mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #3079] noroot option is not available #1931
Originally created by @CocoR55 on GitHub (Dec 14, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3079
Bonjour,
I am trying Firejail with Linux Mint 19.2 Mate
firejail version 0.9.60
Download comes from https://firejail.wordpress.com/download-2/
Installation is made by dpkg -i firejail_0.9.60_1_amd64.deb
Command was $ sudo firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: noroot option is not available
Parent pid 2708, child pid 2709
The new log directory is /proc/2709/root/var/log (I don't find it)
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
*** Warning: cannot whitelist ${DOWNLOADS} directory
*** Any file saved in this directory will be lost when the sandbox is closed.
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,vhangup,vmsplice,
Child process initialized in 185.39 ms
No protocol specified
Unable to init server: Impossible to connect : Refused connexion 😨
Error: cannot open display: :0
Parent is shutting down, bye...
I looked at firefox.profile, then firefox-common.profile: noroot is mentioned but apparently not available.
Do you have any idea how to fix this problem?
Regards,
Leloup78
@ghost commented on GitHub (Dec 14, 2019):
There's your issue:
noroot is not supported for sandboxes started as root (see man firejail). Trying to run firefox as root will get you into all kinds of trouble. Drop the sudo and you should be fine.
@CocoR55 commented on GitHub (Dec 14, 2019):
Bonjour glitj16,
You are right. I looked at man firejail, and if sudo is dropped I don't see the noroot warning any more.
Nevertheless, other warnings appeared:
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,m............//.............vhangup,vmsplice,
Child process initialized in 71.87 ms
[ERROR audio_thread_priority::rt_linux] setrlimit64: 1
(firefox:9): LIBDBUSMENU-GLIB-WARNING **: 17:18:59.993: Unable to get session bus: Impossible de se connecter : Permission non accordée
I tried firejail --noroot firefox
Result is the same.
I tried without any sandbox, I think.
firejail --noprofile firefox
Parent pid 7707, child pid 7708
Child process initialized in 10.88 ms
[ERROR audio_thread_priority::rt_linux] setrlimit64: 1
The issue looks similar.
This is better but there's still something wrong with it. Do you have another good idea?
Regards,
Leloup78
@rusty-snake commented on GitHub (Dec 14, 2019):
@CocoR55 what happens without any sandbox (/bin/firefox).
@CocoR55 commented on GitHub (Dec 14, 2019):
Bonjour rusty-snake,
~$ firejail --noprofile firefox
Parent pid 8093, child pid 8094
Child process initialized in 9.52 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
Parent is shutting down, bye...
And the firefox page opens up. That works.
Regards,
CocoR55
@ghost commented on GitHub (Dec 14, 2019):
@CocoR55 I hope you still see this now you've closed the issue. It's important to understand that running an application with --noprofile offers NO security, and should only be used as a temporary debugging feature. Let's reopen this and try to determine what's going on exactly.
There are a few warnings in your earlier post that are harmless:
This stems from the nogroups option in /etc/firejail/firefox-common.profile and can be ignored here.
These warnings stem from the fact that nodbus is enabled in /etc/firejail/firefox-common.profile. See the comments inside that file for more info. If you need DBUS functionality, the proper way to do that is to use an override file containing ignore nodbus in either ${HOME}/.config/firejail/firefox-common.local (affecting your user only) or /etc/firejail/firefox-common.local (affecting all users on your machine).
That leaves us with this one:
I'm not entirely sure, but that might be due to the fact that you're running a realtime kernel (rt_linux). Correct? If so, you can try to give firefox the proper capabilities by putting these lines in the aforementioned firefox-common.local file:
Regards
@CocoR55 commented on GitHub (Dec 14, 2019):
I reinstalled firejail, then suppressed the firewall; more precisely, all traffic is allowed.
Then $sudo firecfg
then $sudo apparmor_parser -r /etc/apparmor.d/firejail-default
then $firejail firefox
Looks like it's working. I can open a firefox page without any problem. I didn't see the personal folder named Documents from the command file://home in the firefox browser.
~$ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5633, child pid 5634
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,vhangup,vmsplice,
Child process initialized in 97.19 ms
Warning: an existing sandbox was detected. /usr/bin/firefox will run without any additional sandboxing features
Parent is shutting down, bye...
However, whatever application I open, it is in a sandbox... strange...
$ firejail --tree
6572:michaou::/usr/bin/firejail /usr/bin/xed /home/michaou/Bureau/nouveau fichier
6574:michaou::/usr/bin/firejail /usr/bin/xed /home/michaou/Bureau/nouveau fichier
6578:michaou::/usr/bin/xed /home/michaou/Bureau/nouveau fichier
6637:michaou::/usr/bin/firejail /usr/bin/wireshark /home/michaou/Bureau/test_Societe_G.pcapng
6639:michaou::/usr/bin/firejail /usr/bin/wireshark /home/michaou/Bureau/test_Societe_G.pcapng
6641:michaou::/usr/bin/wireshark /home/michaou/Bureau/test_Societe_G.pcapng
6808:michaou::/usr/bin/firejail /usr/bin/gnome-calculator
6811:michaou::/usr/bin/firejail /usr/bin/gnome-calculator
6818:michaou::/usr/bin/gnome-calculator
6824: (zombie)
$ firejail --list
6572:michaou::/usr/bin/firejail /usr/bin/xed /home/michaou/Bureau/nouveau fichier
6637:michaou::/usr/bin/firejail /usr/bin/wireshark /home/michaou/Bureau/test_Societe_G.pcapng
6808:michaou::/usr/bin/firejail /usr/bin/gnome-calculator
6827:michaou::/usr/bin/firejail /usr/bin/firefox
@rusty-snake commented on GitHub (Dec 14, 2019):
Reason: ${DOCUMENTS} is not whitelisted. xed, wireshark, gnome-calculator, firefox have firejail profiles.
@CocoR55 commented on GitHub (Dec 15, 2019):
Bonjour all,
I wrote a little fast and I wasn't clear. If I don't see the Documents folder, it's because the sandbox works fine. It isolates private folders. I downloaded some music and was able to check it out.
However, I had understood that to include an application in the sandbox, you had to run the command $firefox application-to-launch, but this is not the case. Apparently, it's not the user's choice but firejail's. It chooses which application is or is not in the sandbox.
Are you okay with that?
Regards,
CocoR55
@rusty-snake commented on GitHub (Dec 15, 2019):
You mean firejail, not firefox. And this is the command to run a program in the firejail sandbox. It is a user choice, because you can run any program in a sandbox with this command. The misunderstanding you have is about the list of programs sandboxed by default; those are created by running sudo firecfg. This creates symlinks in /usr/local/bin for most programs where a firejail profile exists. Yes, only programs which have a profile run in a sandbox by default. If any program were sandboxed by default, a lot of programs without a profile would not work.
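An added example, not code from the firejail project or from anyone in this thread, that turns the two answers above into checks: noroot only takes effect when the sandbox is not started as root, and a program is sandboxed by default only where firecfg placed a symlink to firejail in /usr/local/bin. The function names and the BIN_DIR/PROFILE_DIR overrides are assumptions so the checks can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not code from the firejail project or from this thread.
# Two checks that follow from the answers above:
#  1. noroot_effective: "noroot" in a profile only takes effect when the sandbox
#     is NOT started as root (the answer to the original question: drop the sudo).
#  2. sandbox_status: after "sudo firecfg", a program is sandboxed by default only
#     if /usr/local/bin/<name> is a symlink to firejail; otherwise it must be
#     started explicitly with "firejail <name>".
# BIN_DIR and PROFILE_DIR are assumed overridable so the checks can run against a
# constructed directory tree instead of the live system.

BIN_DIR="${BIN_DIR:-/usr/local/bin}"
PROFILE_DIR="${PROFILE_DIR:-/etc/firejail}"

# noroot_effective UID PROFILE_FILE -> prints "yes" or "no"
noroot_effective() {
    uid="$1"
    profile="$2"
    if [ "$uid" -eq 0 ]; then
        echo no                       # started as root: the option is ignored
    elif grep -q '^noroot[[:space:]]*$' "$profile" 2>/dev/null; then
        echo yes                      # profile asks for it and we are unprivileged
    else
        echo no                       # profile does not request noroot
    fi
}

# sandbox_status NAME -> prints one of:
#   default  : firecfg symlink present; typing "NAME" alone already runs it in firejail
#   explicit : profile exists but no symlink; needs "firejail NAME"
#   none     : no profile and no symlink
sandbox_status() {
    name="$1"
    link="$BIN_DIR/$name"
    profile="$PROFILE_DIR/$name.profile"
    if [ -L "$link" ] && [ "$(basename "$(readlink "$link")")" = "firejail" ]; then
        echo default
    elif [ -f "$profile" ]; then
        echo explicit
    else
        echo none
    fi
}

# Usage: sh check.sh firefox xed gnome-calculator
for prog in "$@"; do
    printf '%-16s %s\n' "$prog" "$(sandbox_status "$prog")"
done
```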
@ghost commented on GitHub (Dec 15, 2019):
I'm closing this, the original question about noroot has been answered.
@CocoR55 Feel free to open a new issue if you encounter problems/have other questions.