[GH-ISSUE #3197] difference with LXC #1997

Closed
opened 2026-05-05 08:40:11 -06:00 by gitea-mirror · 5 comments
Originally created by @baptx on GitHub (Jan 29, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3197

Hello, is there a security difference between firejail and LXC? Is firejail using LXC?
I guess firejail is fine to use with trusted apps (in case of a security bug to limit filesystem access) but if the app is untrusted / not open source, the best thing to do is to run it in an LXC container with Apparmor through VNC.
Maybe it can be clarified in the README file that firejail does not prevent keyloggers logging keys in the background and spyware taking screenshots of the entire desktop (unlike LXC with VNC or X2Go).


@rusty-snake commented on GitHub (Jan 29, 2020):

> Hello, is there a security difference between firejail and LXC?

Yes. Usage: firejail is easier for new users. Security: (example) disable-programs.inc, ...

> Is firejail using LXC?

No, but both use the same kernel functions such as Namespaces.

> if the app is untrusted / not open source

Not Open Source != untrusted (My opinion)

If it is really untrusted (e.g. malware), you should not execute it at all. If you do have to, you should do it in a VM.

> firejail does not prevent keyloggers logging keys in the background and spywares taking screenshots of the entire desktop

You can use X11 isolation with `--x11=xephyr` for example.


@baptx commented on GitHub (Jan 29, 2020):

Thanks, I consider closed source software untrusted since there could be spyware hidden, but it could also happen for open source software that is not in an official Linux distribution package, so it is better to run it in a container (other people mentioned it here: https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/). I think it is enough to run untrusted software in LXC using VNC, which will be more lightweight than a VM.
Good to know the X11 isolation with `--x11=xephyr`, I guess this provides the same security as LXC using VNC, which provides X11 isolation too?
What do you mean by "Security: (example) disable-programs.inc"?


@rusty-snake commented on GitHub (Jan 29, 2020):

> What do you mean by "Security: (example) disable-programs.inc"?

If you allow access to your real $HOME, firejail has a long list of `blacklist`/`read-only` paths for files/dirs where it makes sense to be read-only in the sandbox (like .bashrc) or to be blacklisted (= inaccessible) (like ~/.mozilla).


@baptx commented on GitHub (Jan 29, 2020):

I noticed that by default firejail allows access to the home directory, compared to LXC. That's a good difference to have in mind when using untrusted apps. But it can be fixed by using `--private` and copying the untrusted app into the `/tmp` folder.

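The two comments above (the `blacklist`/`read-only` rules from disable-programs.inc, and the observation that the default profile still exposes the home directory unless `--private` is used) both come down to one question: once the app is running, is the sensitive part of the home directory and the host X socket actually out of reach? The following is an added example, not code from the firejail project or from anyone in this thread. It is a small POSIX shell self-check meant to be run inside the sandbox (for instance via `firejail --private sh check.sh`, where `check.sh` is a hypothetical file name): it counts sensitive locations that are still readable, shell start-up files that are still writable, and whether the host X server socket is reachable. The lists of paths are assumptions chosen for illustration, not firejail's actual rule set.

```shell
#!/bin/sh
# Added example (not firejail project code): run inside a sandbox to verify
# that the home-directory and X11 exposure discussed in the thread has been
# reduced. With an unrestricted $HOME the counts are non-zero; with a private
# home or blacklist/read-only rules they should drop to zero.
set -u

# Count directories under home dir $1 that are still readable.
# The set of "should be blacklisted" locations is an assumption for illustration.
count_readable_secrets() {
    home=$1
    n=0
    for p in .mozilla .ssh .gnupg .config/keyrings; do
        [ -r "$home/$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Count shell start-up files under $1 that are still writable. A sandboxed
# app that can edit .bashrc gains persistence outside the sandbox, so these
# should be read-only (or absent) inside it.
count_writable_rc() {
    home=$1
    n=0
    for f in .bashrc .profile .bash_profile; do
        [ -w "$home/$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Succeed (return 0) if the host X server socket for display number $2 is
# reachable under socket dir $1 (normally /tmp/.X11-unix). With --x11=xephyr
# the app talks to a nested server, so the host socket should not be present.
host_x_socket_reachable() {
    dir=${1:-/tmp/.X11-unix}
    num=${2:-0}
    [ -S "$dir/X$num" ]
}

# Combined verdict: prints SANDBOXED when nothing leaks, LEAKS otherwise.
# Usage: sandbox_verdict [home] [x-socket-dir] [display-number]
sandbox_verdict() {
    home=${1:-$HOME}
    xdir=${2:-/tmp/.X11-unix}
    xnum=${3:-0}
    total=$(( $(count_readable_secrets "$home") + $(count_writable_rc "$home") ))
    if host_x_socket_reachable "$xdir" "$xnum"; then
        total=$((total + 1))
    fi
    if [ "$total" -eq 0 ]; then
        echo SANDBOXED
    else
        echo LEAKS
    fi
}
```

Running `sandbox_verdict` with no arguments inside the sandbox uses the sandbox's own `$HOME` and the default X socket directory; comparing the result of a plain `firejail sh check.sh` with `firejail --private --x11=xephyr sh check.sh` shows concretely which exposure each option removes.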

@rusty-snake commented on GitHub (Mar 14, 2020):

I'm closing here due to inactivity, please feel free to reopen if you have more questions.
