FireJail - Linux sandbox

Discussion in 'all things UNIX' started by Gitmo East, Oct 16, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
It depends on your kernel configuration. On Arch Linux, e.g., user namespaces are currently not supported as the Arch developers see security problems. Hence the SUID sandbox is enabled. Other distros treat it differently. Fedora supports user namespaces, hence the SUID sandbox is disabled. Debian 8 again supports the SUID sandbox but doesn't support seccomp-bpf with TSYNC and Yama LSM; the situation on CentOS is identical.

    Regarding user namespaces, there is a similar "problem" with Firejail but:
     
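The post above says the answer depends on the kernel, so here is a check a practitioner can run on their own box. This is an added example, not code from Firejail or Chromium: it reads the kernel config and a few /proc entries (the Debian/Arch-style `kernel.unprivileged_userns_clone` sysctl, the newer `user.max_user_namespaces` limit, the Yama `ptrace_scope` knob) and derives which of the features named in the post are usable. The mapping from "no user namespaces" to "Chromium falls back to the SUID sandbox" and "Firejail's --noroot needs user namespaces" follows the thread; the TSYNC cut-off at kernel 3.17 is the upstream release that introduced it. The sample `facts` dictionaries in the test are constructed, not real hosts.

```python
"""Report which sandboxing features the running kernel offers (added example)."""
import gzip
import platform
import re


def _read(path):
    """Return a file's stripped contents, or None if it is absent/unreadable."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def _kernel_config():
    """CONFIG_* text from /proc/config.gz or /boot/config-<release>, else None."""
    try:
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    except OSError:
        return _read("/boot/config-" + platform.release())


def kernel_at_least(release, major, minor):
    """True if a 'uname -r' string such as '3.16.0-4-amd64' is >= major.minor."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (major, minor)


def collect_facts():
    """Gather raw observations about the local kernel (None = could not tell)."""
    cfg = _kernel_config()
    status = _read("/proc/self/status") or ""
    return {
        "release": platform.release(),
        "config_user_ns": None if cfg is None else "CONFIG_USER_NS=y" in cfg,
        "config_seccomp_filter": None if cfg is None else "CONFIG_SECCOMP_FILTER=y" in cfg,
        # Debian/Arch patch: "0" switches user namespaces off for unprivileged users.
        "unprivileged_userns_clone": _read("/proc/sys/kernel/unprivileged_userns_clone"),
        # Mainline (4.9+): "0" disables creation of user namespaces entirely.
        "max_user_namespaces": _read("/proc/sys/user/max_user_namespaces"),
        # The Seccomp: line exists when CONFIG_SECCOMP is built in (kernel 3.8+).
        "seccomp_status_field": re.search(r"^Seccomp:", status, re.M) is not None,
        "yama_ptrace_scope": _read("/proc/sys/kernel/yama/ptrace_scope"),
    }


def assess(facts):
    """Derive what the sandboxes can rely on: True/False, or None if undeterminable."""
    userns = facts["config_user_ns"]
    if facts["unprivileged_userns_clone"] == "0" or facts["max_user_namespaces"] == "0":
        userns = False  # compiled in, but switched off for unprivileged users
    elif userns is None and facts["unprivileged_userns_clone"] == "1":
        userns = True  # the sysctl only exists when the feature is compiled in
    seccomp_bpf = facts["config_seccomp_filter"]
    tsync = None if seccomp_bpf is None else (seccomp_bpf and kernel_at_least(facts["release"], 3, 17))
    return {
        "user_namespaces": userns,
        "seccomp_bpf": seccomp_bpf,
        "seccomp_tsync": tsync,
        "yama_lsm": facts["yama_ptrace_scope"] is not None,
        # Without user namespaces Chromium must use its setuid helper instead.
        "chromium_needs_suid_sandbox": None if userns is None else not userns,
        # Firejail's --noroot option is implemented with a user namespace.
        "firejail_noroot_possible": userns,
    }


if __name__ == "__main__":
    for key, value in assess(collect_facts()).items():
        print(f"{key:28s} {'unknown' if value is None else value}")
```

Run it without arguments to print the assessment for the local kernel; `assess()` is kept free of I/O so the same logic can be applied to configs gathered from other hosts.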
  2. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
Thanks, I've been playing with this for the last few days now. :thumb: It might be my imagination, but after using Thumbnail View Plus it looks like there's cache being saved to the system, because when I use Bleachbit I see some cache files for Firefox but no browser cache. I don't know if the thumbnail cache is escaping; I'm not an expert, just something I noticed. I also tried Flashgot and Uget together and of course I wasn't able to recover any files initially, but after opening Uget first and then trying to download with Flashgot I was able to recover something. Unfortunately it was corrupted, so Flashgot and Uget aren't working together correctly. I know this because I tried downloading something without FJ and had the same problem, so if they were working correctly then this combo could've allowed me to recover files from the private.keep switch. I also have some ideas for Firetools: it would be nice to have an action launcher feature, kinda like Android has, so when you're clicking on a link FireTools would prompt you with a launch window with customizable browser/application shortcuts. My second idea is to have a download popup window similar to Sandboxie to allow you to recover files individually or en masse. ;)
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I'm not really sure about something.

    If I do
    Code:
    firejail steam
    what jail settings will Steam be on?
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Use the --debug switch.

    EDIT: You'll find comprehensive documentation and many examples on https://l3net.wordpress.com/projects/firejail/
     
    Last edited: Aug 12, 2015
  5. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
I can confirm this happens in Debian testing and probably in all Debian derivatives, and I just found out that this is the normal behaviour. Just do a $ ps aux and you will see there are two firefox/iceweasel processes running. One is firejail firefox and another is firefox; firejail firefox runs as root whereas firefox will be running with normal user privileges. Firejail firefox is the sandbox process which needs to be run as root. The sandbox process reported as root does nothing; it just monitors the firefox process in order to close the sandbox when firefox is shut down.

    Go to the comments area, you will find out the explanation.
     
  6. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    Thanks UnknownK, that makes sense.
     
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Thanks, I've forgotten about debug! :p

    I know I looked like a help-vampire, but in all honesty that doesn't happen often hehehee.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    You're welcome - no problem :)

    Confirmed :thumb:
     
  9. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,137
I got firejail working, but I see errors towards the bottom. Can anyone answer why?

    Code:
     ~ $ firejail --seccomp --debug firefox
    Command name #firefox#
    Found firefox profile in /etc/firejail directory
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/disable-mgmt.inc
    Reading profile /etc/firejail/disable-secret.inc
    Reading profile /etc/firejail/disable-common.inc
    Using the local network stack
    Parent pid 5554, child pid 5555
    Initializing child process
    PID namespace installed
    Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
    Mounting tmpfs on /var/lock
    Mounting tmpfs on /var/tmp
    Mounting tmpfs on /var/log
    Mounting tmpfs on /var/lib/dhcp
    Mounting tmpfs on /var/lib/snmp
    Mounting tmpfs on /var/lib/sudo
    Mounting tmpfs on /tmp/firejail/mnt directory
    Create the new utmp file
    Mount the new utmp file
    Disable /sbin
    Disable /usr/sbin
    Disable /bin/umount
    Disable /bin/mount
    Disable /bin/fusermount
    Disable /bin/su
    Disable /usr/bin/sudo
    Disable /usr/bin/xinput
    Disable /usr/bin/strace
    Disable /home/unixman/.ssh
    Mounting tmpfs on /home/unixman/.gnome2_private
    Disable /home/unixman/.pki/nssdb
    Disable /home/unixman/.gnupg
    Disable /home/unixman/.local/share/recently-used.xbel
    Disable /home/unixman/.adobe
    Disable /home/unixman/.macromedia
    Disable /home/unixman/.thunderbird
    Disable /home/unixman/.config/chromium
    Disable /home/unixman/.config/google-chrome
    Remounting /proc and /proc/sys filesystems
    Remounting /sys directory
    Disable /proc/sysrq-trigger
    Disable /proc/sys/kernel/hotplug
    Disable /sys/kernel/uevent_helper
    Disable /proc/irq
    Disable /proc/bus
    Disable /proc/kcore
    Disable /proc/kallsyms
    Mounting a new /boot directory
    Disable /dev/port
    Initialize seccomp filter
    Blacklisting syscall 165 mount
    Blacklisting syscall 166 umount2
    Blacklisting syscall 101 ptrace
    Blacklisting syscall 246 kexec_load
    Blacklisting syscall 304 open_by_handle_at
    Blacklisting syscall 175 init_module
    Blacklisting syscall 176 delete_module
    Blacklisting syscall 172 iopl
    Blacklisting syscall 173 ioperm
    Blacklisting syscall 167 swapon
    Blacklisting syscall 168 swapoff
    Blacklisting syscall 103 syslog
    Blacklisting syscall 310 process_vm_readv
    Blacklisting syscall 311 process_vm_writev
    Blacklisting syscall 133 mknod
    Blacklisting syscall 139 sysfs
    Blacklisting syscall 156 _sysctl
    Blacklisting syscall 159 adjtimex
    Blacklisting syscall 305 clock_adjtime
    Blacklisting syscall 212 lookup_dcookie
    Blacklisting syscall 298 perf_event_open
    Blacklisting syscall 300 fanotify_init
    Ending syscall filter
    SECCOMP Filter:
      VALIDATE_ARCHITECTURE
      EXAMINE_SYSCAL
      BLACKLIST 165 mount
      BLACKLIST 166 umount2
      BLACKLIST 101 ptrace
      BLACKLIST 246 kexec_load
      BLACKLIST 304 open_by_handle_at
      BLACKLIST 175 init_module
      BLACKLIST 176 delete_module
      BLACKLIST 172 iopl
      BLACKLIST 173 ioperm
      BLACKLIST 167 swapon
      BLACKLIST 168 swapoff
      BLACKLIST 103 syslog
      BLACKLIST 310 process_vm_readv
      BLACKLIST 311 process_vm_writev
      BLACKLIST 133 mknod
      BLACKLIST 139 sysfs
      BLACKLIST 156 _sysctl
      BLACKLIST 159 adjtimex
      BLACKLIST 305 clock_adjtime
      BLACKLIST 212 lookup_dcookie
      BLACKLIST 298 perf_event_open
      BLACKLIST 300 fanotify_init
      RETURN_ALLOW
    Save seccomp filter, size 392 bytes
    seccomp enabled
    Droping all capabilities
    User namespace (noroot) installed
    Starting firefox
    execvp argument 0: /bin/bash
    execvp argument 1: -c
    execvp argument 2: firefox
    Child process initialized
    
    (process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
    
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::sm-connect after class was initialised
    
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::show-crash-dialog after class was initialised
    
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::display after class was initialised
    
    (firefox:1): GLib-GObject-WARNING **: Attempt to add property GnomeProgram::default-icon after class was initialised
    
     
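The transcript above is the most useful thing in this thread for anyone auditing what a profile actually did: it lists the read-only remounts, the tmpfs overlays, every blacklisted path, every blacklisted syscall, and then dumps the BPF program that was installed. The parser below, an added example rather than Firejail's own code, turns such a transcript into a summary and cross-checks that every syscall reported as blacklisted also appears in the dumped filter. The `SAMPLE_DEBUG` text is a constructed, shortened excerpt in the same format (with one syscall deliberately left out of the filter dump so the check has something to report); feed it real output via stdin instead.

```python
"""Summarise a `firejail --debug` transcript (added example, not Firejail's code)."""
import re
import sys

# Constructed sample in the format of the transcript above. open_by_handle_at is
# logged as blacklisted but missing from the filter dump on purpose.
SAMPLE_DEBUG = """\
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/tmp
Mounting tmpfs on /home/unixman/.gnome2_private
Disable /bin/su
Disable /usr/bin/sudo
Disable /home/unixman/.ssh
Blacklisting syscall 165 mount
Blacklisting syscall 101 ptrace
Blacklisting syscall 304 open_by_handle_at
SECCOMP Filter:
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  BLACKLIST 165 mount
  BLACKLIST 101 ptrace
  RETURN_ALLOW
seccomp enabled
Droping all capabilities
User namespace (noroot) installed
"""

LINE_PATTERNS = {
    "profiles": re.compile(r"^Reading profile (\S+)$"),
    "readonly": re.compile(r"^Mounting read-only (.+)$"),
    "tmpfs": re.compile(r"^Mounting tmpfs on (\S+)"),
    "disabled": re.compile(r"^Disable (\S+)$"),
    "blacklisted": re.compile(r"^Blacklisting syscall (\d+) (\S+)$"),
    "filter": re.compile(r"^\s+BLACKLIST (\d+) (\S+)$"),
}


def parse_firejail_debug(text):
    """Return a dict describing the mounts, blacklists and hardening flags seen."""
    summary = {
        "profiles": [], "readonly": [], "tmpfs": [], "disabled": [],
        "blacklisted": {}, "filter": {},
        "seccomp": False, "caps_dropped": False, "noroot": False,
    }
    for line in text.splitlines():
        for key, pattern in LINE_PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            if key == "readonly":
                summary["readonly"].extend(p.strip() for p in m.group(1).split(","))
            elif key in ("blacklisted", "filter"):
                summary[key][m.group(2)] = int(m.group(1))  # name -> syscall number
            else:
                summary[key].append(m.group(1))
            break
        stripped = line.strip()
        if stripped == "seccomp enabled":
            summary["seccomp"] = True
        elif stripped.startswith("Drop") and "all capabilities" in stripped:
            summary["caps_dropped"] = True  # the transcript spells it "Droping"
        elif stripped.startswith("User namespace (noroot) installed"):
            summary["noroot"] = True
    return summary


def filter_gaps(summary):
    """Syscalls logged as blacklisted but absent from the dumped BPF filter."""
    return sorted(set(summary["blacklisted"]) - set(summary["filter"]))


def protected_home_paths(summary, home):
    """Paths under the user's home that were hidden (blacklisted or tmpfs-covered)."""
    prefix = home.rstrip("/") + "/"
    return sorted(p for p in summary["disabled"] + summary["tmpfs"] if p.startswith(prefix))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG
    s = parse_firejail_debug(text)
    print("profiles:", ", ".join(s["profiles"]))
    print("read-only:", ", ".join(s["readonly"]))
    print("blacklisted syscalls:", len(s["blacklisted"]), "filter entries:", len(s["filter"]))
    print("seccomp/caps/noroot:", s["seccomp"], s["caps_dropped"], s["noroot"])
    print("gaps between log and filter:", filter_gaps(s) or "none")
```

Usage: `firejail --debug firefox 2>&1 | python3 fjdebug.py` (the script name is an assumption). The GLib warnings at the end of a real transcript match none of the patterns and are simply ignored, which is the right treatment for them given the replies that follow.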
  10. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
These are trivial errors related to some GNOME library and these are GUI related things; almost everyone using GNOME or one of its derivatives gets them when running some GUI application in a terminal.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Yeah and I run xfce Arch with the following errors at the bottom with Chromium firejailed, with no problems to note:

    Code:
    <memory>:1: Invalid color constant '@selected_bg_color'
    Gtk-Message: (for origin information, set GTK_DEBUG): failed to retrieve property `ChromeGtkFrame::scrollbar-slider-prelight-color' of type `GdkColor' from rc file value ""@selected_bg_color"" of type `gchararray'
    libpng warning: iCCP: known incorrect sRGB profile
    libpng warning: iCCP: known incorrect sRGB profile
    libpng warning: iCCP: known incorrect sRGB profile
    libpng warning: iCCP: known incorrect sRGB profile
    libpng warning: iCCP: known incorrect sRGB profile
    libpng warning: iCCP: known incorrect sRGB profile
    libpng warning: iCCP: known incorrect sRGB profile
    libpng warning: iCCP: known incorrect sRGB profile
    libpng warning: iCCP: known incorrect sRGB profile
    getrlimit(RLIMIT_NOFILE) failed
    getrlimit(RLIMIT_NOFILE) failed
    getrlimit(RLIMIT_NOFILE) failed
    
    IOW, trivial stuff as UnknownK mentions.
     
  12. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
Those errors happen for everybody, apparently.

    Also, as already explained on this thread, there's no need to use the --seccomp flag with Firefox. Simply using "firejail firefox" will already add that flag.

    You know, I love Parabola's efforts, I really do. I tried installing the kernel firmware blobs in Parabola, using the package from Arch's repos, but I couldn't make the libre Kernel load my PITCAIRN firmware. There must be an internal syscall for that.

I now use Arch, with "your-freedom" from Parabola (the package that conflicts with everything non-FreeSoftware), and their Iceweasel too, because regular Firefox is a privacy disaster (and Parabola's Iceweasel is soooo nicely configured :D ).
     
  14. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
I concur. Their settings are privacy and security friendly out of the box; no Google/Yahoo/Bing search engines, no Hello, Pocket, etc. I have "your-freedom" installed too. There is also a "your-privacy" package, but I haven't used it.
     
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Thanks! I didn't know about your-privacy, but I will surely install it here tonight :D
     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Has anyone got VLC to work with Firejail?
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, with the profile that comes with Firejail (plus some more directories blacklisted). No problems here.

    EDIT. Since VLC is (again) affected by a vulnerability which is not yet fixed in Arch, firejailing it makes sense.
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Weird. If I click on a video, and VLC's KDE Menu is set with Firejail, it will not open that video.
    But if I launch VLC with Firejail, via Terminal, it will open the video.

Maybe GRSec is interfering with Firejail.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No problems here. How did you configure it? My command in the KDE startmenu is:
    Code:
    firejail --profile=/home/heat/.config/firejail/vlc.profile /usr/bin/vlc --started-from-file %U
     
  20. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Do you actually need the "--profile" flag? I tried:
    Code:
    firejail --caps.drop=all --noroot --seccomp  /usr/bin/vlc --started-from-file %U
    and
    Code:
    firejail /usr/bin/vlc --started-from-file %U
    If I open a folder (with Dolphin) and try opening a video this is the error I get:
    https://i.imgur.com/CDhxJX3.png

    However, if I just open VLC with Firejail from KDE's application launcher or via Terminal I can browse (from VLC) to my videos folder and open them there.

    Do you have GRSec Kernel installed? Or default Linux Kernel?
     
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
No, actually you don't. I used it because I copied/created my profiles to/in ~/.config/firejail in order to make sure that the profiles in /etc/firejail are not used. But I think that existing profiles in ~/.config/firejail take precedence anyhow. It's documented somewhere on the Firejail homepage or in the man page.

    You're right, I got that error, too, if the file name has blanks. I have a similar problem when I want to open image files with blanks in their file names with Gwenview.

    Yes, same here.

    The default Arch kernel, but self-compiled with just AppArmor added.
     
  22. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Interesting, and weird :confused:

    I'll do some research and try to find why this happens.
     
  23. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Great, I'm also very interested in a solution!
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    I've found this solution. Works great.

    EDIT: You can alternatively add
    Code:
    shell none
    to the respective profile. It's a bit easier, IMHO.
     
    Last edited: Sep 10, 2015
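The failure with file names containing blanks and the `shell none` fix fit together once you look at the `--debug` transcript earlier in the thread: by default Firejail starts the program as `/bin/bash -c <command line>`, so a path such as `my video.mp4` that arrived as one argument from the KDE launcher is joined into a string and re-split by the shell into two words. With `shell none` the argv is handed to execvp unchanged. The script below is an added example, not Firejail's code: it reproduces both behaviours with a constructed probe program that prints the argv it received, and as a third case shows that quoting the words before handing them to the shell (`shlex.join`, Python 3.8+) also survives; that last point is general shell-quoting practice and is not a claim about what the solution linked in the post does.

```python
"""Shell re-splitting versus direct exec of a file name with blanks (added example)."""
import json
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed probe: a tiny program that reports its own argv as JSON.
PROBE_SOURCE = "import json, sys\nprint(json.dumps(sys.argv[1:]))\n"


def _run_and_decode(argv):
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def argv_via_shell(cmd):
    """Default behaviour seen in --debug: words joined, then `/bin/sh -c <string>`."""
    return _run_and_decode(["/bin/sh", "-c", " ".join(cmd)])


def argv_via_shell_quoted(cmd):
    """Same shell path, but each word is quoted first so the shell cannot re-split it."""
    return _run_and_decode(["/bin/sh", "-c", shlex.join(cmd)])


def argv_direct(cmd):
    """What `shell none` does: the argv goes to execvp untouched."""
    return _run_and_decode(cmd)


def compare(filename):
    """Return (via_shell, via_shell_quoted, direct) argv lists for one file name."""
    with tempfile.TemporaryDirectory() as tmp:
        probe = os.path.join(tmp, "probe.py")
        with open(probe, "w") as f:
            f.write(PROBE_SOURCE)
        # Mirrors the launcher command line from the thread: <player> --started-from-file <file>
        cmd = [sys.executable, probe, "--started-from-file", filename]
        return argv_via_shell(cmd), argv_via_shell_quoted(cmd), argv_direct(cmd)


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "my video.mp4"
    via_shell, quoted, direct = compare(name)
    print("default (sh -c):     ", via_shell)
    print("sh -c, quoted words: ", quoted)
    print("shell none (execvp): ", direct)
```

Run it with `python3 argvdemo.py "my video.mp4"` (script name assumed): the first line shows the file name split into two arguments, which is exactly what the player then fails to open; the other two keep it intact.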
  25. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Here's the Firejail 0.9.30-rc1 Release Announcement with several interesting enhancements, e.g. a --whitelist option:

    I'll wait for the final, though.
     