Please note: the Firejail project page has moved to http://firejail.wordpress.com
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of process: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
The sandbox is lightweight and the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in the Linux kernel and available on any Linux computer. To start the sandbox, prefix your command with “firejail”:
$ firejail firefox # starting Mozilla Firefox
$ firejail transmission-gtk # starting Transmission BitTorrent
$ firejail vlc # starting VideoLAN Client
$ sudo firejail /etc/init.d/nginx start
Home page: http://firejail.wordpress.com
Firetools
Firetools is the graphical user interface of the Firejail security sandbox. It provides a sandbox launcher integrated with the system tray, sandbox editing, management and statistics. The application is built using Qt4 libraries, and it is distributed as a separate package.
Home page: http://firejail.wordpress.com
Hi!
The company I work for is looking for an easy way to sandbox some of the development environments, it has everything we need except for one thing: it’s not available on Ubuntu’s repositories. I see they are available upstream. Any plans to get it approved so we can just apt-get? It’s the only way I could justify the use for my company, they don’t even allow PPAs.
Thank you for this amazing piece of software!
It is included in upcoming Ubuntu 15.10
https://launchpad.net/ubuntu/+source/firejail
Regarding the Pulseaudio discussion in https://github.com/netblue30/firejail/issues/69
There is no need to disable shared memory in Pulseaudio entirely, or to copy files from ~/.config/pulse/ into the sandbox.
Just edit /etc/pulse/default.pa – change the line
load-module module-native-protocol-unix
to
load-module module-native-protocol-unix srbchannel=no
and restart the pulseaudio daemon.
Sorry for posting this here, but I don’t have a Github acct.
Thanks for the hint. Today I put a fix in firejail code (on github), so it will always start PulseAudio client with enable-shm=no inside the sandbox.
I wished there was a way where firejail would “watch” which protocols/mime/apps are getting started and if they are in the “sandbox list” then firejail would automatically sandbox them.
E.g. if I run “okular” from the application finder then okular won’t simply start but firejail will interrupt and run “firejail okular”.
Same goes for links which I would click on, instead of opening a link in a document with “iceweasel” firejail would detect and interrupt and start “firejail iceweasel” -> link.
Thanks for the suggestion. It will come in one form or another in a future release.
Btw sorry for that bad English.. I will re-write with correct English lol
E.g. if I would run “okular” from the application finder then okular wouldn’t simply start but firejail would interrupt the start of “okular” and instead run “firejail okular”.
Same goes for links which I would click on, instead of opening a link in a document with “iceweasel” firejail would detect, interrupt and start as “firejail iceweasel” -> link.
You are talking about integrating firejail in the desktop, so when you click on an icon, or menu, or some file in the file manager, the program will run inside the sandbox instead of running directly. This feature is still under development, and it will be a while until something like this becomes available. btw, there’s nothing wrong with your English!
I wrote firejail up briefly and linked it on the security wiki page for Archlinux. Feel free to enhance as you see fit everyone.
https://wiki.archlinux.org/index.php/Firejail
Thanks!
I did not manage in any way to get it working with Skype. Even with a basic profile, when running firejail skype, I get:
….
Child process initialized
parent is shutting down, bye…
And nothing else.
Try without any profile – add --noprofile option – maybe something in the profile prevents it from running:
Sorry if I’m stupid, but… Is there a Chrome profile included? I’m considering making an idiot proof computer with Linux Mint, Chrome and Firejail, but I don’t feel like dedicating my life to it. Great program by the way!
Yes, a Chromium profile is included. You start it as “firejail chromium”
Yeah but does that work for Google Chrome? I’m not talking about Chromium. Sorry if I’m unclear as… I dunno, only slept 4 hours tonight. Thanks for the response!
The same profile is used for Chromium and Google Chrome. This is how you start Google Chrome:
Once you started the sandbox, you can modify the bandwidth for the sandbox, and make it 0 if this is what you need. Example:
Start the sandbox with a network namespace:
From a different terminal window you set the bandwidth. The first number is rx bandwidth (in kilobytes per second), the second number is tx bandwidth:
I’ll try to bring into the next version support to change iptables/netfilter configuration for a running sandbox. At the moment netfilter config is supported only when the sandbox is started.
How would I go about sandboxing my browser so that it can only connect to localhost:9050 (my socks proxy)? It would be great if there was a --net=local option that only allowed connections to the existing loopback interface, because I can’t for the love of me figure out how to do this. Maybe I’m just missing something obvious.
I’ll have to implement it. I am tracking it here: https://github.com/netblue30/firejail/issues/108
Great, thanks. I’ll keep an eye on it.
Great product, thanks. rpms fail to install on fedora23
Does it give any error when you try to install it?
Thanks for firejail. I get the following crash for Firefox:
Firefox 42.0 in Ubuntu 64 bit, firejail --version 0.9.34
crash with:
(firefox:1): GLib-WARNING **: getpwuid_r(): failed due to: Permission denied.
WARNING: content window passed to PrivateBrowsingUtils.isWindowPrivate. Use isContentWindowPrivate instead (but only for frame scripts).
pbu_isWindowPrivate@resource://gre/modules/PrivateBrowsingUtils.jsm:25:14
nsBrowserAccess.prototype.openURI@chrome://browser/content/browser.js:15449:21
Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve property `GtkRange::activate-slider’ of type `gboolean’ from rc file value “((GString*) 0x7f9f8accc3c0)” of type `GString’
Vector smash protection is enabled.
libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
libdc1394 error: Failed to initialize libdc1394
ERROR: Could not determine network interfaces, you must use a interfaces config line
I have Firefox 42.0 running fine under Arch Linux. Try this command:
$ firejail --noprofile firefox
This disables the default profile for Firefox. If it works, it means it is something in the profile that bothers it. So, you open the profile file in an editor and comment out lines in the file until you find the one that creates the problem. The profile file is /etc/firejail/firefox.profile, you’ll have to edit it as user root. Start with “noroot” and “protocol …” lines, just a guess. When you do this test, you start firefox as usual:
$ firejail firefox
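The line-by-line test described above can be automated so that every restriction that is not at fault stays active, instead of running the browser with no profile at all. This is an added example, not part of the original comments or of Firejail itself; `find_breaking_lines`, `firejail_check`, the 20-second survival window and the sample profile are assumptions made for illustration, and `simulated_check` stands in for a real launch.

```python
import os
import subprocess
import tempfile

def find_breaking_lines(profile_lines, launches_ok):
    """Re-add directives one at a time; return (working_profile, culprits)."""
    kept, culprits = [], []
    for line in profile_lines:
        text = line.strip()
        if not text or text.startswith("#"):
            kept.append(line)            # blanks and comments cannot break a launch
        elif launches_ok(kept + [line]):
            kept.append(line)            # restriction is harmless: keep it active
        else:
            culprits.append(text)
            kept.append("# disabled during triage: " + text)
    return kept, culprits

def firejail_check(program, seconds=20):
    """Predicate: run `firejail --profile=FILE program`; surviving `seconds` = OK.
    Assumes a long-running program whose failure shows up unattended."""
    def launches_ok(lines):
        with tempfile.NamedTemporaryFile("w", suffix=".profile", delete=False) as f:
            f.write("\n".join(lines) + "\n")
        try:
            proc = subprocess.Popen(["firejail", "--profile=" + f.name, program])
            proc.wait(timeout=seconds)
            return False                 # exited inside the window: treat as a crash
        except subprocess.TimeoutExpired:
            proc.terminate()
            proc.wait()
            return True
        finally:
            os.unlink(f.name)
    return launches_ok

# Constructed sample profile (not the shipped firefox.profile).
SAMPLE_PROFILE = ["# constructed example profile", "caps.drop all", "seccomp",
                  "protocol unix,inet,inet6", "noroot"]

def simulated_check(lines):
    """Stand-in for firejail_check(): models a program that needs netlink sockets."""
    active = [l for l in lines if not l.lstrip().startswith("#")]
    return all("netlink" in l for l in active if l.startswith("protocol "))

if __name__ == "__main__":
    profile, culprits = find_breaking_lines(SAMPLE_PROFILE, simulated_check)
    print("culprits:", culprits, *profile, sep="\n")
```

For a real run, pass `firejail_check("firefox")` as the predicate and feed it the lines of a copy of the profile; a failure that only appears after interacting with the program still has to be confirmed by hand.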
Thanks for the reply. Commenting out #protocol unix,inet,inet6 line in profile seems to work. What could be the problem?
I managed to get some more log lines from firefox crash when firejail protocol line is not commented. I have to browse for a few seconds for it to crash. It seems I have to add netlink to protocol. When set as protocol unix,inet,inet6,netlink Firefox works ok.
libudev: udev_monitor_new_from_netlink_fd: error getting socket: Operation not supported
libdc1394 error: Failed to initialize libdc1394
ERROR: Could not determine network interfaces, you must use a interfaces config line
[NPAPI 67] ###!!! ABORT: Aborting on channel error.: file /build/firefox-0CLoLb/firefox-42.0+build2/ipc/glue/MessageChannel.cpp, line 1768
[NPAPI 67] ###!!! ABORT: Aborting on channel error.: file /build/firefox-0CLoLb/firefox-42.0+build2/ipc/glue/MessageChannel.cpp, line 1768
It is trying to connect some firewire or usb camera and it fails to open the socket (netlink is disabled by default). It is a firefox bug, it should not crash. I will enable netlink in the next release, so for now use “protocol unix,inet,inet6,netlink”. Thanks!
Hey, how’s it going?
Look, I have been thinking, is Firejail possible to port to ARM architecture? Specifically to work with debian armhf.
If you could provide a deb package for that architecture it would be useful for use with boards like banana pi, raspberry pi, beagleboard, etc.
ARM is supported already in stretch:
https://packages.debian.org/stretch/firejail
Hello,
I’m using firejail 0.9.34 on a Gentoo machine (Linux 4.1.7).
Whatever command I run (even “firejail ls”), I get a Warning telling me “an existing sandbox was detected”… effectively cancelling all of the jailing and running my “ls” in the normal userspace.
Any thoughts on this behavior?
regards,
H
It means when you run “firejail ls” you are already in a firejail sandbox – or maybe in another type of sandbox?
ls will run without any additional sandboxing. The rules imposed by the existing sandbox still apply.
In version 0.9.36 I’ve introduced a --force option that will allow you to chain multiple sandboxes. Depending how the first sandbox was configured, it might prevent the second sandbox from starting. It is useful for running firejail in LXC or Docker containers.
Hi,
is it possible to re-attach to an overlay after the sandbox is closed? Now, a new overlay is always created, but I would like to continue where I left off.
Thanks,
eli
I will have to add support for it. I put an entry on GitHub:
https://github.com/netblue30/firejail/issues/239
Hello,
Not sure if this is possible since I’m not sure how each desktop manager handles it, but would it be possible to change the window title for applications sandboxed with firejail? For example, change “app_title” in the taskbar to read “[sandbox_name] app_title” when the program is running inside the sandbox.
Thanks!
I’ll try it! I put an entry on GitHub:
https://github.com/netblue30/firejail/issues/242
Firetools is great for usability. Can you package it for Debian also?
I do have some packages here:
https://sourceforge.net/projects/firejail/files/firetools/
Official packages in Debian are still being tested:
http://mentors.debian.net/package/firetools
How does firejail handle isolation for X-server? Do you use Xpra? Similar software like the oz-sandboxing framework have begun to integrate Wayland support to provide stronger isolation properties for GUI applications. Any similar plans or ETA?
We are still working on it: https://github.com/netblue30/firejail/issues/57
Hey netblue30,
Is there any chance for read-only whitelisting? I would like to whitelist a certain file, but also to make sure the program can’t change that file. Right now, I try to make a copy of that file to a temporary private home, but some files are too large to do that with.
Thanks for the update!
I’ll have to implement it. I track it here:
https://github.com/netblue30/firejail/issues/280
Hello,
First off, thanks for this awesome program. I’ve been looking for something that would do this in Linux for over a decade. I always ended up using some painful process to accomplish what firejail does so easily.
One problem, though. When I have an encrypted folder mounted using cryptkeeper (which uses EncFS), when I blacklist the mount point for a specific program, the program can see into the directory anyway. The process works fine using the .profile files in $HOME/.config/firejail/firefox.profile for any other folder, it is just ineffective on the mounted path of the encrypted volume, and lets the program see right in there and access all contents. I have tested this every way and there must be a solution somewhere.
Thanks for any ideas,
A_User
Howdy,
Very cool project, I really like the idea and execution (pun intended!).
I was wondering if it would be possible to compile this for OSX – does it depend on anything that’s specific to the Linux kernel?
It uses a number of features implemented in Linux kernel. It will not work on OSX.
firejail version 0.9.44.10 still breaking pulseaudio 8.0 when i run firefox 53.0b9 (64-bit). the provided fix does not work for me. i have had to stop using it which is a huge security risk.
using linux mint 18.1 64bit cinnamon desktop.
all help appreciated.
How do you start the sandbox?
I use an icon on my desktop which runs “firejail firefox %u”. It uses the default firefox profile.
I installed firefox 53 as distributed by Mozilla (https://www.mozilla.org/en-US/firefox/new/) on a Ubuntu Gnome 17.04 with PulseAudio 10.0. The sound works fine.
I compiled the source code for pulseaudio 10 and installed it. The issue is gone. Obviously firejail and pulseaudio 8 have some sort of disagreement going on. 😀
It looks like Sandboxie for Windows. Is it able to sandbox a software installation? And keep all the files installed on the drive to be located on a separated/sandboxed file system, installing dependencies in that file system?
No, it needs to have the files already installed.
I am curious to know how I can get torrent or magnet file to open automatically in a default client/Firejailed mode. I have tried using a custom launcher which runs from user/bin but I am sceptical about how secure this is.
Any opinions appreciated.
BTW, thanks for Firejail………..Really, really useful tool.
This is what I usually do:
I have Firefox and Transmission-qt open, each one in its own sandbox. I grab the magnet link with the mouse in Firefox window and drop it in Transmission window.