[GH-ISSUE #2031] [feature request] Allow all directories, not just top-level for --private-home #1371

Open
opened 2026-05-05 07:57:19 -06:00 by gitea-mirror · 10 comments
Owner

Originally created by @rieje on GitHub (Jul 5, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2031

Not exactly sure why the limitation for `--private-home` requiring top-level directories only exists, but it would be great if directories didn't need to be top-level. As a specific example, addons are installed in the `extensions/` directory within the firefox profile directory. Being able to use this directory for `--private-home` means I can run a new and temporary instance of Firefox with these addons pre-installed. If the top-level directory `~/.mozilla` is used instead, then any sensitive footprint-related data are also used in the instance of Firefox and that's a privacy concern (since `~/.mozilla` contains data regarding your Firefox profile).

gitea-mirror added the enhancement label 2026-05-05 07:57:19 -06:00

@chiraag-nataraj commented on GitHub (Jul 8, 2018):

Side note: if you use `~/.mozilla/firefox/<profile>/extensions` as the home directory, wouldn't the profile not load those extensions? Or are you talking about a scenario where you would install those extensions manually after it created the (temporary) profile?


@rieje commented on GitHub (Jul 9, 2018):

> Side note: if you use `~/.mozilla/firefox/<profile>/extensions` as the home directory, wouldn't the profile not load those extensions?

Damn, you're right. I have a simple script that creates multiple profiles of the same name called `main`, with each sandboxed like this: `~/.firejail/firefox-<profile-name>/.mozilla/firefox/main/`. So in my script I can refer to it as e.g. `~/.firejail/firefox-${1}/.mozilla/firefox/main`. This consistent naming scheme means I can `cp` the addons to each profile. The problem with this is that it requires the profiles to be persistent even though they are sandboxed, and persistent profiles are more susceptible to browser tracking footprints.

Do you see any way in which firejail can support this natively and also support temporary instances (more ideal)?


@chiraag-nataraj commented on GitHub (Jul 9, 2018):

One way is to do something like this:

```
#!/bin/bash
# Everything lives under ~/.firejail/firefox; only the extension-related
# pieces of the permanent profile are copied, so history and cookies never
# reach the temporary one.
mkdir ~/.firejail/firefox/tmp-profile
cp -R ~/.firejail/firefox/firefox-permanent/extensions/ ~/.firejail/firefox/tmp-profile/extensions/
cp -R ~/.firejail/firefox/firefox-permanent/browser-extension-data ~/.firejail/firefox/tmp-profile/browser-extension-data
# Extension state files, from the same permanent profile as the directories above
cp ~/.firejail/firefox/firefox-permanent/{extension-preferences.json,extension-settings.json,extensions.json} ~/.firejail/firefox/tmp-profile/
firejail -- firefox --new-instance --profile ~/.firejail/firefox/tmp-profile
rm -rf ~/.firejail/firefox/tmp-profile
```

It's kind of hacky, but I think it should work (off to test!).

[Edit] It works! You may also want to copy some other directories (which contain extension preferences) as well as set some profile preferences by way of prefs.js.


@chiraag-nataraj commented on GitHub (Jul 11, 2018):

If you want multiple temporary Firefox profiles, you can do something like this:

```
#!/bin/bash

# Edit the variables below to set the directory to copy files from and which files to copy
SRCPROFDIR=~/.mozilla/firefox/5rupfy34.dev-edition-default-1518356819076
DESTPROFDIR=$(mktemp -d -p ~/.mozilla/firefox/)   # fresh, uniquely named, mode 0700
TOCOPY=( extensions browser-extension-data extension-preferences.json extension-settings.json extensions.json )

# Copy only the extension-related items; history, cookies etc. stay in the source profile
for i in "${TOCOPY[@]}"
do
    cp -R "${SRCPROFDIR}/${i}" "${DESTPROFDIR}/${i}"
done

firejail -- firefox --no-remote --profile "${DESTPROFDIR}"
rm -rf "${DESTPROFDIR}"
```

You should only have to modify $SRCPROFDIR and $TOCOPY. Everything else should Just Work™. This is also a much cleaner script because it uses mktemp to safely create a temporary directory, doesn't re-use the existing profile (so every time you run it you will get a new profile and a new firefox instance), and actually uses variables. tl; dr: don't use the previous script and use this one instead xD

Also, thanks for getting me to think about this and hack up the script - I might actually use it! 😀

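The mktemp-copy-run-delete lifecycle from the comment above, as an added example (editor's code, not from any comment in this thread or from the firejail project). It keeps the same allowlist of extension items, but registers the cleanup with `trap` so the seeded profile is also removed when the script is interrupted or firefox is killed; without that, a profile that has accumulated a session's history is left behind in `~/.mozilla/firefox`. The `make_sample_profile` helper builds a constructed fake source profile so the seeding logic can be exercised without touching a real `~/.mozilla`; the firejail invocation in `run_tmp_firefox` is plain `firejail -- firefox` and assumes your usual firefox profile applies.

```shell
#!/bin/sh
# Added example, not from the thread: lifecycle of a throw-away Firefox
# profile seeded only with extension data.  POSIX sh; needs mktemp and cp -R.

# Allowlist of items copied into every temporary profile (same set the
# thread's scripts use).  Everything else in the source profile, notably
# places.sqlite (history), cookies.sqlite and session data, stays behind.
SEED_ITEMS="extensions browser-extension-data extension-preferences.json extension-settings.json extensions.json"

# Create a uniquely named, mode-0700 profile directory under $1; print its path.
new_tmp_profile() {
    mktemp -d "$1/tmp-profile.XXXXXX"
}

# Copy the allowlisted items from source profile $1 into profile $2.
# Items missing from the source are skipped rather than aborting.
seed_profile() {
    for item in $SEED_ITEMS; do
        [ -e "$1/$item" ] || continue
        cp -R "$1/$item" "$2/$item"
    done
}

# Delete a temporary profile; safe to call more than once.
cleanup_profile() {
    [ -n "$1" ] && [ -d "$1" ] && rm -rf "$1"
    return 0
}

# Seed a temp profile from $1 under parent directory $2, run firefox in firejail
# with any remaining arguments, and remove the profile on exit, interrupt or
# SIGTERM.  The trap is the part the thread's scripts lack: a killed session
# otherwise leaves the seeded profile (now holding browsing data) on disk.
run_tmp_firefox() {
    src=$1; parent=$2; shift 2
    tmp=$(new_tmp_profile "$parent") || return 1
    trap 'cleanup_profile "$tmp"' EXIT INT TERM HUP
    seed_profile "$src" "$tmp"
    firejail -- firefox --no-remote --profile "$tmp" "$@"
}

# Constructed sample, not a real profile: lays out a fake source profile under
# $1 so the seeding logic can be exercised without touching ~/.mozilla.
make_sample_profile() {
    mkdir -p "$1/extensions" "$1/browser-extension-data/example@addon.test"
    : > "$1/extensions/example@addon.test.xpi"
    : > "$1/browser-extension-data/example@addon.test/storage.js"
    printf '{"schemaVersion":1}\n' > "$1/extensions.json"
    : > "$1/places.sqlite"    # history: must not reach the temp profile
    : > "$1/cookies.sqlite"   # cookies: must not reach the temp profile
}

# Usage (assumes a persistent profile at ~/.mozilla/firefox/main):
#   run_tmp_firefox ~/.mozilla/firefox/main ~/.mozilla/firefox --new-window https://example.org
```

Seeding by allowlist rather than by copying the whole profile and deleting the sensitive parts is deliberate: a new file Firefox starts writing in a later version is excluded by default instead of leaking by default.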

@chiraag-nataraj commented on GitHub (Jul 11, 2018):

I'll still mark this as an enhancement though, since this may be useful for other usecases.


@chiraag-nataraj commented on GitHub (Jul 14, 2018):

By the way, I actually use this script now as a general-purpose way to launch my firefox profiles:

`firefox.common`:

```
#!/bin/bash
# Usage: firefox.common PROFILE PRIVATE COPY [firefox args...]
#   PROFILE  path to a profile directory (with PRIVATE=1: the profile to seed from)
#   PRIVATE  1 = create a temporary profile and delete it afterwards
#   COPY     1 = copy $TOCOPY from PROFILE into the temporary profile

PROFILE=$1
NAME=$(basename "$PROFILE")
PRIVATE=$2
COPY=$3
RMPROF=0
shift 3

. ~/scripts/gen_libraries

# Libraries for --private-lib: everything under /usr/lib/firefox links against,
# plus the hand-maintained extras that firefox loads at runtime.
LIBS=$(compile_list /usr/lib/firefox nss,pulseaudio,nvidia,python3.6,gconv,libpulse.so.0,libFLAC.so.8,libogg.so.0,libopus.so.0,libvorbis.so.0,libvorbisenc.so.2,libavcodec.so.57,libavutil.so.55,libcrystalhd.so.3,libdrm.so.2,libGL.so.1,libnss_resolve.so.2,libnss_systemd.so.2)

if [ "$PRIVATE" -eq 1 ]
then
    SRCDIR=${PROFILE}
    PROFILE=$(mktemp -d -p ~/.mozilla/firefox/)
    NAME=$(basename "$PROFILE")
    TOCOPY=( extensions browser-extension-data extension-preferences.json extension-settings.json extensions.json prefs.js )
    RMPROF=1
    if [ "$COPY" -eq 1 ]
    then
        for i in "${TOCOPY[@]}"
        do
            cp -R "${SRCDIR}/${i}" "${PROFILE}/${i}"
        done
    fi
fi

# Reuse a running instance for this profile if its user unit is active,
# otherwise start one as a transient systemd user service.
if systemctl --user --quiet is-active "firefox-${NAME}.service"
then
    firefox --profile "${PROFILE}" "$@"
else
    systemd-run --wait --user --unit="firefox-${NAME}.service" --description="Firefox (${NAME})" firejail --private-lib="$LIBS" -- firefox --new-instance --profile "${PROFILE}" "$@"
fi

if [ "$RMPROF" -eq 1 ]
then
    rm -rf "${PROFILE}"
fi
```

`gen_libraries`:

```
#!/bin/bash
# Sourced by the launcher scripts; only defines functions, nothing runs on load.

# Direct dependencies of one file as bare sonames (e.g. libfoo.so.1), excluding
# the loader, the vDSO, unresolved entries and libraries that live in a
# subdirectory of /usr/lib (those are handled by get_folders).
get_deps()
{
    ldd "$1" | grep -v "/lib64" | grep -v 'not a dynamic' | grep -v "linux-vdso" | grep -v '/usr/lib/.*/.*/.*.so' | grep -v "not found" | grep '^[[:space:]]' | awk -F '=>' '{ print $1; };' | sed 's/(.*//g' | sort | uniq
}

# Subdirectories of /usr/lib (e.g. nss) that hold a dependency of one file.
get_folders()
{
    ldd "$1" | grep '/usr/lib/.*/.*/.*.so' | grep -o '/.*/' | sed 's/\/usr\/lib\///g' | sed 's/\/$//g' | sort | uniq
}

# compile_list DIR EXTRA: run the two helpers over every file in DIR, append the
# comma-separated EXTRA list, and print one comma-separated list for --private-lib.
compile_list()
{
    PRIMARY="$1"
    SECONDARY="$2"
    LIBS=( $(find "$PRIMARY" -type f -print0 | while IFS= read -r -d '' file; do get_deps "$file"; done | sort | uniq) )
    LIBFLDRS=( $(find "$PRIMARY" -type f -print0 | while IFS= read -r -d '' file; do get_folders "$file"; done | sort | uniq) )
    LIBS2=( $(echo "$SECONDARY" | tr ',' ' ') )
    echo "${LIBS[@]}" "${LIBFLDRS[@]}" "${LIBS2[@]}" | tr ' ' ','
}
```

To use, you'd invoke `firefox.common` as something like this:
`~/scripts/firefox.common ~/.mozilla/firefox/5rupfy34.dev-edition-default-1518356819076 0 0 $*`
The first argument is the path to the profile. The second argument is whether you want this to be a private (temporary) profile. The third argument is whether you want to copy anything to the temporary profile. So in this case, it's just loading a regular firefox profile.

If you want to invoke the script to set up a private profile, you'd run it like this:
`~/scripts/firefox.common ~/.mozilla/firefox/050wncor.FailSafe 1 1 $*`
In this case, the first argument gives the profile to copy information from. The second argument tells the script to create a temporary profile. The third argument tells the script to copy the files in `$TOCOPY` from the first argument to the temporary profile (edit `$TOCOPY` to your desire).

In addition to what the previous script did, this script also sets up a private-lib filter by dynamically resolving the specific libraries needed in your version of firefox (unlike the firejail version, this one will use find to locate all executables within a directory and run ldd on them if provided a directory as the first argument - it makes generating the filter a lot less tedious). The second argument to compile_list is the list of extra libraries needed (you may need to play with that, sorry...or just disable the private-lib stuff if you don't care). Oh, and it uses systemd-run so that the service can be managed by systemd (and it gives the service a nice name and stuff 😀).

I hope you find it useful (and I promise I'll stop spamming this issue now xD).

(Updated version in my repo https://github.com/chiraag-nataraj/firejail-profiles/)


@rieje commented on GitHub (Aug 15, 2018):

You shared so much, so you're begging for some noob questions (sorry). So are systemd and/or `gen_libraries` supposed to replace firejail entirely, or just resolve specific libraries for a particular version of firefox? Based on the script, it seems like it's the latter, but [here](https://github.com/chiraag-nataraj/firejail-profiles/) it says you don't use firejail (at all?) and use `gen_libraries` instead (or am I entirely misunderstanding? What are non-system processes, since you've said you use systemd for all system ones?).

Similarly, are the systemd sandboxing capabilities that you're using a full replacement for firejail or an addition to it?

Will `gen_libraries` be implemented by firejail in the future, or is it just something different that is supposed to be more "strict" than firejail? If the latter, why not?

You say you use systemd anyway, so it makes sense to use "sandboxing capabilities of systemd itself". Is this script an example of this? It looks like it's just running a systemd service which calls firejail and uses a list of libraries generated by `gen_libraries`.

Whatever sandboxing capabilities systemd offers aside, why do you run processes like firefox as a systemd service? Advantages/disadvantages? Do you do this with as many applications as possible or only those that are somehow more suitable to be run as services?

Lastly, are you looking to incorporate any part of that script (or what it does) to firejail?

Appreciate it, will be using your script and glad someone shares my use case.


@chiraag-nataraj commented on GitHub (Aug 15, 2018):

All good questions!

> So are systemd and/or `gen_libraries` supposed to replace firejail entirely, or just resolve specific libraries for a particular version of firefox? Based on the script, it seems like it's the latter, but here it says you don't use firejail (at all?) and use `gen_libraries` instead (or am I entirely misunderstanding? What are non-system processes, since you've said you use systemd for all system ones?).

It's a generic way to resolve libraries. Notably, the way it differs from the way firejail deals with private-lib is that private-lib will only resolve the libraries of binaries specified with private-bin (as well as any you list manually), while gen_libraries will find all ELF binaries (and shared libraries) and resolve all of their dependencies if passed a directory as an argument. It's a replacement/enhancement for private-lib, not for firejail or systemd. I only use it on things like firefox and dropbox, where there are binaries other than the ones listed in private-bin.

> Similarly, are the systemd sandboxing capabilities that you're using a full replacement for firejail or an addition to it?

I will flesh this out in more detail below, but basically, systemd has two different modes - system mode (i.e. the init part) and user mode (started when you log in). I use systemd directives to sandbox system services, while I use firejail to sandbox user services. To explore further, you can look in /lib/systemd/system and /lib/systemd/user and the output of systemctl status and systemctl --user status to get an idea of which services run as what.

> Will `gen_libraries` be implemented by firejail in the future, or is it just something different that is supposed to be more "strict" than firejail? If the latter, why not?

Unknown. You can see #1920 for a discussion of what led me to create the script in the first place. I don't think private-lib will be as powerful as this script without rewriting a bunch of things and possibly introducing new directives (e.g. private-lib-extra-dirs or something for directories to scan in addition to dealing with the binaries in private-bin). It's not supposed to be more "strict" or "loose" - as I mentioned above, it's more an extension of private-lib which helps when dealing with larger programs and/or programs that dynamically read dependencies (e.g. firefox).

> You say you use systemd anyway, so it makes sense to use "sandboxing capabilities of systemd itself". Is this script an example of this? It looks like it's just running a systemd service which calls firejail and uses a list of libraries generated by `gen_libraries`.

No, this script only deals with generating the library list that one can pass to --private-lib on the command line when launching firejail. So this script is useful, but doesn't do anything on its own (which is why it just defines a bash function!). In order to use it, you can look at the firefox.common script (or various others now in my repo). They all follow a similar pattern - use the function from gen_libraries to compile the list of libraries and then launch the program with systemd-run (so that it's launched as a systemd user service - something I happen to prefer).

The only way systemd figures in here is for service management. I'm not using any of systemd's sandboxing stuff in my user services (the ones I'm spawning with e.g. firefox.common).

> Whatever sandboxing capabilities systemd offers aside, why do you run processes like firefox as a systemd service? Advantages/disadvantages? Do you do this with as many applications as possible or only those that are somehow more suitable to be run as services?

I do this with most longer-running processes. I just happen to prefer it - it's not essential (which is why the later versions of my firefox.common script allow you to disable the systemd integration). One thing that is easier is checking if a program is running in the user session without having to use pgrep or pidof. This helps because if you use hidepid=2 (which I do), anything launched by firejail will not appear in "your" processes - that is, to your regular user, those processes are invisible. Hence, in that case, systemd is useful to keep track of what is running.

> Lastly, are you looking to incorporate any part of that script (or what it does) to firejail?

I'd like to see its functionality somehow incorporated, but I'm not quite sure how exactly we'd do it. I also don't really trust my C enough to rewrite that much code... 😜

> Appreciate it, will be using your script and glad someone shares my use case.

Glad to hear it! 🙂


@topimiettinen commented on GitHub (Aug 16, 2018):

I think Firejail and systemd provide roughly the same level of sandboxing features, for example for seccomp and networking. Firejail has private-lib and similar features and lots of tuning (or even hacks) to help specific user applications, while systemd has other features that firejail does not have (but they might be mostly interesting to system services). Perhaps the best is to use both as you have.

About the gen_libraries, I think your idea of private-lib-extra-dirs would cater for most (if not all) needs. A more flexible way could be to run program specific scripts before the program is launched and to cleanup after it exits (like /etc/firejail/pre-start.d/firefox.sh). Those scripts could copy additional material to the sandbox, remove unused files or do other setup.


@mindstormer12 commented on GitHub (Aug 28, 2018):

> I don't think `private-lib` will be as powerful as this script without rewriting a bunch of things and possibly introducing new directives (e.g. `private-lib-extra-dirs` or something for directories to scan in addition to dealing with the binaries in `private-bin`). It's not supposed to be more "strict" or "loose" - as I mentioned above, it's more an extension of `private-lib` which helps when dealing with larger programs and/or programs that dynamically read dependencies (e.g. `firefox`).

I don't know much about dynamic dependencies and I guess static ones. So `gen_libraries` only searches for dynamic ones and static ones still need to be specified (i.e. hardcoded)? Otherwise, wouldn't `gen_libraries` be more strict in the sense that it's more comprehensive than what `private-lib` offers (which uses `private-bin` and manually specified ones)?

> I only use it on things like `firefox` and `dropbox`, where there are binaries other than the ones listed in `private-bin`.

As a noob, how can I find out whether I should use `gen_libraries`? I guess I'll start off with whatever `*.common` scripts you have in your repo and everything else uses default `private-lib`? Just curious about the process of figuring out how to secure apps where possible when using the script. Also, whether you use systemd for system services or firejail for user services has nothing to do with whether you use `*.common` scripts and `gen_libraries`, right?

Thanks.

Reference: github-starred/firejail#1371