I just updated my MX-17 32-bit laptop to MX-19. I enabled the backports in Synaptic and it is showing firejail 9.58.2. Shouldn't the version number be 9.6? Is the install process the same as the instructions you gave me about a year ago? Should I install 9.6(+) and if so, how? Thank you for your help.
The sourceforge.net download link summerheat gives is correct. That's where I got mine from a while back:
Code:
@debian:~$ firejail --help
firejail - version 0.9.62
I see Firejail is available for download in Solus Gnome, also a GUI for Firejail. Is it worth it for a basically beginner to Linux? Do you need to tweak things to get them to work?
Usually not. It has per-application profiles. If Firejail does not work for a particular application then you may just ignore it for that application, but use Firejail for other applications.
Newbie to Firejail here. I am using several Firefox profiles; when I launch Firefox in Firejail it opens the default one. The question is, when I open another profile alongside the default one (I launch that other one from about:profiles in the default one), is it opened inside Firejail? I guess it should, but I am not 100% sure. Thanks.
You can easily check if a program runs firejailed by executing firejail --list or, for a more detailed view, firejail --tree in the console.
There are no ready-to-use binaries on the Firejail download site, AFAIK. However, there are versions for several architectures on the respective site for Debian SID. The armhf version should be the right one.
Hello, I have a problem when running LibreOffice while firejailed. Some background: my OS (Debian) is partitioned as root, home and files. The 'files' partition is mounted on boot at /files. If I try to open a LibreOffice document from the "files" directory, as you may guess, it is read-only due to Firejail restrictions. When I disable Firejail, read-write access is restored. I have tried to overcome this by:
1. Creating a custom profile, as https://firejail.wordpress.com/documentation-2/building-custom-profiles/
2. Adding the following below "noblacklist": "whitelist /files"
When I then attempt to start LibreOffice, it fails to start out with: error invalid whitelist path /files. I've tried various other solutions but I'm not sure if I have the syntax correct? Thanks,
The relevant line from fstab is:
/dev/mapper/vg001-files /files ext4 defaults 0 2
This was created on install. The hierarchy for this device is basically: LUKS > LVM > LVs > filesystems. As you can see, the partition is mounted at boot. Thanks for your help
I suggest starting with the --tracelog option - perhaps it reveals some additional details. Btw.: Does your profile contain disable-mnt ? (although it shouldn't matter here ...) Just to make sure that I understood this correctly. You wrote The first rule is "noblacklist /files", isn't it?
I will run a tracelog shortly. No, the profile does not contain 'disable-mnt'. The only customisation on my part is to add the line (below existing noblacklist entries): whitelist /files I followed instructions from this guide (right at the bottom, where he adds a documents whitelist): https://www.techrepublic.com/article/how-to-install-and-use-firejail-on-linux/ As a temporary fix, would I be breaking anything by mv-ing the libreoffice.profile out of /etc/firejail and re-issuing firecfg - is there an easier way of removing a single application from Firejail? I don't want to disable it for all apps. I guess that Firejail is trying to protect any files that are outside of the home/default directories and especially those directories at the top level of root /.
I added the following to the custom profile:
$ firejail --tracelog libreoffice
Reading profile /home/USER/.config/firejail/libreoffice.profile
Reading profile /etc/firejail/allow-java.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 8520, child pid 8521
Error: invalid whitelist path /files
Error: proc 8520 cannot sync with peer: unexpected EOF
Peer 8521 unexpectedly exited with status 1
LibreOffice does not start.
I switched them around and with the 'whitelist' entry enabled, LibreOffice does not start - same errors as previous post. With 'whitelist' commented out of the profile, LibreOffice starts but any files outside of home are read-only. When issuing $ sudo firejail --clean, all files are read-write. As additional info, I have keepass (Firejailed) files as well as things like txt files that I can happily edit via Geany (Firejailed) - everything on this partition works except for LibreOffice files - it must be linked to the default LibreOffice profile rather than my system setup (IMO).
@sthmptn : Please show your complete profile. Looking only at fragments of it, it's difficult to say what's wrong. Btw., I forgot to answer this question: Not quite. This article explains the default access to the filesystem. Additionally a lot of specific folders/files are blacklisted by the various *.inc files included in every profile. And if the profile contains disable-mnt, /mnt, /media, /run/mount and /run/media are blacklisted as well. So actually /files is not covered at all by default which means that noblacklist /files and whitelist /files are moot. I hadn't thought about that earlier. These rules would only be necessary if you had created a file like, say, myrules.inc in ~/.config/firejail which contains the rule blacklist /files and which you added to your profiles or (even easier) if you added that rule to the globals.local file (which is automatically included in every profile) to make sure that no application can access this folder.
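Added example, not part of the thread or of Firejail itself: a small shell helper for the check described in the post above, walking a profile and the files it includes and printing every access rule that names a given path. The names fj_rules_for and fj_demo and the sample files are constructed for illustration; the lookup order for relative includes (user directory first, then /etc/firejail) is an assumption of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): print every access rule that names
# TARGET, or a path below it, in a Firejail profile and the files it includes.
# Usage: fj_rules_for PROFILE TARGET [SEARCH_DIR...]
# Assumptions: file names contain no spaces; relative includes are looked up
# in the search dirs in order (default: ~/.config/firejail, then /etc/firejail).
fj_rules_for() {
    fj_queue=$1
    fj_target=$2
    shift 2
    fj_dirs="$*"
    [ -n "$fj_dirs" ] || fj_dirs="$HOME/.config/firejail /etc/firejail"
    fj_seen=
    while [ -n "$fj_queue" ]; do
        fj_file=${fj_queue%% *}                      # pop the first queued file
        case $fj_queue in
            *" "*) fj_queue=${fj_queue#* } ;;
            *)     fj_queue= ;;
        esac
        case " $fj_seen " in *" $fj_file "*) continue ;; esac   # include-loop guard
        fj_seen="$fj_seen $fj_file"
        [ -r "$fj_file" ] || continue
        # Commented-out rules never match: their first field starts with "#".
        awk -v t="$fj_target" -v f="$fj_file" '
            $1 ~ /^(blacklist|noblacklist|whitelist|nowhitelist|read-only|read-write)$/ &&
            ($2 == t || index($2, t "/") == 1) { print f ": " $1 " " $2 }' "$fj_file"
        for fj_inc in $(awk '$1 == "include" { print $2 }' "$fj_file"); do
            case $fj_inc in
                /*) fj_queue="${fj_queue:+$fj_queue }$fj_inc" ;;
                *)  for fj_d in $fj_dirs; do
                        [ -r "$fj_d/$fj_inc" ] || continue
                        fj_queue="${fj_queue:+$fj_queue }$fj_d/$fj_inc"
                        break
                    done ;;
            esac
        done
    done
}

# Constructed sample tree, not real Firejail profiles: the profile itself has
# no active rule for /files; the rules sit in the two included files.
fj_demo() {
    d=$(mktemp -d)
    printf 'include globals.local\ninclude myrules.inc\n#whitelist /files\n' > "$d/libreoffice.profile"
    printf 'blacklist /files\n' > "$d/globals.local"
    printf 'blacklist /mnt\nread-only /files/archive\n' > "$d/myrules.inc"
    fj_rules_for "$d/libreoffice.profile" /files "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

fj_demo
```

On a real system, call fj_rules_for with the profile path and /files and no directory arguments; empty output means no rule in the include chain names that path.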
Thank you for your time - I appreciate the effort you make to provide advice and information for others! My solution currently is to move any files/directories over to ~/home first, edit, and then move back when complete - bit of a faff but it's my choice to use this OS/LibreOffice. I tried moving and also renaming the libreoffice.profile in /etc/ to see if I could disable Firejail for LibreOffice but this freezes my desktop environment with only a hard reset (hold power) available. As per previous post, this is tracelog output: And this is the profile contents:
$ cd ~
$ mkdir -p .config/firejail
$ cd .config/firejail
$ cp /etc/firejail/libreoffice.profile libreoffice.profile
$ nano ~/.config/firejail/libreoffice.profile
Note: I have currently commented out my two entries. Everything else is default. As you hint at, I think the culprit/solution may be in those additionally included config files (disable-devel, disable-common??) but I'm not sure I have the knowledge to troubleshoot. For me, the PROS Firejail adds to my security outweigh the CONS regarding LibreOffice.
As mentioned, this shouldn't be necessary as /files is not blocked by Firejail by default - unless you added blacklist /files to, e.g., globals.local. I have a partition named Backup on an extra hard disk:
Code:
# /dev/sdc1 LABEL=Backup
UUID=7d87ed2f-1f93-456c-a50e-8330cda01a23 /Backup ext4 defaults,noatime 0 2
... and I can access it with LibreOffice without any problems. Ouch. This shouldn't happen at all (and it doesn't on my system, I just tried to reproduce). It seems something is broken on your system. Btw.: in order to disable Firejail for a specific application you can simply delete the respective symlink in /usr/local/bin.
Code:
Error: invalid whitelist path /files
This makes sense: if it's not blacklisted it cannot get whitelisted. However, I wonder why this message still appears considering that you wrote: No, as those *.inc files are in my LibreOffice profile as well and I can access my /Backup drive as mentioned above. Could you, please, execute
Code:
firejail --debug libreoffice
Thanks for your comments - I have been testing over the weekend. As I can see that you have a working setup not /too/ dissimilar to mine I have not given up hope. Regarding the system, it only freezes when trying to start LibreOffice with Firejail enabled AND those custom rules in place. Obviously not good but apart from this the system is rock solid, and is a fresh install from the last month or so. Putting aside my original device, I decided to spin up a test VM and try and keep it as vanilla as possible while still recreating my setup. I installed using a Debian 10 minimal ISO. At partitioning, I chose manual, created a /boot and a /root as well as a new partition at /files. For software, I simply chose DE of XFCE along with standard sys utils. Once inside, and with LibreOffice already installed as default, I issued the following commands:
$ sudo chown deb -R /files && sudo chmod 770 -R /files
$ sudo nano /etc/apt/sources.list :: deb http://deb.debian.org/debian buster-backports main
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install -t buster-backports firejail firejail-profiles
$ firecfg --fix-sound
$ sudo firecfg
$ sudo apt-get install vdagent - for copy / paste
After a reboot, I can create odt documents and save to home - I can also copy these to files but when opening from files the error (read-only) persists. After issuing sudo firecfg --clean, odt documents are subsequently read-write. Is it simply a permissions issue? See my first command above for the files directory. Here is the debug output: EDIT: BTW, this is without any custom profiles, as the permissions error is present even at this stage - I didn't want to complicate it further.
@sthmptn : Could you, please, show the output of
Code:
ls -l /files
and
Code:
id
and
Code:
cat /etc/firejail/firejail-users