The goal of this tutorial is to provide a way to fully sandbox any program on Debian: the application is chrooted and runs in a separate X server.
# apt-get -t buster-backports install firejail firejail-profiles xserver-xephyr firetools openbox debootstrap
# apparmor_parser -r /etc/apparmor.d/firejail-default
(the second command loads firejail's AppArmor profile, which the --apparmor option used below requires)
Using for one application
This just runs an application as your user, but with some isolation (namespaces, seccomp, dropped capabilities and other methods).
No extra disk space, no extra memory; the process runs as your user.
Whether X is isolated depends on the X method: by default the application talks to your normal X server (and can see other windows and keystrokes); --x11=xephyr or --x11=xpra gives it a separate X server.
The filesystem view is more or less isolated (depending on the firejail profile settings).
Quite easy and transparent (apart from bugs in profiles), but not very secure: this is the minimal protection.
As the given user on the host, run once:
$ sudo firecfg
(you might need to add that host user, e.g. john, to sudoers via visudo and to ...)
After that, applications resolve to /usr/local/bin, e.g.
$ which mumble
/usr/local/bin/mumble
$ file /usr/local/bin/mumble
/usr/local/bin/mumble: symbolic link to /usr/bin/firejail
So it captures commands typed in bash via $PATH (/usr/local/bin is searched before /usr/bin), and should also capture desktop shortcuts and the like: the app is started through firejail, with the protections from its profile applied.
Just start the application as usual, e.g.
$ mumble
and it will use the above mechanism to start inside firejail. You can still run the real binary by its full path,
$ /usr/bin/mumble
to run the application normally, without firejail.
Using as chroot
Stronger protection: run a desktop (or application) in firejail inside its own chroot.
The result is similar to a very lightweight "virtual machine" with one user (it uses a separate /, so e.g. 10-20 GB of filesystem, which can live on the normal host filesystems, and no extra RAM it seems).
It has a separate filesystem and does not see any of the host's files. It still shares the host kernel, UID and (unless --net is used) network, so this is filesystem and X isolation, not a full VM.
Downsides: not sure how to update the applications in such a "system" (crontab/unattended-upgrades not working?); the manual way is to enter the chroot as root with firejail --noprofile --chroot=... and run apt-get there, as in the preparation steps below.
Preparing chroot dirs
# mkdir /chroot1
# mkdir /chroot2
# mkdir /chroot3
# mkdir /foo/bar
etc.
# debootstrap --arch=amd64 buster /chroot1
# debootstrap --arch=amd64 buster /chroot2
# debootstrap --arch=amd64 buster /chroot3
# debootstrap --arch=amd64 buster /foo/bar
etc.
# firejail --noprofile --chroot=/chroot1
# adduser <your_user_name_here>
# apt-get update
# apt-get install openbox <application1_you_wish_to_run_in_chroot1> <application2> ...
# exit
# firejail --noprofile --chroot=/chroot2
# adduser <your_user_name_here>
# apt-get update
# apt-get install openbox <application1_you_wish_to_run_in_chroot2> <application2> ...
# exit
and so on. The user added inside each chroot must have the same name and UID as your host user (see the "I have no name!" question below).
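The same preparation as a script, so that each jail is built the same way and a typo in the jail name cannot debootstrap over some other directory. This is an added example for this page, not part of firejail or Debian. It assumes (beyond what the page shows) that jail names are single path components under a JAIL_BASE directory (default /, matching /chroot1 above), that the user is created with an explicit UID so it matches the host UID, and that DRY_RUN=1 prints the commands instead of running them; without DRY_RUN it needs to be run as root.

```sh
#!/bin/sh
# make-jail.sh: build one Debian chroot for firejail --chroot, automating the
# manual mkdir / debootstrap / adduser / apt-get steps of the tutorial.
# Added example, not firejail's or Debian's own tooling. Assumptions (not from
# the page): jail names are single path components under JAIL_BASE, the user is
# created with an explicit UID, DRY_RUN=1 prints instead of running.
set -eu

SUITE="${SUITE:-buster}"
ARCH="${ARCH:-amd64}"
JAIL_BASE="${JAIL_BASE:-/}"   # the page puts jails directly under /, e.g. /chroot1

# Accept only a plain directory name: no slashes, no "." or "..", no leading "-",
# so a bad argument cannot debootstrap over an arbitrary path or become an option.
valid_jail_name() {
    case "$1" in
        ''|*/*|.|..|-*) return 1 ;;
    esac
    return 0
}

# Numeric UID check; the sandbox keeps the host UID, so it must exist in the chroot.
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_jail NAME USER UID [PKG...]
# debootstrap the base system, then, as root inside the new chroot via
# firejail --noprofile --chroot, add the user and install openbox plus PKGs.
build_jail() {
    [ $# -ge 3 ] || { echo "usage: build_jail NAME USER UID [PKG...]" >&2; return 2; }
    name="$1"; user="$2"; uid="$3"; shift 3
    valid_jail_name "$name" || { echo "bad jail name: $name" >&2; return 2; }
    valid_uid "$uid"        || { echo "bad uid: $uid" >&2; return 2; }
    jail="${JAIL_BASE%/}/$name"

    run mkdir -p "$jail"
    run debootstrap --arch="$ARCH" "$SUITE" "$jail"
    # Same steps the page runs interactively, chained so a failure stops the build.
    inner="adduser --uid $uid --disabled-password --gecos '' '$user'"
    inner="$inner && apt-get update && apt-get install -y openbox $*"
    run firejail --noprofile --chroot="$jail" sh -c "$inner"
}

# Usage: make-jail.sh NAME USER UID [PKG...]
#   e.g. DRY_RUN=1 ./make-jail.sh chroot1 john 1001 firefox mumble   (preview)
#        sudo ./make-jail.sh chroot1 john 1001 firefox mumble         (build)
if [ $# -ge 3 ]; then
    build_jail "$@"
fi
```

Run it once per jail; the UID argument is the output of id -u for your host user, which is what makes the D-Bus and "I have no name!" issues further down go away.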
Running example application
To run a chroot inside a firejail container, as the normal host user (in X) run:
$ firejail --x11=xephyr --apparmor --chroot=/chroot1 openbox
A more complete example, with a larger Xephyr window, a different jail path and a different window manager:
$ HOME=/home/blacksmith /usr/bin/firejail --allow-debuggers --x11=xephyr --xephyr-screen=3200x1800 --apparmor --chroot=/blacksmith.jails/jail-blacksmith-devel/ awesome
This example uses the full path /usr/bin/firejail rather than relying on $PATH, to avoid the firecfg symlink wrapping firejail in firejail again (for some reason it was not working at first for a user configured to run programs through firejail automatically). Drop --allow-debuggers unless you need gdb or strace inside the jail; it relaxes the seccomp filter to allow ptrace.
That will start a whole window manager session (openbox here; awesomewm is also nice) inside the Xephyr window, from which you can run more programs.
To run further applications inside the same Xephyr window, find the display that firejail assigned to the running sandbox with firemon and point DISPLAY at it:
$ firemon --x11
7299:<username>::firejail --apparmor --chroot=/chroot1 openbox
  DISPLAY :756
$ DISPLAY=:756 firejail --apparmor --chroot=/chroot1 firefox
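The two steps above (start the window manager in Xephyr, then run more programs into that display) as a small launcher script. This is an added example for this page, not firejail's own tooling. It assumes the firemon --x11 output format shown above (a PID:user::command line followed by an indented DISPLAY :N line), defaults the Xephyr size to 1600x900 via an XEPHYR_SCREEN variable, and pre-creates /run/user/UID inside the chroot, which the D-Bus question in the next section reports as a fix; none of these names come from firejail.

```sh
#!/bin/sh
# jail-run.sh: start a window manager from a chroot jail in its own Xephyr
# window, and run further applications into that same window.
# Added example, not firejail's tooling. Assumptions (not from the page):
# firemon --x11 output format as shown on the page, XEPHYR_SCREEN defaults to
# 1600x900, /run/user/UID is pre-created inside the chroot.
set -eu

# jail_display PATTERN [FIREMON_OUTPUT]
# Print the X display (e.g. ":756") of the first sandbox whose command line
# contains PATTERN. FIREMON_OUTPUT is for testing; otherwise firemon --x11 is run.
jail_display() {
    pattern="$1"
    listing="${2:-$(firemon --x11)}"
    printf '%s\n' "$listing" | awk -v pat="$pattern" '
        /^[0-9]+:/ { cmd = $0; next }                     # "PID:user::command" line
        /^[ \t]*DISPLAY :[0-9]+/ && index(cmd, pat) { print $2; exit }
    '
}

# The page reports D-Bus failures ("Failed to connect to socket /run/user/1001/bus")
# when /run/user/UID is missing inside the chroot; create it for the given UID.
ensure_run_user() {
    jail="$1"; uid="$2"
    [ -d "$jail/run/user/$uid" ] || sudo install -d -m 0700 -o "$uid" "$jail/run/user/$uid"
}

# launch_wm JAIL [WM]: start the window manager in a fresh Xephyr window.
# The full path /usr/bin/firejail is used, as on the page, so a firecfg
# symlink does not wrap firejail in firejail again.
launch_wm() {
    jail="$1"; wm="${2:-openbox}"
    ensure_run_user "$jail" "$(id -u)"
    /usr/bin/firejail --x11=xephyr --xephyr-screen="${XEPHYR_SCREEN:-1600x900}" \
        --apparmor --chroot="$jail" "$wm"
}

# launch_into JAIL CMD...: run CMD inside the same jail, on the Xephyr display
# that launch_wm created, found by matching --chroot=JAIL in the firemon listing.
launch_into() {
    jail="$1"; shift
    disp=$(jail_display "--chroot=$jail")
    [ -n "$disp" ] || { echo "no sandbox running for $jail; use launch_wm first" >&2; return 1; }
    DISPLAY="$disp" /usr/bin/firejail --apparmor --chroot="$jail" "$@"
}

# Usage: jail-run.sh wm /chroot1 [openbox]
#        jail-run.sh into /chroot1 firefox
case "${1:-}" in
    wm)   shift; launch_wm "$@" ;;
    into) shift; launch_into "$@" ;;
esac
```

Start the window manager with "jail-run.sh wm /chroot1" in one terminal and add programs with "jail-run.sh into /chroot1 firefox" from another; XEPHYR_SCREEN=3200x1800 on the command line changes the Xephyr size without editing firejail.config.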
DBUS and run
Q: Problems with /run/user/: it does not exist inside the chroot, e.g.
awesome: a_dbus_connect:611: Could not connect to D-Bus session bus: Failed to connect to socket /run/user/1001/bus: No such file or directory
awesome: a_dbus_connect:611: Could not connect to D-Bus system bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
A1: if you run firejail as in the chroot chapter (firejail --chroot=... awesome), then start that firejail using ...
A2: otherwise, some applications will have problems using D-Bus (especially applications inside the chroot); creating the directory /run/user/ or /run/user/1001 inside the chroot (substitute the UID of your user for 1001) sometimes resolves the problem.
Q: Can I use the host's VPN connection, and block the host's other networks, inside firejail?
A: Currently you can NOT simply reuse the host's VPN (e.g. to restrict the sandbox's networking to the VPN only). The option
firejail ... --net=<the OpenVPN tun interface>
would be the natural way, BUT --net cannot work on tun devices.
There might be a workaround: https://firejail.wordpress.com/documentation-2/basic-usage/#routed
Another option would be to allow only --net=eth0 (or the host's main network device) and log in to the VPN again as a separate VPN client from inside the firejail.
Q: I get this warning when I run apt-get update inside the chroot:
W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
A: The permissions of the chroot directory were changed; restore them. apt drops privileges to the _apt user for downloads, so the chroot's top-level directory must be traversable by other users (debootstrap creates it that way) and /var/lib/apt/lists inside it must be accessible to _apt; otherwise apt falls back to downloading as root, which is what the warning says.
Q: How do I change the resolution of Xephyr?
A: Set xephyr-screen WIDTHxHEIGHT in /etc/firejail/firejail.config on the host, where WIDTH and HEIGHT are in pixels and based on your screen resolution; or pass --xephyr-screen=WIDTHxHEIGHT on the firejail command line for a single sandbox, as in the awesome example above.
Q: bash (and other programs) show "I have no name!"
A: Your user (UID) does not exist in the jailed system: you forgot to run adduser/addgroup in the chroot. Leave the sandbox and add the user as root via firejail --noprofile --chroot=..., with the same name and UID as on the host, because firejail keeps the host UID inside the sandbox.
Q: Openbox aborts with
Openbox-Message: A window manager is already running on screen 0
Parent is shutting down, bye...
and the output mentions xpra, e.g.:
... 2019-11-19 15:10:08,744 xpra is ready. 2019-11-19 15:10:08,750 15.6GB of system memory *** Attaching to xpra display ... *** ...
A: It is important to use --x11=xephyr (see firejail --help). In the output above firejail was using Xpra instead of Xephyr; the xpra server manages the windows on its display itself, so a second window manager such as openbox refuses to start there, whereas Xephyr is a bare nested X server without a window manager.
Mumble on Debian Buster
If your Mumble does not work correctly, edit
/etc/firejail/mumble.profile and comment out the line:
load config server
It does not remember server settings (but does load other settings).