User talk:Sakaki/Sakaki's EFI Install Guide/Sandboxing the Firefox Browser with Firejail

Issue with linked /tmp and default firefox profile
On my installation I have /tmp linked to /var-tmp because I have a read-only mounted root filesystem. As a result the firefox profile does not work unless I comment out private-tmp. Is there a better way of dealing with this issue? If so, could it be added to this wiki page?


 * Apologies, I've only just seen this (as the wiki doesn't seem to notify the original creator of page X when a talk page for X is created by someone else). Could you please elaborate a little on what you'd like to achieve on your setup, and how the default profile fails in your case? Many thanks --Sakaki (talk) 19:10, 10 November 2018 (UTC)

Using the default profile:

firejail --profile=/home/Gentoo/jonathan-websurfer/.config/firejail/firefox.profile firefox

I get ...

Reading profile /home/Gentoo/jonathan-websurfer/.config/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Warning: noroot option is not available
Parent pid 1214, child pid 1215
Error: invalid whitelist path /tmp/.X11-unix
Error: proc 1214 cannot sync with peer: unexpected EOF
Peer 1215 unexpectedly exited with status 1

If I comment out private-tmp in the firefox.profile then firefox will start.

It looks as though this is due to /tmp being a symlink:

lrwxrwxrwx  1 root root       11 Oct 27 15:31 tmp -> var/var-tmp


 * What if you use a directive (see  ) in your  to bind mount  over  explicitly (rather than symlinking it); does it fail then? --Sakaki (talk) 22:45, 13 November 2018 (UTC)

Sorry for the delay in responding - bind can only be used as root and I prefer not to start firejail as root user.
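The thread above pins the failure on the combination of an active private-tmp directive with a /tmp that is a symlink. The following POSIX sh check is an added example, not code from this wiki page or from the Firejail project: it reads a profile, reports whether private-tmp is enabled, and flags the case where the tmp directory it is given (default /tmp) is a symlink, so the conflict can be spotted before the sandbox is launched. The function names and the sample profile content are assumptions made for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the wiki page or the Firejail project): reports
# whether a Firejail profile's private-tmp directive would be combined with a
# /tmp that is a symlink, the combination the thread above describes as failing.

# Return 0 if the profile contains an active (uncommented) private-tmp line.
profile_uses_private_tmp() {
    grep -qE '^[[:space:]]*private-tmp([[:space:]]|$)' "$1"
}

# Return 0 if the given path is a symbolic link.
path_is_symlink() {
    [ -L "$1" ]
}

# check_profile_tmp PROFILE [TMPDIR]
# Prints a diagnostic and returns 1 when PROFILE enables private-tmp while
# TMPDIR (default /tmp) is a symlink; returns 2 if the profile is unreadable;
# returns 0 otherwise.
check_profile_tmp() {
    profile=$1
    tmpdir=${2:-/tmp}
    if [ ! -r "$profile" ]; then
        echo "cannot read profile: $profile" >&2
        return 2
    fi
    if profile_uses_private_tmp "$profile" && path_is_symlink "$tmpdir"; then
        echo "$profile: private-tmp is enabled but $tmpdir is a symlink -> $(readlink "$tmpdir")"
        return 1
    fi
    echo "$profile: no private-tmp/symlinked-$tmpdir conflict"
    return 0
}

# Example invocation (hypothetical profile path):
#   check_profile_tmp ~/.config/firejail/firefox.profile
```

Run it against the profile you pass to `firejail --profile=...`; a non-zero exit means the profile still has private-tmp active while /tmp is a symlink, which is the configuration the poster found would not start.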

Page has reference errors
https://wiki.gentoo.org/index.php?title=Category:Pages_with_reference_errors

Cite error: Invalid tag; name "x11_guide" defined multiple times with different content

Cite error: Invalid tag; name "Firejail_Documentation:" defined multiple times with different content

--BT (talk) 04:20, 5 January 2019 (UTC)


 * Thanks, I have fixed the first of these ("x11_guide"), can't find any instances of the second ("Firejail_Documentation:") but I'll have a proper look when back at my workstation early next week. Thanks for bringing this to my attention. --Sakaki (talk) 16:26, 5 January 2019 (UTC)


 * The second reference is  without the underscore. --BT (talk) 03:26, 6 January 2019 (UTC)


 * Ah, thanks. Fixed that one also now; some underlying issue with my emacs ref snippet possibly, I'll need to check that. --Sakaki (talk) 16:02, 6 January 2019 (UTC)

Issue with Firejail and/or OpenBox seizing exclusive control of all input and terminal screens
Really love the security this setup provides, and would like to sandbox my mother's web browser the same way. Only problem is an intermittent bug. I'm not sure if there's some undocumented keypress combination I'm accidentally hitting or something, but at least once per session either Firejail or OpenBox takes complete control of all input devices and will not allow any interaction with the outside Gnome desktop. The cursor will not move outside the Firejail window, keyboard shortcuts only operate within the OpenBox server environment, and even switching to another tty only opens it within the Firejail application window, and only allows me to log into the user account Firejail was opened under, with the same restricted access to files and directories. Ultimately I have to completely shut down OpenBox with the desktop Logout command and then wait for Firejail to close on its own to fix this issue, but for users that are less Linux-savvy (I keep my mother on an almost kiosk-mode account for this reason) it would likely instill panic to suddenly not be able to close the browser window.

Anyone else know what might be causing this problem, or where I might look for a clue why this is happening? When it happens I'm obviously not able to access anything outside of Firejail, and afterward my logs only show typical and expected application startup and shutdown messages.

--Tatterdemalian (talk) 07:07, 23 October 2019 (UTC)

Using nft instead of iptables
Iptables is being phased out in a number of systems, and many Gentoo users are also opting for nftables instead of iptables. As such, it would be much appreciated if you could update this excellent tutorial to add nftables-specific instructions for security.

King Mucus (talk) 14:27, 29 March 2020 (UTC)