[GH-ISSUE #1160] [Information] Firejail + Tor

gitea-mirror commented

2026-05-05 06:51:55 -06:00

Owner

Originally created by @chiraag-nataraj on GitHub (Mar 25, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1160

I thought I'd leave a little note here about an easy way to make jailed applications work with Tor when they don't have proxy options and don't respect HTTP_PROXY and its variants. You will need a program called proxychains (it should be in your repo).

Now trying something like proxychains firejail <program> or firejail --profile=<path to profile> proxychains <program> will not work since proxychains (and other programs like it) refuse to work on SUID binaries.

The key is to use --env. Use firejail --env="LD_PRELOAD=libproxychains.so.3" <program>. If you're using private-etc, make sure you whitelist proxychains.conf. If you're using private-bin, make sure you whitelist sh,dig,awk. Oh, and if you're using seccomp.keep, make sure you whitelist gettid,sigaltstack,epoll_create,getgroups,epoll_ctl,rt_sigsuspend,setsockopt,epoll_wait (I think that was all of them?).

Just thought I'd drop that by since I had a lot of trouble at first getting them to work together (I didn't want to use a bridge and other stuff that was detailed here: https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/). Hope this helps someone!

Originally created by @chiraag-nataraj on GitHub (Mar 25, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1160 I thought I'd leave a little note here about an easy way to make jailed applications work with Tor when they don't have proxy options and don't respect `HTTP_PROXY` and its variants. You will need a program called `proxychains` (it should be in your repo). Now trying something like `proxychains firejail <program>` or `firejail --profile=<path to profile> proxychains <program>` will not work since proxychains (and other programs like it) refuse to work on SUID binaries. The key is to use `--env`. Use `firejail --env="LD_PRELOAD=libproxychains.so.3" <program>`. If you're using `private-etc`, make sure you whitelist `proxychains.conf`. If you're using `private-bin`, make sure you whitelist `sh,dig,awk`. Oh, and if you're using `seccomp.keep`, make sure you whitelist `gettid,sigaltstack,epoll_create,getgroups,epoll_ctl,rt_sigsuspend,setsockopt,epoll_wait` (I think that was all of them?). Just thought I'd drop that by since I had a lot of trouble at first getting them to work together (I didn't want to use a bridge and other stuff that was detailed here: https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/). Hope this helps someone!

gitea-mirror

2026-05-05 06:51:55 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 06:52:00 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 26, 2017):

It is by far the best Tor/Firejail howto I've seen so far. I have a link to them here: https://firejail.wordpress.com/2017/03/13/into-the-void-firejail-with-tor-howto/

@netblue30 commented on GitHub (Mar 26, 2017): It is by far the best Tor/Firejail howto I've seen so far. I have a link to them here: https://firejail.wordpress.com/2017/03/13/into-the-void-firejail-with-tor-howto/

gitea-mirror commented

2026-05-05 06:52:02 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Mar 27, 2017):

Yeah, I mean...I saw that. Just felt that this is an alternative that works if you have very few applications that won't obey the proxy settings (and if you're using proxychains or something like it already).

@chiraag-nataraj commented on GitHub (Mar 27, 2017): Yeah, I mean...I saw that. Just felt that this is an alternative that works if you have very few applications that won't obey the proxy settings (and if you're using proxychains or something like it already).

gitea-mirror commented

2026-05-05 06:52:04 -06:00

Author

Owner

@ghost commented on GitHub (Apr 25, 2017):

I'm getting the following result: "ERROR: ld.so: object 'libproxychains.so.3' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored"

I've also tryied using the guide @netblue30 pointed out. But got stuck at the third quotation box, the one that starts with " firejail --net=tornet /bin/bash". After firejailing bash, using the command " host www.debian.org" returns ";; connection timed out; no servers could be reached".

I'm using Debian Jessie with the firejail version available through jessie-backports, that is, "0.9.44.8-1~bpo8+". bridge-utils and proxychains are in versions "1.5-9" and "3.1-6" respectively.

@ghost commented on GitHub (Apr 25, 2017): I'm getting the following result: "ERROR: ld.so: object 'libproxychains.so.3' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored" I've also tryied using the guide @netblue30 pointed out. But got stuck at the third quotation box, the one that starts with "$ firejail --net=tornet /bin/bash". After firejailing bash, using the command "$ host www.debian.org" returns ";; connection timed out; no servers could be reached". I'm using Debian Jessie with the firejail version available through jessie-backports, that is, "0.9.44.8-1~bpo8+". bridge-utils and proxychains are in versions "1.5-9" and "3.1-6" respectively.

gitea-mirror commented

2026-05-05 06:52:06 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (Apr 27, 2017):

Hmmm...are you trying to run an SUID binary with proxychains? That is, is the application you're running with firejail an SUID binary?

@chiraag-nataraj commented on GitHub (Apr 27, 2017): Hmmm...are you trying to run an SUID binary with proxychains? That is, is the application you're running with firejail an SUID binary?

gitea-mirror commented

2026-05-05 06:52:09 -06:00

Author

Owner

@ghost commented on GitHub (Apr 27, 2017):

I wouldn't know how to identify an SUID binary, sorry. But indeed, I messed up by not providing the command I've used for this attempt. I've used "firejail --env="LD_PRELOAD=libproxychains.so.3" chromium". And this is the firejail profile used for this particular application:

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/chromium.local

# Chromium browser profile
noblacklist ~/.config/chromium
noblacklist ~/.cache/chromium
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc

whitelist ${DOWNLOADS}
mkdir ~/.config/chromium
whitelist ~/.config/chromium
mkdir ~/.cache/chromium
whitelist ~/.cache/chromium
mkdir ~/.pki
whitelist ~/.pki

# specific to Arch
whitelist ~/.config/chromium-flags.conf

include /etc/firejail/whitelist-common.inc

ipc-namespace
netfilter
nogroups
shell none

private-dev
private-tmp

noexec ${HOME}
noexec /tmp

Thank you for giving this matter your time and consideration. ;)

@ghost commented on GitHub (Apr 27, 2017): I wouldn't know how to identify an SUID binary, sorry. But indeed, I messed up by not providing the command I've used for this attempt. I've used "firejail --env="LD_PRELOAD=libproxychains.so.3" chromium". And this is the firejail profile used for this particular application: ``` # This file is overwritten during software install. # Persistent customizations should go in a .local file. include /etc/firejail/chromium.local # Chromium browser profile noblacklist ~/.config/chromium noblacklist ~/.cache/chromium noblacklist ~/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc # chromium is distributed with a perl script on Arch # include /etc/firejail/disable-devel.inc whitelist ${DOWNLOADS} mkdir ~/.config/chromium whitelist ~/.config/chromium mkdir ~/.cache/chromium whitelist ~/.cache/chromium mkdir ~/.pki whitelist ~/.pki # specific to Arch whitelist ~/.config/chromium-flags.conf include /etc/firejail/whitelist-common.inc ipc-namespace netfilter nogroups shell none private-dev private-tmp noexec ${HOME} noexec /tmp ``` Thank you for giving this matter your time and consideration. ;)

gitea-mirror commented

2026-05-05 06:52:12 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 1, 2017):

Ah, that's why - chromium uses an SUID helper to create its own sandbox. From what I remember, though, chromium should respect the system proxy settings (so if you use something like privoxy, you can just export http_proxy=localhost:8118, https_proxy=localhost:8118, and the uppercase equivalents and Chromium should Just Work™ 😄)

@chiraag-nataraj commented on GitHub (May 1, 2017): Ah, that's why - chromium uses an SUID helper to create its own sandbox. From what I remember, though, chromium should respect the system proxy settings (so if you use something like privoxy, you can just export `http_proxy=localhost:8118`, `https_proxy=localhost:8118`, and the uppercase equivalents and Chromium should Just Work™ 😄)

gitea-mirror commented

2026-05-05 06:52:14 -06:00

Author

Owner

@ghost commented on GitHub (May 2, 2017):

I see @chiraag-nataraj. Anyway, I used Chromium just for testing as I normally use a firejailed Tor Browser. I've now tested the command with another application using the command "firejail --env="LD_PRELOAD=libproxychains.so.3" trans word" and it worked. Anyway, in the case this problem arises in the future, do you have a source I could refer to in order to lear how to setup my system's proxy settings? As of now, it has none. Also, is it possible to declare this environment variable using the applicattion's firejail profile?

Thanks!

@ghost commented on GitHub (May 2, 2017): I see @chiraag-nataraj. Anyway, I used Chromium just for testing as I normally use a firejailed Tor Browser. I've now tested the command with another application using the command "firejail --env="LD_PRELOAD=libproxychains.so.3" trans word" and it worked. Anyway, in the case this problem arises in the future, do you have a source I could refer to in order to lear how to setup my system's proxy settings? As of now, it has none. Also, is it possible to declare this environment variable using the applicattion's firejail profile? Thanks!

gitea-mirror commented

2026-05-05 06:52:17 -06:00

Author

Owner

@chiraag-nataraj commented on GitHub (May 5, 2017):

Basically, you'll have to export environment variables (that's the easiest way of doing it in my experience): https://justintung.com/2013/04/25/how-to-configure-proxy-settings-in-linux/

I would think you would be able to pass it using --env, so yes.

@chiraag-nataraj commented on GitHub (May 5, 2017): Basically, you'll have to export environment variables (that's the easiest way of doing it in my experience): https://justintung.com/2013/04/25/how-to-configure-proxy-settings-in-linux/ I would think you would be able to pass it using `--env`, so yes.

gitea-mirror referenced this issue

2026-05-05 10:07:19 -06:00

[PR #798] [MERGED] Quiet SSH config #3755

Rows
Columns

[GH-ISSUE #1160] [Information] Firejail + Tor #798