Firejail


Please note that the Firejail project page has moved to http://firejail.wordpress.com

Mozilla Firefox starting in a Firejail sandbox.


Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It gives a process and all its descendants their own private view of globally shared kernel resources such as the network stack, the process table and the mount table. Being SUID root, the firejail binary itself must be trusted: it builds the sandbox with root privileges and drops them before the target program runs. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel or newer. It can sandbox any type of process: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of common Linux programs, such as Mozilla Firefox, Chromium, VLC and Transmission.

The sandbox is lightweight and the overhead is low. There are no complicated configuration files to edit, no open socket connections and no daemons running in the background. All security features are implemented directly in the Linux kernel and are available on any Linux computer. To start the sandbox, prefix your command with “firejail”:

$ firejail firefox            # starting Mozilla Firefox
$ firejail transmission-gtk   # starting Transmission BitTorrent 
$ firejail vlc                # starting VideoLAN Client
$ sudo firejail /etc/init.d/nginx start

Home page: http://firejail.wordpress.com


Firetools

Firetools is the graphical user interface for the Firejail security sandbox. It provides a sandbox launcher integrated with the system tray, plus sandbox editing, management and statistics. The application is built using the Qt4 libraries and is distributed as a separate package.

Firetools launcher and active sandbox list

Home page: http://firejail.wordpress.com

293 thoughts on “Firejail”

  1. Brohn Doe

    Hi!

    The company I work for is looking for an easy way to sandbox some of the development environments; it has everything we need except for one thing: it’s not available in Ubuntu’s repositories. I see they are available upstream. Any plans to get it approved so we can just apt-get? It’s the only way I could justify the use for my company; they don’t even allow PPAs.

    Thank you for this amazing piece of software!

    Reply
  2. SomeoneWhoCares

    Regarding the Pulseaudio discussion in https://github.com/netblue30/firejail/issues/69
    There is no need to disable shared memory in Pulseaudio entirely, or to copy files from ~/.config/pulse/ into the sandbox.
    Just edit /etc/pulse/default.pa – change the line

    load-module module-native-protocol-unix

    to

    load-module module-native-protocol-unix srbchannel=no

    and restart the pulseaudio daemon.

    Sorry for posting this here, but I don’t have a Github acct.

    Reply
    1. netblue30 Post author

      Thanks for the hint. Today I put a fix in the firejail code (on github), so it will always start the PulseAudio client with enable-shm=no inside the sandbox.

      Reply
  3. Utini

    I wish there were a way for firejail to “watch” which protocols/mime types/apps are getting started and, if they are in the “sandbox list”, automatically sandbox them.

    E.g. if I run “okular” from the application finder then okular won’t simply start but firejail will interrupt and run “firejail okular”.
    Same goes for links I click on: instead of opening a link in a document with “iceweasel”, firejail would detect and interrupt and start “firejail iceweasel” -> link.

    Reply
      1. Utini

        Btw sorry for that bad English.. I will re-write with correct English lol

        E.g. if I would run “okular” from the application finder then okular wouldn’t simply start but firejail would interrupt the start of “okular” and instead run “firejail okular”.
        Same goes for links which I would click on: instead of opening a link in a document with “iceweasel”, firejail would detect, interrupt and start as “firejail iceweasel” -> link.

      2. netblue30 Post author

        You are talking about integrating firejail in the desktop, so when you click on an icon, or menu, or some file in the file manager, the program will run inside the sandbox instead of running directly. This feature is still under development, and it will be a while until something like this becomes available. btw, there’s nothing wrong with your English!

  4. Ali Abdallah

    I did not manage in any way to get it working with Skype. Even with a basic profile, when running firejail skype, I get:
    ….
    Child process initialized
    parent is shutting down, bye…

    And nothing else.

    Reply
  5. Pingback: Unix:LXC containers as a sandbox environment – Unix Questions

  6. Pingback: Unix:Can LXC be used to jail instances of an installed browser? – Unix Questions

  7. Batmancatman

    Sorry if I’m stupid, but… Is there a Chrome profile included? I’m considering making an idiot proof computer with Linux Mint, Chrome and Firejail, but I don’t feel like dedicating my life to it. Great program by the way!

    Reply
      1. Batmancatman

        Yeah but does that work for Google Chrome? I’m not talking about Chromium. Sorry if I’m unclear as… I dunno, only slept 4 hours tonight. Thanks for the response!

      2. netblue30 Post author

        The same profile is used for Chromium and Google Chrome. This is how you start Google Chrome:

        $ firejail --profile=/etc/firejail/chromium.profile google-chrome
  8. Pingback: Unix:How can I use Skype with lxc? – Unix Questions

  9. Pingback: Unix:replicate and isolating user environments on the fly – Unix Questions

  10. Pingback: Lightweight method of an application sandbox for which I can control network settings of? « news-Knowlage FeeD

    1. netblue30 Post author

      Once you have started the sandbox, you can modify the bandwidth for the sandbox, and make it 0 if this is what you need. Example:

      Start the sandbox with a network namespace:

      $ firejail --name=browser --net=eth0 chromium

      From a different terminal window you set the bandwidth. The first number is the rx bandwidth (in kilobytes per second), the second number is the tx bandwidth:

      $ firejail --bandwidth=browser set eth0 80 20

      I’ll try to bring support for changing the iptables/netfilter configuration of a running sandbox into the next version. At the moment netfilter config is supported only when the sandbox is started.

      Reply
  11. anonymous

    How would I go about sandboxing my browser so that it can only connect to localhost:9050 (my socks proxy)? It would be great if there was a –net=local option that only allowed connections to the existing loopback interface, because I can’t for the love of me figure out how to do this. Maybe I’m just missing something obvious.

    Reply
  12. p

    Thanks for firejail. I get the following crash for Firefox:

    Firefox 42.0 in Ubuntu 64 bit, firejail --version 0.9.34
    crash with:

    (firefox:1): GLib-WARNING **: getpwuid_r(): failed due to: Permission denied.
    WARNING: content window passed to PrivateBrowsingUtils.isWindowPrivate. Use isContentWindowPrivate instead (but only for frame scripts).
    pbu_isWindowPrivate@resource://gre/modules/PrivateBrowsingUtils.jsm:25:14
    nsBrowserAccess.prototype.openURI@chrome://browser/content/browser.js:15449:21
    Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve property `GtkRange::activate-slider’ of type `gboolean’ from rc file value “((GString*) 0x7f9f8accc3c0)” of type `GString’
    Vector smash protection is enabled.
    libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
    libdc1394 error: Failed to initialize libdc1394
    ERROR: Could not determine network interfaces, you must use a interfaces config line

    Reply
    1. netblue30 Post author

      I have Firefox 42.0 running fine under Arch Linux. Try this command:

      $ firejail --noprofile firefox

      This disables the default profile for Firefox. If it works, it means it is something in the profile that bothers it. So, you open the profile file in an editor and comment out lines in the file until you find the one that creates the problem. The profile file is /etc/firejail/firefox.profile; you’ll have to edit it as user root. Start with the “noroot” and “protocol …” lines, just a guess. When you do this test, you start firefox as usual:

      $ firejail firefox

      Reply
      1. p

        Thanks for the reply. Commenting out the protocol unix,inet,inet6 line in the profile seems to work. What could be the problem?

      2. p

        I managed to get some more log lines from the firefox crash when the firejail protocol line is not commented out. I have to browse for a few seconds for it to crash. It seems I have to add netlink to protocol. When set as protocol unix,inet,inet6,netlink firefox works ok.

        libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
        libdc1394 error: Failed to initialize libdc1394
        ERROR: Could not determine network interfaces, you must use a interfaces config line
        [NPAPI 67] ###!!! ABORT: Aborting on channel error.: file /build/firefox-0CLoLb/firefox-42.0+build2/ipc/glue/MessageChannel.cpp, line 1768
        [NPAPI 67] ###!!! ABORT: Aborting on channel error.: file /build/firefox-0CLoLb/firefox-42.0+build2/ipc/glue/MessageChannel.cpp, line 1768

      3. netblue30 Post author

        It is trying to connect to some firewire or usb camera and it fails to open the socket (netlink is disabled by default). It is a firefox bug; it should not crash. I will enable netlink in the next release, so for now use “protocol unix,inet,inet6,netlink”. Thanks!

  13. GNUser

    Hey, how’s it going?
    Look, I have been thinking: is it possible to port Firejail to the ARM architecture? Specifically to work with debian armhf.
    If you could provide a deb package for that architecture it would be useful for boards like banana pi, raspberry pi, beagleboard, etc.

    Reply
  14. Henry

    Hello,

    I’m using firejail 0.9.34 on a Gentoo machine (Linux 4.1.7).

    Whatever command I run (even “firejail ls”), I get a warning telling me “an existing sandbox was detected”… effectively cancelling all of the jailing and running my “ls” in the normal userspace.

    Any thoughts on this behavior ?

    regards,
    H

    Reply
    1. netblue30 Post author

      It means when you run “firejail ls” you are already in a firejail sandbox – or maybe in another type of sandbox?

      ls will run without any additional sandboxing. The rules imposed by the existing sandbox still apply.

      In version 0.9.36 I’ve introduced a --force option that will allow you to chain multiple sandboxes. Depending on how the first sandbox was configured, it might prevent the second sandbox from starting. It is useful for running firejail in LXC or Docker containers.

      Reply
  15. eli

    Hi,

    is it possible to re-attach to an overlay after the sandbox is closed? Now a new overlay is always created, but I would like to continue where I left off.

    Thanks,
    eli

    Reply
  16. thatguy

    Hello,

    Not sure if this is possible since I’m not sure how each desktop manager handles it, but would it be possible to change the window title for applications sandboxed with firejail? For example, change “app_title” in the taskbar to read “[sandbox_name] app_title” when the program is running inside the sandbox.

    Thanks!

    Reply
  17. bancfc

    How does firejail handle isolation for the X server? Do you use Xpra? Similar software like the oz sandboxing framework has begun to integrate Wayland support to provide stronger isolation properties for GUI applications. Any similar plans or ETA?

    Reply
  18. xwFAoz

    Hey netblue30,

    Is there any chance for read-only whitelisting? I would like to whitelist a certain file, but also to make sure the program can’t change that file. Right now, I try to make a copy of that file to a temporary private home, but some files are too large to do that with.

    Thanks for the update!

    Reply
  19. a_user

    Hello,

    First off, thanks for this awesome program. I’ve been looking for something that would do this in Linux for over a decade. I always ended up using some painful process to accomplish what firejail does so easily.

    One problem, though. When I have an encrypted folder mounted using cryptkeeper (which uses EncFS), and I blacklist the mount point for a specific program, the program can see into the directory anyway. The process works fine using the .profile files in $HOME/.config/firejail/firefox.profile for any other folder; it is just ineffective on the mounted path of the encrypted volume, and lets the program see right in there and access all contents. I have tested this every way and there must be a solution somewhere.

    Thanks for any ideas,
    A_User

    Reply
  20. Sam

    Howdy,

    Very cool project, I really like the idea and execution (pun intended!).
    I was wondering if it would be possible to compile this for OSX – does it depend on anything that’s specific to the Linux kernel?

    Reply
