Firejail 0.9.34 Release Announcement

We are happy to announce the release of Firejail version 0.9.34 (download). Firejail is a generic Linux namespaces security sandbox, capable of running graphical interface programs as well as server programs. This release brings in default home directory whitelisting for Firefox and Chromium, a new seccomp-based security filter (--protocol), dual 32 bit/64 bit seccomp support, support for Skype, Steam and Wine, and a number of smaller features and bugfixes:

PulseAudio 7.0 issue

The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Arch Linux users are reporting sound problems when running applications in the Firejail sandbox. PulseAudio developers are aware of the problem, and a fix will be provided in a future PulseAudio release. The following configuration fix will mask the problem for now:

$ mkdir -p ~/.config/pulse
$ cd ~/.config/pulse
$ cp /etc/pulse/client.conf .
$ echo "enable-shm = no" >> client.conf

Home directory whitelisting in default Firefox profile

Starting Firefox using the default security profile

$ firejail firefox

whitelists files and directories under /home/user:

Firefox home directory.

Home directory whitelisting in default Chromium profile

Starting Chromium using the default security profile

$ firejail chromium

whitelists files and directories under /home/user:

Chromium home directory.

--ignore

Use this option to disable commands in security profiles. Example:

$ firejail --ignore=seccomp wine

--protocol

Enable the protocol filter. It is based on seccomp and filters the first argument to the socket system call. Valid values: unix, inet, inet6, netlink and packet.

$ firejail --protocol=unix,inet,inet6

“unix” describes the regular Unix socket connections, while “inet” and “inet6” describe IPv4 and IPv6 traffic. Most GUI applications need “unix,inet,inet6”. “netlink” is the protocol used to talk to the Linux kernel. You’ll only need this for applications used in system administration (iproute2 etc). “packet” is used by sniffers to talk directly with the Ethernet layer.

The protocol filter is enabled for most GUI applications (“protocol unix,inet,inet6”).
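
The check described above, filtering the first argument of socket(), can be sketched as a small seccomp-BPF program. This is an added example, not Firejail's own code: the names install_protocol_filter and probe are hypothetical, returning ENOTSUP is this example's choice, and it assumes a little-endian Linux system and the native 64-bit ABI only (no architecture check).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define LOAD(field) (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(v, jt, jf) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (jt), (jf))
#define RET(v) (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (v))

/* Install a filter under which socket() works only for the listed address families. */
int install_protocol_filter(const int *allowed, int n) {
    struct sock_filter f[37];                  /* 5 fixed instructions + 2 per family (max 16) */
    unsigned short i = 0;
    if (n < 0 || n > 16) return -1;
    f[i++] = LOAD(nr);                         /* A = syscall number */
    f[i++] = JEQ(__NR_socket, 1, 0);           /* socket(): skip ahead and inspect it */
    f[i++] = RET(SECCOMP_RET_ALLOW);           /* any other syscall: allow */
    f[i++] = LOAD(args[0]);                    /* A = first argument (low 32 bits) */
    for (int k = 0; k < n; k++) {
        f[i++] = JEQ(allowed[k], 0, 1);        /* no match: jump over the allow */
        f[i++] = RET(SECCOMP_RET_ALLOW);
    }
    f[i++] = RET(SECCOMP_RET_ERRNO | ENOTSUP); /* family not on the list */
    struct sock_fprog prog = { .len = i, .filter = f };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call socket(family) in a filtered child: returns 0 on success, its errno, or 255 on setup failure. */
int probe(const int *allowed, int n, int family) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_protocol_filter(allowed, n) != 0) _exit(255);
        _exit(socket(family, SOCK_DGRAM, 0) >= 0 ? 0 : errno);
    }
    return (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : 255;
}

int main(void) {
    const int allowed[] = { AF_UNIX, AF_INET, AF_INET6 };   /* same list as --protocol=unix,inet,inet6 */
    printf("unix=%d netlink=%d packet=%d\n", probe(allowed, 3, AF_UNIX),
           probe(allowed, 3, AF_NETLINK), probe(allowed, 3, AF_PACKET));
    return 0;
}
```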

Dual 32 bit/64 bit seccomp filter

The --seccomp option now installs a dual 32 bit/64 bit default filter. i386 applications running on regular amd64 computers (Skype, Steam etc.) are protected by the i386 seccomp filter.

New default security profiles

Steam, Skype, Wine. The dual seccomp filter is enabled by default for these applications.

About

For more information please visit the project page.

25 thoughts on “Firejail 0.9.34 Release Announcement”

  1. sandboxer

    I possibly found a bug. When Steam is launched with either ‘firejail /usr/games/steam’ or ‘firejail --profile=/etc/firejail/steam.profile /usr/games/steam’ the whole /home/user/ is available with no restrictions. I tested again by comparing ‘firejail --profile=/etc/firejail/steam.profile bash’ and ‘firejail --profile=/etc/firejail/firefox.profile bash’ with ‘ls -a’. Again the whole home folder is accessible with the default Steam profile. I tried it on another machine with the same results, both have firejail_0.9.43_1_amd64.deb installed.

    Looking through Firejail profiles and inspecting manpage I found no reason why this is happening.

    This cannot be correct behavior, right?

    1. netblue30 Post author

      > the whole /home/user/ is available with no restrictions

      No, some directories and files under /home/user are blocked, mainly files with passwords or encryption keys (~/.ssh, ~/.gnupg).

      To go one step further and clean up everything in home directory, you need to do whitelisting. Currently this is implemented only for firefox and chromium.

      Whitelisting is not a big deal. You just have to specify what directories you want to be visible under /home. For example, if there is a directory /home/user/steam, then you would start steam as follows:

      $ firejail --whitelist=~/steam /usr/games/steam

      I have more examples in the man page. Look for directories specific to steam and give it a try.

      1. sandboxer

        Thanks for your reply! I discovered the behavior of whitelist (and its impact on a profile without any whitelisted files/folders) just before your reply. And you are right that files specified in disable-*****.inc files are still protected. My bad, I should have read the manpage more carefully.

        Now I have one file whitelisted, and it works as it’s made to work.
        Keep up the good work 🙂

  2. sandboxer

    I just added a new line to steam.profile: whitelist ~/black.png. So it works only for me because I have that file.

    Steam creates a folder called Steam on user home at the first time it is run after installing it on the system. Could that folder be used, it contains only Steam logs and skins (also it’s not in steam.profile)? The problem is that the folder must exist before running Steam for first time while it should not be created unless it’s really needed.
    Without better knowledge I don’t know a better solution, I hope I gave you some idea.

    Whitelisting by default on Steam profile would be a great improvement for end-users like me.

  3. Jean

    I can’t seem to get it working with symlinks.
    I have a file ~/.pentadactylrc which is a symlink to ~/.dotfiles/pentadactylrc.
    Even though I have whitelisted ~/.pentadactylrc, firefox still cannot see it hence not loading my settings.

    Any idea?

  4. jason

    I have searched & googled without success & was wondering if it's possible to run firejail with portable apps.
    I use a browser called SlimJet which I think is a great browser when it comes to security.
    Can someone give an update on using firejail with portables?

    1. netblue30 Post author

      Firejail runs only Linux binaries, so you would need to install the Linux version. It should run fine under Firejail with the default profile. You will basically get all the crazy security filters enabled (seccomp, caps, protocol, noroot).

      Same for portables, as long as you have a Linux version Firejail should run it. If it doesn’t, it is a bug – you let me know and I’ll fix it.

  5. jason

    Yep, sorry, I should have noted I was using Linux. I run a lot of software as portable apps, as a lot of the software for Linux involves just being able to extract to a folder & then click & they run without installation.
    Anyway, whether I symlink slimjet to local/bin or run it from the folder it was extracted to, the error is the same:

    firejail /usr/local/bin/flashpeak-slimjet
    Reading profile /home/me/.config/firejail/flashpeak-slimjet.profile
    Parent pid 3869, child pid 3870
    Warning: cannot disable /sys/hypervisor directory
    Child process initialized
    /bin/bash: /usr/local/bin/flashpeak-slimjet: Permission denied
    parent is shutting down, bye…

    And running firefox as a portable is very similar

    firejail /home/GENTOO-FILES/GENTOO-APPS/APPS-NETWORK/FireFox-38.0.1-ESR/firefox
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-devel.inc
    Parent pid 28838, child pid 28839
    Warning: cannot disable /sys/hypervisor directory
    Child process initialized
    /bin/bash: /home/GENTOO-FILES/GENTOO-APPS/APPS-NETWORK/FireFox-38.0.1-ESR/firefox: No such file or directory

    parent is shutting down, bye…

    Thanks

    1. netblue30 Post author

      Firejail cleans all the directories under /home with the exception of the current user directory. This is done on purpose in order not to leak user information – /etc/passwd and /etc/group inside the sandbox are also modified removing other users. Move GENTOO-FILES directory outside /home and all should be fine.

  6. tuxnotes

    Hello!
    The command “firejail firefox” whitelists some directories, but files are not saved in Desktop and Download. Is that how it should be? (Sorry for my English). Linux Mint Cinnamon 17.3, browser Firefox

    1. netblue30 Post author

      Your English is fine!

      “Desktop” directory is not whitelisted. It is created by Firefox and discarded when you close the browser. Your real “Desktop” directory is hidden from the browser.

      Downloads directory is whitelisted. Make sure you already have a “Downloads” directory in your home, otherwise Firefox will create one and it will get discarded when you close the browser. You would need to check in Firefox under Preferences where Firefox is configured to put the downloads.

      1. tuxnotes

        Many thanks for the answer! In the Russian localization the Downloads folder is called Загрузки, and Firejail does not keep files in it (for us it is Downloads). I created a Downloads folder (home/myname/Downloads) and it was kept. You could also add the Загрузки folder (Downloads in Russian) to the whitelist. Where is it possible to see all the folders in the whitelist?
        I am a beginning GNU/Linux user and I enjoy studying it. I like your program very much and am sure it has a big future. I would like to write a small but interesting article about the program. That is why I ask questions, hardly there will be other questions later :)

  7. tuxnotes

    Thanks, it worked out. The whitelist contains ./mozilla, but there are two files that store passwords (Key3.DB, logins.json); yes, they are encrypted, but an attacker could decipher them. Is it possible to limit the browser's access to these files?

    1. netblue30 Post author

      That’s easy, you need to add a blacklist command for each of the two files in /etc/firejail/firefox.profile. Example:

      blacklist ~/.mozilla/firefox/8t1m3f8a.default/logins.json

      1. tuxnotes

        Thank you very much for the quality of support. On one Russian-language site I read that firejail blocks access only to ~/.ssh and ~/.gnupg. Is it true? Where can I view, or can you tell me, which directories are blocked for the browser and which are in the whitelist?

  8. tuxnotes

    But where can I view, or can you tell me, which directories are blocked for the browser and which are in the whitelist? It is very important to know. People will ask me which directories are on the blacklist and which are whitelist directories.

    1. netblue30 Post author

      In the next release I will log a message to syslog every time a blacklisted directory is accessed.

      Also, you can try the --trace option. Start firefox like this:

      $ firejail --trace firefox

      It will print on the screen all files the browser is accessing.
