Well, it seems that it's not enabled in the Synaptic settings. But to make things a bit easier, you can execute the following command in the console: Code: sudo apt install -t stretch-backports firejail firejail-profiles No, but you should execute them in the console after installing Firejail. I strongly suggest that you look into the Debian documentation where you'll find plenty of information.
I ran the stretch-backport cmd and it came back "stretch-backports is invalid for APT". I ran the 2 codes (sound and config), lots of items with "created" by their name. Went back into Synaptic and now firejail and profiles have blue checkmarks instead of green. How do you tell if it is installed and working? I promise this is my last question. Thanks for your help.
You have to enable the stretch-backports first - either in Synaptic (Settings -> Sources) or by editing /etc/apt/sources.list.d/debian.list and removing the # at the start of the stretch-backports line. Then execute Code: sudo apt update and then Code: sudo apt install -t stretch-backports firejail firejail-profiles Finally again Code: sudo firecfg as new profiles have been added. Code: firejail --version should show that 0.9.56 is running now. If you start applications for which Firejail profiles are available (e.g. Firefox) you'll see that when executing Code: firejail --list or, more detailed, Code: firejail --tree
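The first step above, removing the leading "#" from the stretch-backports line, as a scripted edit that also verifies something actually got enabled before you run the apt commands. This is an added example, not code from the thread; the sample file contents are constructed to mimic the MX-17 debian.list layout.

```shell
#!/bin/sh
# Added example (not from the thread): uncomment the "deb"/"deb-src" lines for a
# given suite in an apt sources file, as summerheat describes doing by hand in
# /etc/apt/sources.list.d/debian.list, and report how many active lines now
# reference that suite so a script can refuse to run
# "apt install -t stretch-backports ..." when the repository is still disabled.

# enable_suite FILE SUITE -> prints the number of active lines for SUITE after
# uncommenting; returns 1 if there are none.
enable_suite() {
    file=$1
    suite=$2
    # Uncomment only lines whose suite field is exactly $suite (e.g. stretch-backports),
    # leaving "stretch" and every other line untouched.
    sed -i "s/^#[[:space:]]*\(deb\(-src\)\{0,1\}[[:space:]][^ ]*[[:space:]]$suite[[:space:]]\)/\1/" "$file"
    n=$(grep -c "^deb\(-src\)\{0,1\}[[:space:]][^ ]*[[:space:]]$suite[[:space:]]" "$file" || :)
    echo "${n:-0}"
    [ "${n:-0}" -gt 0 ]
}

# Constructed sample in a temp file; nothing under /etc is touched.
demo_enable_backports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
deb http://deb.debian.org/debian stretch main contrib non-free
#deb http://deb.debian.org/debian stretch-backports main contrib non-free
#deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
EOF
    enable_suite "$f" stretch-backports || :
    # The plain "stretch" line must still be exactly one active line.
    grep -c '^deb .*[[:space:]]stretch[[:space:]]' "$f"
    rm -f "$f"
}

demo_enable_backports
```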
summerheat, Synaptic - Settings - (no Sources listed). Ran the cmd - permission denied. Since I had already run the firejail config code, I ran the version code. It showed firejail 0.9.50 installed. I then ran the tree cmd; it listed several items as enabled (apparmor, ... x11 sandbox). I guess it is installed and working. I'm used to Sandboxie (yellow border). Hopefully MX-17 will offer an update for firejail. Thanks for your help, I never would have made it this far without it.
Well, I'm not sure if it's called "Sources" or "Repositories" in the English version. In any case there is an entry in the settings where all repositories are listed and where you have to enable the backports repository. Close Synaptic and execute the commands above. And sudo firecfg should be executed with every Firejail update as new profiles are usually added.
I've read many articles about Firejail, but there is one thing I am still confused about. I am unclear as to why Firejail is better than running an app as a restricted user. There is a similar question on superuser.com, but it received no answer: https://superuser.com/questions/1359975/sudo-pkexec-vs-sandbox-differences-pros-cons It seems to me that Firejail has a wider attack surface than simply running the app as a restricted system user. What are the pros and cons of Firejail vs. a restricted user?
1. First of all, this contradistinction doesn't exist. If you run applications sandboxed with Firejail, they are not running with root privileges, either. The sandbox process starts as root, but after it configures the filesystem, network and seccomp it drops privileges and starts the user application. 2. It's true that a restricted user doesn't have access to most "dangerous" stuff. Nevertheless, privilege escalation is possible if there is a vulnerability in an application. Besides, it's possible that, e.g., an infected browser starts a helper application that does something evil. As, for most applications, all capabilities are dropped by Firejail and a seccomp filter is applied, the attack surface of the system (and the kernel in particular) is dramatically reduced. 3. Apart from this, an application running as a restricted user still has access to your whole home directory. Firejail restricts that access considerably by blacklisting critical folders and files (not only in your home) via the various *.inc files included in all profiles. And applications with whitelisted profiles actually only have access to folders/files which are explicitly whitelisted. This doesn't only improve your security but also your privacy.
@summerheat Do you know how I can make firejail allow gimp to execute a single file? Like in gimp.profile it says "noexec ${HOME}", but how can I prevent execution of anything EXCEPT in a folder like "/home/amarildo/.gimp-2.8/plug-ins/"?
I've seen that you asked this question also here. I can't really add to what is said there. As a matter of fact, noexec ${HOME} is commented in the gimp profile that comes with Firejail. So if you uncommented it manually the suggestions made by glitsj16 are probably the way to go as noexec takes precedence over whitelist.
summerheat, I feel like a real dumbaxx. After Synaptic - Settings - Repositories, I had to expand the repo window to see stretch-backports to enable it. After doing that and following all the commands you listed, firejail updated to 0.9.56. Will firejail auto-update now? Thanks again for all of your help.
Is anyone familiar with how Firejail is set up on Parrot? I've read they integrated it into the system. Maybe it's just preinstalled and nothing more than that. Just wondering.
Just a quick thank you to summerheat! I've read several comments in this huge thread and you are so helpful in many, many ways. Thank you so much for taking the time to help everybody as much as you can and for announcing new versions quite frequently. I think I speak for everyone in saying that this is simply awesome. Thank you very, very much for this amazing piece of software and your additional help.
Sorry if I've asked this question sometime before, but if I did, I've already forgotten the answer. I ran sudo firecfg to automatically sandbox all relevant applications, but is there a way to run an app like google-chrome-stable un-sandboxed temporarily for the purpose of exporting bookmarks or retrieving files from MS OneDrive, for example? EDIT: I suppose I may have answered my own question - maybe. I created a separate launcher and edited the command to: firejail --noprofile google-chrome-stable
Thank you very much for your nice words! I'm a bit embarrassed now ... Just a clarification: this is not my software and I am only an interested user who is happy to help.
Well, the easiest way is using the full path for the application, i.e. starting it like Code: /usr/bin/google-chrome-stable This makes sure that the respective symlink in /usr/local/bin (pointing to /usr/bin/firejail) is not used and, consequently, the application is executed unsandboxed.
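The symlink mechanism described above, turned into a check a launcher script can run before starting an application: it reports whether a given name would go through the firecfg wrapper in /usr/local/bin or start unsandboxed via its full path. This is an added example, not code from the thread or from the Firejail project; the fake /usr/bin and /usr/local/bin layout it builds under a temp directory is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): after "sudo firecfg", a bare name such as
# google-chrome-stable resolves to /usr/local/bin/google-chrome-stable, a symlink
# to /usr/bin/firejail, so it starts sandboxed, while the full path
# /usr/bin/google-chrome-stable bypasses the wrapper. This tells the two apart.

# sandbox_status NAME [FIREJAIL_BIN] -> prints sandboxed | unsandboxed | missing
# and returns 0 | 1 | 2 respectively.
sandbox_status() {
    name=$1
    firejail_bin=${2:-/usr/bin/firejail}
    resolved=$(command -v "$name" 2>/dev/null) || { echo missing; return 2; }
    # Only a symlink whose target is the firejail binary is the firecfg wrapper.
    if [ -L "$resolved" ] && [ "$(readlink "$resolved")" = "$firejail_bin" ]; then
        echo sandboxed
        return 0
    fi
    echo unsandboxed
    return 1
}

# Constructed layout under a temp dir mimicking /usr/bin and /usr/local/bin
# after firecfg has run; the real system is not touched.
demo_sandbox_status() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/usr/local/bin"
    printf '#!/bin/sh\necho fake firejail\n' > "$tmp/usr/bin/firejail"
    printf '#!/bin/sh\necho fake chrome\n' > "$tmp/usr/bin/google-chrome-stable"
    chmod +x "$tmp/usr/bin/firejail" "$tmp/usr/bin/google-chrome-stable"
    ln -s "$tmp/usr/bin/firejail" "$tmp/usr/local/bin/google-chrome-stable"
    saved_path=$PATH
    # Fake dirs first, like /usr/local/bin before /usr/bin on a real system.
    PATH="$tmp/usr/local/bin:$tmp/usr/bin:$saved_path"
    sandbox_status google-chrome-stable "$tmp/usr/bin/firejail" || :             # bare name
    sandbox_status "$tmp/usr/bin/google-chrome-stable" "$tmp/usr/bin/firejail" || :  # full path
    sandbox_status no-such-app-xyz-1234 "$tmp/usr/bin/firejail" || :            # not installed
    PATH=$saved_path
    rm -rf "$tmp"
}

demo_sandbox_status
```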
How will I know if/when it is offered to MX-17? I have saved the commands from post 603 to a folder so I will always have them. My backports are enabled. Thanks again for your help.
In your MX Package Installer, click on the MX Test Repo tab, search for firejail. I show 0.9.58 available for firejail and firejail-profiles.
Yes, I see that also. I have 0.9.56 installed. What is the proper way to update to 0.9.58? Will it be offered in a daily update or will I need to run the commands again? Thanks for everyone's help.
That is the proper way to upgrade if you don't want to wait indefinitely for it to be offered in the stable repo, where it will arrive with the normal updates. In the package installer test repo, just select firejail 0.9.58-1~mx17+1 and firejail-profiles if desired; they should have the orange symbol with arrows by them showing they're upgradable, as you have an earlier version installed. Then, once you have them checked, click on upgrade at the bottom. Just to be sure: you are looking at the MX Package Installer, and not Synaptic? If not, click on the MX symbol in the task bar (I think it's called the "whisker menu"), type "MX Package Installer" in the search box, then click on the MX Test Repo tab. I believe the test repo is pretty safe and reliable, and if something goes wrong you can downgrade. Though personally I tend to wait for things to be offered through the stable repo.
snowwalker, since I'm new to firejail I wasn't sure how the update would be offered. Like you, I will wait for it in the daily updates. Thanks again for your help.
I know that Firejail isolates specified applications, but is there a way to isolate folders? (I mean, if a process/program starts from a specified folder, Firejail automatically isolates it.)