Firejail

 

Mozilla Firefox starting in a Firejail sandbox.


Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table and mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.

Written in C with virtually no dependencies, the software should run on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of process: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of the more common Linux programs, such as Mozilla Firefox, Chromium, VLC and Transmission.

The sandbox is lightweight and the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in the Linux kernel and available on any Linux computer. To start the sandbox, prefix your command with “firejail”:

$ firejail firefox            # starting Mozilla Firefox
$ firejail transmission-gtk   # starting Transmission BitTorrent 
$ firejail vlc                # starting VideoLAN Client
$ sudo firejail "/etc/init.d/nginx start && sleep inf"

Documentation: Features   Installation   Usage
Manual Pages: firejail, firemon, firejail profile files

 

Firetools

Firetools is the graphical user interface of the Firejail security sandbox. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. The application is built using Qt4 libraries, and it is distributed as a separate package.

Firetools launcher and active sandbox list

Dependencies: Firejail, Qt4 libraries, xterm
Documentation: Installation, Screenshots
Manual Pages: firetools

 

Downloads

Firejail Source Code Archive.
Firetools Source Code Archive.
Debian, Ubuntu, Linux Mint etc.:
Firejail 64-bit DEB Package
Firetools 64-bit DEB Package
Firejail 32-bit DEB Package
Firetools 32-bit DEB Package
Fedora, openSUSE, CentOS 7, RHEL 7:
Firejail 64-bit RPM Package
Firetools 64-bit RPM Package
Arch Linux package in AUR.
Slackware Linux package on SlackBuilds.org.
 

News

June 2015 – Firejail included in Debian.

June 2015 – released Firetools version 0.9.26.1. This is a bugfix release.

May 2015 – released Firetools version 0.9.26. Firetools is a graphical user interface for the Firejail sandbox. This is the first release of the program.

May 2015 – version 0.9.26 released. The new version brings in support for a private /dev directory, private home directory whitelisting, user namespaces, default profiles for Deluge and qBittorrent, and lots of bugfixes. Release Announcement, Release Notes.

April 2015 – version 0.9.24 released. It brings in several bugfixes, full support for blacklist and whitelist seccomp filters, doubledash (--) support, --shell=none support, default profiles for Audacious, Clementine, Gnome-MPlayer, Rhythmbox and Totem, and a number of smaller features. Note: support for the empty seccomp attribute has been deprecated. Use --seccomp.drop instead. Release Announcement, Release Notes.

March 2015 – version 0.9.22 released. Starting with this release, 32-bit builds are supported. A 32-bit .deb package for Debian/Ubuntu/Mint and derivatives is available in our download section. The release implements Linux capability whitelist and blacklist filters, macvlan networking support, Netfilter and DNS support, network statistics support via the --netstats option, overlay filesystem support when running on Linux kernel version 3.18 or newer (--overlay option), and sandbox standard output logging. The release also introduces support for the Thunderbird/Icedove email client and updated security profiles for all other applications supported by default by Firejail. Release Announcement, Release Notes.

 

Support

All contributions are welcome: ideas, feature requests, patches, documentation, bug reports, complaints. Please use the comment section on any page on this blog, or the facilities provided by sourceforge.net.

 

203 thoughts on “Firejail”

  1. somePasserby

    With regards to pulseaudio segfaults mentioned above:

    Could it be so that it is related to the Skype-pulseaudio shared memory crash I described (and am still experiencing in most recent version)?

    Terrance Harris, could you try disabling shared memory for pulseaudio and see if the problem persists?

    Reply
  2. Pingback: Firejail, un sandbox universal para Linux - Detrás del pingüino

  3. somePasserby

    Any news with regards to the skype-pulseaudio shared-memory related crash? (Still getting the same behavior on the most recent version.)

    I don’t wanna nag or anything (but I do want to have better sound latency with jailed skype :) )

    Reply
      1. somePasserby

        Lubuntu 12.04

        I have reported this bug previously (here in the comments and on sourceforge)
        Basically, if pulse is configured to use shared memory and Skype is launched within firejail, trying to do a voice call will cause a crash.

      2. somePasserby

        Not to nag too much, but any ETA on the pulseaudio shared memory-related bug (aka Skype segfaults when pulse has shared memory enabled)?

        I realize that weirdo closed-source apps that rely on pulse specifically are probably not a priority :)

  4. vds

    Thanks a lot for releasing this application, it’s extremely useful and easy to use. I wonder if it is possible to restrict the access to /tmp and /var like the private option allows for $HOME. Thanks.

    Reply
    1. netblue30 Post author

      You’re welcome. The private option also installs a new /tmp directory, similar to /home.

      To install a new temporary fs (similar to /home and /tmp above) on top of any other directory use the --tmpfs option:

      $ firejail --private --tmpfs=/var

      You will get a new /home/user, a new /tmp, and a new /var.

      Reply
  5. Hackepeter

    Hi netblue30,

    Thank you for making POSIX capabilities fully configurable in the latest release! Now it would be very nice to have syscall whitelist filters too …

    Keep up your good work!

    Reply
  6. Hackepeter

    Hi netblue30,

    Why are the following options not allowed in profile files?
    chroot
    defaultgw
    dns
    ip
    ipc-namespace
    name
    net
    netfilter filename (netfilter without filename works!)
    overlay
    shell

    Also, separating options and arguments by tabs doesn’t work, at least not immediately following the option.

    Reply
    1. netblue30 Post author

      The plan is to have all the command line options supported also in profile files.

      > Also, separating options and arguments by tabs doesn’t work, at least not immediately following the option.

      What exactly are you trying to do, can you give an example, thanks!

      Reply
  7. Hackepeter

    Hi netblue30,

    > What exactly are you trying to do, can you give an example, thanks!

    Tabs between options and arguments *do* work – sorry for the false alarm! Looks like I had a typo in the profile file while testing this issue.

    Reply
  8. a name was required

    Can you add an option for starting without a shell?
    Currently if I want to sandbox an arbitrary program, 'firejail "$@"' won’t work. There’s no "--" argument (usually used to terminate option lists and specify that everything afterwards is a positional argument), and there’s no --no-shell option or something like that.

    I’d like to be able to say 'firejail -- "$@"' and have it run the argument list as a program with the given arguments in the sandbox, but (as well as not having --), the presence of the shell means that special characters will get mangled and broken unless correctly escaped. Escaping should not be necessary.

    Test cases:
    firejail -- echo 'hello " world'
    firejail -- touch 'file with spaces'
    firejail -- echo 'and & or |'
    # This next one needs a little preparation
    firejail -- -dir-with-initial-hyphen/testscript

    (Also, if this were github, I’d probably just find and fix it myself and pull request it. It’s never anywhere near that convenient on SF)

    Reply
  9. droptorootshell

    Hello.
    Really fantastic job, bro. Keep it up please!
    One question regarding whitelisting and blacklisting directories.
    /etc/firejail/firefox.profile

    blacklist /etc/
    whitelist /etc/pango/
    Is there any whitelist option? Or at least something like this:

    blacklist /etc/ ! /etc/pango/ #assuming /etc/ blocked except /etc/pango/
    Is there any such configuration for whitelisting?
    Thanks in advance and please Keep Up!

    Reply
  10. AnArchy

    I started a thread over at
    http://forums.scotsnewsletter.com/index.php?showtopic=76690#entry419011
    If anyone has any tips and tricks to share they would be most welcome to do so.

    A very interesting program indeed and some of the best documentation for a new program, or a lot of more mature programs, that I have ever come across.
    The program runs fine in Arch 64 and seems to have minimal overheads. Tried running "$ firejail --private firefox" and "$ firejail firefox" and both ran as if I had started them as normal.
    Thanks for all the work.

    Reply
  11. Lukas Schauer

    Can’t report bugs on sourceforge so I’ll just do it here.

    I’m having a fun little security problem with firejail… I’m using it as a wrapper for chromium and use that as the default browser for my system. Now I found that if there is a '&' in a url chromium doesn’t open…
    Playing around with it I found that using an '&' in a parameter in firejail makes firejail execute whatever comes after that character, probably because it’s interpreting it as a shell would…
    This is kinda problematic… I built a workaround encoding the url in base64 first, but this is quite ugly, and I hope this will get fixed eventually…

    Test case: firejail --profile=/etc/firejail/chromium.profile /usr/bin/chromium "&echo hello world"

    Output:
    Child process initialized
    hello world

    At least it gets executed inside the jail… but it’s still quite bad.

    Reply
    1. netblue30 Post author

      Actually I prefer the bugs left here on the blog. It is much easier to handle them.

      Character '&' is a control char for the bash shell, so it needs to be escaped (add a \ before it) or placed into quotes (single or double).

      What happens is firejail internally starts the program using a second bash shell. As a result, character '&' has to be escaped twice. These are some examples that should work:

      $ firejail chromium "http://asdf\&jklm"
      $ firejail chromium '"http://asdf&jklm"'
      $ firejail "chromium 'http://asdf&jklm'"

      Reply
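The shell-interpretation problem raised in comments 8 and 11, and the double-escaping advice in the reply, as an added example that is not part of the original page or of Firejail: a stand-in launcher that joins its arguments and hands them to a second `sh` (the behaviour the reply describes), beside a variant that single-quotes each argument first. The launcher functions, `shell_quote` and the sample URL are constructed for this illustration; no sandbox is started.

```sh
#!/bin/sh
# Added example (not Firejail code): `sh -c` plays the role of the inner
# shell that a launcher starts, so the effect of joining arguments into one
# command string can be observed without any sandbox.

# Naive launcher: "$*" flattens the argument list, so the inner shell
# re-interprets every metacharacter (&, |, ;, quotes, spaces) found inside
# an argument. Parse errors and "command not found" noise go to /dev/null.
naive_launch() {
    sh -c "$*" 2>/dev/null
}

# Wrap one word in single quotes for an inner sh. An embedded single quote
# becomes the four-character sequence '\'' (close, escaped quote, reopen).
# Limitation: $(...) drops trailing newlines from the argument.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened launcher: quote each argument before joining, so the inner shell
# rebuilds exactly the words the caller supplied.
quoted_launch() {
    joined=""
    for word in "$@"; do
        joined="$joined $(shell_quote "$word")"
    done
    sh -c "$joined" 2>/dev/null
}

# Constructed sample URL: a query string followed by '&' and a command,
# modelled on the "&echo hello world" test case in the comment above.
SAMPLE_URL='http://example.test/?q=1&echo injected'

# printf stands in for the sandboxed program: it echoes the argument it
# received between "ARG:" and ":" so any truncation is visible.
run_naive()  { naive_launch  printf 'ARG:%s:' "$SAMPLE_URL"; }
run_quoted() { quoted_launch printf 'ARG:%s:' "$SAMPLE_URL"; }

# True when the program saw only the part before '&' (the remainder ran as
# a separate command inside the inner shell).
url_truncated() {
    case "$("$1")" in
        *"ARG:${SAMPLE_URL%%&*}:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the program received the whole URL as one unmodified argument.
url_intact() {
    [ "$("$1")" = "ARG:$SAMPLE_URL:" ]
}

printf 'naive launcher : %s\n' "$(run_naive)"
printf 'quoted launcher: %s\n' "$(run_quoted)"
```

With the naive launcher the program sees the URL cut at the '&' and the text after it runs as its own command; with per-argument quoting the URL arrives intact.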
  12. bob nelson

    I’ve been attempting to run firejail from within a chroot environment and I always get the following error:
    Error mounting filesystem as slave:sandbox(117): Invalid argument
    I assumed that all I would need mounted would be normal stuff such as /dev /proc /sys, but apparently not. Any ideas?

    Reply
    1. netblue30 Post author

      It is actually a bug in the program, thanks!

      This is a workaround. Assuming you have a root filesystem in /systems/rootfs, chroot into your rootfs:

      # chroot /systems/rootfs

      Export an environment variable “container” and start firejail:

      # container="firejail" firejail

      I’ll bring in a real fix in the next version.

      Reply
  13. bob nelson

    Thanks that did the trick. Now I’m faced with a different problem, whenever I run something with it, it ends up unmounting /proc, both inside my chroot and outside (it’s a normal bind mount). Any ideas on that one?

    Reply
    1. netblue30 Post author

      I cannot reproduce it on Debian 7.
      Suggestion: use firejail to set the chroot, something like this:

      # firejail --chroot=/path-to-new-rootfs

      Reply
  14. bob nelson

    Unfortunately running it from within the chroot is necessary, i.e. nothing can be initiated from outside of it including firejail itself. My test machine is Debian 7 as well. Also, as a side-effect of running something I end up with tons of mounts for all of the things that firejail is blacklisting, that never go away, such as:

    /dev/vda1 on /test_chroot/usr/bin/sudo type ext4 (rw,relatime,errors=remount-ro,commit=60,data=ordered)

    mount |grep chroot -c
    57

    Even after exiting the firejail process, they remain.

    Is there any way to tell it not to do the remounting of proc or other things?

    Reply
    1. netblue30 Post author

      > i end up with tons of mounts for all of the things that firejail is blacklisting, that never go away

      This means when the sandbox is shut down, some process inside the sandbox is still running, and the kernel does not remove the namespaces.

      If you can open another terminal you can check what processes are created in the sandbox. So, while the sandbox is active, in a different terminal run "firejail --tree" and it gives you a list of all processes inside the sandbox. Then close the sandbox and check the processes with "ps aux".

      Reply
  15. somePasserby

    Oh, cool!
    New versions.

    Would it be worthwhile for me to test if the bug with skype/shared memory/pulse audio persists ?

    I am almost done using skype, but hunting bugs never hurts…

    Reply
  16. fju

    When I launch Firefox in private mode, I am still able to view my home dir by visiting file:///. Using private mode with other applications (bash, chromium) works as expected. The problem seems to be limited to Firefox (Mozilla Firefox 37.0.2).

    $ firejail --private firefox
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Parent pid 15928, child pid 15929
    Interface IP Mask Status
    lo 127.0.0.1 255.0.0.0 UP
    enp0s25 10.0.0.20 255.255.255.0 UP

    Child process initialized

    (process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

    parent is shutting down, bye…

    Interestingly, firejail exits with its “parent is shutting down…” message immediately (despite successfully launching Firefox and the process still being visible with firejail --list). When I launch Chromium, firejail stays in the foreground and does not display the “parent is shutting down…” message until I actually close Chromium. I don’t know if this is related to the problem with private mode.

    Any suggestions?

    Reply
    1. netblue30 Post author

      By default Firefox tries to keep only one process running. When you start a new firefox process, it looks for an existing one. If one is found, the new process shuts down, and the existing one opens a new tab or a new window.

      You could try the -new-instance option:

      firejail --private firefox -new-instance

      Reply
  17. Pingback: Firejail - Une sandbox pour Linux - Korben

  18. Pingback: Firejail – Une sandbox pour Linux - Mon Blog

  19. Pingback: Firejail – Une sandbox pour Linux | MégaPassions le blog

  20. Pingback: Firejail – Une sandbox pour Linux | My Tiny Tools

  21. Pingback: Firejail – Une sandbox pour Linux | L'actualité de la High Tech

  22. Pingback: W-Infos | Firejail – Une sandbox pour Linux

  23. Pingback: NF.sec – Linux Security Blog - Firejail – proste budowanie klatek

  24. pyrrhicvictory

    Possibly a stupid question – Every time I launch firejail (firefox/thunderbird/palemoon), it launches them “as superuser”, and the --noroot option does nothing. Am I doing something wrong? Running Mageia.

    Reply
    1. netblue30 Post author

      It is not a stupid question. If you start the sandbox as a regular user, the processes inside the sandbox should run as a regular user. The sandbox itself runs as root. For example in a terminal, running as a regular user, you would do:

      $ firejail firefox &

      Then you can check using ps aux:

      $ ps aux | grep firefox
      root 17071 0.0 0.0 15848 2112 ? S 09:51 0:00 firejail firefox
      netblue 17072 30.2 5.3 990236 379072 ? Rl 09:51 2:20 firefox

      The sandbox process (17071) reported as root does nothing. It just monitors firefox process in order to close the sandbox when firefox is shut down. Firefox process 17072 should definitely be reported as a regular user. If not, it is a bug!

      The --noroot option applies to the processes running inside the sandbox (17072) and not to the sandbox process itself (17071). The sandbox still needs to be root in order to remove the root user from inside the sandbox. Also you would need a kernel 3.8 or newer to run it. Do a simple experiment:

      $ firejail --noroot
      Parent pid 17183, child pid 17184
      Child process initialized
      $ ping google.com
      ping: icmp open socket: Operation not permitted
      $

      If it cannot ping, it means the root user was removed. I hope it helps.

      Reply
      1. pyrrhicvictory

        Ah, makes total sense and checks out perfectly! Thank you for your work and thank you for taking the time to explain this to me!

  25. somePasserby

    Hi netblue30!

    Just passed by :) and decided I should let you know that the Skype/pulseaudio shared memory crash thing is still there in the most recent version.

    Symptoms and reproduction steps are exactly the same.

    Reply
    1. linux_user9

      Yep, I can concur on this issue. In addition to skype, I’m also having google chrome stable crash due to the pulseaudio shared memory (“okay google” and google voice apparently are using pulseaudio). Hate pulseaudio, loving firejail. Thank you for all your hard work. BTW, where can I donate to your project?

      os: debian 7.8 x86_64
      kernel: 3.16.0-0.bpo.4-amd64
      window manager: xfwm
      desktop environment: xfce
      cpu: intel(r) core(tm) i5-2450m cpu @ 2.50ghz

      Reply
  26. Jiggler

    Nice work netblue30!
    Do you think it would be straightforward to use firejail to achieve the holy grail of Tor usage: the Isolating Proxy?
    This is a jailed environment or virtual machine where the only network access to the Internet is via the Tor proxy running on the host. It is proof against DNS leaks, proxy bypassing etc. by the applications running therein. It would be nice to derive a recipe for this with firejail!
    https://kromey.us/2013/10/using-shorewall-to-configure-a-tor-isolating-proxy-584.html
    https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy

    Reply
  27. laughinghost

    Hi!
    I’m probably momentarily confused, but a quick question:

    Does the most recent firejail allow apps “inside” the jail to bind to the “host”’s localhost, or do I have to make a fancy iptables dance to make that work?

    Specific usecase:

    Force Shadowsocks client to use a specific interface (tun0) for outgoing traffic.

    I do this via a bridge interface and iptables and the part where shadowsocks has to connect to server works.
    However, the part where it has to bind to localhost and listen there does not appear to work (at least from host’s perspective)

    Reply
    1. netblue30 Post author

      Yes, firejail allows you to bind sockets to localhost – this is how servers such as nginx or apache are running.

      Are you using the --net option? This creates a new network namespace with a new localhost.

      Reply
      1. laughinghost

        Yes, because I want to constrain it to using a specific network interface, so I use --net to constrain it to br0 and then use iptables to ensure stuff gets NATed between br0 and the tun interface I want to constrain shadowsocks to.

        Is there a way to “add” the host’s localhost into the isolated namespace and/or otherwise transparently ferry traffic between firejail’s localhost and, well, the host’s localhost?

        P.S.:
        The threat model doesn’t assume the app is “malicious” and will “break out” via localhost, but rather that the app is dumb and will often try connecting “naked” (eth0) in case of the tiniest VPN failure.

      2. netblue30 Post author

        Network namespace always creates a new localhost, isolated from the real localhost.

        You have br0 on both real host and also inside the namespace, and I assume you have an IP address configured for it. Can you communicate with the real local host using this address? Can you ping it?

  28. laughinghost

    Yes.

    Hm, this gives me an idea…

    I can configure separate iptables rules “inside” the jail that will apply to interfaces exposed inside the namespace, right ?

    Reply
    1. netblue30 Post author

      Each namespace has its own netfilter subsystem. So, you will have to set iptables twice, once for localhost and once for the sandbox. Look at the --netfilter option in the man page. It applies a filter you specify to the sandbox.

      Reply
  29. laughinghost

    I suspect that if I connect two bridge interfaces to the sandbox (br0, br1), then forward a port from in-sandbox localhost to “br1”, then on the host forward the same port from “br1” to the host’s localhost…
    and use br0 the way I’m using it now (for talking to tun0 on host) it should get me exactly what I want, right ?

    Reply
    1. netblue30 Post author

      Yes, you can try it out. Also, look if you can bind the server socket directly to br0 or br1 instead of local host (127.0.0.1). Most servers allow you to do it.

      Reply
  30. Terrance Harris

    Ok, after disabling the shared memory feature in pulseaudio everything works fine and the sound settings or sound related apps don’t crash when started. Thanks for figuring this out.

    Reply
    1. Passerby

      Well, that causes some (occasionally noticeable) performance degradation, so, hopefully netblue30 will eventually find a way to fix pulseaudio’s shared memory.

      Reply
    1. netblue30 Post author

      0% CPU load, less than 2MB RSS size.

      It is easy to measure, start firejail in an xterm, and in another xterm do “ps au”:

      $ ps au
      USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
      root 2622 1.8 1.1 229720 80108 tty7 Ssl+ 14:04 7:54 /usr/bin/X :0 -
      root 2826 0.0 0.0 16268 1924 tty1 Ss+ 14:04 0:00 /sbin/getty 384
      root 2827 0.0 0.0 16268 1868 tty2 Ss+ 14:04 0:00 /sbin/getty 384
      netblue 3185 0.0 0.0 21084 5376 pts/1 Ss 14:20 0:00 /bin/bash
      root 4649 0.0 0.0 15856 1864 pts/1 S 21:10 0:00 firejail
      netblue 4650 0.0 0.0 20960 5100 pts/1 S+ 21:10 0:00 /bin/bash
      netblue 4695 0.0 0.0 20960 4984 pts/0 Ss 21:10 0:00 /bin/bash
      netblue 4745 0.0 0.0 16848 2352 pts/0 R+ 21:12 0:00 ps au

      The memory load is smaller than a /bin/bash process.

      Reply
  31. Pingback: » Linux: Can LXC be used to jail instances of an installed browser?

  32. scoreunder

    Hi, my current script for launching firefox is this:
    https://github.com/ScoreUnder/scripts-and-dotfiles/blob/master/bin/firefox

    I asked for --shell=none support some time ago and I’m glad to see that it made it into the program. I’ve come up against a problem though: it doesn’t work for --join, so I have to revert to re-quoting the arguments when joining the sandbox.

    I recently stopped using --name with firejail. It makes --join convenient but since it changes what the program sees as the hostname, it is denied access to the X server. This isn’t a firejail problem per se but I thought I’d throw it in here since some people have probably come up against it before. I’m sure there’s a way around that without resorting to blanket allowing hosts via xhost (I run an sshd on this system), but I haven’t figured it out… Ideally I just want to generate a second magic cookie that the sandbox can use, and stick that in its Xauthority.

    Reply
    1. netblue30 Post author

      If I understand correctly, you need a --shell=none option available to --join. Currently, it is hardcoded to /bin/bash. I will add it in the next version.

      --name basically changes the hostname. The name is also used for convenience by several other options such as --join and --shutdown. I think you shouldn’t use it, as it will be rejected by the X server. Instead, use the pid of the sandbox for --join and --shutdown. Extract the pid using the --list option:

      $ firejail --list
      4259:netblue:firejail firefox
      $ firejail --join=4295

      Reply
