github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4050] question regarding running "firejail firefox" #2519

New issue
Closed
opened 2026-05-05 09:12:01 -06:00 by gitea-mirror · 7 comments
gitea-mirror commented 2026-05-05 09:12:01 -06:00
Owner
Copy link

Originally created by @Rosika2 on GitHub (Mar 5, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4050

system: Linux/Lubuntu 20.04.2 LTS, 64 bit
firejail version: 0.9.64.4
firetools version: 0.9.64

Hello altogether,

on https://wiki.ubuntuusers.de/firejail/#Anwendung (the German language forum of ubuntuusers.de) I recently stumbled upon a remark that made me think:

They discussed the topic of how to run programmes using firejail by default:

"To avoid having to open a terminal every time Firejail is used, symbolic links can be created in /usr/local/bin that point to the Firejail binary file", like so:

sudo ln -s /usr/bin/firejail firefox # Firefox will be executed within a firejail sandbox from now on

I get that but what I don´t understand is the following remark:

"Firefox is a special case and should always be started automatically in a Firejail sandbox. Otherwise situations are possible in which the command "firejail firefox" has no effect."
(translated from German)

I am a bit confused now. Is there any truth in this statement?

Because I start firefox by clicking on the respective icon in "firetools".
I edited the command thus:

firejail --private=/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2 firefox

Many thanks for your help in advance.

Greetings from Rosika

Originally created by @Rosika2 on GitHub (Mar 5, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4050 system: Linux/Lubuntu 20.04.2 LTS, 64 bit firejail version: 0.9.64.4 firetools version: 0.9.64 Hello altogether, on https://wiki.ubuntuusers.de/firejail/#Anwendung (the German language forum of ubuntuusers.de) I recently stumbled upon a remark that made me think: They discussed the topic of how to run programmes using firejail **by default**: "To avoid having to open a terminal every time Firejail is used, symbolic links can be created in /usr/local/bin that point to the Firejail binary file", like so: `sudo ln -s /usr/bin/firejail firefox # Firefox will be executed within a firejail sandbox from now on ` I get that but what I don´t understand is the following remark: "Firefox is a **special case** and should **always** be started **automatically** in a Firejail sandbox. Otherwise situations are possible in which the command "firejail firefox" _has no effect_." (translated from German) I am a bit confused now. **Is there any truth in this statement?** Because I start firefox by clicking on the respective icon in "firetools". I edited the command thus: `firejail --private=/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2 firefox` Many thanks for your help in advance. Greetings from Rosika
gitea-mirror 2026-05-05 09:12:01 -06:00
gitea-mirror commented 2026-05-05 09:12:04 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 5, 2021):

I think they mean that if you first start firefox w/o firejail (e.g. /usr/bin/firefox) and the run firejail firefox, the firejailed firefox talks to the unsandboxed, running instances and opens a new window/tab in it.

<!-- gh-comment-id:791409878 --> @rusty-snake commented on GitHub (Mar 5, 2021): I think they mean that if you first start firefox w/o firejail (e.g. `/usr/bin/firefox`) and the run `firejail firefox`, the firejailed firefox talks to the unsandboxed, running instances and opens a new window/tab in it.
gitea-mirror commented 2026-05-05 09:12:06 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (Mar 5, 2021):

@rusty-snake:

Hi and thanks a lot for your very fast response.

I see.
I completely understand your explanation and it makes perfect sense.
But wouldn´t that be valid of other programmes as well? If yes, then I´d think they shouldn´t have stated that firefox is a "special case"...

O.K. then. I´m a bit relieved now.
Plus: I think running "firejail --tree" or taking a look at what firetools tells me in its "Sandbox List" should be confirmation enough that a certain programme runs within firejail.

Many greetings and thanks again.
Rosika

<!-- gh-comment-id:791418062 --> @Rosika2 commented on GitHub (Mar 5, 2021): @rusty-snake: Hi and thanks a lot for your very fast response. I see. I completely understand your explanation and it makes perfect sense. But wouldn´t that be valid of other programmes as well? If yes, then I´d think they shouldn´t have stated that firefox is a "special case"... O.K. then. I´m a bit relieved now. Plus: I think running "firejail --tree" or taking a look at what firetools tells me in its "Sandbox List" should be confirmation enough that a certain programme runs within firejail. Many greetings and thanks again. Rosika
gitea-mirror commented 2026-05-05 09:12:07 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 5, 2021):

But wouldn´t that be valid of other programmes as well? If yes, then I´d think they shouldn´t have stated that firefox is a "special case"...

Just tried gedit, same. Almost every program with instance management has this.

<!-- gh-comment-id:791523735 --> @rusty-snake commented on GitHub (Mar 5, 2021): > But wouldn´t that be valid of other programmes as well? If yes, then I´d think they shouldn´t have stated that firefox is a "special case"... Just tried gedit, same. Almost every program with instance management has this.
gitea-mirror commented 2026-05-05 09:12:07 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (Mar 6, 2021):

@rusty-snake:

Hi again.
Thanks a lot for your confirmation. Good to know.

In the meantime I found in the firefox-guide on https://firejail.wordpress.com/documentation-2/firefox-guide/ :

If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process:
$ firejail firefox -no-remote

I think this is the scenario you described.

As I normally don´t have an instance of firefox running (especially not an un-sandboxed one) when starting
firejail --private=/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2 firefox
I think the decribed case should not be an issue for me.

Just out of curiosity:

Is there another way of checking if a certain process/programme is definitively running within firejail?
As already mentioned I normally use "firejail --tree" for checking that or (as an alternative) look at the "Sandbox List" in firetools.

Many greetings
Rosika

<!-- gh-comment-id:791927411 --> @Rosika2 commented on GitHub (Mar 6, 2021): @rusty-snake: Hi again. Thanks a lot for your confirmation. Good to know. In the meantime I found in the firefox-guide on https://firejail.wordpress.com/documentation-2/firefox-guide/ : > > If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process: > `$ firejail firefox -no-remote` I think this is the scenario you described. As I normally don´t have an instance of firefox running (especially not an un-sandboxed one) when starting `firejail --private=/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/work2 firefox` I think the decribed case should not be an issue for me. Just out of curiosity: Is there another way of checking if a certain process/programme is definitively running within **firejail**? As already mentioned I normally use "firejail --tree" for checking that or (as an alternative) look at the "Sandbox List" in **firetools**. Many greetings Rosika
gitea-mirror commented 2026-05-05 09:12:08 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 6, 2021):

Is there another way of checking if a certain process/programme is definitively running within firejail?

See #4034.

<!-- gh-comment-id:791936170 --> @ghost commented on GitHub (Mar 6, 2021): > Is there another way of checking if a certain process/programme is definitively running within firejail? See #4034.
gitea-mirror commented 2026-05-05 09:12:08 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 6, 2021):

@glitsj16 That's more a programmable way for the sandboxes program itself (though you can hack something with it, maybe by preloading a library). I think @Rosika2 is looking for a indicator to the user like #303.

Is there another way of checking if a certain process/programme is definitively running within firejail?

Although it is possible that it could also be faked by malicious programs, but to spot out configuration/usage mistakes you can use env to set a different GTK/QT theme (https://wiki.archlinux.org/index.php/Gtk#Themes and https://wiki.archlinux.org/index.php/Qt#Appearance).

<!-- gh-comment-id:791940214 --> @rusty-snake commented on GitHub (Mar 6, 2021): @glitsj16 That's more a programmable way for the sandboxes program itself (though you can hack something with it, maybe by preloading a library). I think @Rosika2 is looking for a indicator to the user like #303. > Is there another way of checking if a certain process/programme is definitively running within firejail? Although it is possible that it could also be faked by malicious programs, but to spot out configuration/usage mistakes you can use `env` to set a different GTK/QT theme (https://wiki.archlinux.org/index.php/Gtk#Themes and https://wiki.archlinux.org/index.php/Qt#Appearance).
gitea-mirror commented 2026-05-05 09:12:09 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (Mar 6, 2021):

@glitsj16 and @rusty-snake :

Thanks to both of you for your suggestions. They´re highly appreciated.

As far as [https://github.com/netblue30/firejail/issues/303] is concerned I see that the user wanted to have some kind of window decoration (or something like that) as some sort of optical feedback for the sandboxed process.

That´s really not necessary for me. All I´d like to ascertain is the fact that a ceratain process/programme (e.g.) firefox really runs within firejail.
I just wanted to know whether there are further means to check that out.
But I assume that firejail --tree should be good enough to be sure.

So thanks again to both of you for your help.
Many greetings.
Rosika

<!-- gh-comment-id:791945692 --> @Rosika2 commented on GitHub (Mar 6, 2021): @glitsj16 and @rusty-snake : Thanks to both of you for your suggestions. They´re highly appreciated. As far as [https://github.com/netblue30/firejail/issues/303] is concerned I see that the user wanted to have some kind of window decoration (or something like that) as some sort of optical feedback for the sandboxed process. That´s really not necessary for me. All I´d like to ascertain is the fact that a ceratain process/programme (e.g.) firefox really runs within firejail. I just wanted to know whether there are further means to check that out. But I assume that `firejail --tree` should be good enough to be sure. So thanks again to both of you for your help. Many greetings. Rosika
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2519
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?