Frequently Asked Questions

 

Contents:
     Why on earth should I use Firejail?
     How much does this cost?
     Why is Firejail not packaged by XYZ Linux distribution?
     How does it compare with Docker, LXC, nspawn?
     Can I use Firejail as a container engine?
     Firefox doesn’t open in a new sandbox.
     What’s the advantage of using Firejail instead of SELinux?
     Can you sandbox Steam games and Skype?

 

Why on earth should I use Firejail?

Some existing Linux security solutions are easily defeated by internal and/or external threats. Other solutions are just too difficult to put in place. Firejail’s approach is radically different.

For us, the user always comes first. We manage to keep the learning curve down. Actually, most of the time you don’t need to learn anything, just prefix your application with “firejail” and run it. This makes Firejail ideal for the regular, not-so-skilled home user.

If you are running Linux in a business setting, you are not forgotten. Firejail won’t put a major dent in your IT budget and doesn’t require much in the way of new staff or skills either.

Also, we use the latest Linux kernel security features, such as namespaces and seccomp-bpf. In our view these features are mature, and have been extensively tested in the marketplace by products such as Google Chrome or Docker.

 

How much does this cost?

Firejail is 100% free; you don’t have to pay anything. We publish the program under the GPL v2 license. You are in control of the software, and you are in control of your data.

 

Why is Firejail not packaged by XYZ Linux distribution?

Firejail is a young project. As the project matures, Linux distros will package it if there is enough user interest. Currently, Firejail is included in Arch, Debian, Gentoo, NixOS, and Ubuntu – if you find another one, please let me know.

 

How does it compare with Docker, LXC, nspawn?

Docker, LXC and nspawn are container managers. A container is a separate root filesystem. The software runs in this new filesystem. Firejail is a security sandbox. It works on your existing filesystem. It is modeled after the security sandbox distributed with Google Chrome.

Containers and sandboxes use the same Linux kernel technology, Linux namespaces. The developer focus is different. Containers target the virtualization market, while sandboxes focus on application security.

 

Can I use Firejail as a container engine?

Yes, Firejail can run Docker, LXC and OpenVZ containers. It can also run root filesystems built with regular Linux distribution tools such as debootstrap.

 

Firefox doesn’t open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance

By default, the Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in a Firejail sandbox.

 

I recently heard of the sandbox command (it uses SELinux I believe). What’s the advantage of using firejail instead of that?

As the attacks become more and more sophisticated, new security features are added to the Linux kernel. A nice description is available here. Firejail uses a combination of these technologies and closely tracks the new kernel developments.

 

Can you sandbox Steam games and Skype?

Support for Steam, Wine and Skype has been around since version 0.9.34. Quite a number of other closed-source programs are supported.

Running ls /etc/firejail/*.profile will list all the security profiles distributed with Firejail. Programs not listed there are handled by a very restrictive /etc/firejail/default.profile.

112 thoughts on “Frequently Asked Questions”

  1. Don Smith

    Where is the best place to leave questions/comments/possible bug reports if I don’t have a github account? I just started using firejail and am having an issue with firejail --overlay. Without --overlay it all works fine. Also in the profile files, spaces in paths cannot have a backslash escape — not an issue, but it fooled me at first — see “util.c” line 598 or so — maybe a mention in the firejail-profile man page?

  2. Torsten

    In Debian 8.3 placing /usr/bin/firejail in /etc/passwd shell produces “Error: cannot find the program in the path” during login via ssh on the client. This seems to be related to a symlink check even though no symlinks are involved afaik.

    1. netblue30 Post author

      You can control the protocol using the --protocol option. It supports both IPv4 (inet) and IPv6 (inet6). If you leave out inet6, the sandbox will not be able to open an IPv6 connection.

      1. Torsten

        I tried but even when IPv6 is disabled on the host (and due not assigned) inside the sandbox an IPv6 address is assigned to eth0 so apt-get update wants to connect via IPv6 which cannot be opened as you replied. Disabling IPv6 inside the sandbox cannot work as it would require write access to /proc/sys/net (or /sys/net).


      2. netblue30 Post author

        There is only one /proc/sys/net or /sys/net in the box, common to all namespaces. I don’t think you can disable it for a particular namespace.



      4. yukam

        1) --protocol does not (currently) work on i386 (multiplexed socket syscall is not currently handled).
        2) /proc/sys/net inside netns and outside are unjoined (and you, as “root” inside userns/netns is allowed to modify it). You can happily disable ipv6 inside netns, while it is running outside, and opposite. Try yourself (as user):
        $ unshare -rn # this is unprivileged userns (and cannot affect system)
        # ip li set lo up
        # ip ad|grep inet6 # present
        # /sbin/sysctl -w net/ipv6/conf/all/disable_ipv6=1 # notice this is permitted!
        # ip ad|grep inet6 # disappeared; notice that ipv6 still works nice outside netns (e.g. try ping6 -I eth0 -n ip6-allnodes outside netns)
        # /sbin/sysctl -w net/ipv6/conf/all/disable_ipv6=0
        # ip ad|grep inet6 # re-appeared


      5. netblue30 Post author

        > multiplexed socket syscall

        Yes, I don’t have support in seccomp-bpf to extract the parameter. The second argument is a pointer to an array of params. I guess I’ll have to document it in the man page. Thanks!


  3. m3nda

    Hi.

    I’ve tried to open a bitcoin daemon with this and it works. The problem is that the process is being killed asap and Firejail stops. If I open a new Firejail shell and then run the program, it does work.

    How can I run that program and let it run as daemon?
    I assume that creating a service may circumvent, but still wanna know how to let the program running.

  4. srinsriv

    Hi,

    I am exploring the use of firejail for one of my projects. I have a couple of questions which I am pondering.

    1. Can firejail also be used on system daemons like dbus-daemon, xinetd, rsyslogd, systemd (I am not referring to daemons initialized by systemd)?
    2. How do I structure firejail profiles with daemons spawning child processes? Do you have any examples I can use?
    3. Does it make sense to use firejail along with the system daemons or would it make sense to use it with Grsecurity/other-kernel-hardening techniques? Have you tested it with any system processes?

    Thanks in advance.

    1. netblue30 Post author

      1. Yes, you can use firejail on system daemons, but I don’t know if it makes sense. The sandbox is usually used on external entry points in the system, such as web browsers and web servers.

      2. A web server would be an example (firejail /etc/init.d/apache2 start).

      3. Go for grsecurity

  5. a_user

    Hello,

    First off, thanks for this awesome program. I’ve been looking for something that would do this in Linux for over a decade. I always ended up using some painful process to accomplish what firejail does so easily.

    One problem, though. When I have an encrypted folder mounted using cryptkeeper (which uses EncFS), when I blacklist the mount point for a specific program, the program can see into the directory anyway. The process works fine using the .profile files in $HOME/.config/firejail/firefox.profile for any other folder, it is just ineffective on the mounted path of the encrypted volume, and lets the program see right in there and access all contents. I have tested this every way and there must be a solution somewhere.

    Thanks for any ideas,
    A_User

  6. jeb@ponderworthy

    Amazing tool! One question. I have a bridge set up br0, and a firejailed ‘bash’ shell running with --net=br0. I cannot ping outside the host, though I can ping within the host. What is needed to give the container full Internet access, in addition to --dns?

  7. chac

    Hi, if I want to run a server using the port 80 and I see that I need CAP_NET_BIND_SERVICE, but I also want to run it under a non-root user, how can I make firejail allow that capability to that program?

    For example:
    root@srv1# firejail --noprofile --caps.keep=net_bind_service,net_admin --user=webserver -- ./myWebServer

    I get a socket bind error. Invalid permission. I guess because I am setting the user a webserver firejail running as root is not inheriting its capabilities to the child webserver.

  8. anoosh

    I use Linux Mint Rosa with latest updates and firejail. I had a trip to China recently and noticed the following changes to my system.
    1 – firefox would not play flash anymore. the addons were noscript, cookie monster, privacy badger, https everywhere. fixed by creating new profile and reinstalling addons.
    2 – sound configuration on the panel would exit/crash the settings applet. fixed by removing .config, .cache, .local directories and rebooting. please contact me if you need infected .config directory

  9. djh

    You say “By default, Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in Firejail sandbox.”

    To make Firefox start a new process, try firefox -no-remote

  10. marinecomm

    I submitted this to the github page but I will post it here just in case. When I use firejail to open thunderbird, thunderbird refuses to open links in the default web browser. The process shows in the task manager, however. I’ve looked all over the internet but haven’t found much information on this issue.

  11. ian

    Thanks for the great work.

    I’m an enthusiastic amateur at this stuff and just banged my head against a wall of firefox is already running error messages trying to get a neat and tidy .desktop launcher sitting in unity that actually works sensibly. I was relieved after much trial and error to finally have the new window actions and private window actions of my customized .desktop launcher working instead of popping up errors. Then I closed firefox, reopened it and then it stopped working. I have no idea why. While it was working I was able to click my launcher, which would:
    Exec=firejail firefox -no-remote %u
    and then also right click my launcher and click new window, which would run
    Exec=firejail firefox -new-window
    Which worked! After hours of trying! A second sandboxed window!
    I could also right click my launcher and click new private window which would:
    Exec=firejail --private firefox -no-remote
    And that worked too.

    The problem with the new window action is it could trick you into thinking you were getting a safe browser but if you already had a non sandboxed firefox open then you would get a non sandboxed window. So I deleted that action as I can live without it although I don’t understand why I can’t find a command that will successfully open a new firejail’d firefox window when I already have a firejail’d firefox window open. Or why it worked once then stopped. I assume it’s me not being smart enough as I know that it’s possible to have that second window open – you get it if you drag a tab from your firejail’d firefox window away from that window and it turns into its own window.

    Also painful is that I can’t click links to website in emails in thunderbird as I get the dreaded firefox is already running error. It’s very frustrating as I know I had it working at one point – I had firejail’d firefox open, opened a new window via right clicking my launcher and also managed to get a link from an email to open in a new tab in my main window. I tested at each and every step by looking at file:/// to check it was in the sandbox and it was. Now it no longer works. Can anyone tell me what I’m doing wrong?

    An example of a .desktop file that I can put in /usr/share/applications and works like the default firefox launcher but with firejail at every step would be amazing.

    1. netblue30 Post author

      Yes, --new-window is tricky, use --no-remote. If you are running version 0.9.40, you can also look into firecfg (man firecfg). This is a small utility provided with firejail, that allows you to integrate the sandbox with the desktop, usually without the need to modify .desktop files.

      1. Ian

        FYI my libreoffice wasn’t being sandboxed after $firecfg. I could run $lowriter and it would be, but clicking and running it either using the main LO launcher or the specific e.g., writer launcher wouldn’t put me in a sandbox as that .desktop launcher actually runs EXEC=libreoffice --writer


      2. netblue30 Post author

        Yes, it was a bug in firecfg. In the next version libreoffice should be handled correctly – it is already fixed in the development version.


  12. Michael Hill

    Very interesting; I heard of it via Linux Format. When I run the firejail command (with or without arguments, as a regular user or as root), I get the following error right after the “Reading profile” messages:

    Error clone:main(2050): Invalid argument

    Running strace, I see a couple calls to setresuid(-1,0,-1) which fail, then a message is written to fd 2, “Error: cannot switch euid to root”. Finally, there’s a call to geteuid() which returns my UID, then a message to fd 2, “Error: the sandbox is not setuid root”. Curiously, neither of those messages from write() is displayed.

    The binary is setuid root (-rws--x--x), and besides, that shouldn’t cause failure when run as root. My only other guess as to the cause is missing kernel support, as I compile my own kernel; I haven’t found any mention so far of which features/parameters are required by firejail.

    Thanks for any help you can provide.

    1. netblue30 Post author

      Check if you have namespaces compiled in the kernel:

      CONFIG_NAMESPACES=y
      CONFIG_UTS_NS=y
      CONFIG_IPC_NS=y
      CONFIG_USER_NS=y
      CONFIG_PID_NS=y
      CONFIG_NET_NS=y

      Also, make sure you have seccomp:

      CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
      CONFIG_SECCOMP_FILTER=y

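One way to run the check described in this reply, as an added example (not Firejail's own code): the script greps a kernel config file for the options listed above. The default path /boot/config-$(uname -r), the function names and the sample config (constructed, with the UTS namespace left unset) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of Firejail. Checks a kernel config file for the
# namespace and seccomp options listed in the reply above.

FIREJAIL_KCONFIG_REQUIRED="CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS
CONFIG_USER_NS CONFIG_PID_NS CONFIG_NET_NS
CONFIG_HAVE_ARCH_SECCOMP_FILTER CONFIG_SECCOMP_FILTER"

# check_firejail_kconfig [config-file]
# Prints "MISSING <option>" for every required option that is not "=y".
# Returns 0 if all are enabled, 1 if any is missing, 2 if the file is unreadable.
# The default path is an assumption; on kernels that only expose
# /proc/config.gz, decompress it to a file first and pass that file.
check_firejail_kconfig() {
    kcfg_file=${1:-/boot/config-$(uname -r)}
    if [ ! -r "$kcfg_file" ]; then
        echo "cannot read $kcfg_file" >&2
        return 2
    fi
    kcfg_rc=0
    for kcfg_opt in $FIREJAIL_KCONFIG_REQUIRED; do
        # Anchor both ends so "# CONFIG_X is not set" and "CONFIG_X=m" do not match.
        if ! grep -q "^${kcfg_opt}=y\$" "$kcfg_file"; then
            echo "MISSING $kcfg_opt"
            kcfg_rc=1
        fi
    done
    return "$kcfg_rc"
}

# Constructed sample: a config fragment with the UTS namespace left out.
kcfg_demo() {
    kcfg_tmp=$(mktemp) || return 2
    cat > "$kcfg_tmp" <<'EOF'
CONFIG_NAMESPACES=y
# CONFIG_UTS_NS is not set
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
EOF
    check_firejail_kconfig "$kcfg_tmp"
    kcfg_demo_rc=$?
    rm -f "$kcfg_tmp"
    return "$kcfg_demo_rc"
}

kcfg_demo || echo "sample config lacks a required option (status $?)"
```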
  13. Richard

    netblue30: Thanks for the namespace kernel requirements you posted. I was receiving:
    “Error clone:main(1471): Invalid argument”
    When trying to start firejail. I was missing UTS namespace.

      1. Ian

        FYI I had to remove the protocol line from the default profile to stop it segfaulting. Also whitelisted ~/.kodi

        I then uninstalled kodi because I’m sick of how it’s the only program I use that regularly freezes irrecoverably. (not firejail’s fault)


      1. netblue30 Post author

        I don’t know what is the procedure, probably you’ll have to request it on Mint website. I was under the impression they grab automatically everything there is in Ubuntu.


  14. Ian

    Does anyone know how I can get printing to work in evince? I have a network printer that I can print to using i.e., firejailed firefox or non-firejailed evince, but when I firejail evince the printer doesn’t show up in the list. It would be nice if it’s as simple as allowing a certain private IP?

      1. Ian

        I assume that would allow it to make any connection it wants; is there a way to limit it to only private IPs or even restrict it to a single IP/subnet? This would be useful functionality for a few programs I imagine. It reminds me of the Qubes suggested method of setting up an appVM for internet banking that is firewall’d so the only IP it can ever connect to is the bank’s IP.


      2. netblue30 Post author

        You would need to configure a network namespace (--net=eth0) and add a netfilter/iptable filter (--netfilter=filename). Something like this:

        $ firejail --net=eth0 --netfilter=filename evince

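An added sketch of the filter file this reply refers to (not from the Firejail project): the function prints rules in iptables-save format that allow traffic only to one IPv4 subnet. The subnet 192.168.1.0/24 and the function name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of Firejail: generate a filter file for
# "firejail --net=eth0 --netfilter=<file> <program>" that only allows
# connections to one IPv4 subnet.

# make_lan_only_filter <a.b.c.d/len>
# Prints rules in iptables-save format; returns 1 on a malformed subnet.
make_lan_only_filter() {
    lan_cidr=$1
    # Shape check first, then range checks on the prefix length and each octet.
    printf '%s\n' "$lan_cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    lan_prefix=${lan_cidr#*/}
    [ "$lan_prefix" -le 32 ] || return 1
    lan_old_ifs=$IFS
    IFS=.
    set -- ${lan_cidr%/*}
    IFS=$lan_old_ifs
    for lan_octet in "$@"; do
        [ "$lan_octet" -le 255 ] || return 1
    done
    # Default-deny in every chain; loopback and replies to connections the
    # sandbox opened are accepted, and new outbound traffic may only go to
    # the given subnet. DNS servers outside that subnet are blocked as well.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d $lan_cidr -j ACCEPT
COMMIT
EOF
}

# Constructed sample subnet; redirect the output to a file and pass that
# file to --netfilter.
make_lan_only_filter 192.168.1.0/24
```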

  15. Tom

    Just noticed that 0.9.42~rc2 doesn’t run firefox with the shipped profile:

    $ firejail firefox
    Reading profile /usr/local/etc/firejail/firefox.profile
    Reading profile /usr/local/etc/firejail/disable-common.inc
    Reading profile /usr/local/etc/firejail/disable-programs.inc
    Reading profile /usr/local/etc/firejail/disable-devel.inc
    Reading profile /usr/local/etc/firejail/whitelist-common.inc
    Parent pid 9236, child pid 9237
    ***
    *** Warning: cannot whitelist Downloads directory
    *** Any file saved will be lost when the sandbox is closed.
    *** Please create a proper Downloads directory for your application.
    ***
    Error mount bind:fs_whitelist(501): No such file or directory
    Error: cannot establish communication with the parent, exiting…
    $

    The warning about “Downloads” is also wrong — I do have a ~/Downloads. If I interpret the source correctly, this should be implicitly found…

      1. Tom

        Nope, it’s /disk0/home/$USER (as per passwd entry), with /disk0/home symlinked to /home.
        I tried on Debian 8 (Jessie), i386.


  16. Eric

    Hello,
    I tried firejail version 0.9.40 on debian. Somehow it does NOT work, I get no access to my home directory. I tried for example
    1) tried firejail --noprofile mupdf pdffile.pdf
    yields error: “pdffile.pdf” file not found and bye etc.
    I thought maybe gnome – problem. So, next I tried
    2) firejail /home/user/mybashscript.sh does not work either!
    gives: /bin/bash: /home/user/mybashscript.sh : No such file or directory

    Any hint available?

    1. netblue30 Post author

      How is your home directory setup? Are you mounting it on a different partition, are you mounting it over the network, are you using any kind of home directory encryption?

      Try to start a simple sandbox – in a terminal run “firejail”. When inside the sandbox, do you see your files?

  17. Gladiator2

    I have a suggestion. You should say about the license used (GPLv2) somewhere at the beginning of homepage and on github too. 🙂

  18. FireJail User

    Love Firejail but can’t use it any more since I upgraded my graphics card. Where do we report bugs? Firefox segfaults when started with firejail if the system uses the AMDGPU PRO driver. Error message: “audit: type=1326 audit(1472897475.402:22): auid=1000 uid=1000 gid=1000 ses=3 pid=5039 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f975fe29923 code=0x0”

    Have you considered enabling Issues in SourceForge or moving the project to a more user friendly site like GitHub or GitLab?

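The kernel message quoted in this comment is a seccomp audit record (type=1326). As an added example (not from the original post or the Firejail project), the script below extracts the fields that show which system call the filter stopped; the function names and the short x86_64 syscall table are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Firejail: decode a seccomp audit record
# (audit type 1326) such as the one quoted in the comment above.

# audit_field <name> <record>: print the value of name=value, quotes stripped.
audit_field() {
    printf '%s\n' "$2" | awk -v want="$1" '{
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p > 0 && substr($i, 1, p - 1) == want) {
                v = substr($i, p + 1)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# Partial x86_64 syscall table (assumption: only a few entries relevant to
# sandbox troubleshooting are listed; extend it from the kernel headers).
x86_64_syscall_name() {
    case $1 in
        101) echo ptrace ;;
        155) echo pivot_root ;;
        161) echo chroot ;;
        165) echo mount ;;
        175) echo init_module ;;
        246) echo kexec_load ;;
        272) echo unshare ;;
        308) echo setns ;;
        *)   echo unknown ;;
    esac
}

# decode_seccomp_audit <record>: print a one-line summary, or return 1 if
# the line is not a seccomp record.
decode_seccomp_audit() {
    case $1 in
        *type=1326*) ;;
        *) return 1 ;;
    esac
    sa_comm=$(audit_field comm "$1")
    sa_nr=$(audit_field syscall "$1")
    sa_sig=$(audit_field sig "$1")
    # The arch field decides which syscall table applies to the number.
    case $(audit_field arch "$1") in
        c000003e) sa_arch=x86_64; sa_name=$(x86_64_syscall_name "$sa_nr") ;;
        40000003) sa_arch=i386;   sa_name=unknown ;;
        *)        sa_arch=other;  sa_name=unknown ;;
    esac
    # Signal 31 is SIGSYS on x86, raised when a filter kills the caller.
    if [ "$sa_sig" = 31 ]; then
        sa_sig=SIGSYS
    fi
    printf 'comm=%s arch=%s syscall=%s(%s) signal=%s\n' \
        "$sa_comm" "$sa_arch" "$sa_nr" "$sa_name" "$sa_sig"
}

# The record from the comment, retyped with plain ASCII quotes.
SAMPLE_RECORD='audit: type=1326 audit(1472897475.402:22): auid=1000 uid=1000 gid=1000 ses=3 pid=5039 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f975fe29923 code=0x0'

decode_seccomp_audit "$SAMPLE_RECORD"
```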
  19. QwertyGuy

    Can Firejail be used as a snap package (assuming it is available in that way)? I do not think so from what I know about snap. What about appimage? If any of these is possible, please provide it. Thanks. 🙂

    1. netblue30 Post author

      Firejail is a SUID binary, you’ll have to install it on your system. However, starting from version 0.9.42 you’ll be able to run snaps and appimages in Firejail.

  20. Alice

    Older Ubuntu versions do not have all of their packages updated to their latest versions officially. If I always want to use the latest version of Firejail, what do I need to check? Only the kernel version? So it will also work on a very minimal installation of any distribution if the Linux kernel version is appropriate?

  21. Phantom

    1. How are we supposed to use Firejail with Firefox now that it has multi-process (electrolysis/e10s) support? E.g. I have some things blacklisted but that’s only respected by the UI (firefox) and not by the content (plugin-container). I can for example not access the directory using Ctrl+O but if I go to a website where you can upload file the directory is accessible. Is it possible to make the child process either load a profile matching its name, or if it doesn’t exist, inherit the parent’s Firejail profile?

    2. Would it be possible to completely hide blacklisted items instead of just denying access? Right now even if a program can’t access the item, it will still know that it exists. Maybe a new option called ‘hide’?

    1. netblue30 Post author

      1. There is a single configuration for all processes running in the sandbox. You will have to make that configuration permissive enough to accommodate all processes.

      2. This is implemented by --whitelist and --private* options.

  22. Rosika Schreck

    Hello,

    I’ve got a problem with firejail.
    In principle this sandbox works quite well. I can start a browser (firefox/midori) and other applications as well (like rhythmbox).
    What I want to do now is use the overlay-functionality: firejail --overlay firefox.
    Yet that doesn’t work. Firefox itself produces the following message: “Your Firefox profile cannot be loaded. It may be missing or inaccessible”. Yet that can’t be. Without firejail there’s no problem and even “firejail firefox” works well.
    The following message is taken from the terminal:

    rosika@rosika-Lenovo-H520e ~> firejail --overlay firefox
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Warning: --overlay and --noroot are mutually exclusive, noroot disabled
    Parent pid 2362, child pid 2363
    OverlayFS configured in /home/rosika/.firejail/2362 directory
    Warning: cannot find home directory
    ***
    *** Warning: cannot whitelist Downloads directory
    *** Any file saved will be lost when the sandbox is closed.
    *** Please create a proper Downloads directory for your application.
    ***
    Blacklist violations are logged to syslog
    Warning: failed to unmount /sys

    Child process initialized
    parent is shutting down, bye..

    As far as I know --overlay has been working as of kernel version 3.18. As I have 4.4.0-45-generic x86_64 there shouldn’t be any problems.
    Can anyone help me?
    Thanks a lot in advance.
    Rosika

    P.S.:
    System: Linux/Lubuntu 16.04 LTS (64 bit)

    1. netblue30 Post author

      Sorry for the late response. “firejail --overlay firefox” runs fine on my Ubuntu 16.04 (amd64) computer, I have a 4.4.0-22-generic kernel here. Also, it works fine on 4.7 kernel on Debian. There have been some problems with kernel 4.5, where overlayfs was totally broken. But since you are on 4.4, you shouldn’t run into them.

      I do see a problem with your setup. You need to create a Downloads directory in your home. Run “mkdir ~/Downloads”, you will get rid of the “*** Warning: cannot whitelist Downloads directory”. This is quite unusual, your Download directory should already be there on Ubuntu. Where is your home directory located?

  23. Rosika Schreck

    Hello. Thanks a lot for your reply.
    As to your question: I don’t understand the “*** Warning: cannot whitelist Downloads directory” warning either. My downloads-directory is located within my /home directory (as it should be, I suppose). Here’s the path: /home/rosika/Downloads.
    So there’s no point in running “mkdir ~/Downloads” I think??????
    I’m not quite sure what to do now.
    Greetings. Rosika

  24. Rosika Schreck

    Hello again. Thanks for your answer.
    No, my home directory isn’t encrypted. But it’s on a separate partition. I’ve got two partitions:
    root and home. That’s all.
    The installation of the kernel was done by a regular update of the system. So nothing unusual there.

    update:
    I don’t know whether this is of any help but here are the output messages of midori and rhythmbox when trying to use firejail --overlay:
    1.) Reading profile /etc/firejail/midori.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Parent pid 2456, child pid 2457
    OverlayFS configured in /home/rosika/.firejail/2456 directory
    Warning: cannot find home directory
    Warning: failed to unmount /sys
    2.) Reading profile /etc/firejail/rhythmbox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Warning: --overlay and --noroot are mutually exclusive, noroot disabled
    Parent pid 3022, child pid 3023
    OverlayFS configured in /home/rosika/.firejail/3022 directory
    Warning: cannot find home directory
    Warning: failed to unmount /sys

    One thing in common: “Warning: cannot find home directory”.
    BUT: gedit, leafpad, nano are working with the overlay-option

    Greetings. Rosika

  25. anonymous1

    How do I use firecfg? when I simply enter “firecfg” in terminal it says command not found. I tried to find it in synaptic package manager but I can’t find this program either, help?

  26. luri

    Hello!

    When I ran
    $ firejail --net=eth0 firefox
    I couldn’t open any web page.
    But when I ran the following command which I found in the manual
    $ firejail --net=eth0 --dns=8.8.8.8 firefox
    everything worked.

    Maybe it’s interesting for someone.

    1. netblue30 Post author

      Yes, this is always the case for Ubuntu-based distributions. They are running by default a local DNS proxy. This proxy is disabled by the network namespace, users have to come up with a different arrangement for DNS in this kind of sandbox.

  27. Bijay

    Dear developers

    I am interested in Firejail. But I can’t even try it. Firejail is not in the official repo of Trusty (14.04) whereas stable version already out there for Wily Werewolf, Xenial Xerus, Yakkety Yak.

    why this discrimination between Distros?
    why this injustice to those users of Trusty? why?
    can anyone tell me?

  28. Henrik Holmström

    Running wheezy and trying to get a restricted shell configured. The following config line:
    private-bin echo,ls
    or any other attempt like:
    private-bin ${HOME}/cin
    all result in the same error message:
    execvp: No such file or directory
    It might be me not understanding the configuration but I saw a similar bug report which was fixed in June and since I’m stuck, I’m posting here.

      1. Henrik Holmström

        Great, thanks, that worked. My aim is to create a sandbox where I can run untrusted scripts. They are allowed to download files but I don’t want them to execute any binary which wasn’t preinstalled, not sure that’s possible though.


  29. kess

    It would be nice to have the option in firecfg to create links for specified applications instead of all application that are installed. I don’t want firejail to be used by all the applications firecfg created links for.

    Also it would be nice to have profiles for wireshark, tshark and tcpdump

    Thanks for your work

  30. Bruce

    In some of the supplied profiles, the directories ~/.config (or ${HOME}/.config) and ~/.kde4 are explicitly defined. On my system, I have more than one distribution loaded but use the same home directory for them all, so I specify the config and kde directories I want to use in the $XDG_CONFIG_HOME and $KDEHOME environment variables as defined in the XDG Base Directory spec and the KDE spec.

    Is there a way to use these variables in a firejail profile rather than the hard coded default values so the correct files are white- and blacklisted?

    Thanks for a great tool.

    1. netblue30 Post author

      I didn’t try it yet. The default profile should work until a more specific profile is developed. All you need to do is to start the application in the sandbox: run “firejail application-name” in a terminal.

  31. alan

    Is it necessary to be root to install firejail? I tried to install the program in a folder inside my home directory. The installation appears to be successful. However when trying to execute the application I got the error “Error mkdir: util.c:706 create_empty_dir_as_root: Permission denied”

  32. Name

    Simple profile doesn’t work 😦

    Linux pc 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux

    firejail version 0.9.44
    Compile time support:
    - AppArmor support is enabled
    - AppImage support is enabled
    - bind support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

    one.profile:
    noblacklist /bin/bash
    blacklist /bin

    user@pc:~$ firejail --debug --profile=/etc/firejail/one.profile bash

    Reading profile /etc/firejail/one.profile
    Autoselecting /bin/bash as shell
    Command name #bash#
    DISPLAY :0.0, 0
    Using the local network stack
    Parent pid 3436, child pid 3437
    Initializing child process
    Host network configured
    PID namespace installed
    Mounting tmpfs on /run/firejail/mnt directory
    Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
    Mounting tmpfs on /var/lock
    Mounting tmpfs on /var/tmp
    Mounting tmpfs on /var/log
    Mounting tmpfs on /var/lib/dhcp
    Mounting tmpfs on /var/lib/sudo
    Create the new utmp file
    Mount the new utmp file
    Cleaning /home directory
    Sanitizing /etc/passwd, UID_MIN 1000
    Sanitizing /etc/group, GID_MIN 1000
    Disable /run/firejail/network
    Disable /run/firejail/bandwidth
    Disable /run/firejail/name
    Disable /run/firejail/x11
    Remounting /proc and /proc/sys filesystems
    Remounting /sys directory
    Disable /sys/firmware
    Disable /sys/hypervisor
    Disable /sys/module
    Disable /sys/power
    Disable /sys/kernel/debug
    Disable /sys/kernel/vmcoreinfo
    Disable /sys/kernel/uevent_helper
    Disable /proc/sys/fs/binfmt_misc
    Disable /proc/sys/kernel/core_pattern
    Disable /proc/sys/kernel/modprobe
    Disable /proc/sysrq-trigger
    Disable /proc/sys/kernel/hotplug
    Disable /proc/sys/vm/panic_on_oom
    Disable /proc/irq
    Disable /proc/bus
    Disable /proc/sched_debug
    Disable /proc/timer_list
    Disable /proc/timer_stats
    Disable /proc/kcore
    Disable /proc/kallsyms
    Disable /lib/modules
    Disable /boot
    Disable /dev/port
    Disable /dev/kmsg
    Disable /proc/kmsg
    Disable /
    Disable /bin
    Disable /sys/fs
    DISPLAY :0.0, 0
    Username user, groups 1000
    Running ‘bash’ command through /bin/bash
    execvp argument 0: /bin/bash
    execvp argument 1: -c
    execvp argument 2: ‘bash’
    Child process initialized
    execvp: Permission denied
    monitoring pid 2

    Sandbox monitor: waitpid 2 retval 2 status 256

    Parent is shutting down, bye..

    Any ideas? Thank you.

    1. netblue30 Post author

      --noblacklist=dirname_or_filename disables blacklisting for dirname_or_filename.
      You are blacklisting one file (/bin) and unblacklisting another file (/bin/bash). A better solution would be using something like this:

      firejail --private-bin=bash,ls
      

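The failure in the debug log above can be read off mechanically: the program handed to execvp sits under a path the sandbox has disabled. The shell function below is an added example, not part of the original comments or of Firejail itself; the function names are hypothetical and the embedded log is a constructed excerpt of the lines quoted above.

```shell
#!/bin/sh
# Constructed sample: excerpt of the --debug log quoted in the comment above.
sample_log() {
cat <<'EOF'
Reading profile /etc/firejail/one.profile
Disable /proc/kmsg
Disable /
Disable /bin
Disable /sys/fs
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp: Permission denied
EOF
}

# find_blocking_rule (hypothetical helper): read a --debug log on stdin and
# print the most specific "Disable" path that contains the program passed as
# execvp argument 0. Prints nothing and returns 1 when no such path exists.
find_blocking_rule() {
    awk '
        /^[ \t]*Disable / {
            p = $0
            sub(/^[ \t]*Disable /, "", p)
            sub(/[ \t\r]+$/, "", p)
            # A bare "/" would match every path, so it is skipped.
            if (p != "/") disabled[++n] = p
        }
        /^[ \t]*execvp argument 0: / {
            exe = $0
            sub(/^[ \t]*execvp argument 0: /, "", exe)
            sub(/[ \t\r]+$/, "", exe)
        }
        END {
            best = ""
            for (i = 1; i <= n; i++) {
                d = disabled[i]
                # Match the path itself or anything below it, on a "/"
                # boundary, so that /bin does not match /binary.
                if ((exe == d || index(exe, d "/") == 1) && length(d) > length(best))
                    best = d
            }
            if (best == "") exit 1
            printf "%s is inside disabled path %s\n", exe, best
        }
    '
}

sample_log | find_blocking_rule
```

To check a real run, save the output of firejail --debug to a file and feed that file to find_blocking_rule on standard input.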
  33. user

    Hi, it seems /bin/ip is not blacklisted by default. You blacklist ifconfig and other commands, so it would be nice if /bin/ip were also blacklisted by default. Thank you.

  34. Bruce

    I came upon an interesting interaction issue between Firefox and LibreOffice. I have Firefox running in a sandbox with severe limitations on what files it has access to, but LibreOffice is running without restrictions. If Firefox is started before LibreOffice, when I go to open a file, the file chooser in LibreOffice shows only the files which Firefox is allowed to see. On the other hand, if LibreOffice is opened before Firefox and then you open a file in Firefox, all of the files are shown in the file chooser even though they may be blacklisted in the Firefox sandbox. Fortunately this does not affect what files can be actually opened by the application itself (i.e. Firefox can not open any file which is blacklisted even though you can see it in the dialog box and LibreOffice can open any file even if you have to type in the full path name manually to do it).

    I assume this is because the file chooser is in a shared library which is loaded into whatever sandbox uses it first and therefore inherits the restrictions from that sandbox even when executed from another application. This doesn’t seem to violate any security restrictions in this example but is certainly an annoyance when using it in the less restrictive application. I can’t help wondering however if there are other cases of things in shared libraries that might actually be able to violate security rules.

  35. Andy

    Greetings… appreciate firejail, wanted to report an issue. Running Mint Cinnamon 17.3 and launching firejail via firetools. After a period of time, Firefox 50.1.0 freezes, and have to force quit. Then unable to restart Firefox either in FJ or w/o – says it’s already running. Hope this is helpful… don’t have a log file to send.

  36. Andy

    One more detail… running a Panasonic Toughbook CF52 1.8 Duo… about 12 years old. Don’t know if having the same issue on desktop… will advise.

  37. sums

    hey there,

    xenial still only supports the LTS firejail version. i’d like to update manually but can’t seem to find sums for the latest .deb package anywhere. sourceforge isn’t exactly the most trustworthy source, can you confirm these sums?

    md5sum firejail_0.9.44.4_1_amd64.deb
    2e03c243574c2f7c80dc633e60f3ec40 firejail_0.9.44.4_1_amd64.deb

    sha1sum firejail_0.9.44.4_1_amd64.deb
    40aa5736f367fb03aeb6b8320b52ce28f5a6e5ce firejail_0.9.44.4_1_amd64.deb

    sha256sum firejail_0.9.44.4_1_amd64.deb
    cb95e50a628d176ee601640d339c0ba37d5aadb8b49da9418a9335fbd36f4d86 firejail_0.9.44.4_1_amd64.deb

  38. Hell

    Some weeks ago I installed firejail_0.9.38.4_1_amd64.deb. Now I did an update to Version 0.9.38.8-1. “dpkg -l firejail” says 0.9.38.8-1 amd64, but “firejail --version” says firejail version 0.9.38.4. Even after restart no changes. So what version is installed and running?
