Talk:Firejail

From ArchWiki
Latest comment: 14 January by Xan in topic Using hardened malloc with xephyr

What does "depending on your setup" mean?

You are completely correct, I don't know what I was thinking of. I like to test everything, and, at the time of editing, I knew the example worked with '--profile=/etc/firejail/thunar.profile'. Yet, when I tried the example with '--profile=/etc/firejail/Thunar.profile', it failed. Hence the note. Now that you have brought it to my attention, I checked again, and both worked. Go figure! .... The basic example is sound though(?) IrvineHimself (talk) 15:12, 22 October 2017 (UTC)

I've removed the note, should I remove the example? IrvineHimself (talk) 16:35, 22 October 2017 (UTC)
I have removed the Accurate flag. Which example? Could you be more specific? --Fengchao (talk) 23:31, 22 October 2017 (UTC)
The example to launch 'Thunar Bulk Rename' inside a sandbox. IrvineHimself (talk) 00:35, 23 October 2017 (UTC)
If you have time, I think the whole "Desktop files" section should be merged to Configuration. The example could be removed because it is already explained in Configuration. --Fengchao (talk) 05:29, 23 October 2017 (UTC)
I've removed the example. Are you sure that "Configuration" is the best place for the "Desktop files" section? While "Configuration" might benefit from a minor re-write to bring it more in line with the updated page, "Desktop files" seems a more natural fit inside "Using Firejail by default"? IrvineHimself (talk) 14:13, 25 October 2017 (UTC)
Sorry, it should be "Using Firejail by default". I wrongly thought this section belongs to Configuration. --Fengchao (talk) 02:54, 26 October 2017 (UTC)

Questionable statements, e.g. how does "updatedb"....

Again, I can only agree. The entry was there before I tried to update the Firejail page to cover recent developments and rationalize the page layout. When I was trying to figure out why 'Thunar' was not being sandboxed, suggestions like 'updatedb' just produced errors. On the other hand, the specific problem with 'Thunar' is fairly common. See https://github.com/netblue30/firejail/issues/1311 IrvineHimself (talk) 15:15, 22 October 2017 (UTC)

I have tried to clean up the entry to make it more acceptable. Could you let me know if it's okay. IrvineHimself (talk) 14:03, 25 October 2017 (UTC)
Thanks. I have a question about "Some applications, notably Thunar, run with only one instance. As a result, the profile will not be loaded until the next login". According to the linked report, a new symbolic link needs to be created from firejail to /usr/local/bin/Thunar, and then a new login should occur. That seems something different to me, or at least some part of the information is left out. -- Alad (talk) 15:19, 25 October 2017 (UTC)
Since it was in the section about troubleshooting symlinks, I didn't think it needed to be explicitly stated. However, I edited the entry to reflect your concerns. IrvineHimself (talk) 16:50, 25 October 2017 (UTC)

Some of these workarounds need to be in the sandbox's directories?

If yes, which? My edit saying this is the case for the pulseaudio thing might be incorrect. Jasper1984 (talk) 01:11, 2 December 2017 (UTC)

Apparmor integration

I was studying firejail to sandbox a wine program when I stumbled upon this FAQ question on firejail's github repo wiki about Firejail's comparison with Apparmor. It says "It is recommended to only use AppArmor OR Firejail but not both at the same time for the same app. [...] Many times they will cancel each other out rather than be complementary." which may deserve users' attention, as it did mine. Should this issue be included in the wiki article? Thanks in advance!

Rahcor (talk) 03:13, 21 November 2020 (UTC)

Firejail, Firefox and DRM

I'm new here and didn't want to edit the page until I'm more familiar with things. It seems there is a new config option called 'browser-allow-drm' which is set to no by default. If not set to yes, the widevine plugin (used by spotify, netflix etc.) crashes when visiting the aforementioned pages. Should this be mentioned under the topic troubleshooting? Or on Firefox's wiki page?

JoeoJ (talk) 17:32, 22 December 2020 (UTC)

This is already documented in the upstream wiki. I am against duplicating information but a note or a reference is appropriate for this. I would mention this on the Firejail page, not on the Firefox one.
-- NetSysFire (talk) 18:27, 16 March 2021 (UTC)

Steam and Proton

I get why patching profiles after updating firejail is a bad idea, but how can statements like `private-dev` or `private-etc` be ignored? Is `ignore private-dev` in a `.local` file going to work? Anyways as @NetSysFire already mentioned we should not duplicate information that's available elsewhere, but I couldn't find anything on the www so I decided to put it on the wiki. To follow the no-dupe rule, we should remove the seccomp stuff, as it's mentioned in the profile itself.

EDIT: I just tested it: `ignore private-dev` and `ignore private-etc` in a `.local` file do work. I think this whole section can now be removed.

—This unsigned comment is by Mr nUUb (talk) 17:33, 10 April 2021 (UTC). Please sign your posts with ~~~~!

Yes, .local files are preferred since they will not get overwritten. The problem with the section is also that it is missing other information. I would have let this stay if there was a bug report about this and information such as which games are impacted. Always report such issues to the Firejail folks. Also check your journal. The blocked syscall will be in a log message by audit. Add it to the seccomp filter and try again. Repeat until you got every syscall.
-- NetSysFire (talk) 17:47, 10 April 2021 (UTC)
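The "check your journal, add the blocked syscall, repeat" loop above is easier with a small script. The one below is an added example written for this talk page, not Firejail's or the ArchWiki's own tooling. It assumes only the kernel's seccomp audit record format (type=1326, with sig=31 for a SIGSYS kill and the number in the syscall= field); the four audit lines embedded in it are constructed, not captured from a real system, and the ausyscall fallback assumes the audit userspace package may be absent.

```shell
#!/bin/sh
# Added example: list the syscalls a Firejail seccomp filter killed, from the
# kernel audit records that land in the journal. Not Firejail's own tooling.

# Constructed sample records (not real logs). A seccomp kill is audit type
# 1326 with sig=31 (SIGSYS); the fourth line is a RET_LOG record (sig=0,
# code=0x7ffc0000), which is noise for our purpose and must be filtered out.
SAMPLE_AUDIT='audit: type=1326 audit(1618069200.123:42): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="steam" exe="/usr/lib/steam/steam" sig=31 arch=c000003e syscall=435 compat=0 ip=0x7f1b2c3d4e5f code=0x80000000
audit: type=1326 audit(1618069201.456:43): auid=1000 uid=1000 gid=1000 ses=2 pid=4250 comm="python3" exe="/usr/bin/python3" sig=31 arch=c000003e syscall=322 compat=0 ip=0x7f1b2c3d4f00 code=0x80000000
audit: type=1326 audit(1618069202.789:44): auid=1000 uid=1000 gid=1000 ses=2 pid=4250 comm="python3" exe="/usr/bin/python3" sig=31 arch=c000003e syscall=322 compat=0 ip=0x7f1b2c3d4f00 code=0x80000000
audit: type=1326 audit(1618069203.000:45): auid=1000 uid=1000 gid=1000 ses=2 pid=4260 comm="steam" exe="/usr/lib/steam/steam" sig=0 arch=c000003e syscall=91 compat=0 ip=0x7f1b2c3d5000 code=0x7ffc0000'

# Read audit lines on stdin; print "<syscall number> <comm>" once per unique
# pair, only for records where seccomp actually killed the process.
blocked_syscalls() {
    awk '/type=1326/ && / sig=31 / {
        n = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^syscall=/) n = substr($i, 9)
            if ($i ~ /^comm=/)    { c = substr($i, 6); gsub(/"/, "", c) }
        }
        if (n != "") print n, c
    }' | sort -u
}

# Map a number to a name with ausyscall(8) (audit userspace) when present;
# fall back to the bare number. Names are what profile seccomp lines take.
syscall_name() {
    if command -v ausyscall >/dev/null 2>&1; then
        ausyscall x86_64 "$1" 2>/dev/null || printf '%s\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# One "number name comm" line per blocked syscall.
report_blocked() {
    blocked_syscalls | while read -r num comm; do
        printf '%s %s %s\n' "$num" "$(syscall_name "$num")" "$comm"
    done
}

# Real use, after reproducing the crash inside the sandbox:
#   journalctl -k -b | report_blocked
# Stand-alone demo on the constructed records:
printf '%s\n' "$SAMPLE_AUDIT" | report_blocked
```

On x86_64, 435 is clone3 and 322 is execveat; those are the names to relax in the game's .local file (and to include in the upstream bug report), then rerun and repeat until the journal stays quiet.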

Suggestions

I've some suggestions for this wiki page. I will not add them myself because I do a lot of work upstream and I believe that downstream documentation should be written by users and not by developers.

  1. Usage: Since firejail 0.9.58 you can use firejail --profile=<profile-name> <program-name> for profiles in /etc/firejail and ~/.config/firejail.
  2. Creating custom profiles >> Profile writing: Since firejail 0.9.62 you can use /usr/share/doc/firejail/profile.template.
  3. Creating custom profiles >> Profile writing >> Persistent local customisation: Since firejail 0.9.58 you can also create .locals in ~/.config/firejail without the need of creating a redirect profile there.
  4. Creating custom profiles >> Testing profiles: --audit was removed in firejail 0.9.66. You can now use sudo jailcheck to check all running sandboxes. (Or my https://github.com/rusty-snake/raudit).
  5. Since firejail 0.9.64.2 new users can run /usr/lib/firejail/firejail-welcome.sh to do some basic configuration like browser-disable-u2f, browser-allow-drm and firecfg.
  6. If https://bugs.archlinux.org/task/70596 results in xdg-dbus-proxy in optdepends, suggest to install it if it isn't installed.

--Rusty-snake (talk) 12:19, 4 July 2021 (UTC)

These are nice suggestions, thanks! The whole page needs some love IMO but this needs some time to accomplish since it is not a small page.
-- NetSysFire (talk) 16:35, 4 July 2021 (UTC)
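Suggestions 1 and 3 above, and the `ignore private-dev` / `ignore private-etc` .local approach from the Steam and Proton thread, fit together in one script. What follows is an added example written for this talk page, not Firejail's own code. It assumes two things, both labelled in the comments: that `--profile=<name>` looks in ~/.config/firejail before /etc/firejail, and that the stock profiles contain an `include <name>.local` line through which the user file is pulled in. The directories are variables so the demo runs against a scratch tree instead of the real /etc/firejail.

```shell
#!/bin/sh
# Added example (not Firejail's own code): find the profile Firejail would load
# for a name, and write a persistent <name>.local override in the user
# directory so package updates of /etc/firejail do not wipe the change.
#
# Assumptions: ~/.config/firejail is searched before /etc/firejail for
# --profile=<name> (0.9.58+), and stock profiles carry "include <name>.local".

USER_DIR="${FIREJAIL_USER_DIR:-$HOME/.config/firejail}"
SYSTEM_DIR="${FIREJAIL_SYSTEM_DIR:-/etc/firejail}"

# Print the path of the first <name>.profile found, user directory first.
resolve_profile() {
    for d in "$USER_DIR" "$SYSTEM_DIR"; do
        if [ -f "$d/$1.profile" ]; then
            printf '%s\n' "$d/$1.profile"
            return 0
        fi
    done
    return 1
}

# Append "ignore <directive>" to <name>.local in the user directory, once per
# directive, so e.g. a stock profile's private-dev/private-etc are skipped.
add_ignore() {
    name=$1; shift
    mkdir -p "$USER_DIR"
    f="$USER_DIR/$name.local"
    [ -f "$f" ] || : > "$f"
    for directive in "$@"; do
        grep -qx "ignore $directive" "$f" || printf 'ignore %s\n' "$directive" >> "$f"
    done
    printf '%s\n' "$f"
}

# Confirm the resolved profile really includes <name>.local; a .local that is
# never included is a silently dead override.
local_is_included() {
    p=$(resolve_profile "$1") || return 1
    grep -qx "include $1.local" "$p"
}

# Stand-alone demo in a scratch tree (nothing under the real /etc is touched).
demo() {
    scratch=$(mktemp -d)
    USER_DIR="$scratch/user"; SYSTEM_DIR="$scratch/etc"
    mkdir -p "$SYSTEM_DIR"
    # Constructed stand-in for a stock profile as the package ships it.
    printf 'include steam.local\nprivate-dev\nprivate-etc alsa,fonts\nseccomp\n' \
        > "$SYSTEM_DIR/steam.profile"
    echo "profile: $(resolve_profile steam)"
    add_ignore steam private-dev private-etc >/dev/null
    if local_is_included steam; then
        echo "steam.local is included; contents:"
        cat "$USER_DIR/steam.local"
    fi
    rm -r "$scratch"
}
demo
```

Run `add_ignore steam private-dev private-etc` against the real directories (drop the scratch `demo`), then start the game with `firejail --profile=steam ...` and confirm with `sudo jailcheck` that the sandbox is still up; `local_is_included` is the check to run first if the override appears to have no effect.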

One more suggestion: add the keyboard problem with xephyr to troubleshooting. It can be solved as in this thread, by passing parameters with

xephyr-extra-params -keybd ephyr,,,xkbmodel=pc105,xkblayout=es,xkbrules=evdev,xkbvariant=cat

in /etc/firejail/firejail.conf

--Xan (talk) 11:14, 28 May 2023 (UTC)
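The xephyr-extra-params line above, the browser-allow-drm setting from the "Firejail, Firefox and DRM" thread and the keys firejail-welcome.sh touches (suggestion 5) all live in /etc/firejail/firejail.conf. The script below is an added example for this talk page, not Firejail's own tooling: it reads and sets a key in that file in place, so a setting is changed exactly once instead of being appended as a second copy. It assumes (labelled in the comments) that the stock file ships unset keys as commented-out defaults of the form "# key value"; the configuration file it runs on in the demo is constructed, and writing to the real file needs root.

```shell
#!/bin/sh
# Added example (not Firejail's own code): read and set keys in
# /etc/firejail/firejail.conf, the home of browser-allow-drm,
# browser-disable-u2f and xephyr-extra-params.
#
# Assumption: the stock file carries unset keys as a commented default such as
# "# browser-allow-drm no", so setting a key means replacing that line (or the
# active one), and only appending when neither form is present.

CONF="${FIREJAIL_CONF:-/etc/firejail/firejail.conf}"

# Effective value of a key: the last uncommented "key value" line, or the
# default passed as $2 when the key is not set.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$CONF" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$2"; fi
}

# Set key to value in place. An active "key ..." line or a short commented
# default "# key ..." (at most three fields, so prose comments that merely
# mention the key are left alone) is replaced; otherwise the line is appended.
conf_set() {
    key=$1; value=$2
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $1 == k || ($1 == "#" && $2 == k && NF <= 3) || $1 == ("#" k) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$CONF" > "$tmp" && cat "$tmp" > "$CONF"   # cat keeps owner and mode of CONF
    rm -f "$tmp"
}

# Stand-alone demo on a constructed scratch copy; nothing under /etc is touched.
demo() {
    CONF=$(mktemp)
    printf '# browser-allow-drm no\n# browser-disable-u2f yes\n# xephyr-extra-params\nrestricted-network no\n' > "$CONF"
    echo "before: browser-allow-drm=$(conf_get browser-allow-drm no)"
    conf_set browser-allow-drm yes
    conf_set xephyr-extra-params '-keybd ephyr,,,xkbmodel=pc105,xkblayout=es,xkbrules=evdev,xkbvariant=cat'
    echo "after:  browser-allow-drm=$(conf_get browser-allow-drm no)"
    echo "after:  xephyr-extra-params=$(conf_get xephyr-extra-params '')"
    rm -f "$CONF"
}
demo
```

For the real file run the two `conf_set` calls as root (for example via `sudo sh`) with CONF left at its default, then restart the browser sandbox; DRM content should load once `conf_get browser-allow-drm no` prints yes.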

Using hardened malloc with xephyr

I try to run this profile

firejail --no3d --nodvd --private --apparmor --blacklist=zync/ --x11=xephyr --xephyr-screen=1024x1000 --net=wlan0 --seccomp --caps.drop=all --nonewprivs --noroot openbox --startup "firefox"

with hardened malloc:

firejail --env=LD_PRELOAD='/usr/lib/libhardened_malloc.so' --no3d --nodvd --private --apparmor --blacklist=zync/ --x11=xephyr --xephyr-screen=1024x1000 --net=wlan0 --seccomp --caps.drop=all --nonewprivs --noroot openbox --startup "firefox"

but it does not work. It seems you cannot use --env with --x11=xephyr.

Xan (talk) 16:18, 13 January 2024 (UTC)

You could be running into https://github.com/GrapheneOS/hardened_malloc/issues/123.
--Indigo (talk) 15:33, 14 January 2024 (UTC)
I get this error: firejail: x11.c:569: x11_start_xephyr: Assertion `env_get("LD_PRELOAD") == NULL' failed. Error: failed to start xephyr --Xan (talk) 17:26, 14 January 2024 (UTC)