FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. tlu

    tlu Guest

    Right :)

    Kees, are you also running Linux now?
     
  2. Sometimes :) see "using Lubuntu with XP skin as replacement for XP". Now converted six family members (all aged over 70) to Linux. Due to the credit crunch their sons and daughters did not buy new PCs. One of them had a problem; because they talk to each other, the others also wanted the "free-XP". The reason behind this voluntary conversion is the fact that the photo-viewer of Lubuntu shows much more detail (and they look at their grandchildren's pictures a lot, so it seems).

    I had run into the same problems. Because I did not want to spend much time, I decided to not firejail the mail client. So thanks very much for solving this, Thomas :thumb:

    Regards Kees
     
  3. tlu

    tlu Guest

    Aha - YOU were the one :D

    You're welcome. I just noticed that I need to do this also for other filetypes (doc, xls, odt etc.).
     
  4. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Can someone tell me if I installed Firejail correctly? Because I used the Qapt Package installer instead of dpkg.
     
  5. tlu

    tlu Guest

    @wat0114: FWIW, I recently compiled my own AppArmor-enabled kernel and installed the apparmor package from the AUR. Everything is working well (after some tweaks). Just in case you're interested ;)
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Awesome, will give it a try. Thanks tlu!
     
  7. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    You should try, or at least look at, Firejail 0.9.26. It now has a --private.keep switch that copies your browser profile (chrome, in my case...which includes bookmarks, passwords, extensions, etc.), runs your browser with it, then deletes everything afterwards. Your original profile is left untouched. Reminds me of Sandboxie. A nice feature. The only downside with it is any downloads are not transferred to their respective user home folder. I requested that netblue30 add this feature. Hopefully, he will. In the meantime, I have a work-around bash script that automatically moves my downloads to its respective home folder, but it does involve installing inotifywait (about 360 kilobytes in Ubuntu 14.04) to make it work.

    Later...
    Bob
     
  8. tlu

    tlu Guest

    You're welcome! If you need help just PM me. I don't know if it's worth creating a new thread for this ...
     
  9. tlu

    tlu Guest

    Yes, it's a nice feature. However, it doesn't solve the problems mentioned here.
     
  10. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Bookmarks being updated to the original profile would be nice...but extensions? Sounds unwise. Trying an extension update, or a new extension, within firejail first, would be the safest course of action. Afterwards, if everything checks out OK, you could update the original profile (with firejail not running). To each his own, I guess. I personally think running your browser with the --private.keep switch is a very safe way to surf the internet with all the bells and whistles of the original profile yet all changes made during the session deleted on browser close.

    Later...

    Bob
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Thanks for pointing this out, Bob. I've been using 0.9.26 for a while but never noticed the private.keep option. I see your point. The only trouble is in my case I use uMatrix so if I want to update its rules or modify its settings in the private.keep profile, they won't persist. Also, the option doesn't seem to like spaces between directory names such as ".config/chromium/Default/Extension State/". I tried wildcards but no luck. Maybe I'm missing something? I was hoping to whitelist only enough needed to keep uMatrix rules and settings changes persisting across new sessions.

    *EDIT*

    After further play with this, I guess there is no way to retain extension modifications over multiple sessions using this option.
     
    Last edited: May 9, 2015
  12. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    This is only for Chrome. I can't say it will work for Firefox or any other browser.

    Here's my bash script to copy downloads to their respective user home folder and copy bookmarks, should you add a new link, to your chrome original profile. It, though, requires that you install inotifywait before it will work....

    Code:
    #!/bin/bash
    # For firejail 0.9.26
    # Download folder (relative to $HOME), taken from Chrome's Preferences file
    dldir=$(grep -o -P "(?<=/home/$USER/).*?(?=})" ~/.config/google-chrome/Default/Preferences | sed 's/"$//' | head -n 1)
    # Wait until the sandboxed chrome process is up and its private home is visible under /proc
    while : ; do
        cpid=$(ps -ef | awk '/[c]hrome/{print $2}' | head -n 3 | tail -n 1)
        fhome="/proc/$cpid/root/$HOME"
        [[ -n "$cpid" && -d "$fhome" ]] && break
        sleep 1
    done
    dir1="$fhome/$dldir"; dir2="$HOME/$dldir"        # sandbox download folder / real download folder
    file2="$HOME/.config/google-chrome/Default/Bookmarks"; file1="/proc/$cpid/root/$file2"
    while inotifywait $m -r -q -e create "$fhome"
    do
       # stop once the browser process is gone
       if [ ! -e "/proc/$cpid" ]; then break ; fi
       # path of a file that exists in only one of the two download folders
       dif=$(diff "$dir1" "$dir2" | sed 's/Only in \([^ ]*\): /\1\//')
       if [ -f "$dif" ]; then cp "$dif" "$dir2"; rm -rf "$dir2"/*.crdownload "$dir2"/.com.google.* ; fi
       # copy the bookmarks file back to the real profile if it differs
       if ! diff "$file1" "$file2" > /dev/null; then cp "$file1" ~/.config/google-chrome/Default ; fi
       # toggle for inotifywait's -m (monitor) switch on the next iteration
       if [ -e "$cpid" ]; then m="-m" ; fi
    done
    pkill inotifywait
    exit 0

    It functions fine on my system.

    For your chrome launcher you need to use this...

    bash -c "~/.scripts/mydl & firejail --private.keep=.themes,.icons,.config/google-chrome google-chrome"

    You can add any chrome switches you may use after the last google-chrome from the line above.

    The launcher above only activates inotifywait while the browser is open and kills it on browser close.

    I store all my bash scripts in ~/.scripts, which is why it is listed in the chrome launcher. And the name "mydl" is what I call that script. You can place and name the script whatever you wish...just make the appropriate changes to the launcher line.

    If you study the script a little you'll see you can copy just about anything back to the original chrome profile should you wish. I just chose Bookmarks because it seemed the most harmless.

    Later...

    Bob

    Edit....
    ...Er...a slight refinement? :). The -q switch quiets down the output if you run it in a terminal. The -r switch means recursive. The $m allows me to turn the -m (monitor) switch off if the browser closes while it's looping. Otherwise inotifywait would keep running after the browser closes.

    Edit 2....
    Back again. inotifywait can be picky, especially if you run it with the -r (recursive) switch. And the fewer events you use in the inotifywait command the better. If you use too many then inotifywait can miss events...like what was happening to my first script post. I'm just using one now.

    Later...once again... :).
     
    Last edited: May 13, 2015
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Thanks Bob! I'll have a close look at it, although scripts are not easy for me to grasp.
     
  14. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Another adjustment...
    Code:
    #!/bin/bash
    # For firejail 0.9.26
    # Wait until the sandboxed chrome process exists and inotifywait can watch its private home
    while : ; do
       cpid=$(ps -ef | awk '/[c]hrome/{print $2}' | head -n 3 | tail -n 1)
       fhome="/proc/$cpid/root/$HOME"
       inotifywait -qqt 2 -e create "$fhome" && break
    done
    # Download folder (relative to $HOME), taken from Chrome's Preferences file
    dldir=$(grep -o -P "(?<=/home/$USER/).*?(?=})" ~/.config/google-chrome/Default/Preferences | sed 's/"$//' | head -n 1)
    file2="$HOME/.config/google-chrome/Default/Bookmarks"; file1="/proc/$cpid/root/$file2"
    dir1="/proc/$cpid/root/$HOME/$dldir"; dir2="$HOME/$dldir"    # sandbox download folder / real download folder
    while inotifywait $m -qr -e modify,create "$fhome"
    do
       # sync only when the file counts differ and no download is still in progress
       f1=$(ls "$dir1" | wc -l); f2=$(ls "$dir2" | wc -l)
       if [ "$f1" != "$f2" ]; then
          if [ -e "$dir1"/.com.google.* ] || [ -e "$dir1"/*.crdownload ]; then :
          else rsync "$dir1"/* "$dir2"/
          fi
       fi
       # copy the bookmarks file back to the real profile if it differs
       if ! diff "$file1" "$file2" > /dev/null; then cp "$file1" "$HOME/.config/google-chrome/Default" ; fi
       # toggle for inotifywait's -m (monitor) switch on the next iteration
       if [ -e "$cpid" ]; then m="-m" ; fi
    done
    exit 0
    
    It copies files you download to your original folder destination from firejail's tmpfs file system. Plus, it allows you to add or remove bookmarks from within firejail. Only for chrome.

    I have learned that inotifywait is a real pain. You have to delay its activation until the firejail virtual file system directory structure exists. So, it's a question of timing, particularly at the initial "cold" browser startup. I think I've pretty much solved the problems I was experiencing...but you never know. It works fine...as of this moment...but fate has a way of suddenly kicking you in the a** when you least expect it. Compound that situation with me being obsessive...and you can see my problem. ;). But, I do enjoy mulling over a coding conundrum. Time just flies by when you're doing it. :).

    Later...

    Bob
     
    Last edited: May 18, 2015
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Just had a quick look at Firetools 0.9.26_1, which is a graphical launcher and sandbox monitor for Firejail. It implements a pre-built icon-based system tray launcher for "standard" profiles. You can add your own commands/icon to the launcher.

    In addition, the list of default profiles is now quite extensive, including in no particular order for applications: Deluge qBittorrent Audacious Clementine Gnome-mplayer Rhythmbox Totem (Gnome Videos) Transmission Vlc Firefox Thunderbird Chromium Clementine Dropbox Icedove Iceweasel Midori and Opera. There are additional guides to a couple of these, and the profiles can be used as a base for other applications.

    Although Firetools is an ease-of-use thing for an already easy-to-use utility, I would like to encourage anyone who hasn't yet had a try of Firejail to give it a go - there is an awful lot to like, and it significantly adds security and privacy with little impact, and it is very easy to use.
     
  16. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Looks a very nice application. A sort of Sandboxie for Linux, if you like.
    I may just be brave and try this.:thumb:
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I've been using Firejail for a while without any problems. Good to know that a firejail'ed Firefox is now on par with Chromium security-wise (apart from multi-processing).
     
  18. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    I'm still kind of a noob to Linux; could you explain how I'm supposed to use the private.keep switch feature? I would love to be able to use this Sandboxie-like feature.
    I mean the default FJ profile is OK, but it doesn't protect against malicious add-ons, and Private Mode does but I can't access my bookmarks or use my extensions.
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    I haven't used this switch, but it's explained with an example given on the Firejail Release announcement page:

    https://l3net.wordpress.com/2015/04/22/firejail-0-9-26-release-announcement/
     
  20. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    I just installed Firejail & FireTools in Linux Mint to try it out. Maybe I'm misunderstanding its capabilities or maybe I'm doing something wrong. If I open Firefox through the FireTools GUI, make changes in Firefox and then close it, shouldn't all the changes made in Firefox be lost? I deleted some bookmarks, etc., and after closing Firefox and then opening it up again without using FireJail all the changes I made remained.

    Also, why is it that when using FireJail to open Firefox it says at the top of the Firefox window that it's opened as Superuser?
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    That's the normal behavior. Firejail sandboxes Firefox but it doesn't discard any changes. If you want that you have to use the --private.keep switch. Quote from the Firejail manual:

    Really :eek: How did you start it? If you execute

    firejail firefox

    there is no way that firefox is running as superuser.

    I highly recommend that you read the documentation on https://l3net.wordpress.com/projects/firejail/
     
  22. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    Thanks for the info about private.keep. I'll look into that more. As far as documentation goes I did look through it but it's very possible I missed something. I'm pretty new to Linux, so that doesn't help.

    As far as how I started Firefox I just opened it through the shortcut in FireJail's GUI, FireTools.
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    @Firebytes,

    to use the --private.keep switch do as follows (will use Chromium as an example as I did under Arch Linux):

    1. create a directory under your home directory and call it whatever you like. eg:
    Code:
    sudo mkdir Chromium_Temp
    2. you may have to change ownership to yourself and the users. eg:
    Code:
    sudo chown your_account_name:users Chromium_Temp
    3. then you launch it as:

    Code:
    firejail --profile=/etc/firejail/chromium.profile --private.keep=.config/chromium/,Chromium_Temp chromium
    For Firefox the path for its profile will of course be different, but that's basically what works for me using Chromium browser. Any and all changes I make are discarded when I close the firejail-launched browser.

    *EDIT*

    just keep in mind that if you want to make any changes to, say, your browser settings or update extensions/plugins, you will have to open your browser normally (non-firejailed) make the changes, then close it and re-open firejailed.

    *EDIT #2*

    Also, you can insert the --debug switch in there to see exactly what is being affected by the Firejailing process.
     
    Last edited: Aug 9, 2015
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    @ wat0114 that was very informative, thank you!
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    You're welcome, amarildojr. Wilders member tlu deserves a lot of credit for me figuring this out, as he helped me with a similar Firejail switch a while back.

    BTW, I played a bit with Firefox and this works:

    Code:
    firejail --profile=/etc/firejail/firefox.profile --private.keep=.mozilla,Firefox_Temp firefox
    
    ...of course I created a directory called Firefox_Temp :)
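    An added launcher script that wraps the three steps above and the Firefox variant; it is not code from any post in this thread, and the function and variable names are my own. It builds the --private.keep list from $HOME-relative entries and refuses anything that is missing, not owned by the user (the ownership problem from step 2), or contains a comma (the list separator) or a space (reported earlier in the thread as not working with this option). The profile path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not code from this thread): a launcher for firejail's --private.keep
# option as used above. Function and variable names are my own.

# Print the comma-joined --private.keep value for the given $HOME-relative entries.
# Returns 1 if an entry is absolute, contains "..", a comma (the list separator) or a
# space (reported above as not working), does not exist, or is not owned by the caller
# (the ownership problem from step 2 above).
build_private_keep() {
    keep=""
    for entry in "$@"; do
        entry=${entry%/}                      # drop a trailing slash, e.g. ".config/chromium/"
        case "$entry" in
            /*|*..*)   echo "refusing '$entry': must be a path relative to \$HOME" >&2; return 1 ;;
            *,*|*' '*) echo "refusing '$entry': commas and spaces are not supported" >&2; return 1 ;;
        esac
        path="$HOME/$entry"
        [ -e "$path" ] || { echo "missing: $path (create it first, as in step 1)" >&2; return 1; }
        [ -O "$path" ] || { echo "not owned by $(id -un): $path (see step 2, chown)" >&2; return 1; }
        keep="${keep:+$keep,}$entry"
    done
    printf '%s\n' "$keep"
}

# Launch BROWSER under PROFILE with the listed entries copied into the sandbox; firejail
# throws the copies away when the browser exits and the originals stay untouched.
# Usage: launch_private /etc/firejail/firefox.profile firefox .mozilla Firefox_Temp
launch_private() {
    profile=$1; browser=$2; shift 2
    keep=$(build_private_keep "$@") || return 1
    firejail --profile="$profile" --private.keep="$keep" "$browser"
}
```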
     