Well, not for me. For example when I clicked a pdf attachment in a mail in my firejailed Thunderbird, okular wouldn't launch firejailed. (Okay, this might have changed in newer versions of Firejail.) But what about my other example above? I'm sure that you don't firejail your file manager. What happens if you click a pdf file in that application? Does okular start firejailed?
I saw similar behavior on KDE, I think. I remember on openSUSE, the file manager (started via firejail) communicates via non-jailed socket with another file manager, this causes a private firefox to see my real home. Netblue said there's no problem in that, but that is exactly the reason I left Linux. Soon I'll go back to Arch with MATE, though, so I'll be OK. I don't remember if the same bug happens with KDE on Arch. Here's my report: https://github.com/netblue30/firejail/issues/330 You're welcome
I'm confused by the private switch I cant figure out how to direct it to my Firefox profile. I'm still very much a noob with command lines.
I'm trying to figure this out as well... "firejail --private=/home/username firefox" works, but that reads in the whole home directory. so you can make a new folder copy your home directory into it (minus any personal data) and use that for your 'firejail-home' directory - "firejail --private=/home/username/firejail-home firefox" However, I don't think i've quite figured this out because all my changes are saved... all changes are saved with '--read-only' option as well. With no options or with only '--private' then firejail seems to behave as expected. I thought this might be due to my having Apparmor enforced for firefox as well, but disabling it did not help - any suggestions? "firejail --private.keep=.mozilla firefox" seems like a better option then "--private=directory", but it doesn't seem to work at all - maybe not supported anymore?
Do you guys have transmission-gtk opening with firejail? If so, can you open torrent links/magnet links from chrome directly to transmission? I have to manually insert the magnet link in transmission, or I'll open a second instance of transmission and won't start downloading..
@Overdone Works for me as expected. Magnet links and torrents opened from chrome launch transmission firejailed. Not sure what could be the problem on your end. This the launcher line im using for transmission edited via the application finder in linux mint XFCE Im not using simlinks in this instance. Similarly files opened via chrome such as pdf or text files are firejailed with evince document viewer. ie accessed via rightclick open containing folder doubleclick to open file. All done through chrome. If i just click on the downloaded file chromes native pdf viewer is used, and is firejailed under chrome. Torrents and magnet links launch an external application obviously. When the following command in terminal is used the process is not run under chrome. But a new instance/process of the document viewer is shown. Similarly again for transmission. regards.
I'm not yet sure what exactly you're trying to achieve. Basic usage of the --private switch is explained here. By using the --private switch only or in other words (man firejail): As an alternative you can specify an existing directory as your home directory which is used as a persistent sandbox, i.e., any modifications are not discarded. Any access to files outside the sandbox is blocked. See also this example. Personally I rarely see the need for this since you can achieve something similar with the whitelist switch as done in the default Firefox profile. Yes, it's no longer supported.
So what is the exact replacement for "firejail --private.keep=.mozilla firefox" that will achieve the exact same results?
Forgot to answer this. I remember that I had problems with Ktorrent and Transmission because I clicked "Open Magnet" in a firejail Iceweasel and it would open the torrent programs firejail as well. So yes, a firejailed program opens other programs firejailed as well. I'm positive because I remember spending 4 hours to download something and then thinking "where the F is this download?" and realizing it was on a virtual folder But I'll try that Okular test in a moment. I just got back on Arch. And no, I don't firejail my file manager. Doing so would break it.
Thanks for the clarification - my assumption was that the 'existing directory' was used as a template and was not persistent - i.e. the '--private=directory' option is an addition to the '--private' option. Ideally I'd like to have... "firejail --private.keep=.mozilla firefox" (see below). But with bookmarks and uBlockO addon persistent. Maybe this is the closest to that? "firejail --read-only=/home/username --whitelist=/home/username/...places.sqlite --whitelist=/home/username/...extension-data firefox" But, as I said above, I can't seem to get the --read-only option to work... Using "firejail --read-only=/home/username firefox" I can make changes to files in this directory. Is the syntax wrong? Also, how do you use the 'whitelist' opiton? --private.keep= Build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home. All modifications are discarded when the sandbox is closed.
You really left Linux because of this? Isn't that a bit extreme ? I read https://github.com/netblue30/firejail/issues/330 and to me netblue30's explanations make sense. Are you not convinced?
According to the release notes --private.keep was transitioned to --private-home in v. 0.9.30, and --private-home was deprecated in v. 0.9.38. netblue30 wrote:
Yes, it was extreme, because when I left Linux I though COMODO's Sandbox on Windows would work properly, but I can save files on my real desktop or upload present files to the web. So in all reality Firejail works better than COMODO's Sandbox So here I am again, on Arch. I tested Firejail now on MATE and I couldn't see my real /home, so the bug I reported must be related to KDE 5. Notice that I didn't try KDE5 on Arch yet, so it's possible that the bug is only present on openSUSE 42.1.
It depends on what you're doing. If you enter Code: file:///home/amarildojr in the Firefox address line you won't see your real home. However, if you enter about:support and click "Open directory", your file manager will be started which shows your real file system. But as netblue30 said this is not a security problem because:
It might not be a security problem, but it certainly is a privacy problem. And IMO, we cannot live without one of them. But I can only applaud Netblue for creating this great tool. In the end, it's working as it should on MATE I'll try KDE 5 in a moment to see if it's a general issue or only present on openSUSE.
I don't think so. If netblue30 is right and "Firefox cannot access and manipulate the memory of the process running outside the sandbox" - how can this be a privacy problem?
Because the browser can see all the folders in my real /home folder, so the "private" option isn't doing a compelte job. It can't see the files, but it shouldn't see the folders on my real /home. Not to mention, one folder can be used to identify an user, so using Firejail+KDE5 is not a full advantage if the user wants real privacy while browsing. For that, VM is the only solution. Or switch to MATE. And I can confirm, this is a KDE thing, it also happens on Arch.
No, it's not the browser but the file manager which is a process outside the sandbox and, hence, inaccessible by Firefox.
I don't know if an attacker would be able to start the file manager. But the thing is that You can check this yourself by doing what netblue30 suggested here. In other words, even if the attacker were able to start the file manager he would not be able to access it as it is a process outside the sandbox.
Thanks. 'Home' is already whitelisted with no 'options' though so really aren't the replacements 1) '--private=directory' or 2) '--read-only' with some '--whitelist' if you want any files/folder to persist.
That's incorrect. In the default Firefox profile your home is not whitelisted but only specific directories/files: Code: # Firejail profile for Mozilla Firefox (Iceweasel in Debian) noblacklist ${HOME}/.mozilla include /etc/firejail/disable-mgmt.inc include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-terminals.inc caps.drop all seccomp protocol unix,inet,inet6,netlink netfilter tracelog noroot whitelist ${DOWNLOADS} mkdir ~/.mozilla whitelist ~/.mozilla mkdir ~/.cache mkdir ~/.cache/mozilla mkdir ~/.cache/mozilla/firefox whitelist ~/.cache/mozilla/firefox whitelist ~/dwhelper whitelist ~/.zotero whitelist ~/.lastpass whitelist ~/.vimperatorrc whitelist ~/.vimperator whitelist ~/.pentadactylrc whitelist ~/.pentadactyl whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer whitelist ~/.cache/gnome-mplayer/plugin whitelist ~/.pki include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
Anyone able and willing to answer this question for a Linux and FireJail newbie? I've stayed with an older version of FireJail because I don't know how to get the same results with the new one.