reports, complaints.

 

Bug reports

Bug reports are vital for making Firejail a robust and capable application. Please use the comment section on any page on this site, or the facilities provided by GitHub.

All security bugs in Firejail are taken seriously and should be reported by emailing netblue30@yahoo.com

85 thoughts on “Support”

  1. Nick

    Hello
    I have a problem with firejail and pulseaudio.
    Every time I start firefox with firejail, I can only hear sound in firefox, but nothing more in the rest of the system. When I start vlc player, I receive a warning message that pulseaudio didn’t work. After closing firejail, a complete PC restart is needed for pulseaudio to work again. The same problem comes up with chromium too.
    I work with Debian Testing and Cinnamon 2.8.
    Sorry for my English, I am not a native speaker.

  2. Nick

    Hello

    Thanks for the reply. Problem is solved.

    I have another question about desktop notifications for blacklist violations.
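    Can this be set up with something like this? I think that would be a good thing.

    #!/bin/bash
    # firejail desktop notification: poll syslog for blacklist violations

    while true
    do
        # collect any blacklist violation lines currently in syslog
        JAIL=$(grep "blacklist violation" /var/log/syslog)
        if [ -z "$JAIL" ]
        then
            sleep 2
        else
            # show the matching lines in a dialog without blocking the loop
            zenity --warning --title "FIREJAIL" --text "$JAIL" &
            # delete the reported lines so they are not shown again
            # (needs write access to /var/log/syslog)
            sed -i "/blacklist violation/d" /var/log/syslog
        fi
    done

    Thanks and keep up the good work. Firejail is a very nice project.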

  3. Scott Gulland

    I have a process that is launched in a predefined network namespace using ip that I want to firejail. Does firejail provide any way to launch a process using an existing network namespace? If not, I’d like to put in an enhancement request.

    1. netblue30 Post author

      Chaining network namespaces is supported by default. Firejail has no idea what network namespace it is starting with, and it will install a new one on top of the existing one.

  4. Scott Gulland

    We have a root process that needs to modify files on /etc and/or /var. However, when we firejail the process using the --debug option, we see firejail mounts these directories as read-only causing the process to fail. Is there any way to force firejail not to mount a directory as read-only? If not, is it possible to enhance firejail to add control over what directories firejail automatically mounts as read-only?

  5. Nick

    Hello

    I have a curious problem with Firejail and Firefox. On Debian I can’t start Firefox via Firejail anymore, after the last upgrade.

    Firejail 0.9.38-1
    Firefox-ESR 45.0.2esr-1
    Debian Testing with Cinnamon 2.8

    Trace and Debugging didn’t show any useful information about the start problem.

    xxxx@010011110010:~$ firejail firefox
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 14185, child pid 14186
    Blacklist violations are logged to syslog

    Child process initialized

    parent is shutting down, bye…

    1. netblue30 Post author

      I’ve found it. It is a problem with libselinux1 library. It looks like they fixed it in Debian unstable, I assume it will come to testing in a few days. This is the bug: https://github.com/netblue30/firejail/issues/494

      As a workaround you can disable seccomp in /etc/firejail/firefox.profile. Add a # in front of the seccomp line:

      $ cat /etc/firejail/firefox.profile
      […]
      # seccomp
      […]

  6. Nick

    Thanks

    It’s the regular Firefox. And yes in Debian Unstable there is no problem, but Unstable is mostly unusable. So Testing is a good middle way between stable and more updated software.

    Hm.. I didn’t really understand what this had to do with libselinux1? I didn’t use selinux.
    Thanks for the workaround, but I don’t really like workarounds. The browser must be isolated completely all the time, and when it’s not possible with firefox I use chromium temporarily.

    I have a further question: Can firejail isolate applications under wayland? Is there any major difference for firejail?

    1. netblue30 Post author

      > i didnt really understand what this had to do with libselinux1
      The library is linked in by various programs such as ls, mv, iceweasel, icedove etc. You’ll have to wait until they bring into testing the new version of libselinux1.

      I didn’t try it under wayland yet. I’ll bring in support once wayland makes its way into Debian. I don’t think there will be major differences.

  7. anewuser

    Thank you very much for your work on this application, and especially for the --net=none parameter. I wasted hours looking for something like that. The other solutions are all too complicated or flawed.

  8. gnomek

    Recently I started experiencing problems. I use Cherrytree to store weblinks. In Kde when I have just firefox as default application it opens weblinks correctly. But when I have as default:
    firejail --profile=/media/user/backup/jailkonf/.config/jail.profile --seccomp --private=/media/user/backup/jail/ firefox
    I can’t open properly. For example instead
    https://forum.kde.org/viewtopic.php?f=285&t=123259
    it opens only
    https://forum.kde.org/viewtopic.php?f=285
    Actually this is when in cherrytree links settings (Enable custom web link clicked action) I have firefox %s &. When I disable it, it doesn’t open links at all.

    The same when I try to open from Libreoffice writer. It doesn’t open links at all.

    I deleted .mozilla in /media/user/backup/jail/ but a new profile didn’t help. In /jail .config I didn’t change anything since a year or longer so I don’t expect it is a problem.

    It shows:
    QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.

  9. Spencer

    While I strongly suspect that the thing I am trying to do would introduce holes that should not be present, I feel like I should go ahead and ask anyway. My ~/Downloads folder is actually a symlink to /tmp/downloads, where /tmp is mounted as tmpfs.

    The way firejail works with Firefox complains about ~/Downloads because of this, so in the profile I commented that out and whitelisted /tmp/downloads instead. This worked fine… until I tried to download something, at which point I discovered that my downloads are no longer actually being put anywhere I can find them.

    It is pretty easy to suspect that following symbolic links like this has security implications and the answer is to not have my (admittedly needlessly complicated) setup in the first place, but in case that was not the answer I thought I would go ahead and check if this is intentional or if this is actually a bug/missing capability?

    1. netblue30 Post author

      In the new version (0.9.42), symlinks outside home directory (~/Downloads -> /tmp/Downloads in your case) are allowed if the real directory (/tmp/Downloads) is owned by the user. I have a 0.9.42~rc1 test release out, but I am still keeping an eye on possible security problems.

  10. sam

    Do you have checksums/hashes for the downloads?? Are they published somewhere? Thanks btw for firejail. It’s much appreciated!! Also: is it possible to add the xpra feature to the version of firejail that’s in the ubuntu repository? Maybe that’s a dumb question. Hence my question about checksums/hashes 😉

  11. reddit

    I’m currently trying to accomplish two things with firejail’s netfilter flag but my skill with iptables is limited.

    - My qbittorrent app doesn’t work when netfilter is enabled. The application opens, I’m able to add new torrent trackers but files don’t actually start downloading, as if there’s no internet access. Even if I remove “netfilter” from the qbittorrent.profile, downloads don’t start. Not sure what could be causing this or how to debug.

    - Some applications (e.g. Geary, Gradio, Plex) don’t have built-in support for proxy configurations. Is it possible to use --netfilter to forward sandboxed traffic to a proxy port like 127.0.0.1:9050? And if so, how?

  12. reddit

    Thanks for your response. The command used:

    $ firejail qbittorrent

    I simply copied the generic.profile and renamed it:

    ################################
    # Qbittorrent GUI application profile
    ################################
    include /etc/firejail/disable-mgmt.inc
    include /etc/firejail/disable-secret.inc
    include /etc/firejail/disable-common.inc
    blacklist ${HOME}/.pki/nssdb
    blacklist ${HOME}/.lastpass
    blacklist ${HOME}/.keepassx
    blacklist ${HOME}/.password-store
    caps.drop all
    seccomp
    protocol unix,inet
    netfilter
    noroot

    noblacklist /path/to/downloads

    1. netblue30 Post author

      No, it’s not gonna work this way, the sandbox will not replace netfilter configuration unless you create a new network namespace. For this run “/sbin/ifconfig” to find out the name of your ethernet interface, something like this:

      $ /sbin/ifconfig
      eth0      Link encap:Ethernet  HWaddr e0:3f:49:7b:14:09  
               inet addr:192.168.1.60  Bcast:192.168.1.255  Mask:255.255.255.0
      [...]
      lo        Link encap:Local Loopback  
                inet addr:127.0.0.1  Mask:255.0.0.0
      [...]
      

      I have eth0 as my interface, and I start the sandbox:

      $ firejail --net=eth0 qbittorrent
      

      By default Firejail will install a very strict netfilter configuration suitable for network clients such as browsers, mail, bittorrent, etc. You can bring in your own like this:

      $ firejail --net=eth0 --netfilter=filename qbittorrent
      

      The format of the file is the format used by iptables-save and iptables-restore commands.

  13. Wesley

    Hi, I’m expanding the Spotify profile because I added local files to my libraries. These files are located on an NTFS volume mounted to /mnt/Data. However if I add a “whitelist /mnt/Data/Spotify-local” entry to the profile and I try to run it, I get the following error message:
    Error: invalid whitelist path /mnt/Data/Spotify-local
    What is the cause of this?
    Thanks in advance!

  14. Wesley

    Hi, over the years I’ve added some local files to Spotify, but they are located on an NTFS volume. I edited the profile for Spotify to whitelist this directory, but when I launch it using Firejail it gives me the following error message:

    $ firejail spotify
    Reading profile /etc/firejail/spotify.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Warning: user namespaces not available in the current kernel.
    Parent pid 1257, child pid 1258
    Error: invalid whitelist path /mnt/Data/Spotify-local
    Error: cannot establish communication with the parent, exiting…

    Do you have any idea what might be the cause of this?

  15. sam

    I’m confused: you say “Firejail can work in a SELinux or AppArmor environment” but then it appears from comments here https://recordnotfound.com/firejail-netblue30-6510 that apparmor is not supported by default. I’m using firejail 0.9.38 from the ubuntu repos (ubuntu studio 16.04). Could you please clarify??

    Also I have a problem unrelated to that: in one account in this machine whenever I create a firefox profile by setting preferences, add-ons, etc then try to start that in a firejail sandbox instead the firefox that starts is a default, non-configured firefox. Do you know why this is? In two other accounts it wasn’t a problem. Configuring firefox first then starting it in the sandbox worked just fine. I don’t get it.

    Thanks for firejail btw!!!

    1. netblue30 Post author

      If you run firejail without --apparmor, AppArmor will pick up the profile distributed by your Linux distro. If you put in --apparmor, AppArmor will pick up the profile distributed by Firejail.

      > whenever I create a firefox profile by setting preferences, add-ons, etc then try to start that in a firejail sandbox instead the firefox that starts is a default, non-configured firefox.

      The default profile blacklists ~/.mozilla directory. This is where Firefox configuration is kept. When you build your own profile, make sure you don’t blacklist this directory.

      1. sam

        Thanks for your answer. I don’t have an apparmor profile from firejail. The only references to firejail at all are in the firefox profile:
        /etc/apparmor.d/usr.bin.firefox: /run/firejail/mnt/fslogger rw,
        /etc/apparmor.d/usr.bin.firefox: /run/firejail/mnt/pulse/client.conf r,
        and there’s no profile with firejail in the name. Do I need to be running a later version of firejail?? And may I also ask whether you have published somewhere checksums or hashes for the downloads, like for the latest version?


  16. sam

    Thanks again, and especially for firejail – a fabulous program!!! I checked a few months ago for checksums but I guess I missed those, sorry. I’ll go get the latest release. Thanks again.

  17. firejail user

    Some applications may call on other programs (like firefox) to open links and such. How can I ensure firejail is always enabled even when firefox is executed by other programs?

      1. firejail user

        Thanks for your reply and answer. What if I don’t start a program in firejail (or forget) and it calls firefox? Is it possible to force firejail on a binary level maybe?


      2. netblue30 Post author

        No, this would require support directly in the kernel.

        We have a utility program, firecfg (see man firecfg), that would insert symbolic links for a number of programs under /usr/local/bin, but this will only work for clicking on icons or window manager menus.


  18. John W

    Hi netblue30,

    I would like to script using firejail (for example, to use `firejail --list` or `firejail --tree` to find the PID of a process in order to close it). However, I noticed during experimentation that those commands are truncated by the terminal width, so that the output is inconsistent (grepping the output in a full-sized terminal would find extra values compared to a half-size terminal!). To facilitate scripting, could you please prevent truncation of those commands’ outputs? Or, if there is some other method I should be using instead, please let me know!

    Thank you,
    John

    P.S. I noticed that a firejail tree has at least three levels, two above the actual process, all with their own PIDs. Is the correct approach to closing a process+sandbox to use the `kill` command on the lowest one (the actual program), the highest one (the sandbox), or something else? Or is there a cleaner way to close a sandbox?

    1. netblue30 Post author

      It is easy to implement, I marked it as an enhancement, you can track it here: https://github.com/netblue30/firejail/issues/792

      For shutting down the sandbox, use the PID of the sandbox. Another way to do it is to give a name to the sandbox and use this name in shutdown:

      (from man firejail):
      --shutdown=name|PID
      Shutdown the sandbox identified by name or PID.

      Example:
      $ firejail --name=mygame --caps.drop=all warzone2100 &
      $ firejail --shutdown=mygame

      Example:
      $ firejail --list
      3272:netblue:firejail --private firefox
      $ firejail --shutdown=3272

  19. another qbit user

    $ cat /home/user/.config/firejail/qbittorrent.filter

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    COMMIT

    $ firejail --netfilter=/home/user/.config/firejail/qbittorrent.filter qbittorrent

    I want the sandbox to see and use only tun0. Is this proper usage of iptables and firejail? I’m not sure how to properly test for dns leaks.

    Like

    Reply
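
An earlier reply in this thread states that a --netfilter file uses the format of iptables-save and iptables-restore, so a line written as an `iptables ...` shell command is not valid inside it. The following is an added example, not part of any comment and not Firejail code: a simplified shell check (the function name `lint_netfilter` and the sample files are constructed for illustration) that flags such lines and tables left without a COMMIT before the file is handed to --netfilter.

```shell
#!/bin/sh
# Added example: simplified pre-flight check for a Firejail --netfilter file.
# lint_netfilter is a hypothetical helper. It knows only the basic line kinds
# of the iptables-save format: comment, *table, :CHAIN policy, rule, COMMIT.

# lint_netfilter FILE -> problems go to stderr, their count goes to stdout
lint_netfilter() {
    file=$1
    problems=0
    table=""
    n=0
    # default IFS: read strips leading and trailing whitespace from each line
    while read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '' | '#'*)                        # blank line or comment
                ;;
            'iptables '* | 'ip6tables '*)     # shell command pasted into the file
                problems=$((problems + 1))
                echo "$file:$n: shell command, not iptables-save syntax: $line" >&2
                ;;
            '*'?*)                            # table header, e.g. *filter
                if [ -n "$table" ]; then
                    problems=$((problems + 1))
                    echo "$file:$n: table '$table' has no COMMIT" >&2
                fi
                table=${line#'*'}
                ;;
            COMMIT)
                if [ -z "$table" ]; then
                    problems=$((problems + 1))
                    echo "$file:$n: COMMIT outside a table" >&2
                fi
                table=""
                ;;
            ':'?*' '?*' ['*':'*']' | '-'[A-Z]' '?* | '['*':'*'] -'[A-Z]' '?*)
                # chain policy line, rule, or rule with [packets:bytes] counters
                if [ -z "$table" ]; then
                    problems=$((problems + 1))
                    echo "$file:$n: line appears before any *table header" >&2
                fi
                ;;
            *)
                problems=$((problems + 1))
                echo "$file:$n: unrecognised line: $line" >&2
                ;;
        esac
    done < "$file"
    if [ -n "$table" ]; then
        problems=$((problems + 1))
        echo "$file: table '$table' has no COMMIT" >&2
    fi
    echo "$problems"
}

# Constructed sample files. mixed.filter repeats the lines of the file posted
# in the comment above; the other two are made up for this example.
write_samples() {
    dir=$1
    cat > "$dir/good.filter" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
    cat > "$dir/mixed.filter" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
EOF
    cat > "$dir/nocommit.filter" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
EOF
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
write_samples "$demo_dir"
for f in good mixed nocommit; do
    echo "$f.filter: $(lint_netfilter "$demo_dir/$f.filter") problem(s)"
done
```

The check is syntactic only: it does not tell whether a rule set matches the interfaces that exist inside the sandbox's network namespace.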
  20. FirejailNinja

    If I open $ firejail firefox, then open $ firejail thunderbird — are they in the same sandbox? Can the applications *see* each other in any way? If yes, how do I make it so they’re completely isolated from each other?

    1. netblue30 Post author

      If you open them separately as you describe, each application works in a separate sandbox. Firefox and Thunderbird have a mechanism to communicate, for example if you click on a URL in Thunderbird, a new tab is opened automatically in Firefox. So far we couldn’t find a way to shut down this mechanism.

  21. Adam

    hello,
    firejail rocks, thank you for this wonderful sandboxing tool!

    here’s my openvpn.profile

    caps.drop all
    seccomp
    protocol unix,inet
    tracelog

    not much to it. from a root terminal: $(firejail --debug --profile=/path/to/openvpn.profile openvpn --config /path/to/some.ovpn)

    Child process initialized
    ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
    Exiting due to fatal error
    Sandbox monitor: waitpid 2 retval 2 status 256

    it connects to the vpn server but crashes at the last step; it’s unable to create the virtual tun0 interface. is it possible to use firejail to harden an application like openvpn? does it even make sense to use with programs that always need root privs?

  22. happyuser

    Hi, thanks again for firejail :-). I’m still having issues with firejail 0.9.38 on ubuntu 16.04, installed from the repos. Specifically there are a few users on this computer and for one user (who has an encrypted home) anytime I try to make a mozilla/firefox profile if I make it first then invoke that with firejail prepended the profile is not used (preferences, add-ons, etc). Meanwhile if I try to make the mozilla/firefox profile with firejail running it won’t let that be created; it seems all traces of the .mozilla/firefox profile are erased. If you have any idea why this would be I’d appreciate it. With the other users it was possible to create the mozilla/firefox profile first then to make launchers that run that in firejail.

  23. stefan

    Hi, unfortunately I completely fail to set up access to a download
    directory for firefox. Admittedly, it’s a little bit exotic:
    Downloads should go into directory `~/grabber`, which goes through two
    symlinks.

    The main idea is that every user can use his own
    `/usr/local/nobackup/${USER}/` that is persistent between reboots, but
    not included in backups.

    me@host:~$ namei -l ~/grabber
    f: /home/me/grabber
    drwxr-xr-x root users /
    drwxr-xr-x root root home
    drwx------ me users me
    lrwxrwxrwx me users grabber -> .nobackup/grabber
    lrwxrwxrwx me users .nobackup -> /usr/local/nobackup/me/
    drwxr-xr-x root users /
    drwxr-xr-x root root usr
    drwxr-xr-x root root local
    drwxr-xr-x root root nobackup
    drwx------ me users me
    drwxr-xr-x me users grabber

    me@host:~$ groups me
    http audio users

    me@host:~$ firejail --version
    firejail version 0.9.44

    How would I set this up?

    Thank you!
    Stefan

    1. netblue30 Post author

      ~/Downloads is whitelisted in /etc/firejail/firefox.profile. If ~/Downloads is a symbolic link, the link and the real directory should be owned by the user. In your case, I think /usr/local/nobackup/me/Downloads directory should be owned by you – probably you have it owned by root.

  24. Adam Smith

    Hi, thanks for the program! Sorry this might be a dumb question but I haven’t seen it asked; whenever I launch Chrome with Firejail I receive the message that it is not the default browser. Without using Firejail, it recognises itself as the default browser. I’m not sure how to check but perhaps Chrome is seeing Firejail as the default browser? I can easily just ignore it but wondering is there a known workaround I’ve not thought of. I’m using the latest kernel, Chrome & Firejail versions.

    1. netblue30 Post author

      The blacklist/whitelist subsystem disables one of the files where the information regarding default browser is stored. It is a Firejail problem, hopefully it will get fixed. We never figured this one out.

      1. Adam Smith

        OK, thanks for getting back to me and so quick too! I’ll look into it some more and update if I find a solution.


  26. Bulla

    Hi,

    I’m unable to use Firejail for Firefox as it causes SSL certificates to stop working. Every certificate issuer becomes unknown.

    Do you have any advice? I’m using the copr build on Fedora 24.

  27. Chas Belfield

    I’m using Arch and Firejail and I’ve noticed something of an irregularity however that I wonder if anyone has encountered before. In order to monitor my email, I have the Mail Watcher panel item on my XFCE panel with the command

    firejail thunderbird

    set to execute upon clicking on it. When I do this, however, Thunderbird acts as if it is its first time being opened, wanting to run the “System Integration” check on startup, asking me what I want Thunderbird to be the default for. When run from the terminal, it produces this:

    [chas@UX31e ~]$ firejail thunderbird
    Reading profile /etc/firejail/thunderbird.profile
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 4267, child pid 4268
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
    Blacklist violations are logged to syslog
    Child process initialized
    [calBackendLoader] Using libical backend at /home/chas/.thunderbird/pj74pyg8.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libical-manifest
    Warning: Use of getPrefSafe() is deprecated and will be removed with the next release. Use Preferences.get() instead.
    1: [chrome://calendar/content/calUtils.js:471] getPrefSafe
    2: [chrome://lightningcalendartabs/content/multiweek_tabs.js:39] LightningCalendarTabs.multiWeekTabs
    3: [chrome://lightningcalendartabs/content/tabs.js:100] LightningCalendarTabs.tabsController.prototype.initializeTabControllers
    4: [chrome://lightningcalendartabs/content/tabs.js:77] LightningCalendarTabs.tabsController.prototype.startup
    5: [chrome://lightningcalendartabs/content/tabs.js:243] null

    Now suppose I set Email, Newsgroups, and Feeds as defaults for Thunderbird, then click “Set Default.” The following occurs:

     ** (thunderbird:2): WARNING **: Cannot set application as default for URI scheme (mailto): Failed to rename file ‘/home/chas/.config/mimeapps.list.WXR9QY’ to ‘/home/chas/.config/mimeapps.list’: g_rename() failed: Device or resource busy
    ** (thunderbird:2): WARNING **: Cannot set application as default for URI scheme (news): Failed to rename file ‘/home/chas/.config/mimeapps.list.J6H8QY’ to ‘/home/chas/.config/mimeapps.list’: g_rename() failed: Device or resource busy
    ** (thunderbird:2): WARNING **: Cannot set application as default for URI scheme (feed): Failed to rename file ‘/home/chas/.config/mimeapps.list.IKQ7QY’ to ‘/home/chas/.config/mimeapps.list’: g_rename() failed: Device or resource busy

    and the popup will remain having failed to set anything as the default. Clicking cancel allows the program to run as it normally would.
    The only time this does not occur is when I open XFCE’s “Mail Reader” app to launch Thunderbird as opposed to the actual application. However, I suspect that is because I do not know how to use Firejail in conjunction with that or the “Web Browser” XFCE app (which I hope I can figure out soon, as it means that hyperlinks in Thunderbird open in unsecured Firefox browsers).
    I have not found anything within the wiki or Firejail’s main page that gives some insight into this, nor did opening the existing profiles for the apps in question reveal anything that jumped out at me as a solution. I’m wondering if anyone else has encountered this before – a minor annoyance more than anything else, but I like it when things run properly.
    Thanks!

  28. Chas

    Running Arch and XFCE, I’ve noticed something of an irregularity however that I wonder if anyone has encountered before. In order to monitor my email, I have the Mail Watcher panel item on my XFCE panel with the command

    firejail thunderbird

    set to execute upon clicking on it. When I do this, however, Thunderbird acts as if it is its first time being opened, wanting to run the “System Integration” check on startup, asking me what I want Thunderbird to be the default for. When run from the terminal, it produces this:

    [chas@UX31e ~]$ firejail thunderbird
    Reading profile /etc/firejail/thunderbird.profile
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 4267, child pid 4268
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
    Blacklist violations are logged to syslog
    Child process initialized
    [calBackendLoader] Using libical backend at /home/chas/.thunderbird/pj74pyg8.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libical-manifest
    Warning: Use of getPrefSafe() is deprecated and will be removed with the next release. Use Preferences.get() instead.
    1: [chrome://calendar/content/calUtils.js:471] getPrefSafe
    2: [chrome://lightningcalendartabs/content/multiweek_tabs.js:39] LightningCalendarTabs.multiWeekTabs
    3: [chrome://lightningcalendartabs/content/tabs.js:100] LightningCalendarTabs.tabsController.prototype.initializeTabControllers
    4: [chrome://lightningcalendartabs/content/tabs.js:77] LightningCalendarTabs.tabsController.prototype.startup
    5: [chrome://lightningcalendartabs/content/tabs.js:243] null

    Now suppose I set Email, Newsgroups, and Feeds as defaults for Thunderbird, then click “Set Default.” The following occurs:

     ** (thunderbird:2): WARNING **: Cannot set application as default for URI scheme (mailto): Failed to rename file ‘/home/chas/.config/mimeapps.list.WXR9QY’ to ‘/home/chas/.config/mimeapps.list’: g_rename() failed: Device or resource busy
    
    ** (thunderbird:2): WARNING **: Cannot set application as default for URI scheme (news): Failed to rename file ‘/home/chas/.config/mimeapps.list.J6H8QY’ to ‘/home/chas/.config/mimeapps.list’: g_rename() failed: Device or resource busy
    
    ** (thunderbird:2): WARNING **: Cannot set application as default for URI scheme (feed): Failed to rename file ‘/home/chas/.config/mimeapps.list.IKQ7QY’ to ‘/home/chas/.config/mimeapps.list’: g_rename() failed: Device or resource busy

    and the popup will remain having failed to set anything as the default. Clicking cancel allows the program to run as it normally would.

    The only time this does not occur is when I open XFCE’s “Mail Reader” app to launch Thunderbird as opposed to the actual application. However, I suspect that is because I do not know how to use Firejail in conjunction with that or the “Web Browser” XFCE app (which I hope I can figure out soon, as it means that hyperlinks in Thunderbird open in unsecured Firefox browsers).

    I have not found anything within the wiki or Firejail’s main page that gives some insight into this, nor did opening the existing profiles for the apps in question reveal anything that jumped out at me as a solution. I’m wondering if anyone else has encountered this before – a minor annoyance more than anything else, but I like it when things run properly.

    Thanks!

  29. Caver1

    I have tried starting the version of Firefox that I use by editing the .desktop file.
    ex- Exec=/home/caver1/firefox45esr/firejail firefox %u
    the problem is with this edit Firefox will not open. Other browsers that I have installed do open with this edit.
    If I try to open this version of Firefox with the terminal command-firejail firefox- it opens.
    How can I get it to open in the Firejail sandbox with the .desktop file?
    Thank you.

  30. S Axel

    NB. dnscrypt-proxy as dns inside firejail ? Have it working outside of firejail yet need some pointers on getting it working from inside. Ideas ?

    1. netblue30 Post author

      You have to start the sandbox as root, start the server, then switch back to your regular user (su) and start the application. Probably you’ll end up running a copy of dnscrypt-proxy in every sandbox. It will be ugly!

  31. Jules

    I’ve been running Firejail for quite a while with no problems on Arch Linux. But I’ve recently installed Opera (having always exclusively used Firefox) and now Thunderbird (under Firejail) keeps trying to open Opera instead of Firefox.

    I want Thunderbird to use Firefox as its browser – not Opera.

    If I run Thunderbird outside of Firejail, Thunderbird opens Firefox. What I want.

    All settings in Thunderbird are set to use Firefox. And I believe I’ve got my Xfce settings using Firefox as the default browser.

    So, I don’t understand why Thunderbird under Firejail wants to open Opera. (When I say that Firejail wants to open Opera, this is by checking in a terminal with top – because if I click on a link in Thunderbird under Firejail nothing seems to happen but top shows me it’s trying to open Opera.)

    I’m using the default profile for Thunderbird.

    Any ideas/assistance would be most appreciated.

    Cheers,
    Jules

    1. netblue30 Post author

      > But I’ve recently installed Opera (having always exclusively used Firefox) and now Thunderbird (under Firejail) keeps trying to open Opera instead of Firefox.

      It happens to me on Debian also, every time I install a new browser Thunderbird configuration switches to the new browser, and it is kind of painful to go in Thunderbird config to switch it back. Browsers you install from outside your package managers are also modifying the configuration.

      There is a thunderbird config file under /etc, another one in your home directory, and your desktop manager might place a third one in some other place. It is a total mess.

      1. Jules

        Many thanks – took it from the top – and went through the motions of confirming that firefox was the default browser – clicking okay when it already said firefox – and that seems to have done the trick! Many thanks again for the assistance – much appreciated.


  32. Phil

    Hello! I would like to use several different profiles for one program, allowing for different configurations/application data/etc.

    So I basically need to make firejail prepare the chroot appropriately – not only white-/blacklisting files and directories as usual, but replacing certain files in the filesystem (the necessary configfiles) with the right version.

    Yet the program should not run as root. As a result, --bind is not an option in this case. Theoretically, I could use --chroot or --overlay, but that would mean to copy large portions of the host filesystem to the directory and to have the whole filesystem rw, which is an idea I do not like at all.

    Do you have any ideas about how I could achieve what I want? Many thanks for any hints!

    Phil

  33. Phil

    I’ve already posted this one, but it did not appear. So, second attempt goes here.

    Hello folks! I would like to use several different firejail profiles for one program, allowing for different configurations/application data and the like.

    So I basically need to make firejail prepare the chroot appropriately – not only white-/blacklisting files and directories as usual, but replacing certain files in the filesystem (the necessary config and data files) with the right version.

    Yet the program should not run as root. As a result, ‘--bind’ is not an option in this case. Theoretically, I could use ‘--chroot’ or ‘--overlay’, but that would mean to copy large portions of the host filesystem to the directory and to have the whole filesystem rw, which is an idea I do not like at all.

    Do you have any ideas about how I could achieve what I want? Many thanks for any hints!

    Phil

    1. netblue30 Post author

      > I’ve already posted this one, but it did not appear.

      Sorry for the trouble, I have no idea what happened, somehow it got lost.

      Unfortunately I cannot allow --bind as user, so your best bet would be to go for a chroot – yes, it will duplicate large portions of your filesystem. Anyway, the default profiles will blacklist /sbin and /usr/sbin.

      You can also use a different directory as home directory with --private=directory. For GUI programs the configuration files are in /home/user anyway, so this could be an easier way to go.

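One way to apply the `--private=directory` suggestion in the reply above to the several-profiles case, as an added example that is not part of the original comments or of Firejail's own code. The names `JAIL_ROOT`, `FIREJAIL`, `prepare_jail_home` and `run_profile`, and the seed directory layout, are assumptions made for this sketch.

```bash
#!/bin/sh
# Added example: one private home per profile of the same program.
# JAIL_ROOT, FIREJAIL, prepare_jail_home and run_profile are names made up here.
JAIL_ROOT="${JAIL_ROOT:-$HOME/.jails}"

# Accept only simple names so a profile can never point outside JAIL_ROOT.
valid_name() {
    case "$1" in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Create $JAIL_ROOT/<name> (mode 700) and, on first use only, seed it with the
# config files from a template directory. Prints the resulting path.
prepare_jail_home() {
    name=$1; seed=$2
    valid_name "$name" || { echo "bad profile name: $name" >&2; return 1; }
    [ -d "$seed" ] || { echo "missing seed directory: $seed" >&2; return 1; }
    dir="$JAIL_ROOT/$name"
    # A symlink here could redirect the sandbox home to an arbitrary location.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        ( umask 077; mkdir -p "$dir" && cp -R "$seed"/. "$dir"/ ) || return 1
    fi
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Launch a program with the chosen profile directory as its home.
# FIREJAIL can be overridden (e.g. FIREJAIL=echo) for a dry run.
run_profile() {
    name=$1; seed=$2; shift 2
    dir=$(prepare_jail_home "$name" "$seed") || return 1
    "${FIREJAIL:-firejail}" --private="$dir" "$@"
}

# Usage: run_profile work ~/seeds/thunderbird-work thunderbird
#        run_profile home ~/seeds/thunderbird-home thunderbird
```

Seeding happens only when the profile directory is first created, so settings the application writes later are not overwritten on the next launch.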
  34. no name

    If I tell my apparmor firefox profile that /etc/passwd is read-only:

    /etc/passwd r,

    then tell firejail it’s blacklisted:

    blacklist /etc/passwd

    Which will take precedence? And should there be an undiscovered vulnerability in firejail, would the apparmor read-only setting protect /etc/passwd from modification?

    I guess I’d like to better understand how apparmor and firejail work together.

  35. Robert

    FYI, the firejail-config man page seems to have been omitted from version 0.9.44.8 of the .deb build:

    man -k firejail
    firejail (1) - Linux namespaces sandbox program
    firecfg (1) - Desktop configuration program for Firejail software.
    firejail-login (5) - Login file syntax for Firejail
    firejail-profile (5) - Security profile file syntax for Firejail
    firemon (1) - Monitoring program for processes started in a Firejail sandbox.

