Firejail – A Security Sandbox for Mozilla Firefox, Part 1

We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.

Introducing Firejail

The software is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. Firejail is included in Ubuntu 15.10 and Debian testing. For other distributions, the download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)

An Arch Linux package is available in AUR.

Mozilla Firefox

The command to start Firefox in a Firejail sandbox is:

$ firejail firefox
or
$ firejail --debug firefox
Firefox browser running in a Firejail sandbox

Firefox browser running in a Firejail sandbox

The sandbox runs a chroot filesystem built on the fly on top of your current filesystem. Directories are either mounted read-only or totally cleared, files with passwords and encryption keys are blocked, and your private information in user home directory is unavailable. In fact, only two directories are imported from your home, ~/.mozilla and ~/Downloads. All the modifications in these directories are persistent. Everything else is created in a temporary filesystem and will be discarded when the browser is closed.

Firefox home directory.

Firefox home directory.

The way the filesystem is build is controlled from /etc/firejail/firefox.profile, modifying it is pretty straightforward.

Firejail uses a number of security filters to enforce the chroot:

  • Seccomp-bpf is a mechanism to reduce the range of operations available to a given process, by blacklisting specific system calls. It was introduced in Linux kernel 3.5. The filter implemented in Firejail currently disables a large number of system calls, reducing this way the kernel attack surface. Seccomp-bpf is enabled by default for Mozilla Firefox.
     
  • Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities (POSIX 1003.1e). The feature provides fine-grained control over superuser permissions. To further reduce the attack surface and enhance the security, Firejail disables all capabilities. The feature is enabled by default for Mozilla Firefox.

     
  • Firejail runs Firefox in an user namespace. The namespace has only one user defined, the current user. There is no root user account defined inside the namespace. The sandbox enables the namespace by default based on the version of the kernel running the system.

     
    • Although most security features are enabled by default, a number of features are only enabled using command line options:

      • In private mode Firejail mounts empty temporary filesystems (tmpfs) on top of user home directory and /tmp. Closing the sandbox will discard any new files created in these directories, including ~/.mozilla and ~/Downloads.

        Private mode always starts the browser with factory defaults, protecting it from malicious addons and plugins the user might have installed in the past. It is mainly used for accessing bank websites and alike:

        $ firejail --private firefox
        
         

        For more information about private mode and high security browser setups see part 3 of this series.

         
      • A network namespace is one of the most interesting security options provided by the Linux kernel. It is basically a brand new TCP/IP networking stack created for the sandbox, coming with its own routing table, set of network interfaces, and most important its own iptable/netfilter module. Attaching a network namespace to your browser sandbox is described in part 3 of this series.
         
      • Small home routers connecting us to our Internet service provider are ridiculously insecure. Bugs and backdors are actively exploited in these routers, the main target being the DNS server setup. Firejail provides a –dns option allowing the user to set its own DNS setting, without relaying on an external router:
        $ firejail --dns=8.8.8.8 firefox
        

      Chromium

      This is a Chromium web browser running inside a Firejail sandbox:

      $ firejail chromium-browser
      
      Chromium browser running in a Firejail sandbox

      Chromium browser running in a Firejail sandbox

      The chroot filesystem is similar to Mozilla Firefox, with only the configuration directory ~/.config/chromium and ~/Downloads imported form real home directory:

      Chromium home directory.

      Chromium home directory.

      The funny part is Chromium browser sandboxes itself in its own Linux namespaces SUID sandbox, so what you have here is a sandbox in a sandbox running a browser. Chromium sandbox is similar to Firejail, it implements its own seccomp filter, but it leaves the filesystem wide open.

      Midori

      There’s a new kitten on the block:

      $ firejail midori
      
      Midori browser running in a Firejail sandbox

      Midori browser running in a Firejail sandbox

      Midori is a very impressive browser build using WebKit and GTK+2/3. It is lightweight and fast, with a familiar interface. Compared to Firefox and Chromium, it will play your Donald & Daisy videos in less than half the memory.

      firejail --top

      Running Midori, Chromium and Firefox in firejail sandboxes, and using firejail –top command to print the resident memory size (RES) for each browser – measurements on Lubuntu 14.04

      Conclusion

      To conclude, it is important to mention Firejail was designed to be generic. It can run servers and GUI programs, or it can work as a login shell for SSH or telnet users. You can find more information about the sandbox on the project page. Also, Firejail was featured on Linux Action Show (LAS 333, at 0:10:15).

      Related Posts

      Advertisements

97 thoughts on “Firejail – A Security Sandbox for Mozilla Firefox, Part 1

  1. Pingback: Firejail – A Security Sandbox for Mozilla Firefox | SoftNews

  2. ajs124

    I maintain firejail in the arch user repository (it’s a bit behind, but I’ll update it soon) and really like it, but I have some problems with getting sound to work with pulseaudio and Firefox running inside a firejail. Is this a known issue and if not how should I debug it?

    Reply
    1. netblue30 Post author

      Thank you for building and maintaining fairejail packaged in Arch!

      Updated Sept 22:
      I think I have a fix for the problem. A new release is coming in the next few days. Thanks for letting me know!

      Reply
      1. ajs124

        I’ll sadly need a few weeks to test this, because I don’t have access to my main PC at the moment, but I’ll report back then.

  3. ppp

    I have modified /etc/chromium-browser/default

    CHROMIUM_FLAGS=”–disk-cache-dir=/dev/null –disk-cache-size=1 –incognito -start-maximized

    So when I try firejail chromium-browser I get:

    $ firejail chromium-browser
    Reading /etc/firejail/chromium-browser.profile
    Parent pid 3840, child pid 3841

    Interface IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP
    eth0 10.0.2.15 255.255.255.0 UP
    docker0 172.17.42.1 255.255.0.0 DOWN

    Child process initialized
    [1:29:0926/122128:ERROR:nss_util.cc(740)] Error initializing NSS with a persistent database (sql:/home/user/.pki/nssdb): NSS error code: -8174
    Created new window in existing browser session.

    parent is shutting down, bye…

    $

    It is still a nice tool, but may be you can elaborate a bit what does this mean.

    Reply
    1. netblue30 Post author

      > So when I try firejail chromium-browser I get:
      > …
      >Created new window in existing browser session.

      You already have Chromium running, the new process will create a new window in your old Chromium instance and shut down the new one. This is normal, it will happen with or without firejail.

      Both Chromium and Firefox try to keep only a single browser instance open. By default new instances are attached to the existing instance. There are some command line options to force multiple instances, if this is what you want.

      Reply
  4. Pingback: Links 26/9/2014: LibreOffice Celebrations, Betas of *buntu | Techrights

  5. aa

    I have some questions:

    1) I was trying firejail with dropbox, but somehow somehow firejail exists and dropbox does not start:

    $ firejail dropbox start
    Parent pid 2803, child pid 2804
    Interface IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP

    Child process initialized
    Starting Dropbox…Done!

    parent is shutting down, bye…
    $

    Is it possible to use use firejail with dropbox?

    2) All applications started on same X session can see the events of other applications (keyboard, mouse). Is it possible to prevent this via firejail? For example, now if I start firejail xev -id 0x2a00003, where 0x2a00003 is the ID of some existing GUI window, I get all events happening in that window, within firejail started xev too.

    3) Ubuntu uses AppArmor. If some application is protected by AppArmor and I start it via firejail, do the restrictions of both programs apply?

    Thank you.

    Reply
    1. netblue30 Post author

      > 2) All applications started on same X session can see the events of other applications

      This is the biggest problem x11 has in this moment. The Unix socket where the communication takes place is a public socket, and can be accessed by anybody running in the box. They say upcoming Wayland will have better session security and it will fix this kind of problems.

      The only thing I can think of in this moment is to blacklist some of the outrageous x11 executables such as xinput (I am blacklisting it in firefox.profile). Or when running servers blacklisting x11 libraries. However, this is not a fix, is more like security through obscurity.

      > 3) Ubuntu uses AppArmor.

      I didn’t try it yet with AppArmor, I have it on my to do list. Theoretically it should work, and both restrictions should apply. Ubuntu already has an LXC (Linux containers) profile for AppArmor, maybe something similar will be necessary for firejail.

      Reply
  6. aa

    I asked before about dropbox, I already found how to do it based on your examples:
    firejail “dropbox start && sleep inf”
    This seems to be working fine. The other two question still apply. Thank you.

    Reply
  7. ruan942

    Could you add a whitelist feature? Also, I’d like a way to be able to trace all files that are accessed during execution, this would be really useful for creating profiles.

    Whitelisting would work like this:
    (dropbox.profile)
    whitelist ${HOME}/.dropbox
    whitelist ${HOME}/Dropbox
    whitelist /opt/dropbox
    for example. The trace feature would help in case there are any other files it requires.

    Also, network blacklisting/whitelisting would be a bonus. This is currently only possible through iptables.

    Reply
    1. netblue30 Post author

      I’ll add filsystem whitelisting to my to do list, thanks. I’ll look also into network whitelist/balcklist.

      On the tracing side, until I figure it out, you can try for now to run all the sandbox under strace using -f flag, something like this:

      strace -f firejail yourprogram

      You will have to be root, however.

      Reply
  8. lAN

    Thank you for your post. Very enlightening. Kindly help me understand.. I thought the only way an application could access the /usr and /sbin folders was through sudo (as root)..

    Reply
    1. netblue30 Post author

      /usr, /sbin and almost all other directories in the box are accessible to everybody. You can check it out by doing a “ls -l /”. Most of them have read and execute permissions, some of them have also write permissions.

      Reply
  9. drinkmoreoil

    Very interesting project! I will give it a try.

    Two small things:

    1. Have you heard of https://github.com/thestinger/playpen ? It seems to have a similar purpose, but it is more minimalistic and less documented. Maybe your projects could profit from each other.

    2. Of course this is your own decision, but is there a particular reason why firejail is on Sourceforge as an SVN repo? IMHO it would make collaboration, issue tracking and viewing changes easier if you used git and hosted it on Github or something similar.

    Reply
    1. netblue30 Post author

      1. I know about it – there are quite a number of sandbox projects in this moment 🙂

      2. I am trying to keep it simple, maybe if the project grows I’ll consider something like Github.

      sf.net allows hosting of packages for download, with a large number of mirrors all over the world. If sf.net disappears tomorrow, the code will still be there on Internet.

      Reply
      1. ypid

        2. The main reason I would recommend to use git for this project is that git better integrates with tools like GPG which allows you as an developer to prove the integrity of your software. You do this already for releases by signing tar balls but this is not reflected by your source control system. I for example sign every git commit (and releases of course). SVN seems to not really address software integrity at all?
        Migration is really easy and you can keep all your history: http://stackoverflow.com/a/79178
        See also: http://doublecmd.sourceforge.net/forum/viewtopic.php?f=5&t=1742&p=13393#p13393
        I also think that GitHub would be nicer for collaborating.

  10. johnw

    When I start firefox with firejail (firejail firefox), I can not use ibus to input chinese.
    any idea to solve it? (my system is debian linux)

    Reply
      1. johnw

        Hi netblue30
        I found a workaround to solve it.
        create a firefox wrapper script like this

        ———————————————————————-
        #!/bin/sh
        env `grep ^I ${HOME}/.config/ibus/bus/*-unix-0` firejail firefox “$@”
        ———————————————————————–

        what is this file look like:
        cat .config/ibus/bus/4f807d482cba7003a685564153f3c5b7-unix-0

        ——————————————————————–
        # This file is created by ibus-daemon, please do not modify it
        IBUS_ADDRESS=unix:abstract=/tmp/dbus-6m048aXr,guid=8cc2812d84ec4472c8ea2880545bd8c3
        IBUS_DAEMON_PID=1448
        ———————————————————————————–

        thank you.

  11. gnomek

    I get error:
    Child process initialized
    (process:1): GLib-CRITICAL **: g_slice_set_config: assertion ‘sys_page_size == 0’ failed
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
    Can’t set previliges to configuration folder “/home/user/.gnome2_private/” in user folder to 0700: operation not permited
    parent is shutting down, bye…

    Can you help? I have no other instances of Firefox running.

    Reply
  12. gnomek

    Ok. I’ve found the solution. But is it safe?
    “Enable gnome_private directory. As root, open /etc/firejail/disable-secret.inc file in a text editor and comment out gnome2_private line (add a # in front of it). Like this:
    # blacklist ${HOME}/.gnome2_private
    This should allow firefox to use this directory.”

    Reply
    1. netblue30 Post author

      Some Gnome programs keep passwords in ${HOME}/.gnome2_private directory – evolution mail client for example. These passwords are in clear, and are readable by any program you run, so I disabled gnome_private directory for Firefox.

      What Firefox version are you using? I don’t see this on my version of Firefox. Anyway, enable gnome_private directory for now, I’ll look into it.

      Reply
  13. gnomek

    1. When I use this
    firejail –seccomp –private=/home/user1/downloads firefox
    I can see that when I do save a file in firefox it has access (at least it shows) folders that are outside of /home/user1/downloads
    also I can click into some root owned folders like /usr or /dev
    I don’t know if it secure or not. I’m asking just in case…
    Can I further restrict firejail so that in case there are bad scripts someone can’t see them or break of dedicated /home/user1/downloads folder?

    2.Is it possible to have different “profiles” for firefox, for example one for more important and secure sites like banking and second separate for unknown sites. And premise is that they would be so separate that if one gets “dirty” the second will remain secure.

    Forgive me if these is not a legit question. I use firejail just in case because I don’t understand what are the real threats of entering “bad” internet site I only read that it can be dangerous.

    Reply
    1. netblue30 Post author

      1. /bin, /lib, /lib64, /usr, /etc, /var are read-only. The user cannot modify them from Firefox. Other directories such as /boot, /sbin and /usr/sbin are seen as empty by Firefox. If you run it with –debug option it will give you a full list of filesystem modifications:

      $firejail –debug –seccomp –private=/home/user1/downloads firefox

      Absolute safety cannot be guaranteed, however,it will be much safer.

      2. That’s a good idea, I’ll have to implement it. I’m afraid in this moment it supports a single, common profile. I’ll try to release a test version next week, I’ll leave you a message here on this thread.

      The best thing you can do for accessing your bank is to start always in private mode like this:

      $ firejail –private firefox

      It creates a new, empty home directory. This way you always start fresh from a secure state, and anything you do there will be discarded when you exit Firefox.

      Reply
  14. gnomek

    A big thank you for PROFILES.

    1. Is it possible to run firejail with noexec, nosetuid entry for /tmp in /etc/fstab?

    2. Would it be possible to add option like blacklist all /home folders and subfolders exept of
    /home/specific_subfolder
    (a kind of whitelist)?

    The reason is: Firefox run in Firejail when open files, save files options are used can see other folders outside of –private=/home/folder_name. And I am affraid that (assuming I have some files in /home/user folder with private/personal information like CV’s etc.) someone who will use some bad scripts that I can catch while browsing will be able to have access to my information.
    Having just blacklist option I need to remember to place sensitive files only in blacklisted folders. Am I right?

    3. Strange but I can’t see any profile files stored in ~/.config/firejail directory.

    4. And additional information to profile usage
    firejail –profile=firefox.profile –seccomp –private=/home/user_name/folder_name firefox
    didn’t worked. I needed to give path to profile file
    firejail –profile=/etc/firejail/firefox.profile –seccomp –private=/home/user_name/folder_name firefox
    and it works.

    Reply
    1. netblue30 Post author

      1. I think only –trace option temporarily places a shared library under /tmp, and it will not work if /tmp was mounted noexec. Other than that, everything else should work.

      2. Instead of whitelisting use –private=some-directory. This will mount some-directory as /home/user inside the sandbox. For example, to run firefox set up a private directory (myfox in the example below) and move .mozilla and Downloads in that directory:

      $ cd ~
      $ mkdir myfox
      $ mv .mozilla myfox/.
      $ mv Downloads myfox/.
      $ ln -s myfox/Downloads Downloads

      Downloads is restored in /home/user as a symbolic link. Now, you can start firefox in the new home like this:

      $ firejail –private=~/myfox firefox

      As an example, I have a full Dropbox setup here:

      https://l3net.wordpress.com/2014/11/18/running-dropbox-in-firejail-sandbox/

      3. By default ~/.config/firejail directory does not exist. You can create it (mkdir ~/.config/firejail) and place your profile files there. Profiles in this directory will take precedence over profiles in /etc/firejail

      4. You have to specify full path for profile files. If you don’t specify a profile, firejail will look for a default profile such as program-name.profile first in .config/firejail/program-name.profile and then in /etc/firejail/program-name.profile. In Firefox case, there is a default profile in /etc/firejail/firefox.profile.

      Reply
      1. sullybear

        When I follow instructions above and issue ‘firejail –private=~/myfox firefox’ I get an
        error: the two home directories must have the same owner, aborting…
        everything looks to be owned by me:me or me:users, not sure where the permission issue lives.

      2. netblue30 Post author

        This is definitely a bug! I’ll have it fixed in the next version. Thank you for reporting it.

        Workaround:

        It seems, the software checks both the user and group. For now, set ~/myfirefox directory with exactly the same user:group as you real home directory (“chown me:users ~/myfirefox” or “chown me:me ~/myfirefox”).

  15. gnomek

    Could you help, please. I can’t run Opera.

    firejail –profile=/media/data/jailkonf/.config/jail.profile –seccomp –private=/media/data/jail/ opera
    Reading /media/data/jailkonf/.config/jail.profile
    Reading /etc/firejail/disable-mgmt.inc
    Reading /etc/firejail/disable-secret.inc
    Parent pid 4540, child pid 4541
    Interface IP Mask Status
    lo **** 255.0.0.0 UP
    eth0 **** 255.255.255.0 UP

    Child process initialized
    The setuid sandbox is not running as root. Common causes:
    * An unprivileged process using ptrace on it, like a debugger.
    * A parent process set prctl(PR_SET_NO_NEW_PRIVS, …)
    Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

    I don’t understand where is the problem because I start Firefox with the same command (within the same jail) and it works.

    Reply
    1. netblue30 Post author

      I’ll have to try it out. Probably they are already using namespaces to control it. I’ll put a fix in the next version, thank you for letting me know.

      Reply
  16. Nick

    I can’t enter the jail unless I’m root. I changed the permissions of /usr/local/bin/firejail to the user, and it still gives me permission denied. Anyone have any ideas?
    firejail iceweasel
    bash: /usr/local/bin/firejail: Permission denied

    Reply
  17. Russell Allen

    Hi!
    Thanks for your work on firejail. Its simplicity is really useful.
    I like the new ability to specify syscalls to be excluded. Is it possible to also allow the core syscall list to be selectively specified too? I realise this isn’t something you’d want to encourage but it would be very useful if only for working out which syscalls are causing the sandboxed binary to be terminated.
    Russell

    Reply
    1. netblue30 Post author

      Hi Russel! I still have no idea how to approach syscall whitelisting. In order to start the sandbox and set namespaces and all other features, I need all kind of syscalls active, many more than what the actual sandboxed program would require. Only the /bin/bash session where the program runs would bring in about 40 syscalls. Somehow I have to find a way to apply the seccomp filter after the program was started. I’am looking into it.

      Reply
      1. Russell Allen

        Hi!
        Whitelisting would also be great, but what would be useful now is simply an extension of the blacklist facility so that I can start with an empty blacklist and selectively add. At the moment I always have to blacklist the core list of dangerous syscalls. Some of these break my software; if I start with an empty blacklist and can add them one at a time then I can hopefully find which ones are causing the issue.

        ie something like:

        firejail –unsafeseccomp=mount ./myprog

        would only blacklist mount, not iopl or ioperm etc

        That is, same as –seccomp= but without the initial list of dangerous syscalls.

        Cheers! Russell

  18. johnw

    Hi, if I run firejail /usr/bin/firefox, then the cfg.command become to ‘/usr/bin/firefox’,
    so firejail will not find firefox.profile to use

    Reply
  19. johnw

    I have a ‘no sound’ problem when I run firefox with firejail in lxc.
    if I remove setgroups(0, NULL) in src/firejail/list.c can fix the issus.
    I need audio group to make firefox sound work.

    debian@lxc:~$ id
    uid=1000(debian) gid=1000(debian) groups=1000(debian),29(audio)

    debian@lxc:~$ firejail
    [debian@debian ] id
    uid=1000(debian) gid=1000(debian) groups=1000(debian)

    please help, thank you

    Reply
    1. netblue30 Post author

      I’ll have to try it out. What version of lxc you have? Is your system a Debian wheezy?

      If you are using PulseAudio, somehow firefox cannot connect to pulseaudio socket.

      Or, if you are running ALSA, you need to make sure you don’t restrict the audio devices under /dev in lxc configuration. ALSA is accessing /dev directly. lxc config has some lxc.cgroup.devices entries, comment them out.

      Reply
      1. johnw

        My system is Debian/unstable/i386, but lxc version is 1.0.7-1 (debian experimental package)

        yes, I think firefox want to direct access /dev/snd/controlC0,
        and /dev/snd/controlC0 need the user has audio group permission to read/write,

        ls -l /dev/snd/controlC0 –> 660 root:audio

        but firejail will run setgroups(0, NULL) to remove group list,
        not lxc restrict the audio devices

        why you want firejail run setgroup(0, NULL) in src/firejail/list.c ??
        it restrict firefox to access /dev/snd/controlC0.

        thank you. (sorry, for my very bad english)

      2. netblue30 Post author

        Try this:

        Start lxc, run id, then run firejail (without any program, just a simple bash session), then run id again and speaker-test. Something like this:

        debian@lxc:~$ id
        debian@lxc:~$ firejail
        [netblue@debian~]$ id
        [netblue@debian~]$ speaker-test

        Do you hear any sound? And what is id reporting?

        Update: I think I know what the problem is. setgroups call is bad, dropping all groups. Instead it should set the supplementary groups for the regular user. As a result, the user inside the sandbox does not belong to audio group.

        I have created a ticket at https://sourceforge.net/p/firejail/tickets/4/

        I’ll try to put a fix in for the next release. If not, it will go in the one after.

        Thank you for reporting the problem!

      3. johnw

        Hi, I think dropping all groups is not bad all, for security reason, it is good to drop all permission when you don’t need. maybe you can make the option to disable it –no-dropgroups, like –seccomp / –caps does.

        Anyway, thank you.

      4. johnw

        HI, please also add the keyword(nogroups) to profile

        — src/firejail/profile.c.orig 2015-01-30 21:16:25.968000000 +0000
        +++ src/firejail/profile.c 2015-01-30 21:14:52.000000000 +0000
        @@ -95,6 +95,10 @@
        arg_private = 1;
        return 0;
        }
        + else if (strcmp(ptr, “nogroups”) == 0) {
        + arg_nogroups = 1;
        + return 0;
        + }

        // seccomp list
        if (strncmp(ptr, “seccomp “, 8) == 0) {

  20. scoobs

    I have icecat firejailed and then I want to start another instance of icecat
    not sharing the same sandbox (not the same tmpfs I guess since I am running –private)

    When I do it know another window in the same sandbox appear?
    As displayed with firejail –list

    How to have multiple sandboxes of the same program

    Reply
    1. netblue30 Post author

      For most programs, you can run multiple sandboxes. Firefox somehow enforces only one instance of the program, regardless if you run it in a sandbox or not. I guess they do it in order to preserve the memory and cpu resources consumed by the application.

      Reply
      1. scoobs

        Allright thought it was you who did something for some reason.

        I can happily report when I use “icecat –new-instance” it works as I wanted

  21. Pingback: Sandbox Firefox with Firejail (1) | 0ddn1x: tricks with *nix

  22. gm

    Hi, is it possible to run a video player like VLC or SMplayer by allowing it access to videos in filesystem, while blocking its access to the internet? Thank you.

    Reply
      1. gm

        Thanks, it works.
        Is it possible to combine Firejail with TorBrowser, with the profiles you made for Firefox? (TorBrowser has full access to .gnupg folder contents of same user)
        It will useful if you will write a separate blog article post about this if it is difficult to do.

      2. gm

        “$ firejail –profile=/etc/firejail/firefox.profile ./start-tor-browser”
        Yes, this command works. I can’t see .gnupg folder contents from Tor Browser now. (which is how it should be! …I think firejail should be default in all GNU/Linux systems 🙂 )

        I checked firefox profile and the “include” files also. Is it possible to add “–net=none” as a line in a profile or one of these include files? Then one shall add it to profile of vlc and do away with typing net=none everytime. Sorry for reply to wrong comment, but I don’t seem to see “reply” button on your latest comment.

        Suggestions:
        1) Good to add ~/.purple under default blacklisted folder-list, because it has private OTR keys for pidgin or other libpurple using chat clients.
        2) Please put up files in Github, as Sourceforge doesn’t provide SSL/TLS protection 😦
        3) Sign the source files and binaries please. 🙂

  23. lirazsiriiri

    firejail looks really nice!

    Unfortunately there’s an ancient insecure by design flaw in the X graphics server that limits
    the usefulness of something like firejail.

    The problem is that X itself doesn’t have decent security isolation
    between apps, by design. Any program that has access to X can access all
    events on X including all of your keystrokes, taking screenshots /
    movies of your activity and also initiating events (inserting
    keystrokes). So even if you put a GUI Linux program in a bulletproof
    jail it still has access to your X server and the attacker can not only
    passively monitor everything you but also take control of any terminal
    window (for example) and su to root with with the root password he
    captured earlier.

    To make it more difficult for the attacker you need to set things up so
    the program connects to a nested X server (e.g., xnest) instead of
    having direct access to the main X server.

    Yada yada.

    Reply
    1. netblue30 Post author

      Xorg listens on both /tmp/.X11-unix/X0 in the filesystem and /tmp/.X11-unix/X0 in the abstract namespace (generally written @/tmp/.X11-unix/X0). Using a nested X server will not solve the problem because the abstract socket namespace is globally accessible,. The intruder will go after the main x11 stack, not the one where the program is running.

      They say Wayland will solve this issue.

      Reply
    1. netblue30 Post author

      Yes, actually this is how I run it myself. –caps is not necessary, it does it by default for firefox. This is what I have in mine:

      Exec=firejail firefox %u

      Reply
  24. sullybear

    Thank you for the permissions fix! It worked. I notice that the title bar in firefox shows “(as superuser)” is that normal? Or did I goof a setting? How do I test that I’m ‘sandboxed’?

    Reply
    1. netblue30 Post author

      The sandbox process itself runs as root. The application inside the sandbox runs as a regular user. I don’t know why firefox shows as superuser, “ps aux | grep firefox” reports it as a regular user. I would say is a bug in firefox.

      To check if you are in a sandbox, in a terminal run “firejail –tree”. It will list all running sandboxes and the processes inside.

      Reply
  25. Clara

    After some time messing with SELinux Grsecurity and AppArmor I found Firejail in the Arch Linux Wiki and I really like how it works and how simple it is, but I’m having a problem with Firefox and Firejail (under Arch Linux 64). Whenever I start Firefox with Firejail (no options, just ‘firejail firefox’), it doesn’t write anything in the ~/.mozilla directory, so whenever I restart Firefox it’s not configured…

    This is the optput:

    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Warning: user namespaces not available in the current kernel.
    Parent pid 894, child pid 895
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
    Child process initialized
    2015-12-08 03:09:37: basic_code_modules.cc:70: ERROR: Module /usr/lib/firefox/liblgpllibs.so could not be stored
    2015-12-08 03:09:37: basic_code_modules.cc:70: ERROR: Module /usr/lib/libsystemd.so.0 could not be stored
    2015-12-08 03:09:37: basic_code_modules.cc:70: ERROR: Module /usr/lib/libnss_myhostname.so.2 could not be stored
    2015-12-08 03:09:37: basic_code_modules.cc:70: ERROR: Module /usr/lib/firefox/components/libdbusservice.so could not be stored

    I think I’m missing something obvious here…

    Reply
    1. netblue30 Post author

      > it doesn’t write anything in the ~/.mozilla directory, so whenever I restart Firefox it’s not configured…

      If ~/.mozilla directory doesn’t exist before the sandbox is started, it will be discarded when the sandbox is closed. It is a bug, I’ll have it fixed in the next version.

      Workaround: run firefox once without the sandbox, so it creates .mozilla directory and stores a default configuration there. After that you shut it down and start it in the sandbox.

      Reply
  26. Nick

    Hello

    I have a problem with firejail and pulseaudio.
    Everytime when i start firefox with firejail, i can only hear sound in firefox, but nothing more in the rest of the system. When i start vlc player, i receive a warning message thats pulseaudio didnt work. After closing firejail, a complete pc restart is needed for pulseaudio to work again. The same problem comes up with chromium too.
    I work with Debian Testing and Cinnamon 2.8.

    Sorry for my english, i am not a native speaker.

    Reply
  27. humberthuxley

    When I run: firejail chromium
    I always get these warnings:
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted

    And I can access /bin, /sbin and /usr/sbin from chromium. Is it still safe or is something wrong?

    Reply
    1. netblue30 Post author

      Disregard it. This happens usually on Arch Linux or Fedora where all executables are stored under /bin, and everything else is a symbolic link to /bin.

      Reply
  28. Earving Arciga

    I am unable to run Vivaldi-web-browser with firejail under Archlinux. This is the output.

    $ firejail vivaldi-stable
    Reading profile /etc/firejail/vivaldi-stable.profile
    Reading profile /etc/firejail/vivaldi.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-devel.inc
    Reading profile /etc/firejail/whitelist-common.inc
    Parent pid 2847, child pid 2848
    Warning: /sbin directory link was not blacklisted
    Warning: /usr/sbin directory link was not blacklisted
    Child process initialized
    The setuid sandbox is not running as root. Common causes:
    * An unprivileged process using ptrace on it, like a debugger.
    * A parent process set prctl(PR_SET_NO_NEW_PRIVS, …)
    Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

    Parent is shutting down, bye…

    Reply
    1. netblue30 Post author

      It is a bug, I’ll fix it in the next version. For now, open /etc/firejail/vivaldi.profile and comment out nonewprivs line:

      #nonewprivs

      Thank you for reporting it.

      Reply
  29. Rosika

    @netblue30:
    Hi,
    unfortunately what you suggested doesn´t work for me:

    “You can reuse an existing profile for another application. Actually, this is how I start tor:
    $ firejail –profile=/etc/firejail/firefox.profile ./start-tor-browser”

    Whenever I type the respective command (which for me is “firejail –profile=/etc/firejail/firefox.profile ./start-tor-browser.desktop”) I get the following error-message:
    “/bin/bash: ./start-tor-browser: Datei oder Verzeichnis nicht gefunden”, i.e. file or folder not found.
    I have no idea why that is.
    Could you help me?
    Greetings.
    Rosika

    Reply
  30. Rosika

    Hi,

    is there a way of running teamviewer in firejail. Whenever I try to do this firejail complains about “teamviewer daemon not running”.

    Child process initialized

    Init…
    XRandRWait: No value set. Using default.
    XRandRWait: Started by user.
    Checking setup…
    Launching TeamViewer …
    Starting network process (no daemon)
    terminate called without an active exception
    /opt/teamviewer/tv_bin/script/tvw_exec: Zeile 95: 113 Abgebrochen “$TV_BIN_DIR/teamviewerd” -n -f
    Network process already started (or error)
    Launching TeamViewer GUI …

    Greetings.
    Rosika

    P.S.:
    system: Linux/Lubuntu 16.04.2 LTS

    Reply
      1. Rosika

        Hi,

        I downloaded and installed it by using this command:

        sudo apt-get purge teamviewer; sudo apt-get purge teamviewer:i386; sudo dpkg –add-architecture i386; sudo apt-get update; sudo apt-get install libasound2:i386 libfontconfig1:i386 libfreetype6:i386 libjpeg62:i386 libpng12-0:i386 libsm6:i386 libxrandr2:i386 libxrender1:i386 libxtst6:i386 libxinerama1:i386; wget –continue ‘http://download.teamviewer.com/download/teamviewer_i386.deb’; sudo dpkg -i teamviewer_i386.deb; sudo apt-get install -f

        This procedure is described on https://wiki.ubuntuusers.de/TeamViewer/ .
        This command loads teamviewer i386.deb (also useable on 64bit-systems) from the TeamViewer-homepage and installs it.
        Well, it works really fine except for use in firejail.

  31. Pingback: Firejail : préservez un peu plus votre vie privée sous Firefox/Thunderbird | Up and Clear

  32. Rosika

    Hi,

    I have a problem running “firejail –net=none” with certain programmes.
    For example when trying to run “firejail –net=none evince” I get the following:

    rosika@rosika-Lenovo-H520e ~> firejail –net=none evince
    Reading profile /etc/firejail/evince.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Parent pid 17269, child pid 17270

    Child process initialized
    Failed to connect to Mir: Failed to connect to server socket: Datei oder Verzeichnis nicht gefunden
    Unable to init server: Verbindung ist gescheitert: Verbindungsaufbau abgelehnt
    Cannot parse arguments: Anzeige kann nicht geöffnet werden:

    parent is shutting down, bye…

    The “Failed to connect to Mir”-message also appears with “okular”.
    With other programmes however it works just fine, like “gedit” and all the browsers.

    Greetings.
    Rosika

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s