Firejail


Mozilla Firefox starting in a Firejail sandbox.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of globally shared kernel resources such as the network stack, process table and mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel or newer. It can sandbox any type of process: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of common Linux programs, such as Mozilla Firefox, Chromium, VLC and Transmission.

The sandbox is lightweight and the overhead is low. There are no complicated configuration files to edit, no socket connections open, and no daemons running in the background. All security features are implemented directly in the Linux kernel and are available on any Linux computer. To start the sandbox, prefix your command with “firejail”:

$ firejail firefox            # starting Mozilla Firefox
$ firejail transmission-gtk   # starting Transmission BitTorrent 
$ firejail vlc                # starting VideoLAN Client
$ sudo firejail "/etc/init.d/nginx start && sleep inf"

Documentation: Features   Installation   Usage   FAQ
Manual Pages: firejail, firemon, firejail profile files
Development: https://github.com/netblue30/firejail

 

Firetools

Firetools is the graphical user interface of Firejail security sandbox. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. The application is built using Qt4 libraries, and it is distributed as a separate package.

Firetools launcher and active sandbox list

Dependencies: Firejail, Qt4 libraries, xterm
Documentation: Installation, Screenshots
Manual Pages: firetools
Development: https://github.com/netblue30/firetools

 

Downloads

Firejail Source Code Archive.
Firetools Source Code Archive.
Debian, Ubuntu, Linux Mint etc.:
Firejail 64-bit DEB Package
Firetools 64-bit DEB Package
Firejail 32-bit DEB Package
Firetools 32-bit DEB Package
Debian testing/unstable: apt-get install firejail
Fedora, openSUSE, CentOS 7, RHEL 7:
Firejail 64-bit RPM Package
Firetools 64-bit RPM Package
Arch Linux package in AUR.
Slackware Linux package on SlackBuilds.org.
 

News

August 2015 – source code repository and bug tracker available on GitHub

August 2015 – released Firejail version 0.9.28. This release contains significant improvements and a large number of enhancements and bug fixes. New features: network scanning (--scan option), interface MAC address support (--mac option), IP address ranges (--iprange option) and network traffic shaping (--bandwidth option). Default profile support was added for GNU Icecat, FileZilla, Pidgin, XChat, Empathy and DeaDBeeF. Release Announcement, Release Notes.

June 2015 – Firejail included in Debian.

June 2015 – released Firetools version 0.9.26.1. This is a bugfix release.

May 2015 – released Firetools version 0.9.26. Firetools is a graphical user interface for Firejail sandbox. This is the first release of the program.

May 2015 – version 0.9.26 released. The new version brings in support for private /dev directory, private home directory whitelisting, user namespaces, default profiles for Deluge and qBittorrent, and lots of bugfixes. Release Announcement, Release Notes.

April 2015 – version 0.9.24 released. It brings in several bugfixes, full support for blacklist and whitelist seccomp filters, double-dash support, --shell=none support, default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem, and a number of smaller features. Note: support for the empty seccomp attribute has been deprecated. Use --seccomp.drop instead. Release Announcement, Release Notes.

 

HOWTOs

 

Across the Internet

 

Support

All contributions are welcome: ideas, feature requests, patches, documentation, bug reports, complaints. Please use the comment section on any page on this blog, or the facilities provided by sourceforge.net or GitHub.

 

236 thoughts on “Firejail”

  1. somePasserby

    With regards to pulseaudio segfaults mentioned above:

    Could it be so that it is related to the Skype-pulseaudio shared memory crash I described (and am still experiencing in most recent version)?

    Terrance Harris, could you try disabling shared memory for pulseaudio and see if the problem persists?

    Reply
  2. Pingback: Firejail, a universal sandbox for Linux - Detrás del pingüino

  3. somePasserby

    Any news with regards to skype-pulseaudio shared-memory related crash ? (still getting the same behavior on most recent version) ?

    I don’t wanna nag or anything (but I do want to have better sound latency with jailed skype :) )

    Reply
      1. somePasserby

        Lubuntu 12.04

        I have reported this bug previously (here in the comments and on sourceforge)
        Basically, if pulse is configured to use shared memory and Skype is launched within firejail, trying to do a voice call will cause a crash.

      2. somePasserby

        Not to nag too much, but any ETA on pulseaudio shared memory-related bug (aka Skype segfaults when pulse has shared memory enabled) ?

        I realize that weirdo closed-source apps that rely on pulse specifically are probably not a priority :)

  4. vds

    Thanks a lot for releasing this application, it’s extremely useful and easy to use. I wonder if it is possible to restrict the access to /tmp and /var like the private option allows for $HOME. Thanks.

    Reply
    1. netblue30 Post author

      You’re welcome. Private option also installs a new /tmp directory, similar to /home.

      To install a new temporary fs (similar to /home and /tmp above) on top of any other directory use the --tmpfs option:

      $ firejail --private --tmpfs=/var

      You will get a new /home/user, new /tmp, and a new /var.

      Reply
  5. Hackepeter

    Hi netblue30,

    Thank you for making POSIX capabilities fully configurable in the latest release! Now it would be very nice to have syscall whitelist filters too …

    Keep up your good work!

    Reply
  6. Hackepeter

    Hi netblue30,

    Why are the following options not allowed in profile files?
    chroot
    defaultgw
    dns
    ip
    ipc-namespace
    name
    net
    netfilter filename (netfilter without filename works!)
    overlay
    shell

    Also, separating options and arguments by tabs doesn’t work, at least not immediately following the option.

    Reply
    1. netblue30 Post author

      The plan is to have all the command line options supported also in profile files.

      > Also, separating options and arguments by tabs doesn’t work, at least not immediately following the option.

      What exactly are you trying to do, can you give an example, thanks!

      Reply
  7. Hackepeter

    Hi netblue30,

    > What exactly are you trying to do, can you give an example, thanks!

    Tabs between options and arguments *do* work – sorry for the false alarm! Looks like I had a typo in the profile file while testing this issue.

    Reply
  8. a name was required

    Can you add an option for starting without a shell?
    Currently if I want to sandbox an arbitrary program, 'firejail "$@"' won’t work. There’s no "--" argument (usually used to terminate option lists and specify that everything afterwards is a positional argument), and there’s no --no-shell option or something like that.

    I’d like to be able to say 'firejail -- "$@"' and have it run the argument list as a program with the given arguments in the sandbox, but (as well as not having --), the presence of the shell means that special characters will get mangled and broken unless correctly escaped. Escaping should not be necessary.

    Test cases:
    firejail -- echo 'hello " world'
    firejail -- touch 'file with spaces'
    firejail -- echo 'and & or |'
    # This next one needs a little preparation
    firejail -- -dir-with-initial-hyphen/testscript

    (Also, if this were github, I’d probably just find and fix it myself and pull request it. It’s never anywhere near that convenient on SF)

    Reply
  9. droptorootshell

    Hello.
    Really fantastic job, bro. Keep it up please!
    One question regarding whitelisting and blacklisting directories.
    /etc/firejail/firefox.profile

    blacklist /etc/
    whitelist /etc/pango/
    Is there any whitelist option? Or at least something like this:

    blacklist /etc/ ! /etc/pango/ #assuming /etc/ blocked except /etc/pango/
    Is there any such configuration for whitelisting?
    Thanks in advance and please Keep Up!

    Reply
  10. AnArchy

    I started a thread over at
    http://forums.scotsnewsletter.com/index.php?showtopic=76690#entry419011
    If anyone has any tips and tricks to share they would be most welcome to do so.

    A very interesting program indeed and some of the best documentation for a new program, or a lot of more mature programs, that I have ever come across.
    The program runs fine in Arch 64 and seems to have minimal overheads. Tried running "$ firejail --private firefox" and "$ firejail firefox" and both ran as if I had started them as normal.
    Thanks for all the work.

    Reply
  11. Lukas Schauer

    Can’t report bugs on sourceforge so I’ll just do it here.

    I’m having a fun little security problem with firejail… I’m using it as a wrapper for chromium and use that as default browser for my system. Now i found that if there is a ‘&’ in a url chromium doesn’t open…
    Playing around with it i found that using an ‘&’ in a parameter in firejail makes firejail execute whatever comes after that character, probably because it’s interpreting it as a shell would…
    This is kinda problematic… I build a workaround encoding the url in base64 first, but this is quite ugly, and I hope this will get fixed eventually…

    Test case: firejail --profile=/etc/firejail/chromium.profile /usr/bin/chromium "&echo hello world"

    Output:
    Child process initialized
    hello world

    At least it gets executed inside the jail… but it’s still quite bad.

    Reply
    1. netblue30 Post author

      Actually I prefer the bugs left here on the blog. It is much easier to handle them.

      Character ‘&’ is a control char for bash shell, so it needs to be escaped (add a \ before it) or placed into quotes (single or double).

      What happens is firejail internally starts the program using a second bash shell. As a result, character ‘&’ has to be escaped twice. These are some examples that should work:

      $ firejail chromium "http://asdf\&jklm"
      $ firejail chromium '"http://asdf&jklm"'
      $ firejail "chromium 'http://asdf&jklm'"

      Reply
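The behaviour discussed above (a wrapper that hands its argument list to a second bash, so an '&' inside an argument becomes a command separator) can be reproduced in a few lines of C. This is an added example and not Firejail's own launcher code: it contrasts a shell-mediated launch, where the arguments are joined into one string and passed to "bash -c", with a direct execvp launch that passes the vector through untouched. The argument list `echo '&echo hello world'` is a constructed test case modelled on the one in the comment.

```c
/* Added example (not Firejail's launcher code): a wrapper that joins its
 * arguments into one string and hands it to "bash -c" versus one that
 * passes the argument vector straight to execvp. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed test case: a single argument containing a shell control character. */
static char *const demo_argv[] = { "echo", "&echo hello world", NULL };

/* Join argv with spaces, the way a naive wrapper builds a command line.
 * Caller frees the result. */
char *join_args(char *const argv[]) {
    size_t len = 1;
    for (int i = 0; argv[i]; i++) len += strlen(argv[i]) + 1;
    char *out = calloc(len, 1);
    if (!out) return NULL;
    for (int i = 0; argv[i]; i++) {
        if (i) strcat(out, " ");
        strcat(out, argv[i]);
    }
    return out;
}

/* Shell-mediated launch: bash re-parses the joined string, so the '&'
 * inside the argument becomes a command separator. */
static void launch_via_shell(char *const argv[]) {
    char *cmd = join_args(argv);
    if (cmd) execl("/bin/bash", "bash", "-c", cmd, (char *)NULL);
}

/* Direct launch: every argv element reaches the program unchanged. */
static void launch_direct(char *const argv[]) {
    execvp(argv[0], argv);
}

/* Fork, run the launcher in the child with stdout redirected to a pipe,
 * and collect what the child (and anything it spawned) wrote. */
static const char *capture(void (*launch)(char *const[]), char *const argv[]) {
    static char buf[256];
    int fd[2];
    buf[0] = '\0';
    if (pipe(fd) < 0) return buf;
    pid_t pid = fork();
    if (pid < 0) return buf;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        launch(argv);
        _exit(127); /* exec failed */
    }
    close(fd[1]);
    size_t got = 0;
    ssize_t r;
    /* read until every writer (bash and any backgrounded job) has closed the pipe */
    while (got + 1 < sizeof buf && (r = read(fd[0], buf + got, sizeof buf - got - 1)) > 0)
        got += (size_t)r;
    buf[got] = '\0';
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return buf;
}

/* Output of the demo argument list under each launch strategy. */
const char *output_via_shell(void) { return capture(launch_via_shell, demo_argv); }
const char *output_direct(void)    { return capture(launch_direct, demo_argv); }

int main(void) {
    printf("via bash -c : [%s]\n", output_via_shell());
    printf("via execvp  : [%s]\n", output_direct());
    return 0;
}
```

With the direct launch the program prints the literal string `&echo hello world`; with the shell-mediated launch bash runs `echo` in the background and then `echo hello world`, which is the "hello world" the commenter saw. Escaping the argument twice, as the reply suggests, is the user-side fix; passing the vector straight to execvp removes the second parse altogether.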
  12. bob nelson

    I’ve been attempting to run firejail from within a chroot environment and I always get the following error:
    Error mounting filesystem as slave:sandbox(117): Invalid argument
    I assumed that all I would need mounted would be normal stuff such as /dev /proc /sys, but apparently not. Any ideas?

    Reply
    1. netblue30 Post author

      It is actually a bug in the program, thanks!

      This is a workaround. Assuming you have a root filesystem in /systems/rootfs, chroot into your rootfs:

      # chroot /systems/rootfs

      Export an environment variable “container” and start firejail:

      # container="firejail" firejail

      I’ll bring in a real fix in the next version.

      Reply
  13. bob nelson

    Thanks that did the trick. Now I’m faced with a different problem, whenever I run something with it, it ends up unmounting /proc, both inside my chroot and outside (it’s a normal bind mount). Any ideas on that one?

    Reply
    1. netblue30 Post author

      I cannot reproduce it on Debian 7.
      Suggestion: use firejail to set the chroot, something like this:

      # firejail --chroot=/path-to-new-rootfs

      Reply
  14. bob nelson

    unfortunately running it from within the chroot is necessary, ie nothing can be initiated from outside of it including firejail itself. my test machine is debian 7 as well. also, as a side-effect of running something i end up with tons of mounts for all of the things that firejail is blacklisting, that never go away, such as:

    /dev/vda1 on /test_chroot/usr/bin/sudo type ext4 (rw,relatime,errors=remount-ro,commit=60,data=ordered)

    mount |grep chroot -c
    57

    even after exiting the firejail process, they remain.

    is there any way to tell it not to do the remounting of proc or other things?

    Reply
    1. netblue30 Post author

      > i end up with tons of mounts for all of the things that firejail is blacklisting, that never go away

      This means when the sandbox is shut down, some process inside the sandbox is still running, and the kernel does not remove the namespaces.

      If you can open another terminal you can check what processes are created in the sandbox. So, while the sandbox is active, in a different terminal run "firejail --tree" and it gives you a list of all processes inside the sandbox. Then close the sandbox and check the processes with "ps aux".

      Reply
  15. somePasserby

    Oh, cool!
    New versions.

    Would it be worthwhile for me to test if the bug with skype/shared memory/pulse audio persists ?

    I am almost done using skype, but hunting bugs never hurts…

    Reply
  16. fju

    When I launch Firefox in private mode, I am still able to view my home dir by visiting file:///. Using private mode with other applications (bash, chromium) works as expected. The problem seems to be limited to Firefox (Mozilla Firefox 37.0.2).

    $ firejail --private firefox
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Parent pid 15928, child pid 15929
    Interface IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP
    enp0s25 10.0.0.20 255.255.255.0 UP

    Child process initialized

    (process:1): GLib-CRITICAL **: g_slice_set_config: assertion ‘sys_page_size == 0’ failed

    parent is shutting down, bye…

    Interestingly, firejail exits with its “parent is shutting down…” message immediately (despite successfully launching Firefox and the process still being visible with firejail --list). When I launch Chromium, firejail stays in the foreground and does not display the “parent is shutting down…” message until I actually close Chromium. I don’t know if this is related to the problem with private mode.

    Any suggestions?

    Reply
    1. netblue30 Post author

      By default Firefox tries to keep only one process running. When you start a new firefox process, it looks for an existing one. If one is found, the new process shuts down, and the existing one opens a new tab or a new window.

      You could try the -new-instance option:

      firejail --private firefox -new-instance

      Reply
  17. Pingback: Firejail - A sandbox for Linux - Korben

  18. Pingback: Firejail – A sandbox for Linux - Mon Blog

  19. Pingback: Firejail – A sandbox for Linux | MégaPassions le blog

  20. Pingback: Firejail – A sandbox for Linux | My Tiny Tools

  21. Pingback: Firejail – A sandbox for Linux | L'actualité de la High Tech

  22. Pingback: W-Infos | Firejail – A sandbox for Linux

  23. Pingback: NF.sec – Linux Security Blog - Firejail – simple cage building

  24. pyrrhicvictory

    Possibly a stupid question – Every time I launch firejail (firefox/thunderbird/palemoon), it launches them “as superuser”, and the --noroot option does nothing. Am I doing something wrong? Running Mageia.

    Reply
    1. netblue30 Post author

      It is not a stupid question. If you start the sandbox as a regular user, the processes inside the sandbox should run as regular user. The sandbox itself runs as root. For example in a terminal, running as a regular user, you would do:

      $ firejail firefox &

      Then you can check using ps aux:

      $ ps aux | grep firefox
      root 17071 0.0 0.0 15848 2112 ? S 09:51 0:00 firejail firefox
      netblue 17072 30.2 5.3 990236 379072 ? Rl 09:51 2:20 firefox

      The sandbox process (17071) reported as root does nothing. It just monitors firefox process in order to close the sandbox when firefox is shut down. Firefox process 17072 should definitely be reported as a regular user. If not, it is a bug!

      The --noroot option applies to the processes running inside the sandbox (17072) and not to the sandbox process itself (17071). The sandbox still needs to be root in order to remove the root user from inside the sandbox. Also you would need a kernel 3.8 or newer to run it. Do a simple experiment:

      $ firejail --noroot
      Parent pid 17183, child pid 17184
      Child process initialized
      $ ping google.com
      ping: icmp open socket: Operation not permitted
      $

      If it cannot ping, it means the root user was removed. I hope it helps.

      Reply
      1. pyrrhicvictory

        Ah, makes total sense and checks out perfectly! Thank you for your work and thank you for taking the time to explain this to me!

  25. somePasserby

    Hi netblue30!

    Just passed by :) and decided I should let you know that the Skype/pulseaudio shared memory crash thing is still there in the most recent version.

    Symptoms and reproduction steps are exactly the same.

    Reply
    1. linux_user9

      yep, i can concur on this issue. in addition to skype, i’m also having google chrome stable crash due to the pulseaudio shared memory (“okay google” and google voice apparently are using pulseaudio). hate pulseaudio, loving firejail. thank you for all your hard work. btw, where can i donate to your project?

      os: debian 7.8 x86_64
      kernel: 3.16.0-0.bpo.4-amd64
      window manager: xfwm
      desktop environment: xfce
      cpu: intel(r) core(tm) i5-2450m cpu @ 2.50ghz

      Reply
  26. Jiggler

    Nice work netblue30!
    Do you think it would be straightforward to use firejail to achieve the holy grail of Tor usage: the Isolating Proxy?
    This is a jailed environment or virtual machine where the only network access to the Internet is via the Tor proxy running on the host. Proof against DNS leaks, proxy bypassing etc. by the applications running therein. It would be nice to derive a recipe for this with firejail!
    https://kromey.us/2013/10/using-shorewall-to-configure-a-tor-isolating-proxy-584.html
    https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy

    Reply
  27. laughinghost

    Hi!
    I’m probably momentarily confused, but a quick question:

    Does the most recent firejail allow apps “inside” the jail to bind to the “host”’s localhost, or do I have to make a fancy iptables dance to make that work?

    Specific usecase:

    Force Shadowsocks client to use a specific interface (tun0) for outgoing traffic.

    I do this via a bridge interface and iptables and the part where shadowsocks has to connect to server works.
    However, the part where it has to bind to localhost and listen there does not appear to work (at least from host’s perspective)

    Reply
    1. netblue30 Post author

      Yes, firejail allows you to bind sockets to localhost – this is how servers such as nginx or apache are running.

      Are you using the --net option? This creates a new network namespace with a new localhost.

      Reply
      1. laughinghost

        Yes, because I want to constrain it to using a specific network interface, so I use -net to constrain it to br0 and then use iptables to ensure stuff gets NATed between br0 and the tun interface I want to constrain shadowsocks to.

        Is there a way to “add” the host’s localhost into the isolated namespace and/or otherwise transparently ferry traffic between firejail’s localhost and, well, host’s localhost ?

        P.S.:
        Threat model doesn’t assume the app is “malicious” and will “break out” via localhost, but rather that the app is dumb and will often try connecting “naked” (eth0) in case of the tiniest VPN failure

      2. netblue30 Post author

        Network namespace always creates a new localhost, isolated from the real localhost.

        You have br0 on both real host and also inside the namespace, and I assume you have an IP address configured for it. Can you communicate with the real local host using this address? Can you ping it?

  28. laughinghost

    Yes.

    Hm, this gives me an idea…

    I can configure separate iptables rules “inside” the jail that will apply to interfaces exposed inside the namespace, right ?

    Reply
    1. netblue30 Post author

      Each namespace has its own netfilter subsystem. So, you will have to set iptables twice, once for localhost and once for the sandbox. Look at the --netfilter option in the man page. It applies a filter you specify to the sandbox.

      Reply
  29. laughinghost

    I suspect that if I connect two bridge interfaces to the sandbox (br0, br1), then forward a port from in-sandbox localhost to “br1”, then on host forward same port from “br1” to host’s localhost….
    and use br0 the way I’m using it now (for talking to tun0 on host) it should get me exactly what I want, right ?

    Reply
    1. netblue30 Post author

      Yes, you can try it out. Also, look if you can bind the server socket directly to br0 or br1 instead of local host (127.0.0.1). Most servers allow you to do it.

      Reply
  30. Terrance Harris

    Ok, after disabling the shared memory feature in pulseaudio everything works fine and the sound settings or sound related apps don’t crash when started. Thanks for figuring this out.

    Reply
    1. Passerby

      Well, that causes some (occasionally noticeable) performance degradation, so, hopefully netblue30 will eventually find a way to fix pulseaudio’s shared memory.

      Reply
    1. netblue30 Post author

      0% CPU load, less than 2MB RSS size.

      It is easy to measure, start firejail in an xterm, and in another xterm do “ps au”:

      $ ps au
      USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
      root 2622 1.8 1.1 229720 80108 tty7 Ssl+ 14:04 7:54 /usr/bin/X :0 -
      root 2826 0.0 0.0 16268 1924 tty1 Ss+ 14:04 0:00 /sbin/getty 384
      root 2827 0.0 0.0 16268 1868 tty2 Ss+ 14:04 0:00 /sbin/getty 384
      netblue 3185 0.0 0.0 21084 5376 pts/1 Ss 14:20 0:00 /bin/bash
      root 4649 0.0 0.0 15856 1864 pts/1 S 21:10 0:00 firejail
      netblue 4650 0.0 0.0 20960 5100 pts/1 S+ 21:10 0:00 /bin/bash
      netblue 4695 0.0 0.0 20960 4984 pts/0 Ss 21:10 0:00 /bin/bash
      netblue 4745 0.0 0.0 16848 2352 pts/0 R+ 21:12 0:00 ps au

      The memory load is smaller than a /bin/bash process.

      Reply
  31. Pingback: Linux: Can LXC be used to jail instances of an installed browser?

  32. scoreunder

    Hi, my current script for launching firefox is this:
    https://github.com/ScoreUnder/scripts-and-dotfiles/blob/master/bin/firefox

    I asked for --shell=none support some time ago and I’m glad to see that it made it into the program. I’ve come up against a problem though: it doesn’t work for --join, so I have to revert to re-quoting the arguments when joining the sandbox.

    I recently stopped using --name with firejail. It makes --join convenient but since it changes what the program sees as the hostname, it is denied access to the X server. This isn’t a firejail problem per se but I thought I’d throw it in here since some people have probably come up against it before. I’m sure there’s a way around that without resorting to blanket allowing hosts via xhost (I run a sshd on this system), but I haven’t figured it out… Ideally I just want to generate a second magic cookie that the sandbox can use, and stick that in its Xauthority.

    Reply
    1. netblue30 Post author

      If I understand correctly, you need a --shell=none option available to --join. Currently, it is hardcoded to /bin/bash. I will add it in the next version.

      --name basically changes the hostname. The name is also used for convenience by several other options such as --join and --shutdown. I think you shouldn’t use it, as it will be rejected by the X server. Instead, use the pid of the sandbox for --join and --shutdown. Extract the pid using the --list option:

      $ firejail --list
      4259:netblue:firejail firefox
      $ firejail --join=4295

      Reply
    1. netblue30 Post author

      Initially, --private was configuring a tmpfs on top of /tmp, but at some point I ran into problems with some programs expecting sockets and other files there. Today I leave /tmp unchanged when the sandbox is started as a regular user, and I only mount tmpfs if the sandbox is started as root. It is a documentation problem. I’ve opened a ticket to track it:

      https://sourceforge.net/p/firejail/tickets/26/

      Thanks!

      Reply
  33. Antoine

    Hi,

    It seems the supplied rules aren’t compatible with the “pipelight” plugin for Firefox. In /var/log/syslog I get:

    Aug 8 10:55:39 fsol firejail[5401]: firejail --debug firefox
    Aug 8 10:55:39 fsol firejail[1]: sandbox 5401, execvp into firefox
    Aug 8 10:55:45 fsol kernel: [ 2142.975659] audit: type=1326 audit(1439024145.192:36): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=5485 comm=”wine” exe=”/opt/wine-staging/bin/wine” sig=31 arch=40000003 syscall=45 compat=1 ip=0xf771af69 code=0x0
    Aug 8 10:55:46 fsol kernel: [ 2144.736935] audit: type=1326 audit(1439024146.956:37): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=5505 comm=”wine” exe=”/opt/wine-staging/bin/wine” sig=31 arch=40000003 syscall=45 compat=1 ip=0xf76f9f69 code=0x0

    Unfortunately I can’t make sense of these messages. Any idea how to solve this issue?

    Thanks.

    Reply
    1. netblue30 Post author

      Wine is crashed by the kernel on trying to execute syscall 45. Can you please run:

      $ firejail --debug-syscall | grep 45

      It will tell us what function Wine was running. Thanks!

      Reply
      1. netblue30 Post author

        No, it shouldn’t be blocked. I suspect it is the “caps.drop all” line in the profile file /etc/firejail/firefox.profile. You can play around commenting out some of the lines in that file (add a # in front).

      2. Antoine

        It turns out the “seccomp” line is responsible. Any idea why that would be? What are the dangers of disabling it?

      3. netblue30 Post author

        The seccomp filter I use shouldn’t mess with recvfrom. It is looking only at system-level syscalls that modify the swap memory, mount hard drives etc. I don’t know what’s going on. I’ll keep an eye on it on my side here, maybe I come up with something.

        From a security perspective running windows executables under wine in your Linux web browser is a very bad idea.

      4. netblue30 Post author

        wine is a 32bit executable – at least on my Debian system. The seccomp filter is architecture specific, set at compile time – 64bit for most users. It turns out syscall numbers don’t match in 32bit and 64bit architectures. For example, syscall 311 is a harmless sys_set_robust_list on 32bit and a troublesome process_vm_writev on 64bit (disabled by the default filter on 64bit architectures).

        "firejail --seccomp wine --version" fails the architecture validation at the start of the default filter, printing a false recvfrom syscall. If I remove the architecture validation at the start of the filter, I immediately get syscall 311 failing. This will never work without heavy duty lifting in the Linux kernel.

        The workaround is not to use seccomp in this case.
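The architecture check described in this exchange (look at the arch field of seccomp_data before the syscall number, because 311 is the harmless set_robust_list on 32-bit x86 and process_vm_writev on x86-64) can be seen in a small C program. This is an added example, not Firejail's default filter: it builds a minimal seccomp-bpf program that kills any task whose architecture is not x86-64, returns EPERM for syscall number 311 on x86-64 and allows everything else, and includes a tiny interpreter for the three BPF opcodes used so the decisions can be checked without installing the filter in the running process. The number 311 comes from the thread; the filter layout and the helper names are assumptions made for the example.

```c
/* Added example (not Firejail's own filter): an architecture-validated
 * seccomp-bpf program plus a tiny interpreter to check its decisions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Syscall number discussed in the thread: process_vm_writev on x86-64,
 * but the harmless set_robust_list on 32-bit x86. */
#define BLOCKED_NR 311

/* The filter: 1) load arch, 2) kill if it is not x86-64 (so a 32-bit
 * caller can never have its numbers interpreted with the 64-bit table),
 * 3) load nr, 4) return EPERM for BLOCKED_NR, 5) allow everything else. */
static const struct sock_filter arch_checked_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, BLOCKED_NR, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof arch_checked_filter / sizeof arch_checked_filter[0])

/* Interpreter for the subset of classic BPF used above (absolute word
 * load, jump-if-equal, return constant). Jump offsets are relative to
 * the instruction after the jump, hence the pc++ in the loop header. */
unsigned int eval_filter(const struct sock_filter *prog, size_t len,
                         const struct seccomp_data *data) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)data + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL; /* opcode not modelled here: fail closed */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: fail closed */
}

/* Decision the filter would make for syscall nr issued by a task of the
 * given audit architecture. */
unsigned int decide(unsigned int arch, int nr) {
    struct seccomp_data data;
    memset(&data, 0, sizeof data);
    data.nr = nr;
    data.arch = arch;
    return eval_filter(arch_checked_filter, FILTER_LEN, &data);
}

/* Install the filter in the calling process. Only meaningful on x86-64:
 * on any other architecture the very next syscall would be killed. */
int install_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN,
                               .filter = (struct sock_filter *)arch_checked_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    printf("x86-64, nr %d -> 0x%08x (ERRNO)\n", BLOCKED_NR, decide(AUDIT_ARCH_X86_64, BLOCKED_NR));
    printf("x86-64, nr 1   -> 0x%08x (ALLOW)\n", decide(AUDIT_ARCH_X86_64, 1));
    printf("i386,   nr %d -> 0x%08x (KILL)\n", BLOCKED_NR, decide(AUDIT_ARCH_I386, BLOCKED_NR));
    return 0;
}
```

The i386 case is the one that matters for the Wine report above: a 32-bit process hits the architecture check first and is killed outright, which is why the tool reports a failure at the start of the filter rather than a syscall name that makes sense. A filter that wants to support both ABIs needs a separate syscall table per architecture behind that check; dropping the check, as the reply notes, just moves the failure to the next mismatched number.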

  34. Vasya

    Does firejail currently have any options on X server isolation?

    Any application having access to it can read all keyboard strokes, capture mouse movements and could probably hijack the whole “host” user who runs the Xserver.

    Maybe there is some work underway?

    Reply
      1. Vasya

        Note: some people use Xephyr for this task.
        Most applications work through it (with rare exceptions). Although I don’t know whether the code base is bug-free and reliable enough. Just worth mentioning in this context.

  35. suds

    Thank you (and team?) for all your hard work! I don’t use/understand all aspects, but i appreciate it highly none-the-less. Currently i Firejail Iceweasel, google-chrome, and TorBrowser. Thank you again, I hope this never goes away.

    Reply
  36. Comodet

    This really is very promising, simple to use jailing. Just the SUID makes me a bit nervous. Is it not possible to do this with capabilities and drop them when everything is set up?

    Reply
    1. netblue30 Post author

      I don’t really know, maybe it is possible. It all depends on the kernel code, if you can control seccomp and namespaces using capabilities from a regular user account.

      From what I’ve seen so far, people using namespaces and seccomp run either full root, or SUID.

      Reply
  37. Antt

    Hi, can you add an option for net = none in the profiles? Right now I have to pass it every time I start firejail. Thanks.

    Reply
    1. netblue30 Post author

      My intention is to have all networking options exposed in profile files in the next two or three releases.

      Just curious, what programs are you running with --net=none? So far I’ve heard from a number of users about vlc.

      Reply
  38. intelcow

    When I try to use a network namespace attached to my ethernet device (enp0s25) it always defaults to being down. Is there anything I need to do to bring the interface up automatically?

    $ firejail --private --net=enp0s25
    Parent pid 24957, child pid 24959

    Interface MAC IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP
    eth0-24957 00:00:00:00:00:00 10.0.0.21 255.255.255.0 DOWN
    Default gateway 10.0.0.1

    Child process initialized
    $

    Reply
    1. netblue30 Post author

      Strange, the Ethernet address seems to be all 0 (00:00:00:00:00:00). What distribution are you using? Is this a wireless interface?

      Can you try to force a MAC address and post the output here: "firejail --debug --net=enp0s25 --mac=00:11:22:33:44:55".

      Can you please post the output of

      Reply
      1. intelcow

        I’m sorry, I should have clarified. I changed the MAC address to zeroes for posting (which I guess was pointless, that address is just random?). It is set correctly. I didn’t edit anything else in the output.

        I’m on Arch Linux. The interface in question is wired.

        Unedited output follows.

        $ firejail --debug --net=enp0s25
        macvlan parent device enp0s25 at 10.0.0.20/24
        Command name #bash#
        Parent pid 9521, child pid 9523
        create macvlan eth0-9521, parent enp0s25
        Initializing child process
        PID namespace installed
        Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
        Mounting tmpfs on /var/lock
        Mounting tmpfs on /var/tmp
        Mounting tmpfs on /var/log
        Mounting tmpfs on /tmp/firejail/mnt directory
        Create the new utmp file
        Mount the new utmp file
        Disable /home/lost+found
        Remounting /proc and /proc/sys filesystems
        Remounting /sys directory
        Disable /proc/sysrq-trigger
        Disable /proc/sys/kernel/hotplug
        Disable /sys/kernel/uevent_helper
        Disable /proc/irq
        Disable /proc/bus
        Disable /proc/kcore
        Disable /proc/kallsyms
        Mounting a new /boot directory
        Disable /dev/port
        ARP-scan eth0-9521, 10.0.0.20/24
        IP address range from 10.0.0.1 to 10.0.0.255
        Trying 10.0.0.84 …
        Configuring 10.0.0.84 address on interface eth0-9521
        Network namespace enabled

        Interface MAC IP Mask Status
        lo 127.0.0.1 255.0.0.0 UP
        eth0-9521 52:53:9d:68:1e:cb 10.0.0.84 255.255.255.0 DOWN
        Default gateway 10.0.0.1

        Username lcd, groups 100, 7, 10, 91, 108, 1000, 1001, 992,
        Starting /bin/bash
        execvp argument 0: /bin/bash
        execvp argument 1: -c
        execvp argument 2: /bin/bash
        Child process initialized
        [lcd@myhost ~]$ ip link
        1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        2: eth0-9521: mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
        link/ether 52:53:9d:68:1e:cb brd ff:ff:ff:ff:ff:ff link-netnsid 0

  39. v

    Hi, I ran into a very strange issue with firejail today and I am not sure what the reason is. I wrote about it in my blog

    https://madebits.github.io/#blog/2015/2015-08-28-Strange-visudo-Error.md

    and I am pasting the text here:

    I ran into a strange visudo error in Ubuntu 14.04. If I try to edit via sudo visudo, or sudo -i and then visudo, I cannot save my changes, and get the following error:

    visudo: error renaming /etc/sudoers.tmp, /etc/sudoers unchanged: Device or resource busy

    I thought first it was some SSD related issue (I have a SSD). After failing to find anything in Google, I noticed by chance this is related to chromium-browser being open. As soon as I open chromium-browser I get the same error, and as soon as I close it, visudo works, fully reproducible.

    After a further look, it turned out that I use firejail chromium-browser to start Chrome. If I start chromium-browser without firejail then visudo works without problems, so it seems to be related to firejail usage. However, just starting only firejail (with bash) I do not get this problem. So it should be related somehow to the firejail chromium-browser profile.

    Reply
  40. v

    I just wrote about visudo, one missing piece: I have customized the chromium firejail profile (in ~/.config/firejail) to add blacklist /etc/sudoers. But, I fail to see how this affects visudo in a separate terminal.

    Reply
    1. netblue30 Post author

      To be honest, I would be very worried if my browser suddenly starts calling sudo, visudo or any other program in /usr/sbin. The security filter used by firejail with Chromium will prevent system administration programs in /sbin and /usr/sbin from running. When you start bash under firejail, the filter is more permissive.

      You can always see what the filter is blocking by running with the --debug option, in your case "firejail --debug chromium".

      Reply
