Hi pals,
I have been using firejail globally on my desktop. It was interesting to see Firefox was restricted to only ~/Downloads, and Akregator crashed; I had to do some whitelisting to make it work.
Are you using firejail?
What are your experiences?
I want everybody to use firejail, should we make it mandatory on PG?
Firejail does have some drawbacks: Sandboxing Applications on Desktop Linux - Privacy Guides.
Yeah, the setuid bit is the main problem here by design. Hopefully bubblewrap will take over Desktop Linux soon.
bwrap and firejail are not the same. The primary benefit of firejail is that it has hundreds of premade profiles for programs; no other similar program has that.
Even flatpak+flatseal is often more permissive than you can make a firejail profile.
If you need an introduction, I strongly recommend watching my video on it.
There are also lightly hardened builds in my rpm repo.
(disclaimer: am/was firejail maintainer)
Can you include a link to the video you mentioned @SkewedZeppelin?
Portals are being made for that IIRC. Yes, that’s true; flatpaks made today claim to be “sandboxed”.
Is apparmor with firejail good?
Your thoughts on SELinux? I want to learn it, but it needs to be simple.
Can you give your thoughts on SELinux vs apparmor, just one word no bashing, what will you pick?
This is a great tutorial. Thanks for putting it together.
Wow, nice job!
Could you do a tutorial for us users on Windows 10/11? That would be amazing!
Firejail is only for Linux.
AppArmor is less flexible as it doesn’t support MCS, which is probably why it’s becoming more common due to container workloads: Technologies for container isolation: A comparison of AppArmor and SELinux. Worth noting also that MicroOS and Tumbleweed both use it, whereas in the past SUSE was AppArmor by default.
There’s definitely a learning curve w/ firejail that I’m currently tackling, but it is a good tool overall.
IIRC, there are a few solutions to minimize the setuid issue, including a simple flag in /etc/firejail/firejail.conf:
[..]
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# force-nonewprivs no # <--change this to yes
[..]
There’s a non-zero amount of unreported breakage w/ existing profiles, so please remember to load a ticket on GitHub if you run into any issues.
Currently, my favorite firejail flag is --private /path/to/sandbox, which saves all data for an app inside of a folder of your choosing, and removes access to the rest of your traditional system, including $HOME.
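The force-nonewprivs setting quoted above is easy to misread: the shipped line is a comment, so it leaves the option disabled. As an added example (not from this thread or the firejail project), the script below reads a firejail.conf the way the file's conventions dictate and reports the effective state, then reads the NoNewPrivs line of /proc/<pid>/status to confirm a process really runs with no_new_privs; the sample config files are constructed stand-ins for /etc/firejail/firejail.conf.

```sh
#!/bin/sh
# Added example: audit the effective force-nonewprivs state of a firejail.conf.
# Rules applied: '#' lines are comments (the default "# force-nonewprivs no"
# is one), an absent key means the documented default "no", last entry wins.

# Print "yes" or "no": effective force-nonewprivs state of the given file.
firejail_nonewprivs_state() {
    conf=$1
    state=no                                    # documented default
    [ -r "$conf" ] || { echo "$state"; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case $line in ''|\#*) continue ;; esac  # blank or comment line
        key=${line%%[[:space:]]*}
        rest=${line#"$key"}
        rest=${rest#"${rest%%[![:space:]]*}"}
        val=${rest%%[[:space:]]*}               # first token after the key
        if [ "$key" = force-nonewprivs ]; then
            [ "$val" = yes ] && state=yes || state=no
        fi
    done < "$conf"
    echo "$state"
}

# Print 0, 1 or "unknown": the NoNewPrivs flag of a running process (Linux).
proc_nonewprivs_flag() {
    status=/proc/$1/status
    [ -r "$status" ] || { echo unknown; return 0; }
    flag=$(awk '$1 == "NoNewPrivs:" { print $2 }' "$status")
    echo "${flag:-unknown}"
}

# Constructed sample configs standing in for /etc/firejail/firejail.conf.
tmp=$(mktemp -d)
printf '# Force use of nonewprivs. Default disabled.\n# force-nonewprivs no\n' > "$tmp/default.conf"
printf '# force-nonewprivs no\nforce-nonewprivs yes\n' > "$tmp/hardened.conf"
echo "default.conf  -> $(firejail_nonewprivs_state "$tmp/default.conf")"    # no
echo "hardened.conf -> $(firejail_nonewprivs_state "$tmp/hardened.conf")"   # yes
echo "this shell    -> NoNewPrivs=$(proc_nonewprivs_flag $$)"
rm -rf "$tmp"
```

Run it against the real file with `firejail_nonewprivs_state /etc/firejail/firejail.conf`, and against a sandboxed app's PID with `proc_nonewprivs_flag <pid>` to see whether the flag actually took effect.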
Firejail does not work on Fedora Silverblue. On top of that, it requires a setuid binary, something which is being deprecated (e.g. sudo being replaced by run0, etc.). The more modern solution for that is to use bubblewrap.
Again the benefit of Firejail is the 1,325 pre-made profiles.
Bubblejail has a whopping 8 profiles.
I didn’t know that. I didn’t use both. I’m just aware of it and shared in case there was some benefit.
There is also a community wiki post about using bubblejail.
I just realised it only has a wordpress.com address for their website…? That makes it seem badly funded…
funded? lol
Firejail, like many projects, has zero funding, just volunteers.
It doesn’t even accept donations.