Support


Please report the problems you run into on our GitHub bug tracker. For general questions you can also use the comment section on any page on this website.


Profile fixes

Fixed security profiles for various Firejail versions are available in this GitHub directory. The fixes cover applications such as the Firefox browser (version 60 is breaking badly!), LibreOffice (crashes on Ubuntu 18.04) and gedit. Manually overwrite the files in the /etc/firejail directory with the files from GitHub.

Firefox example:

  1. In your browser, open the GitHub page corresponding to your Firejail version (0.9.38, 0.9.52).
  2. In a text editor, open the file with the same name in the /etc/firejail directory ("sudo /usr/bin/gedit /etc/firejail/firefox.profile").
  3. Cut and paste from the web page into the text editor.

Frequently Asked Questions

We keep this section on our GitHub wiki here: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions

287 thoughts on “Support”

      1. FJedjit

        This. . .
        Firejail Tricks and Tips, 2021 Edition
        by netblue30
        came into my inbox but I cannot find it anywhere on this site. It lists these,
        Well, mostly Tor and DNS becase this is what we’ve been doing lately.
        Cleanup

        Before we start, do you have a firewall setup on your computer? Why not? It is one of the most basic security tools in the Linux arsenal. Among other things, it deals with those cases when the perpetrator tries to open a TCP server on your machine, in order to access your computer remotely.

        Here is a simple firewall script:

        IPTABLES="/sbin/iptables"

        # loopback and ICMP traffic
        $IPTABLES -A INPUT -i lo -j ACCEPT
        $IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
        $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
        $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

        # established connections
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # uncomment the next line if you are running a SSH server on your computer
        # $IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

        # reject on input, accept on output and forwarding
        $IPTABLES -A INPUT -j REJECT
        $IPTABLES -A OUTPUT -j ACCEPT
        $IPTABLES -A FORWARD -j ACCEPT

        Dump the code in /etc/rc.local file, and it will run every time you start your computer. Or use the tools provided by your distro – every distro does it in a different way! I usually go for rc.local, as I jump from one computer/distro to another. A sample copy of /etc/rc.local in Appendix 1.

        Something else I have in my rc.local file:

        rm -fr /home/netblue/.cache

        .cache directory is the place where people find copies of all the webpages you visited, torrent trackers you connected to, and all those emails you thought you deleted – all 3 GB of them! You want this directory cleaned up every time you start the computer.

        After that, take a look at /etc/machine-id. This is a world-readable file containing a huge random number:

        $ cat /etc/machine-id
        0b46feb27a20469da0ee62baaeb51c5c

        The file is used to uniquely identify Linux computers by government/corporate programs. You definitely don’t need it on your home computer. So make the world a better place and delete it:

        $ sudo rm /etc/machine-id

        Next time you start your computer systemd will cry “OMG A PONY!”. Just disregard it and proceed with Tor Browser installation.
        Installing Tor Browser

        Make sure you grab the browser from the original equipment manufacturer, and do check the signature (see Appendix 2). It comes as a .tar.xz software archive, and you unpack it in your home directory:

        $ tar -xJvf ~/Downloads/tor-browser-linux64-10.0.8_en-US.tar.xz

        The software is extracted in a new directory, ~/tor-browser-linux64-10.0.8_en-US. This directory is mounted by Firejail on top of your home directory using the --private flag:

        $ firejail --name=tor --private=~/tor-browser_en-US ./start-tor-browser.desktop

        The browser starts in a container filesystem created on-the-fly by Firejail. Take a look around, no personally identifiable information should be available in the process space: home directory with only the files from the software archive, virtually empty /tmp, small subset of system files in /dev and /etc, most of everything else is re-mounted read-only after some basic cleanup:

        images here
        Network namespace

        Use a network namespace for additional fun and glory. This is basically a new TCP/IP stack in kernel space: an unused IP address is obtained by ARP-probing your network, the MAC address allocated by the kernel is random by default, brand new interfaces and routing table, and a firewall similar to the one above. You do need to find the name of your Ethernet interface though:

        $ ip link show
        1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        2: eth0: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether e0:3f:44:7a:1s:09 brd ff:ff:ff:ff:ff:ff

        Your interface is eth0, start tor as follows:

        $ firejail --name=tor --net=eth0 --private=~/tor-browser_en-US ./start-tor-browser.desktop

        Where can I find this blog item or is it legit?

        Like
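The post quoted above tells you to read the interface name off "ip link show" by hand and then type it into "--net=". The following script, an added example and not part of the original post or of Firejail, does that step: it picks the first non-loopback interface in state UP from "ip link show" output and assembles the sandboxed Tor Browser command line; the sample output is constructed (made-up MAC), and the unpacked directory name is assumed to be ~/tor-browser_en-US as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): choose the interface for
# "firejail --net=<iface>" from `ip link show` output and build the
# sandboxed Tor Browser command line shown in the post above.

# Print the first non-loopback interface whose operational state is UP.
# Reads `ip link show` output on stdin; prints nothing if none qualifies,
# so a missing or down interface is detected instead of silently ignored.
detect_iface() {
    awk '
        /^[0-9]+: / {
            name = $2
            sub(/:$/, "", name)      # "eth0:" -> "eth0"
            sub(/@.*/, "", name)     # "veth0@if3" -> "veth0"
            if (name != "lo" && $0 ~ /state UP/) { print name; exit }
        }'
}

# Build the firejail command: a new network stack attached to $1, with the
# unpacked Tor Browser directory $2 mounted as the sandbox home directory.
# Fails (exit 1) when no usable interface was found.
build_tor_cmd() {
    iface="$1"
    dir="$2"
    if [ -z "$iface" ]; then
        echo "no UP network interface found; check 'ip link show'" >&2
        return 1
    fi
    printf 'firejail --name=tor --net=%s --private=%s ./start-tor-browser.desktop\n' \
        "$iface" "$dir"
}

# Constructed sample of `ip link show` output (MAC address is made up).
# For a live run use:  IFACE=$(ip link show | detect_iface)
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

IFACE=$(printf '%s\n' "$SAMPLE_IP_LINK" | detect_iface)
build_tor_cmd "$IFACE" "$HOME/tor-browser_en-US"
```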

    1. netblue30 Post author

      in man page: "firejail --audit=test-program" will run your test audit program instead of the default one. I will prepare some examples and add them to the man page.

      Like

      Reply
  1. Cyllarus

    I want to use a browser to display various html files in various subdirectories of my (real) /home/, but block network access to prevent leakage outside of my computer. I see how to block the network (--net=none), but can’t find the way to allow access to my (real) /home/ and its subdirectories.

    Like

    Reply
    1. netblue30 Post author

      By default the only directory visible in your browser is /home/username/Downloads. If you want to access files in a different directory, add it using the --whitelist flag on the command line:

      $ firejail --whitelist=/home/username/somedirectory --net=none firefox

      Like

      Reply
      1. Cyllarus

        There is no way, then, to allow the whole of /home/ (or any subtree thereof) to be accessible? I just want to prevent the browser from communicating with the internet.

        Like

  2. Schlingel

    Hi there!
    I don’t manage to switch between languages on a Zoom session through the firejail tool. Every time I try to, it closes the software; when I launch it again, the language remains unchanged. How can I get around this?
    Thank you very much for the great tool you put at our disposal, keep up!
    Best regards ~

    Like

    Reply
