[GH-ISSUE #5046] One time private application (no sharing) #2864

Closed
opened 2026-05-05 09:31:29 -06:00 by gitea-mirror · 1 comment
Owner

Originally created by @ghost on GitHub (Mar 14, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5046

I am sorry for asking this here but I don't know where else I could have.

I am interested in using firejail for creating a disposable sandbox for a browser.

The thing is, while that instance is running it should not allow anyone to access its contents by running a command.

It should be restricted to the window that it created in the first place.

This is for security reasons.

Is this something that firejail supports and if any special parameters are required, what would those be?

Author
Owner

@smitsohu commented on GitHub (Mar 14, 2022):

Firejail creates a security boundary between inside the sandbox and outside the sandbox.

Code running inside the sandbox should not be able to do things that we didn't allow it to do. Firejail pretty much doesn't care about the world outside the sandbox. What you want to do is not part of the job description of a sandbox.

It is not impossible that a sandbox can help to achieve your goals, for example by blocking D-Bus and other IPC channels, as for IPC it doesn't matter which end you block. It might make sense to use a new network namespace (`--net`). But Firejail and similar tools will always fall short of a comprehensive solution.

What I would try in your place is running the browser as a different user in a Wayland session, which should solve most of the obvious problems. Check `/proc/sys/kernel/yama/ptrace_scope`, it should exist and be set to `1` or higher (to defend the Wayland server). Even then a talented adversary might find workarounds. I don't think this is an easy task.

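The reply above lists three concrete measures: check `ptrace_scope`, block D-Bus and other IPC, and put the browser in its own network namespace. The script below, an added example that is neither firejail's own code nor from the thread, checks the Yama setting and assembles a firejail command line from standard options (`--private`, `--dbus-user=none`, `--dbus-system=none`, `--ipc-namespace`, `--net`); the browser name and the network interface are placeholder arguments.

```shell
#!/bin/sh
# Added example: checks the kernel setting the reply asks for and builds a
# firejail command that closes the IPC channels it lists. It prints the
# command rather than running it so the pieces can be checked separately.

# Return 0 when a ptrace_scope value is 1 or higher (the reply's threshold).
# Takes the value as an argument so it can be tested against sample values.
ptrace_scope_ok() {
    case "$1" in
        1|2|3) return 0 ;;
        *)     return 1 ;;
    esac
}

# Read the live kernel setting. A missing file fails too, because the reply
# asks for the file to exist (it is absent when the Yama LSM is not built in).
check_live_ptrace_scope() {
    f=/proc/sys/kernel/yama/ptrace_scope
    if [ ! -r "$f" ]; then
        echo "$f missing: kernel has no Yama LSM" >&2
        return 1
    fi
    v=$(cat "$f")
    if ! ptrace_scope_ok "$v"; then
        echo "ptrace_scope=$v, expected 1 or higher" >&2
        return 1
    fi
    echo "ptrace_scope=$v"
}

# Build the firejail invocation:
#   --private           disposable home directory, discarded on exit
#   --dbus-user=none    no session bus   } the D-Bus channels the reply
#   --dbus-system=none  no system bus    } suggests blocking
#   --ipc-namespace     separate SysV IPC / POSIX MQ namespace
#   --net=<iface>       new network namespace on a macvlan of <iface>
# Arguments: browser command (placeholder default) and host interface
# (placeholder default; adjust to the real uplink interface).
build_firejail_cmd() {
    browser=${1:-firefox}
    iface=${2:-eth0}
    printf 'firejail --private --dbus-user=none --dbus-system=none --ipc-namespace --net=%s %s\n' \
        "$iface" "$browser"
}
```

Run `check_live_ptrace_scope` first and only `eval "$(build_firejail_cmd firefox eth0)"` when it succeeds; the script deliberately performs no top-level actions.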
Reference: github-starred/firejail#2864