netblue30 / firejail Goto Github PK

I'm trying to run Steam with Firejail. Everything works except when I enable seccomp. I tried keeping one by one with no results. It seems like all of the seccomp calls break Steam?

The error:

Error: You are missing the following 32-bit libraries, and Steam may not run:
libc.so.6

The log:

[amarildo@amarildo ~]$ firejail --noprofile --debug --seccomp steam
Command name #steam#
Using the local network stack
Parent pid 12153, child pid 12154
Initializing child process
PID namespace installed
Mounting read-only /bin, /sbin, /lib, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /tmp/firejail/mnt directory
Create the new utmp file
Mount the new utmp file
Disable /home/lost+found
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /sys/kernel/uevent_helper
Disable /proc/irq
Disable /proc/bus
Disable /proc/kcore
Disable /proc/kallsyms
Mounting a new /boot directory
SECCOMP Filter:
VALIDATE_ARCHITECTURE
EXAMINE_SYSCAL
BLACKLIST 165 mount
BLACKLIST 166 umount2
BLACKLIST 101 ptrace
BLACKLIST 246 kexec_load
BLACKLIST 304 open_by_handle_at
BLACKLIST 175 init_module
BLACKLIST 313 finit_module
BLACKLIST 176 delete_module
BLACKLIST 172 iopl
BLACKLIST 173 ioperm
BLACKLIST 167 swapon
BLACKLIST 168 swapoff
BLACKLIST 103 syslog
BLACKLIST 310 process_vm_readv
BLACKLIST 311 process_vm_writev
BLACKLIST 139 sysfs
BLACKLIST 156 _sysctl
BLACKLIST 159 adjtimex
BLACKLIST 305 clock_adjtime
BLACKLIST 212 lookup_dcookie
BLACKLIST 298 perf_event_open
BLACKLIST 300 fanotify_init
BLACKLIST 312 kcmp
RETURN_ALLOW
Save seccomp filter, size 408 bytes
seccomp enabled
Username amarildo, groups 100, 10, 90, 91, 92, 93, 95, 98,
Starting steam
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: steam
Child process initialized
/home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
/home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
Running Steam on arch 64-bit
/home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
STEAM_RUNTIME is enabled automatically
Error: You are missing the following 32-bit libraries, and Steam may not run:
libc.so.6
/home/amarildo/.local/share/Steam/steam.sh: line 756: 93 Bad system call >$STEAM_DEBUGGER "$STEAMROOT/$STEAMEXEPATH" "$@"

parent is shutting down, bye...
[amarildo@amarildo ~]$

Arch Linux
linux-grsec Kernel

If you try to run a 32 bit executable on a 64 bit kernel with seccomp filter enabled you get a "Bad system call" message.

The following should pass "http://example.com/?foo&bar" to firefox:

% firejail --debug /usr/bin/firefox http://example.com/\?foo\&bar
…
Starting /usr/bin/firefox http://example.com/?foo&bar 
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: /usr/bin/firefox http://example.com/?foo&bar 
Child process initialized
/bin/bash: bar: command not found

parent is shutting down, bye...

Attempting to launch chromium in firejail with no arguments other than attempting to specify a name will cause chromium to crash, saying it cannot find the display. If the --name argument is omitted, chromium will launch just fine as expected. Attempting to run chromium with --noprofile fails as well when trying to specify a name.

firejail --name=GENERIC chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-history.inc
Parent pid 12617, child pid 12618
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized
No protocol specified
[1:1:1016/174803:ERROR:browser_main_loop.cc(243)] Gtk: cannot open display: :0

parent is shutting down, bye...

This error appears most likely because the --name option sets a new hostname, which causes the user to be unable to use the display for any graphical programs. Terminal programs appear to work just fine. You can launch graphical programs by using the xhost program to allow all client connections, but this is unsafe for the Xserver (however using xhost + before attempting the above command does result in success).

Would it be possible to add a seperate option, such as --hostname, or some other equivalent that will change the hostname, and use --name as a flag for just firejail to handle named jail instances of programs?

Using the latest stable version of Firejail from the AUR (0.9.30) on ArchLinux 64 bit.

Wouldn't it make sense to add

read-only /etc/firejail
read-only ~/.config/firejail

to, say, disable-mgmt.inc to make sure that those profiles don't get tampered?

Attempting to use --private-home on a directory with white space fails, even with the white space escaped.

$ firejail --private-home=/home/pigmonkey/test\ dir/
Warning: default profile disabled by --private-home option
Parent pid 20112, child pid 20113
cp: cannot stat ‘/home/pigmonkey/test’: No such file or directory
cp: cannot stat ‘dir/’: No such file or directory
Error system cp -a --parents:duplicate(378): No such file or directory
Child process initialized
...

Trying it with quotes:

$ firejail --private-home="/home/pigmonkey/test\ dir/"
Error: file /home/pigmonkey/test\ dir/ not found.

Same thing for other special characters, like parenthesis:

$ touch ~/tmp/File\(1\).txt
$ firejail --private-home=/home/pigmonkey/tmp/File\(1\).txt

Hi netblue30 and contributors!

I'd like to see firejail parse generic.profile by default unless:

• Another profile is explicitly specified on the command line, or
• Another profile matches the extracted command name, or
• A flag is specified to disable it (ex. "--nodefault")

Don't get me wrong: I love the flexibility of firejail to specify all kinds of options. The target here is the new/desktop user who wants to sandbox but may be getting less security than they expect from sandboxing a profile-less program.

Feel free to reject this suggestion if you think it is the wrong direction for the firejail project. Otherwise, I'd be happy to make the change and submit a pull request.

Trying to run a 32-bit application under Wine (firejail --trace wine winecfg) spits out a bunch of errors that look like this:

ERROR: ld.so: object '/usr/lib/firejail/libtrace.so' from /etc/ld.so.preload cannot be preloaded (wrong ELF class: ELFCLASS64): ignored.

You can also observe crashes in some of Wine's services:

[wineboot.exe] <defunct>
[winemenubuilder] <defunct>

This has some negative side-effects. eg. run firejail wine winecfg change the operating system version, and click OK. Then run it again, and observe the operating system change was not saved.

/usr/lib/firejail/libtrace.so is an amd64 binary, but it looks like we need a 32-bit version for some Wine prefixes, so we need multiarch support. To support multiarch, I think these should be installed under /usr/lib/{x86_64,i386}-linux-gnu.

I am getting a the following error when I try to start firejail and firefox. I have replaced the firefox firejail profile with one copied from the word-press site. The new profile resolved an error about line 2 in the profile. Now I am getting the error below. I have reinstalled Firejail 0.9.30_1_amd64.deb with no resolution.

$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Parent pid 77, child pid 78
Child process initialized

(process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

parent is shutting down, bye...
$

Thanks in advance

Brian

SITUATION

:: in a non-sandboxed world firefox users can easily add rss feeds to liferea by
instructing the browser to use a script liferea offers as handler for web feeds
(i.e. liferea-add-feed)

:: in a sandboxed context things are different and the above routine fails
because liferea-add-feed checks for a running liferea process..

[...]
if ! pgrep -x liferea >/dev/null 2>&1; then
    echo "Liferea is not running! You need to start it first."
    exit 1
fi
[...]

..which is invisible (expected behavior) from within a firejailed firefox:

$ firejail --list
2212:glitsj:firejail --private=/home/glitsj firefox 
26367:glitsj:firejail --private=/home/glitsj liferea

$ firejail --join=2212
Switching to pid 2213, the first child process inside the sandbox
[glitsj@lab16 ~]$ liferea-add-feed https://l3net.wordpress.com/feed/
Liferea is not running! You need to start it first.

SOLUTION

:: use a shell script as firefox's rss handler, intercepts the feed URL, greps firejail --list
and joins liferea's sandbox to execute the regular liferea-add-feed command.

:: from a terminal this all works just fine..

$ firejail --join=26367
Switching to pid 26368, the first child process inside the sandbox
[glitsj@lab16 ~]$ liferea-add-feed https://l3net.wordpress.com/feed/

QUESTION

How can this be done using a shell script? Getting liferea's sandbox pid by grepping
'firejail --list' for liferea and issuing a 'firejail --join=26367' command isn't the issue.
How to execute a command inside that joined sandbox in a shell script is. Any pointers
on how to tackle this?

Maybe you could import the revision history from the SVN repository on SourceForge in order to not lose history.

What do you think about this?

Zotero is a commonly used free open source citation manager.

If the zotero addon is enabled, invoking firejail firefox results in firefox crashing on startup.

I was surprised there was no line in the default configuration like so:

blacklist ${HOME}/.config/firejail

Without that, an untrusted app could modify its own firejail profile and terminate. When it is relaunched (either automatically via a service management daemon or via user intervention), it could run with elevated privileges.

Even more surprising, manually adding the entry does nothing - the line is silently ignored.

The top of the FIREJAIL-PROFILE(5) and FIREJAIL(1) man pages both say man(5) and man(1) respectively, instead of having the correct name.

Also, I think it's a mistake for the firejail-profile(5) seccomp section to not list the defaults. I assume it's the same as those in --seccomp discussed in firejail(1), but it would be nice if it was explicit and didn't force the user to hunt the list down. I would suggest either duplicating the list, or simply pointing the reader to the firejail(1) --seccomp section.

It would be useful to support symlinks to the firejail binary, which means that a symlink firefox to firejail would start firefox, instead of bash.

The idea comes from envoy.

This would allow you to add a symlink firefox to e.g. ~/bin, and it would automatically use firejail, if ~/bin is before /usr/bin in your PATH.

We now have the options "--private-dev" and "--private-etc", but the equivalent for the $HOME directory is called "--private.keep". This looks different, as it doesn't include the directory name and it uses a dot instead of a minus sign.

A nice little enhancement would be to have a "--private-home" option that is just another name for "--private.keep". Old scripts wouldn't have to change (as "--private.keep" would still work) but it would make the commands more consistent.

hi there,

is it possible to run it on android? even for browser and some other apps too.

Micha

Imported form reddit: https://www.reddit.com/r/linux/comments/3lt0p1/firejail_a_security_sandbox_for_mozilla_firefox/cvb3qo1

I gladly saw that noblacklist was implemented. I was looking for such a feature within firejail.
But I do not quite understand how to operate it.
Would something like this work ?

noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.Xauthority
noblacklist ${HOME}/Downloads/
blacklist ${HOME}/

First: I'm happy to report that the Arch warnings in the todo list are gone for me using the current git version! Probably worth confirming with someone else though.

Second: I've been having an issue with getting "execvp: Permission denied" -- I've narrowed it down to (the profile or manually) blacklisting either /sbin or /usr/sbin

$ firejail --noprofile --blacklist=/mnt
Parent pid 1619, child pid 1620
Child process initialized
$ exit

parent is shutting down, bye...
$ firejail --noprofile --blacklist=/sbin
Parent pid 1630, child pid 1631
Child process initialized
execvp: Permission denied

parent is shutting down, bye...
$ 

The reason is because both /sbin and /usr/sbin are symlinks to /usr/bin and firejail is unable to execvp /usr/bin/bash, or most programs on my system for that matter, after blacklisting the folder. The system defaulted these symlinks at some point.

Interestingly, this is not an issue with firejail-0.9.28, only the git head version.

Checking the --debug for both, the 0.9.28 version is actually failing to blacklist the symlink /sbin folder. Of course I get the same error when I blacklist /usr/bin explictly.

It looks like in fixing symlinks during some commit, it actually broke systems that use symlinks for /sbin and /usr/sbin. Note that I do think there are perfectly valid scenarios for blacklisting /usr/bin.

How do you want to proceed? Check the symlink to see if it ends up blacklisting the command we're calling and ignore the blacklist it if it does? Force explict, non-symlink paths to blacklist bin/sbin FHS-compliant folders?

Currently, it is possible to create a filesystem blacklist:

blacklist /etc/shadow*

However, we cannot create a whitelist in the same way. It would be useful to support both blacklist and whitelist options in the same profile.

Use case:
Often it's easier (and safer, in the event of filesystem changes) to just specify one or two files in a directory you want to grant access to. eg.

blacklist /etc
whitelist /etc/fstab
whitelist /etc/hostname
whitelist /etc/issue
whitelist /etc/localtime
whitelist /etc/mailcap
whitelist /etc/nsswitch.conf
whitelist /etc/passwd
whitelist /etc/resolv.conf

Starting with --overlay:

$ firejail --overlay 
Parent pid 32340, child pid 32341
Warning: /var/lock not mounted
Error mounting /var/tmp:fs_var_tmp(302): No such file or directory
Error: cannot establish communication with the parent, exiting...

$ uname -r
4.1.4-1-ARCH

In netfilter.c at line 70, malloc is called and the return value is passed to memset before being checked for null. I made a pull request to fix the issue by just moving the memset to after the null check, could you review and merge it please?

I tried running Steam in firejail using the seccomp option in the profile, which resulted in
Steam failing to launch and syslog reporting syscall=45 (recvfrom) has been blocked. Strange, since that wasn't mentioned in the man page as being blacklisted.

Then I tried replacing seccomp with the option
seccomp.drop mount,umount2,ptrace,kexec_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,mknode,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp
where all syscalls are taken from the list in the firejail(1) man page (under --seccomp section) as being the default blacklist, but I still get the same error.

I even went so far as to comment out every other line in my profile for Steam (including "include" lines) and I still run into the same issue.

Wine is also affected by this (even just running wine --version will result in the same failure).

Currently opening any downloaded file, including those for SPICE/KVM or javaws doesn't work when running firefox under firejail.

Do I need to whitelist the javaws and spice paths, or is this just the need to whitelist /usr/bin?

In order to have script automation, it is better to provide a switcher to disable all the firejail output.

I just executed Firefox in the console and got this:

firejail firefox
Reading profile /home/xxx/.config/firejail/firefox.profile
Reading profile /home/xxx/.config/firejail/myrules.inc
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-history.inc
Warning: user namespaces not available in the current kernel.
Parent pid 2318, child pid 2319
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted

I got the same problem when I executed any other firejailed application. (That user namespaces are not suuported is normal as I'm using Arch Linux). Something is wrong here ...

I guess this is the active place for firejail now so I re-post here the same trouble
that I did on sourceforge.

I am on 0.9.28-rc1

I met with a problem I do not understand using firejail.

When I have an application started in firejail and do as root,
outside of jail, losetup -d /dev/loopXX ( or umount -d )

the command returns OK but loop device is just marked auto-clear
that is will remain until all references to it are closed.

If I have no application started with firejail the command just releases
the loop device so that makes me draw the conclusion that firejail
instance hold a reference to it.

Anyway I tried both private-dev and mounting a tmpfs on the directoty holding the
mount point but still firejail holds a reference to the loop device.

I tried lsof that reported no open references then I tried
fuser -v -m mntpnt and my whole system went down.

Please explain how it comes to have this reference!

How can I tell firejail not to hold a reference to the loop device????

As an example of how things work now, the firefox profile contains this:

include /etc/firejail/disable-common.inc .mozilla

The .mozilla makes the include skip this line:

blacklist ${HOME}/.mozilla

This approach doesn't work too well when the blacklist uses globs, so better control is needed.

The obvious thing to do would be to create a "whitelist" command that somehow does the opposite of "blacklist", but I think this could end up being being confusing. What if a directory is blacklisted and a file inside it is whitelisted? What kind of access is allowed to the directory? Different users could reasonably make different assumptions.

An alternative is a "noblacklist" command that doesn't explicitly whitelist, but blocks further explicit blacklisting of anything that matches its pattern. E.g., the firefox profile would look like this:

noblacklist ${HOME}/.mozilla
include /etc/firejail/disable-common.inc

I'm happy to go ahead and implement this.

The problem: http://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html

Possible solutions:

• https://xpra.org (See also: https://github.com/subgraph/oz/wiki/Oz-Technical-Details)

Thanks for developing firejail! Some profiles could be useful for desktop environments.

• play audio
• read from microphones
• read from webcam
• read contents from clipboards
• write to clipboards
• list X window titles, get current window focus
• send keystrokes/mouse clicks to other X windows

I frequently use firejail --private chromium to launch a disposable Chromium session. Very rarely I find that I need to download a file and recover it from the private jail. Up till now this has only happened with text files, so I've been able to --join the jail, cat the file, and paste it into a file outside of the jail.

Is there any sort of canonical way to copy files from within a private jail (before the jail has closed)? It would be nice if I could to something like:

$ firejail --copy-from [pid of jail] --destination /home/user/ /path/to/file/within/jail

I've run into the following issue:

1. open a LUKS device with cryptsetup and mount it
2. start firejail sandbox
3. unmount the drive
4. run "cryptsetup luksClose $device". (outside of the sandbox)
   -> cryptsetup can't close the dm device and complains that it is still in use.

I am trying to sandbox firefox but I can still access files that should be blocked like my private ssh key. Is kernel 4 supported?

> firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Warning: user namespaces not available in the current kernel.
Parent pid 5042, child pid 5043
Child process initialized

(process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed

parent is shutting down, bye...
> uname -rv
4.1.4-1-ARCH #1 SMP PREEMPT Mon Aug 3 21:30:37 UTC 2015

Currently, it's possible to specify:
blacklist ${HOME}/.ssh

However, it's not possible to specify:
include ${HOME}/.config/firejail/disable-mgmt.inc
or (for a file in the same directory as the one doing the include):
include disable-mgmt.inc

Use case: I have all my dotfiles stored in git, and I use GNU Stow to deploy these on systems I use. eg.

~$ cd .dotfiles
~/.dotfiles$ git pull
~/.dotfiles$ stow firejail

I would rather not have my full home directory path hard-coded so I can deploy these same profiles to systems where my home directory is in a different location.

subj

I've got a nice setup with firejail for icedove and iceweasel, where my shortcuts and Xfce "preferred applications" settings all have the application commands prefixed with firejail. So far so good.

But then I open an e-mail in Icedove and want to click on a link somebody e-mailed me. It goes to open firejail iceweasel and fails - no suid support. I can't call iceweasel directly either, since the icedove profile is blocking .mozilla which iceweasel requires. I have to open iceweasel up manually first, and only then click on the link, which gets tiresome after a while.

It would be nice to have a profile option (if it's technically possible) to have the suid /usr/bin/firejail binary available for execution to apps like icedove, but no other suid binary. That should make the software more usable in situations like the one described.

Hey there,

I am on Arch running firejail with Iceweasel (from parabola repo). When running firejail iceweasel I get the following output:

[sneida@_____ ~]$ firejail iceweasel
Reading profile /home/sneida/.config/firejail/iceweasel.profile
Warning: user namespaces not available in the current kernel.
Reading profile /etc/firejail/disable-common.inc
Parent pid 598, child pid 599
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized

(process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
console.error: 
  [CustomizableUI]
  Custom widget with id loop-button does not return a valid node
console.error: 
  [CustomizableUI]
  Custom widget with id loop-button does not return a valid node

This is my iceweasel.profile:

caps.drop all
seccomp
noroot
shell none
netfilter

############### disable-mgmt.inc########

# system directories
blacklist /sbin
blacklist /usr/sbin

# system management
blacklist ${PATH}/umount
blacklist ${PATH}/mount
blacklist ${PATH}/fusermount
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/xinput
blacklist ${PATH}/evtest
blacklist ${PATH}/xev
blacklist ${PATH}/strace

# Prevent manipulation of firejail configuration
blacklist /etc/firejail
blacklist ${HOME}/.config/firejail

############disable-secret.inc##############

# HOME directory
blacklist ${HOME}/.ssh
tmpfs ${HOME}/.gnome2_private
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/kde4/share/apps/kwallet
blacklist ${HOME}/kde/share/apps/kwallet
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.local/share/recently-used.xbel

################ disable-common.inc###############
# HTTP / FTP / Mail
blacklist ${HOME}/.adobe
blacklist ${HOME}/.macromedia
blacklist ${HOME}/.icedove
blacklist ${HOME}/.thunderbird
blacklist ${HOME}/.config/midori
blacklist ${HOME}/.config/opera
blacklist ${HOME}/.config/chromium
blacklist ${HOME}/.config/google-chrome
blacklist ${HOME}/.filezilla
blacklist ${HOME}/.config/filezilla
include /etc/firejail/disable-common.inc .mozilla

# Instant Messaging
blacklist ${HOME}/.purple
blacklist ${HOME}/.config/psi+

# VNC
blacklist ${HOME}/.remmina

# Other
blacklist ${HOME}/.tconn

############## disable-history.inc #################
# History files in $HOME
blacklist ${HOME}/.history
blacklist ${HOME}/.*_history

Also I am wondering, is there a way to stop firejail from deleted the "last session" between reboots?

Thanks !

I am using Vimperator in Firefox and have set editor=vim-in-term, which is a script that calls urxvt ... vim.

The noroot option in /etc/firejail/firefox.profile causes urxvt to fail:

urxvt: can't initialize pseudo-tty, aborting.

From reading the description of noroot this does not seem to be obvious:

  --noroot - install a user namespace with a single user - the current
    user. root user does not exist in the new namespace. This option
    is not supported for --chroot and --overlay configurations.

The code from rxvt-unicode is this, where pty appears to come from libptytty (CVS at :pserver:[email protected]/schmorpforge):

if (!pty->get ())
  rxvt_fatal ("can't initialize pseudo-tty, aborting.\n");

It can be reproduced using:

firejail --noroot /usr/bin/rxvt-unicode

Using firejail --noroot strace -f /usr/bin/rxvt-unicode shows this at the end (group 5 being tty):

chown("/dev/pts/10", 1000, 5)           = -1 EINVAL (Invalid argument)
clone(Process 7 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f5891234ad0) = 7
[pid     6] wait4(7,  <unfinished ...>
[pid     7] set_robust_list(0x7f5891234ae0, 24) = 0
[pid     7] setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = 0
[pid     7] dup2(7, 3)                  = 3
[pid     7] openat(AT_FDCWD, "/proc/self/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 8
[pid     7] getdents(8, /* 11 entries */, 32768) = 264
[pid     7] close(0)                    = 0
[pid     7] close(1)                    = 0
[pid     7] close(2)                    = 0
[pid     7] close(4)                    = 0
[pid     7] close(5)                    = 0
[pid     7] close(6)                    = 0
[pid     7] close(7)                    = 0
[pid     7] getdents(8, /* 0 entries */, 32768) = 0
[pid     7] close(8)                    = 0
[pid     7] open("/dev/null", O_RDONLY) = 0
[pid     7] open("/dev/null", O_WRONLY) = 1
[pid     7] dup2(1, 2)                  = 2
[pid     7] execve("/usr/lib/pt_chown", ["pt_chown"], [/* 0 vars */]) = 0
[pid     7] brk(0)                      = 0x7efede80a000
[pid     7] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
[pid     7] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efede28a000
[pid     7] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid     7] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
[pid     7] fstat(4, {st_mode=S_IFREG|0644, st_size=265876, ...}) = 0
[pid     7] mmap(NULL, 265876, PROT_READ, MAP_PRIVATE, 4, 0) = 0x7efede249000
[pid     7] close(4)                    = 0
[pid     7] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
[pid     7] open("/lib/x86_64-linux-gnu/libcap.so.2", O_RDONLY|O_CLOEXEC) = 4
[pid     7] read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\25\0\0\0\0\0\0"..., 832) = 832
[pid     7] fstat(4, {st_mode=S_IFREG|0644, st_size=18952, ...}) = 0
[pid     7] mmap(NULL, 2114160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7efeddc60000
[pid     7] mprotect(0x7efeddc64000, 2093056, PROT_NONE) = 0
[pid     7] mmap(0x7efedde63000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x3000) = 0x7efedde63000
[pid     7] close(4)                    = 0
[pid     7] access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
[pid     7] open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 4
[pid     7] read(4, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\v\2\0\0\0\0\0"..., 832) = 832
[pid     7] fstat(4, {st_mode=S_IFREG|0755, st_size=1869392, ...}) = 0
[pid     7] mmap(NULL, 3972864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x7efedd896000
[pid     7] mprotect(0x7efedda56000, 2097152, PROT_NONE) = 0
[pid     7] mmap(0x7efeddc56000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x1c0000) = 0x7efeddc56000
[pid     7] mmap(0x7efeddc5c000, 16128, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7efeddc5c000
[pid     7] close(4)                    = 0
[pid     7] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efede248000
[pid     7] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efede247000
[pid     7] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efede246000
[pid     7] arch_prctl(ARCH_SET_FS, 0x7efede247700) = 0
[pid     7] mprotect(0x7efeddc56000, 16384, PROT_READ) = 0
[pid     7] mprotect(0x7efedde63000, 4096, PROT_READ) = 0
[pid     7] mprotect(0x7efede28c000, 4096, PROT_READ) = 0
[pid     7] mprotect(0x7efede088000, 4096, PROT_READ) = 0
[pid     7] munmap(0x7efede249000, 265876) = 0
[pid     7] geteuid()                   = 1000
[pid     7] getuid()                    = 1000
[pid     7] setuid(1000)                = 0
[pid     7] brk(0)                      = 0x7efede80a000
[pid     7] brk(0x7efede82b000)         = 0x7efede82b000
[pid     7] write(2, "pt_chown: ", 10)  = 10
[pid     7] write(2, "needs to be installed setuid `ro"..., 35) = 35
[pid     7] write(2, "\n", 1)           = 1
[pid     7] exit_group(4)               = ?
[pid     7] +++ exited with 4 +++
<... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 4}], 0, NULL) = 7
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7, si_status=4, si_utime=0, si_stime=0} ---
rt_sigreturn()                          = 7
close(7)                                = 0
write(1, "urxvt: ", 7urxvt: )                  = 7
write(1, "can't initialize pseudo-tty, abo"..., 39can't initialize pseudo-tty, aborting.
) = 39
futex(0x7f588f3a9650, FUTEX_WAKE_PRIVATE, 2147483647) = 0
munmap(0x7f588b49c000, 475136)          = 0
poll([{fd=6, events=POLLIN|POLLOUT}], 1, 4294967295) = 1 ([{fd=6, revents=POLLOUT}])
writev(6, [{"_\24\2\0\2\0\0\5<\0\2\0\0\0\0\5.\0\2\0\3\0\0\5+\0\1\0", 28}, {NULL, 0}, {"", 0}], 3) = 28
poll([{fd=6, events=POLLIN}], 1, 4294967295) = 1 ([{fd=6, revents=POLLIN}])
recvmsg(6, {msg_name(0)=NULL, msg_iov(1)=[{"\1\2\235\0\0\0\0\0\t\0\300\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096}], msg_controllen=0, msg_flags=0}, 0) = 32
recvmsg(6, 0x7ffc5207d360, 0)           = -1 EAGAIN (Resource temporarily unavailable)
recvmsg(6, 0x7ffc5207d360, 0)           = -1 EAGAIN (Resource temporarily unavailable)
shutdown(6, SHUT_RDWR)                  = 0
close(6)                                = 0
rt_sigaction(SIGINT, {SIG_DFL, [INT], SA_RESTORER|SA_RESTART, 0x7f588f3df2f0}, {0x4381a0, ~[KILL STOP RTMIN RT_1], SA_RESTORER|SA_RESTART, 0x7f588f784d10}, 8) = 0
rt_sigaction(SIGTERM, {SIG_DFL, [TERM], SA_RESTORER|SA_RESTART, 0x7f588f3df2f0}, {0x4381a0, ~[KILL STOP RTMIN RT_1], SA_RESTORER|SA_RESTART, 0x7f588f784d10}, 8) = 0
exit_group(1)                           = ?
+++ exited with 1 +++

parent is shutting down, bye...

Is this a issue with rxvt-unicode, or is there anything firejail can do to allow this still?

I have Midori (for example) which I have built from source and installed into its own prefix for testing. eg. binaries in ${HOME}/opt/midori/bin, libs in ${HOME}/opt/midori/lib/x86_64-linux-gnu, etc. I have ${HOME}/opt/midori/lib-related stuff in my LD_LIBRARY_PATH so the binary can find the shared libraries. Sometimes I do this for binaries where I don't want to use root privileges to install it, and I don't have time to create a package, and it's exactly the kind of thing I'd like to use with firejail.

Unfortunately firejail breaks breaks with this setup, as it seems the LD_LIBRARY_PATH environment variable is silently dropped. I understand this is probably for security, but it would be great if you could either tell firejail to not do this in the profile via a profile option, or to have the ability to specify a custom LD_LIBRARY_PATH environment variable for the jail in the application profile. Both would be wonderful. :)

As a workaround, I need to update all shortcuts to have firejail LD_LIBRARY_PATH=.... midori which I feel is quite cumbersome.

I want to use firejail and --private.keep to view a PDF file within a sandbox. If my PDF reader is pdfreader and the file is in ~/, this works great:

$ cd ~/
$ firejail --private.keep=dirty.pdf pdfreader dirty.pdf

However, this fails when the file is somewhere other than ~/

$ cd ~/tmp/random/directory
$ firejail --private.keep=alsodirty.pdf pdfreader alsodirty.pdf
Error: file /home/pigmonkey/alsodirty.pdf not found.

I would like --private.keep to accept files in the current directory, as well as paths. For instance, in addition to the previous example I'd like to be able to do stuff like:

$  firejail --private.keep=~/tmp/random/directory/alsodirty.pdf ...
$  firejail --private.keep=../alsodirty.pdf ...

I understand that --private.keep was probably originally intended just to copy over dotfiles from the real home, but I think expanding it to support file paths like this would make it much more useful.

With the upgrade to PulseAudio 7.0 on Archlinux, audio in Chromium 45 and other applications which use pulseaudio fail to work properly.

In the case of chromium, launching with the default sandbox and no profile/seccomp chomium will launch and instantly report a failure that it is unable to open a slave. Firejail worked fine on PulseAudio 6.

Aside from the debug output of firejail the only other noteworthy output that Chromium spews is the failure to open a slave, which I have found is something dealing with ALSA on the system.

A similar outcome can be observed when launching firefox with no profile, as well as any other application which may use pulseaudio.

Oddly enough, things like Steam work fine at outputting audio via Pulse, but seem to fail when attempting to record audio input via a microphone in firejail, even though this functionality was working under PulseAudio 6.

Apologies for the very vague bug report, I am rather confused about where the source of the problem exactly is.

Firejail version 0.9.30
PulseAudio version 7.0

Would you like to add more error handling for return values from functions like the following?

• fclose ⇒ save_cgroup
• fprintf ⇒ shm_write_bandwidth_file

At the time of writing, firejail supports:

       seccomp
              Enable default seccomp filter.

       seccomp syscall,syscall,syscall
              Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.

       seccomp.drop syscall,syscall,syscall
              Enable seccomp filter and blacklist  the system calls in the list.

       seccomp.keep syscall,syscall,syscall
              Enable seccomp filter and whitelist the system calls in the list.

What I actually want is the default seccomp filter, with some additional system calls on top of the default seccomp filter. Additionally, I might want to remove some system calls in the same profile. To facilitate this functionality, I suggest changing the second seccomp usage option to work like follows:

       seccomp -syscall,-syscall,-syscall,+syscall,+syscall,+syscall
              Enable seccomp filter and whitelist and/or blacklist additional system calls in the list on top of the default seccomp filter.

Regardless of how the information is specified in the profile, it would be very helpful to somehow just say "use the default filter +/- these other system calls". This should cut down the work required for people following the Firejail Seccomp Guide.

I have an OpenVPN setup that spawns the tun interface in its own namespace, thus obviating the need for bridge interfaces (detailed here).
--net and sudo exist, but I would rather pass --netns (or --net=ns:foo to stay within style) to firejail than use my rather hacky sudo line.
If necessary I could implement it myself and submit a PR, but my C is minimal.

I've noticed a strange problem with my firejailed VLC. Whenever I try to open, e.g., a video whose filename contains a blank or is located in a directory with a blank, VLC opens and I get an error like the following (for the file "/media/Multimedia/Filme/Die Tribute von Panem - The Hunger Games.avi"):

Note that this problem does not occur if I open VLC directly and navigate to that file, and it does not occur with an un-firejailed VLC. Rather, it only occurs if I want to open that file with firejailed VLC in a filemanager (Krusader or Dolphin - I'm running KDE Plasma 5 on Arch Linux). A similar problem happens if I want to open pictures with blanks in their filenames in firejailed Gwenview.

Thanks a lot for the new version, netblue30!

One suggestion: Doesn't it make sense to blacklist the various autostart folders to prevent their manipulation? Like this:

blacklist ${HOME}/.config/autostart
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde/Autostart

Other DE's will have different autostart folders.

Hey there,

I am suddenly having troubles loading up Iceweasel with firejail. Without really doing any changes to my profiles I get the following error when running "firejail iceweasel":

Error: Access was denied while trying to open files in your profile directory.

This is my /home/sneida/.config/firejail/iceweasel.profile:

caps.drop all
seccomp
noroot
shell none
netfilter
#include ${HOME}/.config/firejail/mine.inc

############### disable-mgmt.inc########

# system directories
#blacklist /usr/bin
#blacklist /usr/sbin
#blacklist /bin
blacklist /sbin
blacklist /usr/sbin

# system management
blacklist ${PATH}/umount
blacklist ${PATH}/mount
blacklist ${PATH}/fusermount
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/xinput
blacklist ${PATH}/evtest
blacklist ${PATH}/xev
blacklist ${PATH}/strace

# Prevent manipulation of firejail configuration
blacklist /etc/firejail
blacklist ${HOME}/.config/firejail

############disable-secret.inc##############

# HOME directory
blacklist ${HOME}/.ssh
tmpfs ${HOME}/.gnome2_private
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/kde4/share/apps/kwallet
blacklist ${HOME}/kde/share/apps/kwallet
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.local/share/recently-used.xbel

################ disable-common.inc###############
# HTTP / FTP / Mail
blacklist ${HOME}/.adobe
blacklist ${HOME}/.macromedia
blacklist ${HOME}/.icedove
blacklist ${HOME}/.thunderbird
blacklist ${HOME}/.config/midori
blacklist ${HOME}/.config/opera
blacklist ${HOME}/.config/chromium
blacklist ${HOME}/.config/google-chrome
blacklist ${HOME}/.filezilla
blacklist ${HOME}/.config/filezilla
blacklist ~/.wine
blacklist ${HOME}/.wine
include /etc/firejail/disable-common.inc

# Instant Messaging
blacklist ${HOME}/.purple
blacklist ${HOME}/.config/psi+

# VNC
blacklist ${HOME}/.remmina

# Other
blacklist ${HOME}/.tconn

#xfce..

############## disable-history.inc #################
# History files in $HOME
blacklist ${HOME}/.history
blacklist ${HOME}/.*_history

I am the owner of the file, it is in the group "users" and permissions are "-rw-r--r--".
Any ideas?

Running e.g. VLC with the same profile content works fine.

Thanks !

Hey there, I am on arch linux and whenever I run firejail (e.g. "firejail vlc") it will crash pulseaudio / pavucontrol.

Is there anything I can do to provide more information?

Thanks !

In the recent past, SourceForge has gained a really bad reputation (non-https downloads, adware-sprinkled installers). See this and this.

Due to these events, I can not trust any code and/or binaries served from sourceforge. I almost passed up a great piece of software because this github project did not show up in my search results for "firejail" and the firejail website links to sourceforge.

Action Items

• update links in source code. PR #79
• serve packages and binaries from github. about-releases
• update links on the firejail website (https://l3net.wordpress.com/projects/firejail)