@summerheat Whenever I run firecfg, google chrome stops opening. Firefox works fine though. I have to run firecfg --clean for chrome to open. Even running chrome from terminal - firejail google-chrome, it still crashes. Is there any way to get this to work?
I'm not using Google Chrome so I can't really tell. 1. If you start it in a terminal - are there any error messages? 2. Which distro are you using? If you're using Ubuntu or derivatives the included Firejail version is outdated and you should use the ppa. (Note that the google-chrome.profile includes the chromium-common.profile which has seen various changes in the past months which might solve your problem.) Note also that by executing sudo firecfg --clean no application is sandboxed by Firejail anymore. That's certainly not what you want. You should remove the symlink /usr/local/bin/google-chrome instead.
Thanks. Unfortunately, that didn't work. I ended up installing the LTS version and this worked for me.
Sigh. Good for you - but I wonder why you asked for help if you didn't bother to provide any info and answer my questions. As a consequence I'm no longer willing to show an interest in such queries.
ok np. I tried the ppa but didn't work either. I didn't see any error message, or missed it. I'll make sure not to tag you anymore. Sorry for any inconvenience.
I have the exact same problem. I also installed ppa but no luck. If I find anything useful I will let you know.
I downloaded the LTS firejail and it fixed my problem. https://sourceforge.net/projects/firejail/files/LTS/firejail-apparmor_0.9.56.2-LTS_1_amd64.deb/download
Trying to update Firetools and Firejail in Linux Mint without success. Following message reads: An unhandlable error occured. There seems to be a programming error in aptdaemon, the software that allows you to install/remove software and to perform other package management related tasks. Also unable to close the package installer. It remains frozen on screen after clicking on install button.
I installed Firejail, Firetools and Firejail-profiles (PPA install) in Mint.
Firejail 0.9.72-2
Firetools 0.9.72-1
Firejail-profiles 0.9.72-2

Firetools launches OK and when clicking on the Firefox icon it launches Firefox.

Firetools stats:
Command: Firejail Firefox
Profile: /etc/firejail/firefox.profile
RX: system
TX: system
Seccomp: enabled
Capabilities: // when clicking on the numbers it opens a box listing what is disabled.
User Namespace: enabled
Protocols: unix,inet,inet6,netlink
Memory deny exec: disabled
Apparmor: firejail-default enforce

When launching Firejail Configuration Wizard:
Step 1: Choose an application
Select Network from left side and Firefox from right side from the menus
Step 2: Choose a security profile
Select: Build a default security profile
Continue button // no modifications by me made

Results
# Custom profile for /usr/bin/firefox
# file system
include /etc/firejail/disable-common.inc
private-tmp
private-dev
blacklist /mnt
blacklist /media
# network
# multimedia
# kernel
seccomp
nonewprivs
caps.drop all
noroot
apparmor

Click on Done button. Firefox launches, but unable to do searches or even open up Ublock Origin.

Opening up Firetool stats:
Click on PID
Command: /usr/bin/firejail --profile=/tmp/firejail-ui-<numbers & letters> /usr/bin/firefox
Profile: /tmp/firejail/-ui-<same numbers & letters>
RX: system
TX: system
Seccomp: enabled
Capabilities: // looks to be the same disabled list
User Namespace: enabled
Protocols: disabled
Memory deny exec: disabled
Apparmor: firejail-default//&unconfined enforce

Notice the FCW UI is hard to read. All wording is hard to see (white). When typing into boxes to make changes wording comes out white. When closing Firefox I have to hit 'Shutdown' in Firetools to close PID.

Does this have anything to do with /etc/apparmor.d/disable/usr.bin.firefox? Why is the Firejail Configuration Wizard UI messed up?
I don't use Firetools as I don't need it. And most probably you don't need it, either. Rather, follow the steps for desktop integration and start your applications as usual. I'm confused. Why do you want to create a new profile for Firefox when Firejail comes with a ready-to-use one for it? That makes no sense to me. No. This profile is disabled (that's why it is in the disable sub-directory), and Firejail uses for all confined applications only the firejail-default profile anyhow. I have no idea as I don't use it.
@summerheat I ran command:
Code: firecfg --fix-sound
It wrote file to /home/<username>/.config/pulse/client.conf
PulseAudio configured, please logout and login back again
Did that. File is there.

Also ran command
Code: sudo firecfg
Removing all firejail symlinks:
Configuring symlinks in /usr/local/bin based on firecfg.config
NOTE: A symlinks created list, but I just shortened it for this post and highlighted a few. The /usr/local/bin has 78 files listed.
   catfish created
   firefox created // Browser is firejailed when opened
   librewolf created // Browser IS NOT firejailed when opened
Added my username to Firejail access database in /etc/firejail/firejail.users
User <username> already in the database // my username is there
Loading AppArmor profile
Fixing desktop files in /home/<username>/.local/share/applications
   io.github.celluloid_player.Celluloid.desktop skipped: file exists
   org.gnome.Logs.desktop skipped: file exists
   menulibre.desktop skipped: file exists
   librewolf.desktop skipped: file exists
   org.xfce.Catfish.desktop skipped: file exists
   org.gnome.baobab.desktop skipped: file exists

Can't open 'Catfish File Search'. When clicked on I receive this popup message:
Is that denied write access?
Yes, but I don't have this message here (so it's not related to AppArmor on my system). I installed catfish on Arch Linux - and it doesn't start here, indeed. But it's related to the entry
Code: dbus-user none
in /etc/firejail/catfish.profile. After commenting that rule catfish starts without a problem. I suggest that you report this issue here.

EDIT: In the meantime you can create the file /home/<your_user>/.config/firejail/catfish.local and add the line:
Code: ignore dbus-user none

EDIT: Changed /home/<your_user>/.config/firejail/catfish.profile to /home/<your_user>/.config/firejail/catfish.local
@summerheat You are correct. Catfish does open with ignore dbus-user none. Thank you.

Catfish open:
Command: /user/bin/firejail /user/bin/catfish
Profile: /etc/firejail/catfish.profile
Apparmor: firejail-default//&unconfined enforce

Something else I noticed. When Firefox and/or Librewolf are firejailed and I open uBlock Origin > My filters > click on Import and append... to add some extra filters I had stored in 'Documents' folder, that folder won't open when clicked on. I opened Firefox and typed file:///home/<username>/Documents into address bar. Result:
File not found
Firefox can't find the file at /home/<username>/Documents.
Check the file name for capitalization or other typing errors.
Check to see if the file was moved, renamed or deleted.
Same results happen if I type Pictures and Videos into FF address bar. Did the same thing with Firefox NOT FIREJAILED and able to open Documents folder to add uBO filters and of course can see the Documents content when again I type in file:///home/<username>/Documents in the FF search address bar. Are Firejail default settings set to have no access to my Documents, Pictures and Videos folders?

EDIT From firejail.wordpress.com:
To protect user's privacy, we deploy a very strict Mandatory Access Control (MAC) on top of the existing file system. Access to passwords, encryption keys, and private data is blocked for more than 1000 desktop applications supported by default. For most networked apps and games the sandbox is configured to hide all the files in home directory, with the exception of app configuration and Downloads.
Index of file:///home/<user name>/
Name
File: .Xauthority
File: .bashrc
.cache
.config
File: .gtkrc-2.0
File: .inputrc
.local
.mozilla
.pki
Downloads
User home directory as seen by Mozilla Firefox browser process // Edited
Yes, this is the expected behavior. /etc/firejail/firefox.profile (which includes /etc/firejail/firefox-common.profile) doesn't allow access to your ~/Documents folder. If you want to allow this you have to add
Code: whitelist ${HOME}/Documents
to ~/.config/firejail/firefox.local. It's mandatory to make yourself familiar with the basic usage of Firejail by reading through https://firejail.wordpress.com/documentation-2/basic-usage/, https://firejail.wordpress.com/documentation-2/building-custom-profiles/, e.g. https://wiki.archlinux.org/title/Firejail and the man pages (man firejail and man firejail-profile) to understand the logic and the various commands, particularly if you want to modify existing profiles.
OK thanks, but for now I'll keep Documents folder to have no access.

LibreWolf browser stats:
Command: firejail librewolf
Profile: /home/user name/.config/firejail/librewolf.profile
Apparmor: unconfined

/home/user name/.config/firejail/librewolf.profile
#ignore noroot
ignore apparmor
ignore dbus-user none

Firefox browser stats:
Command: firejail firefox
Profile: /home/user name/.config/firejail/firefox.profile
Apparmor: firejail-default enforce

/home/user name/.config/firejail/firefox.profile
#ignore noroot
ignore dbus-user none

NOTE: No modifications made yet except transferring both browser profiles via command to /home/user name/.config/firejail

Why is Apparmor unconfined in librewolf.profile while Apparmor in firefox.profile has firejail-default enforce? Also librewolf.profile includes the line ignore apparmor whereas firefox.profile DOES NOT contain that line. If I comment out or remove ignore apparmor from librewolf.profile the browser will not open. I've looked at those links you posted, but didn't see info on what I've posted, probably because it's more specific and maybe not covered or I missed it.
Huh? Why are you doing such strange things? There is a reason why apparmor is deactivated in the librewolf.profile. I don't know if there is a work-around as I don't use Librewolf. Perhaps you can find out what is blocked with sudo aa-logprof and add the required rules to /etc/apparmor.d/local/firejail-default. Anyways, Librewolf is still properly sandboxed by Firejail so I wouldn't worry too much. The firejail-default profile offers only limited additional protection. EDIT: Please notice the edit in my post here. It contained a typo. Did you report that issue as suggested? Projects like Firejail can only progress if such problems are reported.
Rather than editing the profiles in /etc/firejail I can place a number of local profiles in there where I can add ignore commands or others such as blacklisting or whitelisting other files or folders not found in the /etc/firejail profiles. Firejail will read the local profile first before reading the /etc/firejail profiles. I can experiment safely in the copied profiles and my modifications will remain intact and not be overwritten after every install/upgrade of firejail as happens with /etc/firejail profiles.

Read your posted link and now understand why apparmor wasn't enabled and ignore apparmor was listed in firejail/librewolf.profile.

Still trying to figure out aa-logprof. Had this come up.
Code:
$ sudo aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:  firejail-default
Path:     /run/systemd/userdb/io.systemd.DynamicUser
Old Mode: mrlk
New Mode: mrwlk
Severity: unknown

 [1 - #include <abstractions/nameservice>]
  2 - /{,**} mrwlk,
  3 - /run/systemd/userdb/io.systemd.DynamicUser mrwlk,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / Abo(r)t / (F)inish
Nothing was selected.

Haven't reported the issue, but for now just added catfish.local as you mentioned in your edit.
Yes, but this is why *.local profiles exist. In every profile there is a line like Code: include catfish.local and this *.local file (which can be placed in ~/.config/firejail or in /etc/firejail) should be used to make modifications. Copying the original profiles to ~/.config/firejail (and modifying them) works, indeed, but you shouldn't do this. When Firejail gets an update and profiles receive fixes/improvements/hardenings you won't benefit. And I guess that a lot of changes will arrive before long now that Landlock has landed in Firejail. So I strongly suggest that you add your modifications to *.local files. Besides, an advantage of the *.profile files located in /etc/firejail is that they are write-protected for users and, hence, from being modified by applications running with user rights. While this scenario is not very likely it's a good practice that configuration files for a security-critical application like Firejail can only be modified with root permissions. I don't know. I haven't seen this on my system. If everything works as expected I would ignore it. If you notice a problem related to this message you can tentatively add Code: /run/systemd/userdb/io.systemd.DynamicUser mrwlk, to /etc/apparmor.d/local/firejail-default.
@summerheat OK kept catfish.local file, but removed Firefox and Librewolf profile files from /home/<user name>/.config/firejail/ until I make changes to the browsers and set them as *.local in /.config/firejail. Thanks for letting me know that.

Ran sudo aa-logprof again, but it just updated apparmor profiles in /etc/apparmor.d and no new entries seen in terminal, however I still am getting 1 apparmor popup message from what we discussed about the /run/systemd/userdb/io.systemd.DynamicUser. Message recorded in /var/log/kern.log:
Code: apparmor="DENIED" operation="connect" profile="firejail-default" name="/run/systemd/userdb/io.systemd.DynamicUser" pid=6890 comm="catfish" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0

Catfish firejailed opens and seems to run fine.
Command: /usr/bin/firejail /usr/bin/catfish
Profile: /etc/firejail/catfish.profile
Apparmor: firejail-default//&unconfined enforce

You mentioned if you notice a problem related you can tentatively add /run/systemd/userdb/io.systemd.DynamicUser mrwlk, to /etc/apparmor.d/local/firejail-default. I'm not sure though if this is related to the message I have in Code: above.
just allow the first option: #include <abstractions/nameservice> It already has mrlk access as seen in "Old Mode" and now is simply asking for the addition of write access as can be seen with "New Mode" mrwlk, .
Well, that's possible, of course. However, the nameservice abstraction allows a lot more, and if the 3rd option is sufficient I would prefer that one. Remember that all Firejail profiles are affected by firejail-default. And again, if catfish or whatever work without that addition I would simply ignore it. Or possibly even add Code: deny /run/systemd/userdb/io.systemd.DynamicUser mrwlk, to /etc/apparmor.d/local/firejail-default in order to silence aa-logprof.
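The kern.log denial quoted earlier in the thread and the allow-versus-deny choice discussed in this post can be worked through as a small triage script that turns DENIED lines into candidate lines for /etc/apparmor.d/local/firejail-default. This is an added example, not code from the thread, from Firejail or from AppArmor; the second log line is constructed, and parse_denial, merge_modes and suggest_rules are names chosen here.

```python
import re

# Constructed sample: the kern.log line quoted in the thread plus a second,
# constructed denial for the same path (not taken from the page).
SAMPLE_LOG = (
    'apparmor="DENIED" operation="connect" profile="firejail-default" '
    'name="/run/systemd/userdb/io.systemd.DynamicUser" pid=6890 comm="catfish" '
    'requested_mask="w" denied_mask="w" fsuid=1000 ouid=0\n'
    'apparmor="DENIED" operation="open" profile="firejail-default" '
    'name="/run/systemd/userdb/io.systemd.DynamicUser" pid=6891 comm="catfish" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0\n'
)
# key="quoted value" or key=bareword, the shape of AppArmor audit messages
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# AppArmor file-permission letters in the order aa-logprof prints them ("mrwlk")
MODE_ORDER = "mrwalkx"

def parse_denial(line):
    """Field dict for an apparmor="DENIED" line, None for any other line."""
    fields = {k: q or b for k, q, b in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields

def merge_modes(*modes):
    """Union of permission letters, rendered in MODE_ORDER."""
    letters = set("".join(modes))
    return "".join(c for c in MODE_ORDER if c in letters)

def suggest_rules(log_text, existing_modes=None, deny=False):
    """One candidate rule per (profile, path), grouped by profile name.
    existing_modes maps path -> letters already granted (aa-logprof's "Old Mode"),
    so an allow rule extends them the way "mrlk" became "mrwlk" in the thread.
    A deny rule covers only the refused access: deny beats allow in AppArmor, so
    denying "mrwlk" would also revoke what already works."""
    existing_modes = existing_modes or {}
    wanted = {}  # (profile, path) -> denied letters
    for line in log_text.splitlines():
        ev = parse_denial(line)
        if ev is not None:
            key = (ev["profile"], ev["name"])
            wanted[key] = merge_modes(wanted.get(key, ""), ev["denied_mask"])
    rules = {}
    for (profile, path), mask in wanted.items():
        mode = mask if deny else merge_modes(existing_modes.get(path, ""), mask)
        rules.setdefault(profile, []).append(f"{'deny ' if deny else ''}{path} {mode},")
    return rules

if __name__ == "__main__":  # rules for /etc/apparmor.d/local/firejail-default
    print(suggest_rules(SAMPLE_LOG, {"/run/systemd/userdb/io.systemd.DynamicUser": "mrlk"}))
```

Because firejail-default applies to every Firejail sandbox, a rule produced this way widens (or narrows) access for all of them, which is why the post above prefers the narrowest path over the nameservice abstraction.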
Right, I was looking at possibly the second option. However, I'm just thinking going down the easiest path for CompuK might be the best option in an effort to reduce him having to use aa-logprof.
Can I use ignore instead or better to use deny? Code: ignore /run/systemd/userdb/io.systemd.DynamicUser mrwlk,
Just to clarify: When I wrote that the "*.local file (which can be placed in ~/.config/firejail or in /etc/firejail) should be used to make modifications" that didn't mean that the complete profile should be copied to the local files. The local file should only contain new or modified rules including ignore rules like the one mentioned here.