Frequently Asked Questions

 
 

Why on earth should I use Firejail?

Some existing Linux security solutions are easily defeated by internal and/or external threats. Other solutions are just too difficult to put in place. Firejail’s approach is radically different.

For us, the user always comes first. We manage to keep the learning curve down. Actually, most of the time you don’t need to learn anything, just prefix your application with “firejail” and run it. This makes Firejail ideal for the regular, not-so-skilled home user.

We use the latest Linux kernel security features, such as namespaces and seccomp-bpf. In our view these features are mature, and have been extensively tested in the marketplace by products such as Google Chrome or Docker.

 

How does it compare with Docker, LXC, nspawn?

Docker, LXC and nspawn are container managers. A container is a separate root filesystem. The software runs in this new filesystem. Firejail is a security sandbox. It works on your existing filesystem. It is modeled after the security sandbox distributed with Google Chrome.

Containers and sandboxes use the same Linux kernel technology, Linux namespaces. The developer focus is different. Containers target the virtualization market, while sandboxes focus on application security.

 

What is the overhead of the sandbox?

The sandbox itself is a very small process. The setup is fast, typically several milliseconds. After the application is started, the sandbox process goes to sleep and doesn’t consume any resources. All the security features are implemented inside the kernel, and run at kernel speed.

 

Firefox doesn’t open in a new sandbox. Instead, it opens a new tab in an existing Firefox instance

By default, the Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in a Firejail sandbox.

 

How do I run two instances of Firefox?

Start the first Firefox instance as usual:

$ firejail firefox

Then, start the second sandbox:

$ firejail --private firefox -no-remote
 

How do I run VLC in a sandbox without network access?

The --net=none command line switch installs a new TCP/IP stack in your sandbox. The stack is not connected to any external interface. For the programs running inside, the sandbox looks like a computer without any Ethernet interface.

$ firejail --net=none vlc

The best way to handle the command line switch is to place it in a custom profile under ~/.config/firejail in your home directory. Create a vlc.profile text file in this directory, with the following content:

$ cat ~/.config/firejail/vlc.profile
include /etc/firejail/vlc.profile
net none

 

I’ve noticed the title bar in Firefox shows “(as superuser)”, is this normal?

The sandbox process itself runs as root. The application inside the sandbox runs as a regular user. “ps aux | grep firefox” reports Firefox process running as a regular user.

The same problem was seen on other programs as well (VLC, Audacious, Transmission), and it is believed to be a bug in the window manager. You can find a very long discussion on the development site: https://github.com/netblue30/firejail/issues/258
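
A more detailed check than ps, as an added example (not part of Firejail or of the original FAQ): the script below reads /proc/<pid>/status and reports the four UIDs, the effective capability set and the seccomp mode of every process with a given name. The sample status text is constructed, and the three conditions flagged by findings() are this example's own choice.

```python
#!/usr/bin/env python3
"""Report credentials and sandbox state of processes from /proc/<pid>/status."""
import os
import sys

# Values of the "Seccomp:" field in /proc/<pid>/status.
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

# Constructed sample input (not captured from a real system).
SAMPLE_STATUS = (
    "Name:\tfirefox\n"
    "Pid:\t6209\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000000\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t2\n"
)


def parse_status(text):
    """Turn the text of a status file into a small report dictionary."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uid_names = ("real", "effective", "saved", "fs")
    return {
        "name": fields.get("Name", "?"),
        "uids": dict(zip(uid_names, map(int, fields["Uid"].split()))),
        "cap_eff": int(fields.get("CapEff", "0"), 16),
        "no_new_privs": fields.get("NoNewPrivs"),  # None on kernels without the field
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp"), "unknown"),
    }


def findings(report):
    """List the ways a process is more privileged than a sandboxed app should be."""
    problems = []
    root_ids = [kind for kind, uid in report["uids"].items() if uid == 0]
    if root_ids:
        problems.append("root UID: " + ", ".join(root_ids))
    if report["cap_eff"]:
        problems.append("effective capabilities: %#x" % report["cap_eff"])
    if report["seccomp"] != "filter":
        problems.append("seccomp is " + report["seccomp"])
    return problems


def read_status(pid):
    with open("/proc/%d/status" % pid) as handle:
        return handle.read()


def pids_by_name(name):
    """Find processes by name; the kernel truncates the name to 15 characters."""
    matches = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            report = parse_status(read_status(int(entry)))
        except (OSError, KeyError, ValueError):
            continue  # the process exited or its status is not readable
        if report["name"] == name[:15]:
            matches.append(int(entry))
    return sorted(matches)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "firefox"
    for pid in pids_by_name(target):
        report = parse_status(read_status(pid))
        print(pid, report["uids"], "seccomp=" + report["seccomp"],
              "capeff=%#x" % report["cap_eff"])
        for problem in findings(report):
            print("    WARNING:", problem)
```

Run it from a terminal outside the sandbox, with the program name as the only argument.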

 

Can you sandbox Steam games and Skype?

Support for Steam, Wine and Skype has been around since version 0.9.34. Quite a number of other closed-source programs are supported.

Running ls /etc/firejail/*.profile will list all the security profiles distributed with Firejail. Programs not listed there are handled by a very restrictive /etc/firejail/default.profile.

 

How do I simulate the installation of a program using Firejail?

This is an example of installing OpenShot video editor in a Firejail sandbox:

In a terminal I start an overlayfs sandbox (a 3.18 kernel or better is needed):

$ firejail --name=test --overlay --private --noblacklist=/sbin --noblacklist=/usr/sbin

In a different terminal, I join the sandbox as root and install the program – I am using apt-get on Debian:

$ sudo firejail --join=test
Switching to pid 2464, the first child process inside the sandbox
changing root to /proc/2464/root
Child process initialized in 6.05 ms
# apt-get install openshot
# exit

Back in the first terminal I run the new program:

$ openshot

Once the sandbox is closed, overlayfs is unmounted and openshot disappears.

 

What are the implications of missing user namespace feature in Arch Linux kernel?

Q: There is a debate going on in the Arch Linux community as to start enabling CONFIG_USER_NS for default kernels. Currently this setting is explicitly not applied to arch repo’s kernels (https://bugs.archlinux.org/task/36969). What are the implications when running firejail on a kernel that doesn’t have user namespaces, if any?

A: There are two different technologies you can use today to set up a sandbox: SUID and user namespaces. Quite funny, both of them are terribly insecure. User namespace has the advantage that when things go wrong you can blame it on kernel people. For Firejail we use SUID, at least this one we can fix ourselves.

However, we do use user namespace for a different purpose: to prevent the user from becoming root. But for this purpose we also have seccomp and capabilities. These three technologies overlap quite well; in a real-world scenario it is difficult to tell which one will trigger first. You need at least one to do the job.

If Arch developers keep user namespace disabled, the impact on Firejail users will be negligible.


218 thoughts on “Frequently Asked Questions”

  1. Robert

    It would be a great feature if there was a build option to specify which dir it uses instead of the default “/run/firejail”. Trying to use it on systems which have a read only / dir does not work.

  2. Paulo M.

    Hi,

    First of all congratulations on your excellent work!

    I’m trying sandboxes for the very first time so I know close to nothing about it. I just tried to run Kodi Media Center in Firejail but it just won’t start. I ran the command in terminal:
    firestart kodi
    Also tried with the private prefix but still no luck.

    Is there a way to run Kodi on Firejail?

    Let me know if you need details/info/logs but for what it looks like, it’s not a matter of config but rather not being able to run at all. Tried both the 38 and 44 versions of Firejail, my OS is a Linux distro based on Ubuntu 16.04.1.

    Thank you very much in advance. Keep up with the good work!

    1. netblue30 Post author

      I don’t think anybody tried kodi. I’ll try to bring it up in the next release.

      Run “firejail --noprofile kodi”, if this is working it would be easy to build a profile for it.

      1. Paulo M.

        Thank you very much for getting back to me and for your help.

        Unfortunately it didn’t work:

        “$ firejail –noprofile kodi
        Reading profile /etc/firejail/generic.profile
        Reading profile /etc/firejail/disable-mgmt.inc
        Reading profile /etc/firejail/disable-secret.inc
        Reading profile /etc/firejail/disable-common.inc

        ** Note: you can use --noprofile to disable generic.profile **

        Parent pid 15563, child pid 15564

        Child process initialized
        /bin/bash: –noprofile: command not found

        parent is shutting down, bye…”

        If you can make Kodi fully working on Firejail and spread the word I believe many will get Firejail just based on that. Kodi is becoming more and more popular everyday and since it uses online connections from various sources, it’s a security hazard for the system.

        Once again thank you very much and keep up with the good work!

    2. Rob

      Hi. I’m trying to restrict Irssi to be only able to connect to localhost and deny all connections to LAN or the internet (to stop ip leaks). I’ve looked through the firejail man page and I haven’t found anything relating to the restriction of networks, other than net, which only allows networking altogether or disables it. Is there a way to do this that I haven’t thought of?

      1. netblue30 Post author

        --net creates a new network namespace. From this namespace you cannot connect to the local host – it basically creates a different local host. I’m afraid it cannot be done.

    3. Idok

      Kodi (xmbc) is Microsoft seed in concept even if they went open source. Stick to Kodi boxes controlled by manufacturer or MITM. It is the same as taken on the big news propaganda. Blue does not have the resources to fight these guys. Don’t waste his resources!

  3. pytaoxlfak

    create file:
    ~/.config/firejail/kodi.profile

    with following content:
    noblacklist ~/.kodi
    caps.drop all
    nonewprivs
    nogroups
    noroot
    seccomp
    protocol unix,inet,inet6,netlink
    shell none
    private-dev

    run:
    firejail kodi

      1. GNUser

        Shouldn’t the profile for KODI be more restrictive? I think for people who use KODI to play internet streams (like sports live events and such) it shouldn’t have any “read” access to files on the home partition. Maybe a whitelist kinda thing. Any thoughts?

      2. netblue30 Post author

        I’ll add KODI support in the next release. It will probably be a simple blacklist-based profile. Once the release is out, we’ll figure out some whitelisting for it.

      3. tuga247

        Out of curiosity, if Kodi was being used with Firejail, would Firejail protect it from getting hacked in that subtitle bug which was called “hacked in translation”?

  4. GlobalLover

    Hello, I’m running 8 Steams in firejail. Everything works correctly; I run Counter-Strike: Global Offensive and it works. If I run more than 5 CS:GO clients (5 clients work perfectly), the additional ones can’t start: for a second I see the CS:GO window, and then it closes. In the console I don’t see any errors. The Steam clients work correctly. Does somebody know how to fix this?

    I’m running it with the command
    firejail --private=nameofbox steam

    System is Ubuntu 16.04, installed latest nvidia drivers (I also tried old versions), firejail latest version; PC specs: i7 6700hq, 32gb ram, gtx960m 4gb gddr5

    Can somebody help me?

    1. daniel

      Hey, could you tell me how you opened the new instances of Steam? Because I can’t get it to work properly with more than 1 instance.

  5. Alex

    Hello! I want to prevent all apps on my machine from keylogging Firefox so I can be safe. Is this possible with Firejail? I want to be safe from malware that may run without me noticing.

  6. Ian

    I’m using 0.9.44.8 on Ubuntu 16.10. I have a problem where some applications aren’t remembering settings. Cherrytree forgets that I enlarged the UI because I have a high dpi screen and also doesn’t open the last used file like it used to (with an older version of firejail). Transmission forgets that I set it to always use encryption instead of the default of “prefer encryption”. I’ve made sure that the profiles allow those specific applications to read the relevant .config/ files and have double checked, e.g., that transmission’s settings.json has the desired encryption setting. It seems these applications are starting up using default settings for some reason?

    1. netblue30 Post author

      To make sure what profile your app is using, start it from the command line. It will list all the profiles as they are loaded:

      netblue@debian:~$ firejail transmission-gtk
      Reading profile /home/netblue/.config/firejail/transmission-gtk.profile
      Reading profile /etc/firejail/transmission-gtk.profile
      Reading profile /etc/firejail/disable-common.inc
      Reading profile /etc/firejail/disable-common.local
      Reading profile /etc/firejail/disable-programs.inc
      Reading profile /etc/firejail/disable-devel.inc
      Reading profile /etc/firejail/disable-passwdmgr.inc
      Reading profile /etc/firejail/whitelist-common.inc
      Parent pid 3633, child pid 3634

      1. Ian

        Thanks. It turns out I left an old cherrytree profile in ~/.config/firejail/

        As for Transmission, those issues are caused by it being launched within the firefox sandbox. I tried whitelisting Transmission’s configuration file in the firefox profile but that didn’t seem to work so I’m just pasting any magnet links in to Transmission manually until I work out the correct firefox profile changes

      2. netblue30 Post author

        I also use magnet links for transmission. The idea is to have the browser and the bittorrent client, each one of them sandboxed independently as strongly as possible.

  7. wheezy

    Hi!

    I just stumbled over this promising little program of yours. What I do not understand is the difference to SELinux, AppArmor and other MAC systems. I never used any of these, but recently they found ransomware even for Linux. That’s why I was thinking of chroot or a MAC system like yours.

    I really appreciate your efforts on this highly important subject.

    Many thanks!

  8. shawn

    Firstly, great application. Using firejail_0.9.44.8_1_amd64.deb and Palemoon 27.1.2. However I have one issue when using Pale Moon on Linux Mint-Mate 18.1 with the default configuration. In the title bar it states that I am running as a super user and obviously this is not something to advise. If I look at the hierarchy it looks as if I am running a user. I do not have this issue in Firefox.
    Terminal states:
    shawn@HPLaptop ~ $ firejail --tree palemoon
    6199:shawn:/usr/bin/firejail /usr/bin/palemoon
    6202:shawn:/usr/bin/firejail /usr/bin/palemoon
    6209:shawn:/usr/bin/palemoon

    I took screen print of browser, but do not know how to attach.

    Have you any ideas or am I being paranoid?

    1. netblue30 Post author

      It’s fine, some window managers have this problem. The best way to check is to run “ps aux | grep palemoon” in a new terminal. It will tell you palemoon runs as a regular user (shawn). It is a window manager bug.

  9. Karl

    Awesome tool, thanks!

    Can you please elaborate if there is a recommended way to make sure that a specific application (like Firefox) is only started via Firejail when starting (a) from the shell (without the need to specify “firejail” explicitly) and (b) from the desktop environment of choice (xfce, Gnome, KDE, …)?

    I can imagine multiple ways but did not start to evaluate them: shell-alias, correctly placed desktop-file which overrides the default ones, modifying the application menu entry (xfce, Gnome, KDE, …) with a modified one, …

    Thanks!

    1. netblue30 Post author

      Whatever works for you. We have a tool in firejail package that will make a symbolic link from /usr/local/bin/firefox to firejail executable. As a result, when you run “firefox” in a bash terminal it will actually run “firejail firefox”. In some cases, the same trick seems to be taking care of applications started from desktop manager menu. To set the links run “sudo firecfg” (also see “man firecfg”).

      Desktop files also work, but when you update firefox, the desktop file will be overwritten.

      Another way to do it is to set icons on your desktop.

  10. 1llusion

    I just now tried firejail with firefox:
    $ firejail firefox
    and it is working nicely. However, a thing that greatly disturbs me is the fact that the title bar of firefox now says that it is running as root. Do you know anything about that?

    Thanks!

  11. Jeff

    Thanks so much for this great addition to the linux ecosystem. I’m running Ubuntu and trying to use firejail with Wire (https://wire.com) but get an error that says:

    ~~~~~~~~~~~~~~~

    Reading profile /etc/firejail/generic.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc

    ** Note: you can use --noprofile to disable generic.profile **

    Parent pid 7523, child pid 7524

    Child process initialized
    [2:0331/112642:FATAL:udev_linux.cc(20)] Check failed: monitor_.

    parent is shutting down, bye…

    ~~~~~~~~~~~~~~~~~~~~~~~

    Any suggestions that might get me around this?
    Thank you.

  12. Daniel11609

    Hello everyone, hey netblue,
    I need help with running multiple instances of steam using firejail.
    Another user already asked for this but he got another problem.
    I can perfectly run a single instance of steam+game using firejail steam, but even if I use --private=steam1 steam or something it logs in but the game (in this case csgo) won’t run because it detects that it is already running.
    Also I don’t want to have the game stored in another folder for each instance, just 1 game folder but different instances of steam and csgo.

    If this is possible with firejail I’d love to get some help I think it might be useful for a lot of people.

    Kind regards
    Daniel

  13. harri

    “firefox --new-instance” can be used to open a new firefox in a separate sandbox. I often run multiple instances in parallel using that. Without --new-instance firefox opens in a new tab or new window of some existing sandboxed and running firefox.

  14. Daniel11609

    “Firejail steam” works completely fine, but how can I start it again in a new sandbox not accessing the current sandbox. My goal is to run multiple instances of steam and also of the source game csgo. But I can’t even run steam correctly.

  15. Phil

    Hi!

    I see that Firejail works manually, say by typing: firejail /etc/init.d/lighttpd start

    But how can you bake it into an init script so that it starts automatically at boot? I have no idea what I’m doing, but here’s what I tried. First, I just replaced “exec /usr/sbin/lighttpd” with “exec /usr/bin/firejail /usr/sbin/lighttpd”, which failed spectacularly. Well, not spectacularly. But it did fail to background properly, and no amount of ampersanding would help.

    So next I made a quick Bash script (firejail /usr/sbin/lighttpd $@ &) and used the path to that for the exec line in the init script. That worked great to start the server. But it doesn’t work to stop it or restart it. I clearly have no idea what I’m doing.

    Does anybody have an init script example?

  16. Hervé S.

    Hello,
    I am a relative newcomer to Linux (moving from a dozen years on macintoshes), and I landed here searching, initially, an app that would control outgoing accesses to internet on a per-application basis, like ‘Little Snitch’ does on OSX.

    I now am very interested in Firejail, and will certainly install it on our two machines over the week-end (laptops from the German Tuxedo that come preconfigured with Ubuntu Mate 16.04).

    But because of my sensitivity to outgoing network accesses, and seeing there already is a generic network control in Firejail, I’d like to know
    – if there are intentions to develop this particular area (e. g. learn modes à la Little Snitch which for instance will trigger a window first time an app tries to connect url xx, allowing to deny or allow, this time or forever, just this url/this domain/any address)
    – if otherwise Firejail would be compatible with other such network control apps. In this area any advice would be extremely welcome!

    Thank you very much, and congratulations for Firejail as it is already!
    Hervé

  17. Roger

    Hello, I got an update for firejail while using Linux Mint 18 today.
    $ firejail --version
    firejail version 0.9.46

    All of my profiles got deleted, here is what is left:
    -rw-r--r-- 1 root root 287 May 18 23:12 cherrytree.profile.dpkg-bak
    -rw-r--r-- 1 root root 628 May 21 05:44 default.profile
    -rw-r--r-- 1 root root 8779 May 21 05:44 disable-common.inc
    -rw-r--r-- 1 root root 1865 May 21 05:44 disable-devel.inc
    -rw-r--r-- 1 root root 519 May 21 05:44 disable-passwdmgr.inc
    -rw-r--r-- 1 root root 13447 May 21 05:44 disable-programs.inc
    -rw-r--r-- 1 root root 4034 May 21 05:44 firejail.config
    -rw-r--r-- 1 root root 494 May 21 05:44 login.users
    -rw-r--r-- 1 root root 774 Mar 27 13:22 nolocal.net
    -rw-r--r-- 1 root root 500 May 21 05:44 server.profile
    -rw-r--r-- 1 root root 992 Mar 27 13:22 webserver.net
    -rw-r--r-- 1 root root 972 May 21 05:44 whitelist-common.inc

    Everything else is gone. Including any custom profiles.
    Firefox, Thunderbird. All gone.

  18. Gordon Driver

    On Ubuntu 16.04.2 LTS, firefox crashes immediately using my launcher icon (with: firejail --private-home=.mozilla firefox %u). The Mozilla crash dialogue opens, and offers to close or restart firefox. If I choose restart, it runs fine, and according to the commands (firejail --private-home=.mozilla firefox %u), but never on first try, only when it crashes and is restarted from the Mozilla crash dialogue window.

    Worked without problems prior to updating from 0.9.44.

    I can live with it, but perhaps there is a simple fix for this irritation? (using firejail 0.9.46)

  19. Kent

    Minor typo found in Firejail Configuration Wizard Step 1:
    “Choose an application form the menus below” should be
    “Choose an application from the menus below” (change form to from)

  20. blub

    Hello, if I try to run firefox in the sandbox, it crashes, followed by the Mozilla Crash Reporter. If I press the “restart” button on the crash reporter it works fine.
    This only happens if run via firejail. I use latest arch with latest ff.

      1. Gordon Driver

        Hi again, I saw this and thought I could add that making the changes you specified did not fix the problem. I have exactly the same behaviour.

        The output from “firejail firefox” in my case (assuming it helps somehow):
        p:~$ firejail firefox
        Reading profile /etc/firejail/firefox.profile
        Reading profile /etc/firejail/disable-common.inc
        Reading profile /etc/firejail/disable-programs.inc
        Reading profile /etc/firejail/disable-devel.inc
        Reading profile /etc/firejail/whitelist-common.inc
        Parent pid 854, child pid 855
        Blacklist violations are logged to syslog
        Child process initialized in 76.19 ms
        [7] ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 3 requests ago: file /build/firefox-IKSm1A/firefox-53.0.3+build1/toolkit/xre/nsX11ErrorHandler.cpp, line 147
        [7] ###!!! ABORT: X_ShmPutImage: BadValue (integer parameter out of range for operation); 3 requests ago: file /build/firefox-IKSm1A/firefox-53.0.3+build1/toolkit/xre/nsX11ErrorHandler.cpp, line 147
        ExceptionHandler::GenerateDump cloned child 58
        ExceptionHandler::SendContinueSignalToChild sent continue signal to child
        ExceptionHandler::WaitForContinueSignal waiting for continue signal…

        …to this point, all that has happened is the mozilla crash window opening. If I press “restart firefox” here is the rest of the output (firefox now running):

        (crashreporter:63): IBUS-WARNING **: Unable to connect to ibus: Timeout was reached

        (crashreporter:59): Gdk-WARNING **: crashreporter: Fatal IO error 11 (Resource temporarily unavailable) on X server :0

  21. herolt

    Hello,
    is it possible to start Tor Browser by Firetools? I tried with Version 0.9.46 browsing file system and choosing “start-tor-browser.desktop”, but this didn’t work. Is there a simple way to implement Tor Browser in Firejail and can it be done by Firetools?
    Thanks for reply.

    1. netblue30 Post author

      In a terminal, go into tor-browser_en-US directory and start it like this:

      $ cd tor-browser_en-US/
      $ firejail ./start-tor-browser.desktop 
      Reading profile /etc/firejail/start-tor-browser.profile
      Reading profile /etc/firejail/disable-common.inc
      Reading profile /etc/firejail/disable-devel.inc
      Reading profile /etc/firejail/disable-passwdmgr.inc
      Reading profile /etc/firejail/disable-programs.inc
      Parent pid 3937, child pid 3938
      Blacklist violations are logged to syslog
      Child process initialized in 104.55 ms
      Launching './Browser/start-tor-browser --detach'...
      [...]
      

      Firejail will recognize it and pick up /etc/firejail/start-tor-browser.profile file for security settings. You can play around with this file and customize it. Firetools launcher will not recognize it by default (there is no way to tell where the browser is installed), but you can right-click on an empty spot in the launcher and edit the program in.

  22. emanuel

    Hello, I am trying to set up firejail to allow non-root users bind TCP ports setcap cap_net_bind_service+ep /usr/bin/python

    (non-chroot)
    >firejail --debug --noprofile --caps.keep=setgid,setuid,net_bind_service,chown --net=br1 --ip=10.10.20.2

    >firejail@knote05:~$ python -m SimpleHTTPServer 80
    >Serving HTTP on 0.0.0.0 port 80 …

    (chrooted)
    >firejail --noprofile --caps.keep=setgid,setuid,net_bind_service,chown --net=br1 --ip=10.10.20.2 --chroot=firejail-root-dir/
    >I have no name!@knote05:~$ python -m SimpleHTTPServer 80
    >bash: /usr/bin/python: Operation not permitted

    1. netblue30 Post author

      When you start the server as a regular user, the kernel will not allow it to bind to port 80. It doesn’t matter if you are in a sandbox or not, the kernel does its own checking.

      What you need to do is to start the sandbox as root (seccomp and everything else still applies), inside the sandbox start the server also as root, and in the server code drop privileges and become a regular user after binding to port 80.

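
The bind-then-drop sequence described in the reply above, as an added example that is not part of the original thread or of Firejail: a small Python 3 file server that binds its port while still root and then permanently switches to a regular account before serving any request. The function names, the default account "nobody" and the backlog value are assumptions of this example.

```python
#!/usr/bin/env python3
"""Bind a privileged port while root, then permanently drop to a regular user."""
import os
import pwd
import socket
import sys
from http.server import HTTPServer, SimpleHTTPRequestHandler


def bind_listener(host, port):
    """Create the listening socket. For ports below 1024 this is the only
    step that needs root (or CAP_NET_BIND_SERVICE)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(uid, gid):
    """Switch to uid/gid for good. Returns False when the process was not
    root to begin with, True after a verified drop."""
    if os.geteuid() != 0:
        return False
    # Order matters: groups and GID must change while we are still root.
    # Inside a sandbox this needs the setuid and setgid capabilities kept.
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)  # as root this sets the real, effective and saved UID
    # Verify the drop is permanent: regaining root must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop failed: process can still become root")
    if 0 in os.getresuid() or 0 in os.getresgid():
        raise RuntimeError("privilege drop incomplete: a root ID remains")
    return True


def make_server(sock, handler=SimpleHTTPRequestHandler):
    """Build an HTTPServer around an already bound and listening socket."""
    httpd = HTTPServer(sock.getsockname(), handler, bind_and_activate=False)
    httpd.socket.close()  # discard the unbound socket the constructor made
    httpd.socket = sock
    httpd.server_name, httpd.server_port = sock.getsockname()[:2]
    return httpd


def main(argv):
    port = int(argv[1]) if len(argv) > 1 else 80
    account = pwd.getpwnam(argv[2] if len(argv) > 2 else "nobody")
    sock = bind_listener("0.0.0.0", port)          # needs root for port 80
    dropped = drop_privileges(account.pw_uid, account.pw_gid)
    print("listening on port %d as uid %d (dropped=%s)"
          % (port, os.getuid(), dropped))
    make_server(sock).serve_forever()              # runs as the regular user


if __name__ == "__main__":
    main(sys.argv)
```

Started as root, the process holds root only for the bind; started as a regular user on port 80, it fails at bind with a permission error, which is the kernel check the reply describes.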
  23. Jason

    …runs on any Linux computer with a 3.x kernel version or newer. A lot of 2.6.32 kernels are still out there, does firejail not fully support 2.6 kernels?

  24. xubuntu user

    Q: As of today, 2017-07-18, for the now-current Xubuntu 16.04.2 LTS release, the firejail version 0.9.38.10 appears to be available from the main ubuntu repository, while 0.9.48 seems to be the latest current firejail program version.

    If I would like to keep using an older program version 0.9.38.10 on my system, is it safe to use the newest default app profile files, included with the latest program version 0.9.48?

    Will these newer profiles be fully understandable by the older firejail 0.9.38.10? If not: what I need to avoid, when editing them manually? Is there any way, how to check if my older version of program fully understands any particular app profile file?

    Many thanks for all the work on the firejail software!

    1. xubuntu user

      Just found an answer to one of my questions:
      – Is there any way, how to check if my older version of program fully understands any particular app profile file?

      I guess this should work too:

      in a terminal run a simple sandbox with your profile:
      $ firejail --profile=path_to_your_profile_file
      It will complain if it finds a problem with the profile file.

  25. Patrick

    Thank you for this excellent tool.
    I’d like to mention the following issue: using the firejail command a user/process can execute files without having the necessary access rights to do so.
    A test using firejail 0.9.48:
    user@debian:~$ ls -l /usr/bin/mousepad
    -rwx------ 1 root root 223256 mei 22 2013 /usr/bin/mousepad

    user@debian:~$ /usr/bin/mousepad
    bash: /usr/bin/mousepad: Permission denied

    user@debian:~$ firejail /usr/bin/mousepad
    Reading profile /etc/firejail/mousepad.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Parent pid 18801, child pid 18802
    Blacklist violations are logged to syslog
    Child process initialized in 41.23 ms
    … and the mousepad window opens

    One could see this as an advantage because, setting these access rights, the user can’t mistakenly execute the given program without using the firejail sandbox. Nevertheless it leaves an uncomfortable feeling knowing I (or a script I execute) could execute a file even if I removed my access rights to it.

    1. netblue30 Post author

      This is definitely a bug, thank you for reporting it. I put a fix in git, it will go live in the next release sometime in August. Any other problems, just let me know!

  26. Cat

    Hello, I just installed the latest 0.9.48-1 on Linux Mint 18.1 Cinnamon, and was impressed with the extra security measures, but unfortunately have had to remove it as it blocked dropbox. My dropbox folder was still there, but the dropbox installer immediately started up, but then reported it could not install, querying if there was no internet etc. There was no panel icon for dropbox and no way to transfer between ipad/pc. I’d love to use firejail again, and thank you for developing it. A poster on the LM forum kindly advised I post here and that it could be a profile issue, so if I may ask further. Thank you for your time.

  27. Cat

    Just to update further, what has just provided a fix was replacing the dropbox.profile with one that a poster on the Linux Mint forum kindly uploaded. At no stage would any terminal commands work regarding trying to copy that over, or alter settings in the dropbox.profile, and Xed is opening windows separately, both before and after the issue fixing. After overwriting dropbox.profile, running --version showed all firejail functions running except AppArmor, and --tree showed it working with both dropbox and opera. Hope this is helpful.

  28. fred

    I’m on ubuntu and installed through their package-management (firetools 0.9.44-1) and manually created an entry for a program which is installed inside my $HOME.
    Because no icon is created inside the firetools: how to manually add an icon for that entry?

    1. netblue30 Post author

      You need to put an icon file (png, jpg or svg) with the same name as your application in ~/.config/firetools. For example, if you create an entry with the name “app22”, you then add an app22.png file in ~/.config/firetools.

  29. FJedjit

    Sorry, I had this under ‘Documentation’ but moved it to Support -hope that’s okay.

    I’m using PCLOS KDE5. Firejail came with several apps already firejailed and I totally loved that. Now I’d like to firejail seamonkey and trying to do so in the terminal brings:

    [xxx@localhost ~]$ firejail seamonkey
    Reading profile /etc/firejail/seamonkey.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 14600, child pid 14601
    Blacklist violations are logged to syslog
    Child process initialized in 26.07 ms
    /bin/bash: seamonkey: command not found

    Parent is shutting down, bye…
    [xxx@localhost ~]$

    I tried the configuration wizard -couldn’t figure out how -everything in the sandbox seems to be in /usr/bin but seamonkey is in /usr/lib64/seamonkey/seamonkey %u

    I’ll stop now as I don’t know the devil what I’m saying -hope someone can shed some light on how to get seamonkey in the sandbox. thx

      1. FJedjit

        I should have added that I firejailed it the easy ‘old-fashion?’ way instead:
        firejail /usr/lib64/seamonkey/seamonkey %u
        It worked but I’d love to see it in Firelauncher.

      2. netblue30 Post author

        I’ll add support for seamonkey in the launcher in the next release of firetools.

        You can also add it there yourself. Right-click with your mouse on an empty place in the launcher and press Edit.

  30. alsauser

    > The setup is fast, typically several milliseconds.
    I just installed FireJail 0.9.48 and XPRA 2.0.3 on a new Debian Stretch system. Even when everything is cached in memory, I’m finding it takes a full 5 seconds to launch an instance of FireFox-ESR (--x11=xpra --net=br0). Is there any way to “instrument” the setup process so that I can see what the time-consuming pieces are (and how I might improve them)? By way of comparison, I can launch a VirtualBox snapshot to a FireFox browser in less than 3 seconds … Thanks!

  31. FireCloud

    Is it possible that a firefox add-on will require changes to the default firejail profile of firefox? (I do not fully know what add-ons are capable of.) In other words, is the firejail profile of firefox written without add-ons in mind? Are some good add-ons like HTTPS Everywhere, uBlock origin OK to be used with firejail?

  32. Flappy Dragon

    1. Is multiprocess firefox OK with firejail?
    2. If I use firefox and ufw (uncomplicated firewall) on Ubuntu, and then use --net=eth0 in firejail command line, can ufw be bypassed if there is a chance? (I am a newbie, sorry if it is stupid 😦 ) If ufw can be bypassed then how to fix it?

    1. netblue30 Post author

      1. It should be fine, we’ve seen it running on several distros. If you run into problems, please let us know.

      2. ufw doesn’t have support for network namespaces. Whenever we start a new network namespace, we also install a new network filter. You’ll find the filter documented in “man firejail” in the --netfilter section. It is a very restrictive filter, basically it doesn’t allow any incoming connections. You can also customize this filter and replace it with your own.

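A custom filter of the kind the reply above mentions, as an added example that is not part of the original thread or of the Firejail project. The ruleset is constructed for illustration, `write_filter` and `inbound_closed` are hypothetical helper names, and `eth0` is the interface from the question.

```shell
#!/bin/sh
# Added example: a custom filter for "firejail --net=eth0 --netfilter=FILE".
# The ruleset is constructed for illustration; write_filter and
# inbound_closed are hypothetical helper names.

# Write an iptables-restore style ruleset: no new inbound connections,
# outbound limited to DNS and HTTP/HTTPS.
write_filter() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Succeed only if the file keeps inbound closed: INPUT policy is DROP and
# the only INPUT ACCEPT rules are loopback or RELATED,ESTABLISHED replies.
inbound_closed() {
    grep -q '^:INPUT DROP' "$1" || return 1
    ! grep -E '^-A INPUT .*-j ACCEPT' "$1" \
        | grep -vE -e '-i lo ' -e '--state RELATED,ESTABLISHED' \
        | grep -q .
}

filter=$(mktemp)
write_filter "$filter"
if inbound_closed "$filter"; then
    echo "inbound closed; start the sandbox with:"
    echo "  firejail --net=eth0 --netfilter=$filter firefox"
else
    echo "filter accepts new inbound traffic: $filter" >&2
fi
```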
  33. Dizzy Guy

    --private-home shows a home folder with a small number of files & folders inside the firejail & all changes made to home are temporary. But what about changes made to any place outside of home (if possible)? Any change made to any place (including outside of home) is temporary, right? If not, then how to do this?
    Thanks for making firejail!

    1. netblue30 Post author

      > Any change made to any place (including outside of home) is temporary, right?

      With few exceptions such as /tmp, /var/tmp, /media, /mnt, the rest of the system is mounted read-only, not even root can modify them.

      You can also use the other private-* command options to make the other directories behave as private-home.

      1. Bot 2314

        You wrote:

        “With few exceptions such as /tmp, /var/tmp, /media, /mnt, the rest of the system is mounted read-only, not even root can modify them.”

        Does it mean that directories not mounted read-only are mounted as read-write and the changes will persist? Or the changes will vanish after the sandbox is closed? Just trying to get rid of my confusion

      2. netblue30 Post author

        Yes. Some directories will be mounted read-write. You can also create a top level directory, change the ownership to your regular user and use it to store files visible in all sandboxes:

        $ sudo mkdir /common
        $ sudo chown username:username /common

      3. M Jones

        If
        $ firejail --overlay-tmpfs --private-home=/path/to/dir firefox
        is used instead of
        $ firejail --private-home=/path/to/dir firefox
        then read-write directories because of --private-home will not store their changes, am I right?
        If I want to store the changes, I can use
        $ firejail --overlay-named=name --private-home=/path/to/dir firefox
        Is this OK?

      4. netblue30 Post author

        --private-home is not supported in overlay, there will be full access to your real home directory. You will get a warning like this when you start the sandbox:

        Warning: private-home= feature is disabled in overlay

        However, because of the overlay, all the changes will go in overlay and not in your real home directory.

        “firejail --overlay-named=name --private-home=/path/to/dir” should store the changes. For the home directory the changes

  34. Lettuce

    How to use firejail with firefox-*.tar.bz2? After extracting if I do this
    $ firejail --private ./firefox
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 7906, child pid 7907
    Warning fseccomp: –protocol not supported on this platform
    Blacklist violations are logged to syslog
    Child process initialized in 55.81 ms
    Error: no suitable ./firefox executable found

    Parent is shutting down, bye…
    What is the proper method?

    1. netblue30 Post author

      How come you don’t have seccomp in your kernel? What distribution are you using? The sandbox will work without seccomp, but it would be nice to have.

      > firejail --private ./firefox

      This will not work. --private will replace your home directory with an empty, temporary filesystem and firefox will disappear inside the sandbox.

      One way to do it is to unpack firefox-*.tar.bz2 in the /opt directory. This way, when you say --private, firefox will not disappear. The /opt directory was specially built for installing additional software.

  35. Bot 2314

    If a sandboxed program tries to do something that is blocked, I think there should be a visual alert instead of just logging it (for all types of breakout attempts).

    Think like this:
    I open a sandboxed firefox and then decide to do bank-related stuff. First I decide to stay on the bank’s website for a while. While doing that, firefox gets attacked from outside somehow.

    Now if I get a visual alert that something bad is trying to happen, I can decide if I want to take the risk of entering my private information on the bank’s login page. The other option is to close the sandbox and find out what is happening.

    But if the breakout attempt is only logged, I will not know that something bad was out there and it will be a great risk to enter my personal details. I will not know that because I will be looking at firefox. Producing warning text on terminal will also fail.

    So every blocked event should produce a visual alert when there is a breakout attempt.

    Also if a complete error report is created, I can just post it here or on github. 🙂

    1. netblue30 Post author

      You are right, we need some sort of visual alert on the desktop, maybe using the current notification system already implemented by all desktop managers. I’ll look into it.

  36. ToffeeYogurtPots

    Hi, I’m having a lot of trouble after running firecfg, mainly with gnome programs and their back-ends. For example, I use gnome-ring as a Skype alternative which requires dring. By default firejail uses its restrictive profile on dring which breaks gnome-ring entirely (you cannot access your account at all).

    Likewise the new Gnome calendar (California) does not work under firejail. It uses evolution-data-server (specifically evolution-calendar-factory) as a back-end. When firejail uses its restrictive profile it breaks California (no calendar dates are displayed or saved).

    I’m a little out of my depth trying to figure this out. To fix this all I need to do is allow gnome-ring to access dring and likewise allow California to access evolution-calendar-factory. How would I do this?

    1. netblue30 Post author

      We are bringing support for gnome-ring in the next release. You can try the version on GitHub, it will be released in the next few weeks.

      I have to look at gnome calendar.

  37. Dragon

    github.com/netblue30/firejail/issues/1491

    If this is fixed, it will also help in experimenting with programs and getting out of dependency hell caused by open source trusted programs. Different persistent overlays for different programs. Not every program is available as snap/flatpak/appimage right now and appimages are not officially made by the program authors most of the time.

    Another feature will be great: the ability of having a folder which can be accessed read-write by all firejails and the host (or selected firejails and the host if that is better), I mean a common shared folder. This will make file transfer easier. Being able to do it in a GUI way will be the best option.

    Cheers 🙂

    1. netblue30 Post author

      Thanks for suggestions.

      > Another feature will be great: the ability of having a folder which can be accessed read-write by all firejails

      At this moment the Downloads directory in your home is shared by all sandboxes, unless you use --private, which hides everything.

      You can also create a top level directory and change the owner to your regular user:

      $ sudo mkdir /common
      $ sudo chown username:username /common

      Change username above with your user name.

  38. Lord of Lords of Rings

    Sandboxes like firejail are programs which try to restrict or control other programs in every possible way.
    And containers like LXD, LXC, docker just try to do some minimum things to control or restrict a program.

    This is what I think about sandboxes and containers, I came up with it myself.

    So firejail is better than LXD, LXC, docker, or are there ways in which those are better?
