Firejail 0.9.26 Release Announcement

We are happy to announce the release of Firejail version 0.9.26. Firejail is a generic Linux namespaces security sandbox, capable of running graphical interface programs as well as server programs. This release fixes a number of bugs reported by users, adds new default profiles, and brings in the following new features:

Private /dev directory

The command line option --private-dev mounts a new /dev directory and populates it with only the following device files: null, full, zero, tty, pts, ptmx, random, urandom and shm. The option is intended for programs that have no business using sound or video camera devices.

New /dev directory created with --private-dev option.
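A host-side check of what a process's /dev actually contains, as an added example that is not part of the Firejail release or its code: it compares a /dev directory (for a running sandbox, the one reached through /proc/PID/root) against the nine device names listed above and reports anything extra or missing. The function names dev_audit, sandbox_dev_audit and demo_private_dev_audit are chosen here, and the demo runs on a constructed directory rather than a real sandbox.

```shell
# Added example, not Firejail's own code: audit a /dev directory against the
# nine device files that --private-dev is documented to provide.
PRIVATE_DEV_ALLOWLIST="null full zero tty pts ptmx random urandom shm"

# dev_audit DIR: print "extra: NAME" for entries in DIR that are not in the
# allowlist and "missing: NAME" for allowlist entries absent from DIR.
# Returns 0 only when DIR contains exactly the allowlisted names.
dev_audit() {
    dir="$1"
    status=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # skip unmatched glob patterns
        name=${entry##*/}
        case " $PRIVATE_DEV_ALLOWLIST " in
            *" $name "*) ;;                  # expected device file
            *) echo "extra: $name"; status=1 ;;
        esac
    done
    for name in $PRIVATE_DEV_ALLOWLIST; do
        [ -e "$dir/$name" ] || { echo "missing: $name"; status=1; }
    done
    return $status
}

# sandbox_dev_audit PID: audit the /dev seen by a sandboxed process; its
# mount namespace is exposed to the host under /proc/PID/root.
sandbox_dev_audit() {
    dev_audit "/proc/$1/root/dev"
}

# demo_private_dev_audit: constructed /dev (not a real sandbox) that still
# carries a camera node and lacks shm, so the audit must fail (return 1).
demo_private_dev_audit() {
    tmp=$(mktemp -d)
    for name in null full zero tty ptmx random urandom video0; do
        : > "$tmp/$name"
    done
    mkdir "$tmp/pts"
    dev_audit "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```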

Private home whitelisting

The format for this command is as follows:

--private.keep=comma-separated-list-of-files-and-directories

The command mounts an empty tmpfs on top of the /home/user directory and copies the listed files and directories into the new filesystem. List elements are separated by commas. All modifications are discarded when the sandbox is closed; the original files are not modified.

Example:

$ firejail --private.keep=.mozilla,Downloads firefox

User namespaces

The --noroot option attaches a new user namespace to the sandbox. The namespace has a single user defined, the current user. There is no root user available, so programs requiring root privileges will not be able to run:

Trying to run SUID binaries in a --noroot sandbox.

User namespaces were introduced in Linux kernel 3.9. If the feature is not available in the kernel at runtime, Firejail prints a warning and continues setting up the sandbox without it.

New default profiles

This version brings in new default profiles for Deluge and qBittorrent BitTorrent clients.

About

For more information please visit the project page.

29 thoughts on “Firejail 0.9.26 Release Announcement”

  1. scooby

    I am happy about the --noroot parameter, although I am having a little trouble testing it.
    I have no sudo setup.

    What exactly happens when you are root and do a firejail --join to a --noroot jail?

    thanks for awesome work

    1. netblue30 Post author

      I still have to add noroot support in --join. I will let the root join the sandbox, without a user namespace. Nothing can stop him. If I don’t let him go in, he will use another tool to go in.

  2. Bob Good

    Thanks NetBlue30, and team, for the private home whitelisting feature. Looking forward to trying it. BTW, how soon until you make debs for it? At release?

    You’ve got a great application on your hands. You should be proud, which I’m sure you are. :). Great work.

    Best regards,

    Bob Good

    1. netblue30 Post author

      Thanks!

      I’ll make debs when I release it in the next two weeks. There are still bugs coming in. Probably it will be another rc release before that.

  3. tarkatheotter

    Hi, I love the new “private.keep=” feature, but it appears to be having trouble with keeping extra folders in my “$HOME” directory. For instance: I have a locally installed Firefox at the base of “$HOME (~/firefox/),” but when I add it into a private firejail session, firejail won’t copy over all the containing files and sub-directories from within that Firefox folder. Could you look into this before the next RC/Final release, please?

    1. netblue30 Post author

      Sure, I’ll look into it! How are you starting the sandbox? What command are you using? I want to try to reproduce it here on my machine.

      1. tarkatheotter

        Actually, it turns out the Firefox directory copies; I was having trouble with copying QtAV ( http://sourceforge.net/projects/qtav/ ) into the sandbox. That got fixed when I re-installed QtAV without the examples or source files. Now `firejail --private.keep=QtAV` copies everything; before it failed to copy at a certain point, “duplicate334,” or something, and only three files and one subdirectory made it over…

  4. Bob Good

    Hi netblue30,
    Is there any way to recover downloaded files from tmpfs with the --private.keep switch? I listed Desktop (my usual download location) in the directories list but the downloaded file doesn’t show. My switch is firejail --cpu=0,1 --shell=none --private.keep=Desktop,.themes,.icons,.config/google-chrome google-chrome.

    Thanks for your work on firejail. :).

    Best regards,

    Bob Good

    1. netblue30 Post author

      Actually it is quite easy. First you find the process id (PID) of your firefox process (“ps aux” or “firejail --tree”). The filesystem as viewed by the process is exposed in the /proc/PID/root directory.

      Example:

      $ firejail --tree
      3170:netblue:firejail --private=~/myfirefox firefox
         3171:netblue:firefox

      $ ls /proc/3171/root/

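A scripted version of the /proc/PID/root recovery described in the reply above, as an added example that is not Firejail's own code: it copies files out of a sandboxed process's private home without overwriting anything already on the host. It assumes the sandbox's PID is already known (for instance from firejail --tree); sandbox_root and pull_from_sandbox are names chosen here.

```shell
# Added example, not Firejail's own code: recover files from a sandbox's
# private (tmpfs) home through /proc/PID/root before the sandbox closes.

# sandbox_root PID: print the sandbox's root as seen from the host, or fail
# if the process is gone or its root is not readable by this user.
sandbox_root() {
    root="/proc/$1/root"
    [ -d "$root/" ] || return 1          # trailing slash forces traversal
    printf '%s\n' "$root"
}

# pull_from_sandbox PID SRC_REL DEST: copy regular files under SRC_REL
# (relative to the sandbox root, e.g. "home/user/Downloads") into DEST,
# skipping names that already exist there so host files are never clobbered.
# Prints each copied file name; returns 1 when nothing new was found.
pull_from_sandbox() {
    pid=$1 src_rel=$2 dest=$3
    root=$(sandbox_root "$pid") || return 1
    src="$root/$src_rel"
    [ -d "$src" ] || return 1            # download directory not present
    mkdir -p "$dest"
    copied=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ -e "$dest/$name" ] && continue  # keep the host copy untouched
        cp -p "$f" "$dest/$name" && { printf '%s\n' "$name"; copied=$((copied + 1)); }
    done
    [ "$copied" -gt 0 ]
}
```

Run it as `pull_from_sandbox 3171 home/netblue/Downloads ~/Downloads` using the PID of the sandboxed program (not the firejail process) from the tree above.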
  5. Bob Good

    Hey netblue30,
    It’s me again…with another feature request. I know what you’re thinking…”Go away kid…you draw flies!”. Sorry about that. :). Anyway, all joking aside, I’d like to request that any downloaded files be copied to their respective user-space folder. At present I’m using a bash script triggered by a cronjob to copy files….

    #!/bin/bash
    # PID of the sandboxed Chrome; the [c] in the pattern keeps this awk process out of the match
    download=$(ps -ef | awk '/[c]hrome -start-maximized/{print $2}')
    # The sandbox's private home is visible from the host under /proc/PID/root
    dire="/proc/$download/root/$HOME/Desktop"
    if [ -d "$dire" ]; then
        rsync -rvcm --compare-dest="../$HOME/Desktop/" "$dire/" "$HOME/Desktop/"
    fi
    exit 0

    I’ve looked into inotifywait and incron but if the /proc/PID/root/$HOME/download-location folder doesn’t exist at startup then it exits.

    In the meantime, until you decide whether to include this feature request, do you have any suggestions? I’d be glad to hear them.

    BTW, I love the new --private.keep switch. It’s perfect (except for the downloaded files thingy). ;).

    Later…

    Bob Good

    1. netblue30 Post author

      Any time you have an idea just put it here. Some of the best features firejail has have been suggested by users. The main reason I run this project off a blog is to encourage user participation.

      Try this: create a directory outside your home:

      $ sudo mkdir /storage
      $ sudo chmod 777 /storage

      and configure your browser to save the downloads there. You can also use /tmp or /var/tmp, but they get cleaned up automatically at startup.

  6. tarkatheotter

    Hi again netblue30, are you able to provide a download mirror for your releases? Sourceforge has stopped working again…

  7. Bob Good

    Hi netblue30,
    I have a question. What limitations are there with running Firejail with google-chrome? Is containment of the google-chrome profile the only benefit? Chrome uses sandboxes already…so is google-chrome being run within a Firejail sandbox?

    I hope I made myself clear to you.

    BTW, how’s the next release coming? What new features can we expect?

    Thanks for your and your team’s efforts. :).

    Best regards,
    Bob

    1. netblue30 Post author

      Hi Bob,

      Namespace sandboxes can be chained, so the Chrome sandbox will run inside the Firejail sandbox. With a few exceptions – seccomp filters, Linux capabilities filters, and user namespaces – all Firejail features should work. The benefit is you can lock the filesystem, which Chrome does not, install a new network namespace, a chroot, control groups (cgroups), a new /dev directory etc.

      The next release will be coming in about one month, with support for network bandwidth management, a graphical user interface, and a number of smaller features.

  8. DWORD

    Hello netblue,
    Maybe it is a bit of a stupid question, but when running Firefox (Skype also) in sandboxed mode it displays “(as superuser)” in the title of Firefox.
    Execution command line:
    “xhost +SI:localuser:limitliuser && firejail --noroot --private /usr/lib64/firefox/firefox/firefox-bin %u” limitliuser

    I played a bit with command line switches of firejail. No avail, it still displays “As Superuser” in the title of Firefox.

    $ ps aux|grep -i “fireja”
    root 4649 0.0 0.0 205572 6480 ? Ss 13:43 0:00 su -l -c xhost +SI:localuser:limitliuser && firejail --noroot --private /usr/lib64/firefox/firefox/firefox-bin limitliuser
    limitli+ 4652 0.0 0.0 121908 3480 ? Ss 13:43 0:00 -bash -c xhost +SI:localuser:limitliuser && firejail --noroot --private /usr/lib64/firefox/firefox/firefox-bin
    root 4684 0.0 0.0 9724 1960 ? S 13:43 0:00 firejail --noroot --private /usr/lib64/firefox/firefox/firefox-bin

    Thank you!

    1. netblue30 Post author

      It is actually a very good question! If you start the sandbox as a regular user, the processes inside the sandbox should run as regular user. The sandbox itself runs as root. For example in a terminal, running as a regular user, you would do:

      $ firejail firefox &

      Then you can check using ps aux:

      $ ps aux | grep firefox
      root 17071 0.0 0.0 15848 2112 ? S 09:51 0:00 firejail firefox
      netblue 17072 30.2 5.3 990236 379072 ? Rl 09:51 2:20 firefox

      The sandbox process (17071) reported as root does nothing. It just monitors the firefox process in order to close the sandbox when firefox is shut down. The firefox process 17072 should definitely be reported as a regular user. If not, it is a bug!

  9. HMat

    Hello,

    First, let me congratulate you for the excellent tool this is. To me this should become part of any security oriented packages, like AppArmor or GRSecurity.

    I think I’ve found a bug with the private-dev option: it seems to tamper with the /dev/pts in the normal namespace, so that I can’t open any new terminal; I get a “grantp failed”, which goes away if I remount /dev/pts.

    regards,
    H

      1. HMAT

        Hi,

        I create one firejail for an app with the --nodev option.

        Then in my normal namespace, the /dev/pts becomes blocked and I can’t open up new terminals without getting “grantp failed”.

        If I remount it, it works.

        For your information I use Gentoo hardened stable.

  10. Aleksej

    Hello.

    Some of my home directories are in a common directory under /home. Firejail blacklists that directory, making $HOME unavailable.

      1. Aleksej

        So, how do I make it work (with 0.9.28 now)? Preferably without unhiding all other users or making ~ discarded every time.

        I probably can stop using such subdirectories though; if a future file system switch causes problems, bind mounts might solve them.

      2. netblue30 Post author

        I assume each subdirectory in /home belongs to a different user. It is hardcoded in 0.9.28. What is the use case to make it configurable, or to disable it?
