Firejail

Mozilla Firefox starting in a Firejail sandbox.

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of globally shared kernel resources such as the network stack, process table and mount table. Because the binary runs setuid root in order to set up those namespaces, it is itself part of the trusted computing base and should be kept up to date like any other privileged component.

Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel.


Downloads

Source Code Archive
64-bit DEB Package for Debian, Ubuntu, Linux Mint
32-bit DEB Package for Debian, Ubuntu, Linux Mint
64-bit RPM Package for Fedora, openSUSE, CentOS 7, RHEL 7
Arch Linux package in AUR
Slackware Linux package on SlackBuilds.org

News

April 2015 – version 0.9.26-rc2 released. This is the second release candidate for version 0.9.26. The new version brings in support for a private /dev directory, private home directory whitelisting, user namespaces and bugfixes. Release Announcement, Download.

April 2015 – version 0.9.24 released. It brings in several bugfixes, full support for blacklist and whitelist seccomp filters, double-dash (--) support, --shell=none support, default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem, and a number of smaller features. Note: support for an empty seccomp attribute has been deprecated; use --seccomp.drop instead. Release Announcement, Release Notes.

March 2015 – version 0.9.22 released. Starting with this release, 32-bit builds are supported. A 32-bit .deb package for Debian/Ubuntu/Mint and derivatives is available in our download section. The release implements Linux capability whitelist and blacklist filters, macvlan networking support, Netfilter and DNS support, network statistics via the --netstats option, overlay filesystem support when running on Linux kernel version 3.18 or newer (--overlay option), and sandbox standard output logging. The release also introduces support for the Thunderbird/Icedove email client and updated security profiles for all other applications supported by default by Firejail.
Release Announcement, Release Notes

February 2015 – version 0.9.20 released. This release fixes a number of bugs reported by users, and brings in several new features: Linux control group support, CPU affinity, Opera web browser and VLC media player support, and monitoring enhancements. A description of the new features is provided in our Release Announcement.
Release Notes


Documentation

Features   Download and Installation   Usage

Manual Pages: firejail, firemon, firejail profile files


Support

Please use the comment section on any page on this blog, or sourceforge.net/projects/firejail/support. All contributions are welcome: ideas, patches, documentation, bug reports, complaints.


170 thoughts on “Firejail”

  1. somePasserby

    With regards to pulseaudio segfaults mentioned above:

    Could it be so that it is related to the Skype-pulseaudio shared memory crash I described (and am still experiencing in most recent version)?

    Terrance Harris, could you try disabling shared memory for pulseaudio and see if the problem persists?

    Reply
  2. Pingback: Firejail, un sandbox universal para Linux - Detrás del pingüino

  3. somePasserby

    Any news with regards to the skype-pulseaudio shared-memory-related crash? (Still getting the same behavior on the most recent version.)

    I don’t wanna nag or anything (but I do want to have better sound latency with jailed skype :) )

    Reply
      1. somePasserby

        Lubuntu 12.04

        I have reported this bug previously (here in the comments and on sourceforge)
        Basically, if pulse is configured to use shared memory and Skype is launched within firejail, trying to do a voice call will cause a crash.

      2. somePasserby

        Not to nag too much, but any ETA on pulseaudio shared memory-related bug (aka Skype segfaults when pulse has shared memory enabled) ?

        I realize that weirdo closed-source apps that rely on pulse specifically are probably not a priority :)

  4. vds

    Thanks a lot for releasing this application, it’s extremely useful and easy to use. I wonder if it is possible to restrict the access to /tmp and /var like the private option allows for $HOME. Thanks.

    Reply
    1. netblue30 Post author

      You’re welcome. The private option also installs a new /tmp directory, similar to /home.

      To install a new temporary fs (similar to /home and /tmp above) on top of any other directory, use the --tmpfs option:

      $ firejail --private --tmpfs=/var

      You will get a new /home/user, new /tmp, and a new /var.

      Reply
  5. Hackepeter

    Hi netblue30,

    Thank you for making POSIX capabilities fully configurable in the latest release! Now it would be very nice to have syscall whitelist filters too …

    Keep up your good work!

    Reply
  6. Hackepeter

    Hi netblue30,

    Why are the following options not allowed in profile files?
    chroot
    defaultgw
    dns
    ip
    ipc-namespace
    name
    net
    netfilter filename (netfilter without filename works!)
    overlay
    shell

    Also, separating options and arguments by tabs doesn’t work, at least not immediately following the option.

    Reply
    1. netblue30 Post author

      The plan is to have all the command line options supported also in profile files.

      > Also, separating options and arguments by tabs doesn’t work, at least not immediately following the option.

      What exactly are you trying to do, can you give an example, thanks!

      Reply
  7. Hackepeter

    Hi netblue30,

    > What exactly are you trying to do, can you give an example, thanks!

    Tabs between options and arguments *do* work – sorry for the false alarm! Looks like I had a typo in the profile file while testing this issue.

    Reply
  8. a name was required

    Can you add an option for starting without a shell?
    Currently if I want to sandbox an arbitrary program, 'firejail "$@"' won't work. There's no "--" argument (usually used to terminate option lists and specify that everything afterwards is a positional argument), and there's no --no-shell option or something like that.

    I'd like to be able to say 'firejail -- "$@"' and have it run the argument list as a program with the given arguments in the sandbox, but (as well as not having --), the presence of the shell means that special characters will get mangled and broken unless correctly escaped. Escaping should not be necessary.

    Test cases:
    firejail -- echo 'hello " world'
    firejail -- touch 'file with spaces'
    firejail -- echo 'and & or |'
    # This next one needs a little preparation
    firejail -- -dir-with-initial-hyphen/testscript

    (Also, if this were github, I’d probably just find and fix it myself and pull request it. It’s never anywhere near that convenient on SF)

    Reply
  9. droptorootshell

    Hello.
    Really fantastic job bro. Keep it up please!
    One question regarding whitelisting and blacklisting directories.
    /etc/firejail/firefox.profile

    blacklist /etc/
    whitelist /etc/pango/
    Is there any whitelist option? Or at least something like this:

    blacklist /etc/ ! /etc/pango/ # assuming /etc/ blocked except /etc/pango/
    Is there any such configuration for whitelisting?
    Thanks in advance and please Keep Up!

    Reply
  10. AnArchy

    I started a thread over at
    http://forums.scotsnewsletter.com/index.php?showtopic=76690#entry419011
    If anyone has any tips and tricks to share they would be most welcome to do so.

    A very interesting program indeed and some of the best documentation for a new program, or a lot of more mature programs, that I have ever come across.
    The program runs fine in Arch 64 and seems to have minimal overheads. Tried running "$ firejail --private firefox" and "$ firejail firefox" and both ran as if I had started them as normal.
    Thanks for all the work.

    Reply
  11. Lukas Schauer

    Can’t report bugs on sourceforge so I’ll just do it here.

    I'm having a fun little security problem with firejail… I'm using it as a wrapper for chromium and use that as the default browser for my system. Now I found that if there is a '&' in a URL, chromium doesn't open…
    Playing around with it I found that using a '&' in a parameter in firejail makes firejail execute whatever comes after that character, probably because it's interpreting it as a shell would…
    This is kinda problematic… I built a workaround encoding the URL in base64 first, but this is quite ugly, and I hope this will get fixed eventually…

    Test case: firejail --profile=/etc/firejail/chromium.profile /usr/bin/chromium "&echo hello world"

    Output:
    Child process initialized
    hello world

    At least it gets executed inside the jail… but it’s still quite bad.

    Reply
    1. netblue30 Post author

      Actually I prefer the bugs left here on the blog. It is much easier to handle them.

      Character '&' is a control character for the bash shell, so it needs to be escaped (add a \ before it) or placed in quotes (single or double).

      What happens is that firejail internally starts the program using a second bash shell. As a result, character '&' has to be escaped twice. These are some examples that should work:

      $ firejail chromium "http://asdf\&jklm"
      $ firejail chromium '"http://asdf&jklm"'
      $ firejail "chromium 'http://asdf&jklm'"

      Reply
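An alternative to escaping twice, added here as an example and not part of the original thread or of Firejail itself: a wrapper that relies on the --shell=none and "--" options listed in the 0.9.24 release notes above, so that with --shell=none firejail execs the browser directly and the URL arrives as a single argv element without passing through any shell. The FIREJAIL, PROFILE and BROWSER defaults and the leading-dash check are assumptions made for illustration; --profile= is used as in the test case above.

```shell
#!/bin/sh
# Added example, not Firejail's own code: open a URL in a sandboxed browser
# without letting the URL reach a shell. --shell=none and "--" are the options
# the 0.9.24 release notes list; the defaults below are assumed for illustration.

FIREJAIL=${FIREJAIL:-firejail}
PROFILE=${PROFILE:-/etc/firejail/chromium.profile}
BROWSER=${BROWSER:-/usr/bin/chromium}

# "--" stops firejail from parsing options, but the browser still sees its own
# argv, so refuse anything that looks like an option rather than a URL.
is_plain_url() {
    case $1 in
        -*) return 1 ;;
        '') return 1 ;;
        *)  return 0 ;;
    esac
}

# Each argument is passed as exactly one argv element: '&', spaces, quotes and
# '|' are data, because the wrapper quotes its expansions and firejail, with
# --shell=none, does not hand the command line to a second shell.
jail_open_url() {
    url=$1
    if ! is_plain_url "$url"; then
        printf 'refusing argument that is not a plain URL: %s\n' "$url" >&2
        return 2
    fi
    "$FIREJAIL" --profile="$PROFILE" --shell=none -- "$BROWSER" "$url"
}

# Direct use: sh jail-browser.sh 'http://asdf&jklm'
if [ $# -gt 0 ]; then
    jail_open_url "$1"
fi
```

Register the script as the system's default browser handler in place of a bare firejail invocation; with it, the "&echo hello world" test case from the comment above is delivered to chromium as a literal argument and nothing after the '&' is executed anywhere.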
  12. bob nelson

    I’ve been attempting to run firejail from within a chroot environment and I always get the following error:
    Error mounting filesystem as slave:sandbox(117): Invalid argument
    I assumed that all I would need mounted would be normal stuff such as /dev /proc /sys, but apparently not. Any ideas?

    Reply
    1. netblue30 Post author

      It is actually a bug in the program, thanks!

      This is a workaround. Assuming you have a root filesystem in /systems/rootfs, chroot into your rootfs:

      # chroot /systems/rootfs

      Export an environment variable “container” and start firejail:

      # container="firejail" firejail

      I’ll bring in a real fix in the next version.

      Reply
  13. bob nelson

    Thanks that did the trick. Now I’m faced with a different problem, whenever I run something with it, it ends up unmounting /proc, both inside my chroot and outside (it’s a normal bind mount). Any ideas on that one?

    Reply
    1. netblue30 Post author

      I cannot reproduce it on Debian 7.
      Suggestion: use firejail to set the chroot, something like this:

      # firejail --chroot=/path-to-new-rootfs

      Reply
  14. bob nelson

    Unfortunately running it from within the chroot is necessary, i.e. nothing can be initiated from outside of it, including firejail itself. My test machine is Debian 7 as well. Also, as a side effect of running something I end up with tons of mounts for all of the things that firejail is blacklisting, that never go away, such as:

    /dev/vda1 on /test_chroot/usr/bin/sudo type ext4 (rw,relatime,errors=remount-ro,commit=60,data=ordered)

    mount |grep chroot -c
    57

    even after exiting the firejail process, they remain.

    is there any way to tell it not do do the remounting of proc or other things?

    Reply
    1. netblue30 Post author

      > i end up with tons of mounts for all of the things that firejail is blacklisting, that never go away

      This means when the sandbox is shut down, some process inside the sandbox is still running, and the kernel does not remove the namespaces.

      If you can open another terminal you can check what processes are created in the sandbox. So, while the sandbox is active, in a different terminal run "firejail --tree" and it gives you a list of all processes inside the sandbox. Then close the sandbox and check the processes with "ps aux".

      Reply
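A check for the situation discussed in this exchange, added here as an example and not part of Firejail: after the sandbox has exited, list the mounts still present under the chroot path (parsed from `mount` output in the format shown in the comment above) and list the processes whose mount namespace is not the one PID 1 lives in, which is what "some process inside the sandbox is still running" looks like from the host. The sample mount lines are constructed, the path /test_chroot is the one from the thread, and reading other users' /proc/PID/ns/mnt links requires root.

```shell
#!/bin/sh
# Added example, not Firejail's own code: post-exit hygiene check for a
# sandbox started from inside a chroot.

# Print the mount points, read from `mount`-style lines on stdin
# ("/dev/vda1 on /test_chroot/usr/bin/sudo type ext4 (...)"), that sit at
# or below the path given as $1. "/test_chroot_backup" is not below "/test_chroot".
leftover_mounts() {
    awk -v p="$1" '$2 == "on" && ($3 == p || index($3, p "/") == 1) { print $3 }'
}

# Same, as a single number. Anything but 0 after the sandbox has exited means
# a process inside it is still alive and keeping its mount namespace around.
count_leftover_mounts() {
    leftover_mounts "$1" | wc -l | tr -d ' '
}

# PIDs whose mount namespace differs from PID 1's. Works for your own
# processes; root is needed to inspect everyone's. Prints nothing if
# /proc/1/ns/mnt cannot be read.
foreign_mntns_pids() {
    root=$(readlink /proc/1/ns/mnt 2>/dev/null) || return 0
    for d in /proc/[0-9]*; do
        ns=$(readlink "$d/ns/mnt" 2>/dev/null) || continue
        if [ "$ns" != "$root" ]; then
            printf '%s\n' "${d#/proc/}"
        fi
    done
    return 0
}

# Constructed sample of `mount` output (device and path names are assumed),
# so the parsing can be exercised without a live chroot.
SAMPLE_MOUNTS='/dev/vda1 on / type ext4 (rw,relatime,errors=remount-ro)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/vda1 on /test_chroot/usr/bin/sudo type ext4 (rw,relatime,errors=remount-ro,commit=60,data=ordered)
/dev/vda1 on /test_chroot/usr/bin/su type ext4 (rw,relatime,errors=remount-ro,commit=60,data=ordered)
proc on /test_chroot/proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/vda1 on /test_chroot_backup type ext4 (rw,relatime)'

# Direct use on a live system: sh check-sandbox-exit.sh /test_chroot
if [ $# -gt 0 ]; then
    echo "mounts still present under $1:"
    mount | leftover_mounts "$1"
    echo "processes outside the initial mount namespace:"
    foreign_mntns_pids
fi
```

Run it once while the sandbox is active (expect the bind mounts and the sandboxed PIDs to show up) and once after closing it; whatever remains in the second run is the process that is keeping the namespace, and therefore the mounts, alive.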
