Please report the problems you run into on our GitHub bug tracker. For general questions you can also use the comment section on any page on this website. Security bugs are taken seriously, please email them to firstname.lastname@example.org
Fixed security profile fixes are available for various Firejail versions in this GitHub directory. The fixes cover applications such as Firefox browser (version 60 is breaking badly!), LibreOffice (crashes on Ubuntu 18.04), gedit. Manually overwrite the files in
/etc/firejail directory with the files from GitHub.
- in your browser, open the GitHub page corresponding to your Firejail version (0.9.38, 0.9.52)
- in a text editor, open the file with the same name in
sudo /usr/bin/gedit /etc/firejail/firefox.profile“)
- cut&paste from the web page into the text editor
Frequently Asked Questions
Why on earth should I use Firejail?
Some existing Linux security solutions are easily defeated from internal and/or external threats. Other solutions are just too difficult to put in place. Firejail’s approach is radically different.
For us, the user always comes first. We manage to keep the learning curve down. Actually, most of the time you don’t need to learn anything, just prefix your application with “firejail” and run it. This makes Firejail ideal for the regular, not-so-skilled home user.
We use the latest Linux kernel security features, such as namespaces and seccomp-bpf. In our view these features are mature, and have been extensively tested in the market place by products such as Google Chrome or Docker.
How does it compare with Docker, LXC, nspawn?
Docker, LXC and nspawn are container managers. A container is a separate root filesystem. The software runs in this new filesystem. Firejail is a security sandbox. It works on your existing filesystem. It is modeled after the security sandbox distributed with Google Chrome.
Containers and sandboxes use the same Linux kernel technology, Linux namespaces. The developer focus is different. Containers target the virtualization market, while sandboxes focus on application security.
What is the overhead of the sandbox?
The sandbox itself is a very small process. The setup is fast, typically several milliseconds. After the application is started, the sandbox process goes to sleep and doesn’t consume any resources. All the security features are implemented inside the kernel, and run at kernel speed.
Firefox doesn’t open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance
By default, Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in Firejail sandbox.
How do I run two instances of Firefox?
Start the first Firefox instance as usual:
$ firejail firefox
Then, start the second sandbox:
$ firejail --private firefox -no-remote
How do I run VLC in a sandbox without network access?
–net=none command line switch installs a new TCP/IP stack in your sandbox. The stack is not connected to any external interface. For the programs running inside, the sandbox looks like a computer without any Ethernet interface.
$ firejail --net=none vlc
The best way to handle the command line switch is to place it in a custom profile in ~/.config/firejail file in your home directory. Create a vlc.profile text file in this directory, with the following content:
$ cat ~/.config/firejail/vlc.profile include /etc/firejail/vlc.profile net none
Can you sandbox Steam games and Skype?
Support for Steam, Wine and Skype has been around since version 0.9.34. Quite a number of other closed-source programs are supported.
Running ls /etc/firejail/*.profile will list all the security profiles distributed with Firejail. Programs not listed there, are handled by a very restrictive /etc/firejail/default.profile.
PulseAudio 7.0/8.0 issue
The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Many Linux users are reporting sound problems when running applications in Firejail sandbox. It affects among others Arch, Ubuntu 16.04 and Mint users. This problem was fixed PulseAudio version 9.0. Run “firecfg –fix” in a terminal or apply the following configuration to mask the problem:
$ mkdir -p ~/.config/pulse $ cd ~/.config/pulse $ cp /etc/pulse/client.conf . $ echo "enable-shm = no" >> client.conf
A logout/login is required for the changes to take effect.
If you have problems with PulseAudio 9.x use the previous fix, or configure “enable-memfd = yes” in /etc/pulse/daemon.conf.
Firefox 60 problems
Firefox 60 doesn’t work with Firejail version 0.9.52 or older. Patched security profiles for are available for Firejail versions 0.9.38.x (LST) and 0.9.52. You can find them in our profile fixes section. Another option is to install Firejail 0.9.54.
LibreOffice on Ubuntu 18.04
LibreOffice crashes when sandboxed with Firejail version 0.9.52 in Ubuntu 18.04. A patched security profile for Firejail 0.9.52 is available in our profile fixes section. Another option is to install Firejail 0.9.54.
Cannot install new software while Firejail is running
File blacklisted in a running jail cannot be removed from outside of jail. This causes serious inconvenience when using Firejail with long time running processes. For example, preventing user from updating system normally, as files like /bin/su, /bin/mount, /usr/bin/sudo are blacklisted by default. Also, admin commands for adding users and groups will fail.
Firejail implements blacklisting by mounting an empty, read-only file or directory on top of the original file. The kernel, at least the older kernels, will refuse to delete the file because it is a mount point in some other place in the system.
The problem is fixed in Linux kernels 3.18 or newer. This is the commit: vfs: Lazily remove mounts on unlinked files and directories
Cannot connect to ibus-daemon in a new network namespace
ibus-daemon is used to change the system language, for example to switch between English (US) input and Japanese inputs. In a sandbox using a new network namespace ibus-daemon socket is disabled and keyboard switching capability is lost.
Firefox crashing on Netflix, AMDGPU PRO, Nvidia closed source drivers
We are still working on these problems. From what we’ve seen so far, these programs make liberal use of system calls such as chroot and ptrace. These syscalls have no place in regular, well behaved programs, and seccomp kills the application immediately. Workarounds involve disabling seccomp and allowing ptrace utility. Example:
$ firejail --allow-debuggers --ignore=seccomp --ignore=protocol firefox -no-remote
I’ve noticed the title bar in Firefox shows “(as superuser)”, is this normal?
The sandbox process itself runs as root. The application inside the sandbox runs as a regular user. “ps aux | grep firefox” reports Firefox process running as a regular user.
The same problem was seen on other programs as well (VLC, Audacious, Transmission), and it is believed to be a bug in the window manager. You can find a very long discussion on the development site: https://github.com/netblue30/firejail/issues/258