Support

 

Please report the problems you run into on our GitHub bug tracker. For general questions you can also use the comment section on any page of this website. Security bugs are taken seriously; please email them to netblue30@yahoo.com.

 

Profile fixes

Security profile fixes are available for various Firejail versions in this GitHub directory. The fixes cover applications such as the Firefox browser (version 60 is breaking badly!), LibreOffice (crashes on Ubuntu 18.04) and gedit. Manually overwrite the files in the /etc/firejail directory with the files from GitHub.

Firefox example:

  1. in your browser, open the GitHub page corresponding to your Firejail version (0.9.38, 0.9.52)
  2. in a text editor, open the file with the same name in the /etc/firejail directory (“sudo /usr/bin/gedit /etc/firejail/firefox.profile”)
  3. copy the profile text from the web page, paste it over the contents of the file in the text editor and save the file
 

Frequently Asked Questions

 
 

Technology

Why on earth should I use Firejail?

Some existing Linux security solutions are easily defeated by internal or external threats. Others are just too difficult to put in place. Firejail’s approach is radically different.

For us, the user always comes first, so we keep the learning curve low. Actually, most of the time you don’t need to learn anything: just prefix your application with “firejail” and run it. This makes Firejail ideal for the regular, not-so-skilled home user.

We use the latest Linux kernel security features, such as namespaces and seccomp-bpf. In our view these features are mature, and have been extensively tested in the marketplace by products such as Google Chrome or Docker.

 

How does it compare with Docker, LXC, nspawn?

Docker, LXC and nspawn are container managers. A container is a separate root filesystem. The software runs in this new filesystem. Firejail is a security sandbox. It works on your existing filesystem. It is modeled after the security sandbox distributed with Google Chrome.

Containers and sandboxes use the same Linux kernel technology, Linux namespaces. The developer focus is different. Containers target the virtualization market, while sandboxes focus on application security.

 

What is the overhead of the sandbox?

The sandbox itself is a very small process. The setup is fast, typically several milliseconds. After the application is started, the sandbox process goes to sleep and doesn’t consume any resources. All the security features are implemented inside the kernel, and run at kernel speed.

 

Applications

 

Firefox doesn’t open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance

By default, the Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window instead. Make sure Firefox is not already running when you start it in a Firejail sandbox.

 

How do I run two instances of Firefox?

Start the first Firefox instance as usual:

$ firejail firefox

Then, start the second sandbox:

$ firejail --private firefox -no-remote
 

How do I run VLC in a sandbox without network access?

The --net=none command line switch installs a new TCP/IP stack in your sandbox. The stack is not connected to any external interface. For the programs running inside, the sandbox looks like a computer without any Ethernet interface.

$ firejail --net=none vlc

The best way to handle the command line switch is to place it in a custom profile in the ~/.config/firejail directory in your home directory. Create a vlc.profile text file in this directory with the following content:

$ cat ~/.config/firejail/vlc.profile
include /etc/firejail/vlc.profile
net none
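As an added example (not code from the Firejail project), a small POSIX shell helper that creates such an override profile for any application and appends directives only once, so running it again does not duplicate lines. FIREJAIL_USER_DIR and FIREJAIL_SYS_DIR are assumed variable names used only to make the paths overridable.

```shell
#!/bin/sh
# Added example, not part of the Firejail project: build a per-user
# override profile that pulls in the distributed profile and then adds
# hardening directives such as "net none".

# firejail_local_profile APP DIRECTIVE...
#   Writes $FIREJAIL_USER_DIR/APP.profile (default ~/.config/firejail),
#   starting with an include of the system profile, then appends each
#   DIRECTIVE unless an identical line is already present.
firejail_local_profile() {
    app=$1; shift
    dir=${FIREJAIL_USER_DIR:-$HOME/.config/firejail}
    sys=${FIREJAIL_SYS_DIR:-/etc/firejail}
    profile=$dir/$app.profile
    mkdir -p "$dir" || return 1
    # The include must come first so that the directives below override
    # whatever the distributed profile sets.
    if [ ! -f "$profile" ]; then
        printf 'include %s/%s.profile\n' "$sys" "$app" > "$profile" || return 1
    fi
    for d in "$@"; do
        # -x: whole-line match, -F: literal string, so "net none" does not
        # match "net none0" or a commented-out copy of the line
        if ! grep -qxF "$d" "$profile"; then
            printf '%s\n' "$d" >> "$profile" || return 1
        fi
    done
}

# profile_has APP DIRECTIVE -> exit status 0 if the override contains it
profile_has() {
    grep -qxF "$2" "${FIREJAIL_USER_DIR:-$HOME/.config/firejail}/$1.profile"
}

# count_directive APP DIRECTIVE -> prints how many times the line appears
count_directive() {
    grep -cxF "$2" "${FIREJAIL_USER_DIR:-$HOME/.config/firejail}/$1.profile"
}
```

Once the override exists, a plain `firejail vlc` picks up ~/.config/firejail/vlc.profile automatically, so the --net=none switch no longer has to be typed.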

 

Can you sandbox Steam games and Skype?

Support for Steam, Wine and Skype has been around since version 0.9.34. Quite a number of other closed-source programs are supported.

Running ls /etc/firejail/*.profile lists all the security profiles distributed with Firejail. Programs not listed there are handled by the very restrictive /etc/firejail/default.profile.

 

Known Problems

 

PulseAudio 7.0/8.0 issue

The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Many Linux users are reporting sound problems when running applications in a Firejail sandbox. It affects, among others, Arch, Ubuntu 16.04 and Mint users. This problem was fixed in PulseAudio version 9.0. Run “firecfg --fix” in a terminal or apply the following configuration to mask the problem:

$ mkdir -p ~/.config/pulse
$ cd ~/.config/pulse
$ cp /etc/pulse/client.conf .
$ echo "enable-shm = no" >> client.conf

A logout/login is required for the changes to take effect.

If you have problems with PulseAudio 9.x use the previous fix, or configure “enable-memfd = yes” in /etc/pulse/daemon.conf.
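The commands above append “enable-shm = no” blindly, so running them twice leaves two lines in client.conf. As an added example (not part of the Firejail page), a POSIX shell helper that seeds the per-user client.conf from the system copy and sets a key to exactly one value, replacing any existing setting; PULSE_USER_DIR and PULSE_SYS_CONF are assumed variable names used only to make the paths overridable.

```shell
#!/bin/sh
# Added example, not part of the Firejail page: apply the srbchannel
# workaround by setting a key in the per-user PulseAudio client.conf.
# Re-running it is harmless: an existing setting is replaced, not duplicated.

# pulse_set_client_key KEY VALUE
#   Ensures "KEY = VALUE" is the only active line for KEY in
#   $PULSE_USER_DIR/client.conf (default ~/.config/pulse), seeding that file
#   from $PULSE_SYS_CONF (default /etc/pulse/client.conf) on first use.
pulse_set_client_key() {
    key=$1; value=$2
    dir=${PULSE_USER_DIR:-$HOME/.config/pulse}
    sysconf=${PULSE_SYS_CONF:-/etc/pulse/client.conf}
    conf=$dir/client.conf
    mkdir -p "$dir" || return 1
    if [ ! -f "$conf" ]; then
        # Start from the system defaults, as the cp step above does;
        # fall back to an empty file if there is no system copy.
        if [ -f "$sysconf" ]; then cp "$sysconf" "$conf"; else : > "$conf"; fi
    fi
    tmp=$(mktemp) || return 1
    # Drop every active line for this key, and also the commented-out
    # default PulseAudio ships as "; key = value", so only one line remains.
    grep -vE "^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=" "$conf" > "$tmp" || :
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# pulse_get_client_key KEY -> prints the active value, nothing if unset
pulse_get_client_key() {
    conf=${PULSE_USER_DIR:-$HOME/.config/pulse}/client.conf
    [ -f "$conf" ] || return 0
    sed -nE "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$conf" | tail -n1
}
```

A logout/login is still needed afterwards, exactly as for the manual commands.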

 

Firefox 60 problems

Firefox 60 doesn’t work with Firejail version 0.9.52 or older. Patched security profiles are available for Firejail versions 0.9.38.x (LTS) and 0.9.52. You can find them in our profile fixes section. Another option is to install Firejail 0.9.54.

 

LibreOffice on Ubuntu 18.04

LibreOffice crashes when sandboxed with Firejail version 0.9.52 in Ubuntu 18.04. A patched security profile for Firejail 0.9.52 is available in our profile fixes section. Another option is to install Firejail 0.9.54.

 

Cannot install new software while Firejail is running

A file blacklisted in a running jail cannot be removed from outside the jail. This causes serious inconvenience when using Firejail with long-running processes. For example, it prevents the user from updating the system normally, since files like /bin/su, /bin/mount and /usr/bin/sudo are blacklisted by default. Admin commands for adding users and groups will also fail.

Firejail implements blacklisting by mounting an empty, read-only file or directory on top of the original file. The kernel, at least in older versions, refuses to delete the file because it is a mount point somewhere else in the system.

The problem is fixed in Linux kernels 3.18 or newer. This is the commit: “vfs: Lazily remove mounts on unlinked files and directories”.

 

Cannot connect to ibus-daemon in a new network namespace

ibus-daemon is used to switch the system input method, for example between English (US) and Japanese input. In a sandbox using a new network namespace the ibus-daemon socket is unavailable and the keyboard switching capability is lost.

 

Firefox crashing on Netflix, AMDGPU PRO, Nvidia closed source drivers

We are still working on these problems. From what we’ve seen so far, these programs make liberal use of system calls such as chroot and ptrace. These syscalls have no place in regular, well-behaved programs, and seccomp kills the application immediately. Workarounds involve disabling seccomp and allowing ptrace. Example:

$ firejail --allow-debuggers --ignore=seccomp --ignore=protocol firefox -no-remote
 

I’ve noticed the title bar in Firefox shows “(as superuser)”, is this normal?

The sandbox process itself runs as root. The application inside the sandbox runs as a regular user: “ps aux | grep firefox” reports the Firefox process running as a regular user.

The same problem was seen with other programs as well (VLC, Audacious, Transmission), and it is believed to be a bug in the window manager. You can find a very long discussion on the development site: https://github.com/netblue30/firejail/issues/258


234 thoughts on “Support”

  1. Nonnya

    Ever since I ran sudo firecfg, my browsers won’t launch. I have to uninstall firejail completely to get them to work. Any workaround for this?

  2. JoeJoe

    Ever since I ran sudo firecfg, my browsers won’t launch. I have to uninstall firejail completely to get them to work. Any workaround for this?

  3. Simon

    Why is it the case that if I run a new terminal window from firejail, none of the sandbox features seem to work? Specifically, if I run firejail --noroot id, I see that I’m a member of groups 1000 and 65534 (nogroup). But if I run firejail --noroot xfce4-terminal, and in that new terminal run id, I see that I’m a member of groups 1000, 4, 27 and so on, i.e. it seems as if the new terminal window isn’t constrained by the sandbox. I see the same thing in bwrap (bubblewrap), so I assume it’s something I’m not understanding about how the sandboxes work, so would appreciate any clarification of what’s actually going on here. And firejail is great, by the way, the documentation is very good compared to bwrap.

  4. lin

    I read you removed all --private & --overlay options from firejail with > v0.9.56 (Oct ’18) 😦 really? Have I misunderstood something? How do I get back the important security features I used to use?

  5. Deniz

    Are colons and parentheses in directory names supported? If so, how would one use those characters? I know spaces are not to be escaped, but whether I escape colons and parentheses or not, I can’t seem to stop getting the error “Error: blabla is an invalid filename” (without the quotes). I’m using firejail 0.9.56-2 in Debian testing/buster.

  6. Alice

    Devs, thanks for such a great app! Could you help me please with a desktop shortcut for firefox. I’ve done an executable file with this script but I think it doesn’t execute the “--seccomp” and “&” commands:
    [Desktop Entry]
    Name=FirefoxREGULAR
    Exec=firejail --seccomp firefox -no-remote &
    Terminal=true
    Type=Application
    Icon=/usr/share/icons/Mint-Y/apps/64/firefox.png

    1. netblue30 Post author

      In your desktop file replace the Exec line as follows:

      Exec=firejail firefox --no-remote

      You don’t need to add a &, also --seccomp is done by default for firefox.

  7. mr

    Hi. I’m having the problem “cannot find profile, might be missing or inaccessible” in Firefox. I can open Firefox normally without Firejail. I’ve made a new profile for Firefox but it makes no difference. I had previously tried to install Firejail and was having trouble getting it up and running, so I did a system restore; now I have this problem. Can you please help?

  8. Sao Wo

    First, thanks for making available this wonderful tool!
    I’ve been using “firejail thunderbird” successfully for quite some time. Everything works, except for one addon, “latexit”, which allows users to insert pdf’s of snippets of latex-processed equations into email replies. The addon works only if I do not use firejail. Enclosed please find the output of messages shown on the terminal when I run “firejail thunderbird”. Thanks for your help!

    ——— (output of firejail thunderbird session) ———-

    [For your reference: This is running on 64 bit linux mint xfce 18.04.1
    There are five warning messages below:
    * the first two (including the `critical’ one) showed up after I issued the “firejail thunderbird” command
    * the third one showed up when I clicked “write” on thunderbird to compose a message
    * the fourth one showed up because I got a notification for a new email in my mbox (I had not yet started composing my message)
    * the fifth and last one showed up after I clicked the “latexit” button (note: there was no warning when I typed the (text) message/latex texts)
    Feel free to let me know if you have any questions/need more info]

    xterm 101: firejail thunderbird
    Reading profile /usr/local/etc/firejail/thunderbird.profile
    Reading profile /usr/local/etc/firejail/firefox.profile
    Reading profile /usr/local/etc/firejail/firefox-common.profile
    Reading profile /usr/local/etc/firejail/disable-common.inc
    Reading profile /usr/local/etc/firejail/disable-devel.inc
    Reading profile /usr/local/etc/firejail/disable-interpreters.inc
    Reading profile /usr/local/etc/firejail/disable-programs.inc
    Reading profile /usr/local/etc/firejail/whitelist-common.inc
    Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
    Parent pid 4049, child pid 4050
    Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
    Post-exec seccomp protector enabled
    Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,

    firejail thunderbird
    Child process initialized in 104.87 ms
    [calBackendLoader] Using Thunderbird’s builtin libical backend

    (thunderbird:9): libunity-CRITICAL **: 08:20:22.509: unity-launcher.vala:157: Unable to connect to session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”

    ** (thunderbird:9): WARNING **: 08:20:22.552: unable to connect to session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”

    (thunderbird:9): LIBDBUSMENU-GLIB-WARNING **: 08:20:25.599: Unable to get session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”

    (thunderbird:9): LIBDBUSMENU-GLIB-WARNING **: 08:20:36.137: Unable to get session bus: Unknown or unsupported transport “DBUS_SESSION_BUS_ADDRESS=unix” for address “DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus”

    (thunderbird:9): libnotify-WARNING **: 08:20:40.676: Failed to connect to proxy
    This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/Debian) (preloaded format=latex)
    restricted \write18 enabled.

    kpathsea: Running mktexfmt latex.fmt
    /usr/bin/env: ‘perl’: Permission denied
    I can’t find the format file `latex.fmt’!
    [Exception... "Component returned failure code: 0x80520006 (NS_ERROR_FILE_TARGET_DOES_NOT_EXIST) [nsIFile.remove]" nsresult: "0x80520006 (NS_ERROR_FILE_TARGET_DOES_NOT_EXIST)" location: "JS frame :: chrome://tblatex/content/main.js :: run_latex/< :: line 191" data: no]
    run_latex/<@chrome://tblatex/content/main.js:191:11
    run_latex@chrome://tblatex/content/main.js:188:7
    replace_latex_nodes/<@chrome://tblatex/content/main.js:330:28
    replace_latex_nodes@chrome://tblatex/content/main.js:325:45
    tblatex.on_latexit@chrome://tblatex/content/main.js:386:7
    oncommand@chrome://messenger/content/messengercompose/messengercompose.xul:1:1

    Parent is shutting down, bye…

  9. Steve

    My understanding of Sandbox tech and usage is from using SandboxIE. I’m having trouble understanding how to get Firejail to function the way I understand SandboxIE.
    In SandboxIE, everything is (Firejail language) –Private, but with persistence within the sandbox container until the user chooses the option to delete the contents of the sandbox or recover individual files from the protected environment.
    In Firejail’s non –private usage, browser malware can persist in the associated folders, cookies persist in the associated folders. If I use the available options in Firejail to create a proper isolated environment with no persistence then I lose my browser customizations or I lose the ability to recover selected files.
    How do I get Firejail to achieve the type of functionality available in SandboxIE, complete isolation while all browser customizations carry into the sandbox, and the ability to recover from the sandbox any file I choose which was introduced during a Firejail session?

  10. wognath

    Vivaldi browser (Linux) plays Netflix videos, but when run in firejail it does not. The message says to visit chrome://components and update WidevineCdm, but Widevine is up to date.

    Because there is a copy of widevinecdm.so in each of these directories, I added this to vivaldi.local:
    noblacklist ${HOME}/.local/lib/vivaldi
    whitelist ${HOME}/.local/lib/vivaldi
    noblacklist /var/opt/vivaldi
    whitelist /var/opt/vivaldi
    Netflix videos still fail to play. I would appreciate any suggestions. Thanks.
    MX-Linux 18.1 Vivaldi 2.3.1440.60 firejail 0.9.58.2

    1. wognath

      Resolved by running sudo /opt/vivaldi/update-widevine. Script reports widevine is already up to date but creates a link which permits its use in firejail vivaldi.

  11. Jane

    I just set up my laptop with a fresh install of ubuntu 18.04
    When installing firejail thru the app centre all went fine
    Later I found out there was an update (firejail_0.9.56-LTS_1_amd64.deb) which I installed and then things went wrong.
    I can open firefox but there is no internet i even can’t open my FF extensions
    I’m no good in technical stuff so please step by step please.
    I love FJ and FT and I definitely want to keep using them, but right now I’m lost.
    Please help

  12. Paul

    For some reason Firejail is blocking downloads. They go into my /TMP folder (.mozilla/.palemoon) and vanish once the Pale Moon session is closed i.e they do not get to the Downloads folder despite that folder being designated.

    Seems to be a conflict which has only just appeared. Any ideas on this please? Using 0.9.58.2-1

  13. bash64

    The default orage.profile file has NOSOUND set.
    Orage is a calendar and ALARM application.
    It must be able to play sound to wake you up.
    It took me a bit to figure out why my alarm was not going off.

    1. netblue30 Post author

      It is legit. However, the version they have is very very old. I would suggest you grab the latest version from this site (look in Downloads page).

  14. ELG

    Used Firejail for past three years.
    Loved it !
    Was forced to upgrade to newer Linux Mint Mate OS.
    I’m a newbie in using the terminal and text editor combination..
    Really want to get Firejail back on my CPUs, but don’t have enough info to do “Profile Fix”..
    My “text editor” is called just that.
    Do I have to put this name after “sudo” ?
    Do the old text-files then appear in the terminal after I enter the sudo path command?
    Would I “cut them out,” or just “paste over them” from the GitHub page?
    On the GitHub page, would I do anything other than “copy the lines of code?”
    What are the “save” and “exit” commands after “pasting”?
    (Package Manager says that 0.9.52-2 Firejail is “Installed,” so guess I just need to get “Profiles” working?.. )
    Really appreciate any help !!
    Thanks ! !

    1. kiwilinux

      Hi mate... do you use Firetools? Can you just use “firejail (name)” in the terminal?
      Did you get the deb version of Firejail?
      Excuse me if I’ve understood wrong... I’m not overly an expert.

  15. gnomek

    I run Firefox on Linux in firejail --private. It can’t connect to the keepassxc database.

    Is it possible to do something about it?

    I found this topic
    https://github.com/keepassxreboot/keepassxc/issues/1820

    but it is closed and all they say is to not use private.

    I run keepassxc in the same --private as Firefox but the firefox extension can’t connect to the keepassxc database even if it is moved to the same path (private home)
    firejail --private=/path/ /usr/bin/keepassxc

    Is using firefox without --private but with a custom profile less secure?

  16. Rosika Schreck

    Hello,

    from what I’ve learnt from https://distrowatch.com/weekly.php?issue=20190617#news it seems that the Ubuntu team is looking at replacing their current Chromium deb package with a snap package.
    So in future Chromium should exclusively be available as a snap.
    That’s bad news. As firejail dropped support for snaps this means that I won’t be able to use Chromium any more.
    Is there really nothing that can be done about this?

    Greetings.
    Rosika

