We are happy to announce the release of Firejail version 0.9.30 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release contains a large number of bug fixes, several changes to the existing sandbox interface, and the following new features:
Home directory whitelisting
The --whitelist option mounts an empty temporary filesystem over the user's home directory and bind-mounts in the files or directories specified. .bashrc and .Xauthority are included by default. This lets the user sandbox a program with a home directory that contains only the minimal set of files the application requires. Mozilla Firefox example:
$ firejail --whitelist=~/.mozilla --whitelist=~/Downloads firefox
Modifications to .mozilla and Downloads directories are persistent. Files created outside these directories will be discarded when the sandbox is closed.
Private /etc directory
The --private-etc option builds a new /etc directory in a temporary filesystem and copies over the files and directories given in the list. All modifications are discarded when the sandbox is closed. Example:
$ firejail --private-etc=group,hostname,localtime,nsswitch.conf,passwd,resolv.conf firefox
The --env option sets an environment variable in the sandbox. Examples:
$ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
$ firejail --env=CFLAGS="-W -Wall -Werror" make
- Firefox PDF.js exploit (CVE-2015-4495) fixes.
- Added /etc/firejail/disable-history, the file is included in all profiles.
- Supporting net none command in profile files.
- Added noblacklist command in order to filter blacklists in included profile files.
- Miscellaneous fixes.
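As an added illustration (not Firejail's own code), the following Python models how profile files compose under the rules described in this release: include pulls in another profile, noblacklist exempts a path from any blacklist that follows it (including ones in included files), and whitelist and net none are collected. The profile contents, the PROFILES lookup and the home path are constructed for the example.

```python
# Model of Firejail profile composition: include, noblacklist, blacklist,
# whitelist, net none. Illustrative only; not Firejail's parser.

# Constructed sample profiles keyed by path (stand-ins for files on disk).
PROFILES = {
    "/etc/firejail/firefox.profile": """
# keep the Firefox profile dir even though disable-common blacklists it
noblacklist ~/.mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-history.inc
whitelist ~/.mozilla
whitelist ~/Downloads
""",
    "/etc/firejail/disable-common.inc": "blacklist ~/.mozilla\nblacklist ~/.ssh\nblacklist ~/.gnupg\n",
    "/etc/firejail/disable-history.inc": "blacklist ~/.bash_history\nnet none\n",
}

def expand(path, read=PROFILES.get, seen=()):
    """Recursively expand `include` lines into one flat, ordered rule list."""
    if path in seen:
        raise ValueError(f"include cycle at {path}")
    text = read(path)
    if text is None:
        raise FileNotFoundError(path)
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("include "):
            rules.extend(expand(line.split(None, 1)[1], read, seen + (path,)))
        else:
            rules.append(line)
    return rules

def effective_rules(path, home="/home/user", read=PROFILES.get):
    """Apply noblacklist filtering in order and return the effective rules."""
    exempt, blacklist, whitelist, net_none = set(), [], [], False
    for rule in expand(path, read):
        parts = rule.split(None, 1)
        cmd, arg = parts[0], parts[1] if len(parts) > 1 else ""
        if arg.startswith("~"):                  # expand ~ like firejail does
            arg = home + arg[1:]
        if cmd == "noblacklist":
            exempt.add(arg)
        elif cmd == "blacklist":
            if arg not in exempt and arg not in blacklist:
                blacklist.append(arg)
        elif cmd == "whitelist":
            whitelist.append(arg)
        elif cmd == "net" and arg == "none":
            net_none = True
        else:
            raise ValueError(f"unsupported profile command: {rule}")
    return {"blacklist": blacklist, "whitelist": whitelist, "net_none": net_none}
```

Running effective_rules("/etc/firejail/firefox.profile") shows ~/.mozilla absent from the blacklist because the noblacklist line precedes the include; move it below the include and the exemption no longer applies.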
Unfortunately, from time to time we need to change the sandbox interface in order to allow for new developments. Hopefully, the impact on existing users is minimal. These are the modifications:
- The --private.keep option is renamed --private-home.
- Running a Firejail sandbox inside a Firejail sandbox has been disabled. Instead, the program for the second sandbox is run directly in a /bin/sh shell inside the first sandbox. This solves a number of problems Mozilla Thunderbird users were having when they clicked a link and expected Firefox to open: Firefox now opens in the sandbox where Thunderbird is already running.
- By default, /etc/firejail/generic.profile is applied every time a sandbox is started by a regular user, if no other profile was set, or if a profile matching the name of the application is not found in the regular places (~/.config/firejail and /etc/firejail directories). This functionality can be disabled by using the --noprofile option. Example:
$ firejail
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-history.inc
** Note: you can use --noprofile to disable generic.profile **
Parent pid 6738, child pid 6739
Child process initialized
[...]
$ firejail --noprofile
Parent pid 6784, child pid 6785
Child process initialized
[...]
The default profile is very restrictive: it drops all capabilities, enables seccomp, and enables the noroot user namespace.
- Programs started as root use /etc/firejail/server.profile by default. The functionality is similar to /etc/firejail/generic.profile described above, and it can be disabled using the --noprofile option.
- The --overlay option stores the filesystem differences in the ~/.firejail/ directory. A new option, --overlay-tmpfs, was introduced. It stores the filesystem differences in a temporary filesystem, and the differences are discarded when the sandbox is closed.
Project development has moved to GitHub. The SourceForge mirror system will continue to be the main point of distribution for the release archives; everything else there is being phased out.
For more information please visit the project page.