[GH-ISSUE #1735] New (detailed) firejail tutorial available - fact check review appreciated #1175

Closed
opened 2026-05-05 07:35:38 -06:00 by gitea-mirror · 4 comments

Originally created by @sakaki- on GitHub (Jan 16, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1735

Hi @netblue30,

I have just published a detailed addendum (first mentioned in #1600) to my EFI Install Guide on the Gentoo wiki, covering the use of `firejail` to X11-sandbox `firefox` (and potentially other applications) - the new document can be viewed **[here](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Sandboxing_the_Firefox_Browser_with_Firejail)**.

While the installation instructions themselves are obviously quite Gentoo-specific, I have also included a fairly in-depth "background" section at the start (covering namespaces, seccomp etc.)... I've tried to make this as accurate as possible (based on your online docs, manpages and the source) but if you (or any of the other firejail contributors) could take a quick look and let me know of any obvious errors, I'd very much appreciate it.

Thanks again for making firejail available!
sakaki
sakaki@deciban.com


@SkewedZeppelin commented on GitHub (Jan 16, 2018):

I'm not @netblue30, but I've read through most of it (skipped some Gentoo-specific parts), and it is quite nice. 👍 I only have a few minor comments as listed below.

> If you are using Wayland, a quick way to see if a given application is running 'natively', or is hosted inside the shared XWayland X11 server, is to run the xeyes program.

An easier way would be to run xlsclients.

> We'll write a short script to construct (and, when instructed, tear down) the bridge part of this plumbing first.

Why not make a package for all those scripts?

> the following two sentinel files can be used to control whether the main desktop clipboard is readable (and so reflected into Xephyr windows) and writeable

OT: that is a neat way of managing that

> Be careful if you intend to deploy the result within a business environment however, as many of the icons (including the above) have a 'no commercial use' stipulation.

~~IANAL, but afaik you could deploy the icon in a business environment as long as you aren't selling it to anyone. e.g. an *internal* IT department could deploy that icon+.desktop file with no issue, but an (external and paid-for/contracted) MSP deploying that onto a business's network would violate it.~~ Reading some more it seems to depend on the specific license and location.

> The following is a miscellaneous list of hints and tips that you may find useful.

Consider adding https://github.com/pyllyukko/user.js, the relaxed branch variant is very usable for day-to-day use.

Extra comments:

  • Why don't you instruct the user to run 'firecfg'? The extensive sandboxing (Network namespace + Xephyr) is great for the browser, but there are still benefits of sandboxing all of the other user's supported applications.
  • Since you're using GNOME, why isn't Wayland recommended as the default? Even if most applications will be thrown into the same XWayland instance, it is still an improvement.

@sakaki- commented on GitHub (Jan 17, 2018):

@SpotComms, many thanks for taking the time to look through the doc. To your comments:

> An easier way would be to run xlsclients.

Agreed, I'll add that in. (The only nice thing about `xeyes` is that you can leave it running in a corner and it acts as a constant reminder when you are using an X11 app.)

> Why not make a package for all those scripts?

I probably will at some point, I put the (baseline) scripts in as a teaching aid, really.

> Consider adding https://github.com/pyllyukko/user.js, the relaxed branch variant is very usable for day-to-day use.

That's nice, hadn't seen it before. I'll add it.

> Why don't you instruct the user to run 'firecfg'?

No reason not to mention it... I'll add this too.

> Since you're using GNOME, why isn't Wayland recommended as the default?

Wayland has got reasonably usable now (even with nvidia proprietary drivers), so I'm planning to change the [GNOME install chapter](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Setting_up_the_GNOME_3_Desktop) of the guide to have the Wayland USE flag set by default (you can always elect to have a regular X11 session when logging in anyhow, so there's nothing really to lose by doing this).

Best, sakaki


@sakaki- commented on GitHub (Jan 23, 2018):

Hi, I've now removed the draft marker and linked this page into the [EFI guide](https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide) itself. Thanks for the comments received in this thread, and by email.

If you get a chance, perhaps you could put a link to this somewhere in the firejail online docs, or blog?
Full URL: https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Sandboxing_the_Firefox_Browser_with_Firejail

Thanks! sakaki


@sakaki- commented on GitHub (Jan 24, 2018):

Closing now so as not to clog your issues list ^-^

Reference: github-starred/firejail#1175