And then again, the pulseaudio developers clearly stated that the fix is far from perfect or even good as it will cause pukseaudio to create tons of little files which wont get deleted by pulseaudio.
I'm having some difficulties with version 0.9.36_1. I'm unable to drag and drop files into Dropbox and on Linux Mint KDE 17.2 Private Keep isn't working I keep getting an error message something like invalid command. Note: Private Keep works just fine on Linux Mint Cinnamon 17.1 heck it even works properly now on the non-admin account. BTW how do I use Private Home with Firefox.
man firejail just scroll down to the --private option and you'll see how it can be used in place of private-keep.
Thanks. firejail --private-home=.mozilla firefox BTW does Private Home allow you to save downloads or bookmarks?
Wow, this thing is awesome! It's like AppArmor in a 120 KB binary. Rockin'. I am a little concerned about the user-administered part though. IOW: it is a setuid binary. We know the sandbox is okay; but do we know that the binary itself won't provide a possible means of privilege escalation, from non-sandboxed programs? This calls for some experimentation, I think. Edit: it looks like Firejail drops privileges very fast indeed. I think we're okay here.
Indeed! With the .inc files included, e.g., in firefox.profile basically all critical folders/files are blacklisted, and in your home only those folders/files are visible/accessible which are explicitly whitelisted. I recommend it for all distros. For example, in Ubuntu there is an apparmor profile for Firefox available but it's disabled by default. And if you enforce it you have to add various own rules in order to not make it break things. And in Fedora? I've recently installed v. 23 in a Virtualbox VM and noticed to my surprise that Firefox is not confined by SELinux. Ouch! Now consider how easy that is with Firejail. Finally Firefox has a sandbox as strong as the one of Chromium/Google Chrome. And even the latter is considerably more confined by Firejail. FWIW, I've firejailed quite a number of applications, including Thunderbird, Okular, Gwenview, unbound, dnscrypt-proxy, LibreOffice, Guayadeque Good to know. How did you test that?
Nothing even remotely interesting - just trying to run various already-setuid binaries with it. Don't assume there are no holes just because I haven't found any.
Downloads yes, but I haven't figured out how to create exceptions for bookmarks when using the --private option. Essentially any and all changes to and within the browser are discarded when the sandbox is closed using the private-home option, because it overrides whitelisting. I'm hoping someone does know how to create these exceptions and can provide an example. Summerheat maybe? ...who seems to have a good handle on it.
No, I meant running Firefox firejailed. EDIT: If you're running Firefox firejailed and open about:support in the browser you'll see at the bottom of that page that seccomp-bpf is enabled.
Me neither, but usually I don't have to download anything when I'm using the --private option (which I only do to use Youtube and Facebook). But if I have to download something, I usually upload it to MEGA/Sendspace, and then download via the regular browser that is opened with "Firejail iceweasel".
Thanks. Yeah, Downloads are easy enough. It's only bookmarks and basically everything else that's a problem. Of course having all changes flushed away when closing the sandboxed browser is a nice security and privacy benefit, but it would be nice if one could include exceptions such as bookmarks and on-the-fly changes to extensions, such as when updating the ruleset to uBlockO, for example.
Quite frankly - I don't see why this should be necessary. I block 3rd-party cookies by default, allow those 1st-party cookies which I don't block with uMatrix anyhow only until the browser closes (with a few exceptions), additionally the extension "Self-destructing cookies" takes care of cookies and local storage, and the browser cache, website offline-data etc. are deleted when the browser closes. And my privacy is already well protected by uBlock0 and strict settings in uMatrix beforehand. I simply don't see the benefits of the --private option for me considering all the trouble discussed above.
You only lose changes if you use the --private option. Normal "firejail firefox" won't make the changes go away. But then, if you need the --private option you might as well not have anything stored as it may be used to identify you and your browser. I never used this option, but I think "firejail --private-home=/home/your-user/.mozilla/profile-x" is a good idea to have a separate browser profile. Just remember to create the new profile first, and then point it's directory with the command above.
Points well taken, but it's just I like the fact all history is wiped when I close the firejailed browser, along with any other possible, even if unlikely, unauthorized changes that may have happened in the browser and extensions during the sandboxed session. I don't need an extension to wipe history or cookies this way, either. Of course there is for me a small inconvenience factor whenever I want to make persistent changes such as updating the extensions (uBlockO, Lastpass & New Tab Redirect), expecially uBlock, or the rare times I want to add or manage bookmarks. Updating the browser to a newer version also requires I launch it unsandboxed too. At least I can backup my extension configurations and download files to my Downloads folder on my backup drive in the sandboxed session. It's worth it for me. EDIT oops, forgot to mention also using HTTPS Everywhere extension I have two launchers on my panel for this: One to launch the browser unsandboxed for updating and other maintenance reasons, and one to launch it sandboxed for typical browsing. Ohh, just saw your post after I posted I use Chromium, and for identity concerns, well, uBlockO hopefully to some extant, at least, handles this concern, plus i block 3rd party cookies. What it all comes down to is I like the fact I know for sure when I open a new sandboxed session, it's opening a clean session because of the private-home option.
I confess that I'm something of a lackwit on the inner workings of Linux – so my usage of firejail is in the 'monkey see > monkey do' category. For the benefit of others who may be likewise, this forum link provides some easier to understand (IMO) tips and examples on using firejail than the formal Wordpress articles. http://forums.linuxmint.com/viewtopic.php?f=42&t=202735
OK so with Firejail Firefox is as secure as Chromium/Chrome minus Firejail. So what about Private Home is that comparable or on par with Sandboxie? wat0114 I haven't been able to save downloads with Private Home, am I doing something wrong?
Sorry, I should have mentioned you'll have to create a Downloads folder in a location other than under your /home/user_name Thanks, but there is also the outdated Flash issue in Firefox under Linux which I don't like. The PPAPI (pepper-Flash) plugin under Chromium looks far more secure than that of Firefox'.
That Flash version is not outdated security-wise as it still gets security updates. That said, isn't Flash sandboxed, too, if you run Firefox firejailed? It should but I can't tell for sure as I haven't Flash installed at all but Shumway instead. And most sites work flawlessly.