
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
1 answer
2288 views
How to run external executables within firejail
My machine is a home desktop (personal) running Debian Buster with the i3 window manager. I recently installed firejail with `apt install firejail* firetools` and also downloaded the new Firefox 83 browser from the official Firefox website. I can run the firefox binary as a non-firejail user, as in, navigating to the new firefox directory and running

```
[user@debian]:$ ./firefox
```

It works fine and all. However, if I try doing

```
firejail --noprofile --seccomp --private --nonewprivs /home/user/downloads/firefox/firefox
```

it says the file firefox isn't executable. Running `ls -l` on the executable returns that it is executable. Then I copied the whole new firefox directory to /tmp/, then opened a new firejail bash session with `firejail --seccomp --private --nonewprivs bash`, which started a sandboxed bash session. Then I copied the firefox directory from /tmp/ to $HOME and tried running the firefox binary from there, and it says permission denied. The file was executable, and was owned by the same user. What am I doing wrong here?
atheros (256 rep)
Dec 2, 2020, 09:31 AM • Last activity: Jul 19, 2025, 10:01 PM
7 votes
3 answers
3892 views
firejail : only let a program access localhost
I have this local network service and this client program needing to access it. I am running them both as an unprivileged user. I am looking for a way to sandbox the client using firejail, in a way that it cannot access the network, except for localhost (or even better, except for that service).

The first thing I tried was of course

```
firejail --net=lo program
```

But it didn't work:

```
Error: cannot attach to lo device
```

I think I could work around it by creating a virtual network interface, for example veth0 and veth1, moving veth1 to a new network namespace in which I'd run the service, and using firejail to restrain the client to veth0.

Is there a way to actually automate this setting in a firejail profile, so that all of these interfaces are created and veth1 is moved when I type `firejail server` (without having to run anything as root)? Or is there a simpler way to solve this problem? (I cannot run both the client and the service in the same namespace, because the service needs to access the network.)
tbrugere (1084 rep)
Oct 27, 2018, 03:56 PM • Last activity: Feb 10, 2025, 05:50 PM
0 votes
0 answers
63 views
Firejail video access from shell
I have been playing around with firejail and tried to get a profile where access to the webcam is blocked. I tried this with 'cheese' as an application, which shows the webcam, and found `--novideo` in the documentation. So:

```sh
$ firejail --novideo cheese
```

And success, no video found. But if I use that same configuration with a shell:

```sh
$ firejail --novideo bash
```

and then start cheese from there, video works fine. So access to the webcam is still possible? Does cheese connect to some other process? I tried other promising settings, but I was always able to have cheese access the webcam. I assume if that program can access it, other programs could as well.
bananabook (92 rep)
Aug 17, 2024, 10:15 AM
3 votes
0 answers
461 views
How to run a child process inside firejail sandbox?
Hello Linux folks, I need help running a Java program in a firejail sandbox:

```
firejail --private --trace java -jar program.jar
```

But this program can't spawn a child process (chromium) due to sandbox restrictions. The trace error:

```
3: java:lstar64 /home/username/.program/101.0.4951.54/chrome-sandbox:0
3: java:access /proc/self/ns/user:0
3:java:access /proc/sys/kernel/unprivileged_userns_clone:0
3:java:open64 /proc/sys/kernel/unprivileged_userns_clone:47
```

If I run the program without firejail it successfully spawns the child process, but when run with firejail it does not spawn it. It seems I can't spawn this child process due to the restricted process using firejail. Any help will be appreciated.
geek (177 rep)
May 22, 2022, 02:14 PM • Last activity: Jul 24, 2023, 07:36 AM
-6 votes
1 answer
521 views
How can I mitigate the keylogging issue of Xorg?
My plan is to:

- Turn off listening to all sockets, and initiate X through a command such as: `Xorg -nolisten tcp -nolisten inet -nolisten inet6 -nolisten unix -nolisten local :0 -seat seat0 vt7 -novtswitch` (although I don't know how to prevent X running entirely without this configuration)
- Run Xorg rootless, which is far more difficult than it seems considering I don't want to use GNOME or GDM. At the moment I'm using LightDM and XFCE. I did manage to get rootless Xorg working on SDDM, but it's quite buggy. Again the insanity of this baffles me.
- FireJail the main X server and only allow communication through for specific inputs (keyboard, mouse, screen, Xephyr). So for this I'd prevent anything speaking to the X server directly other than these applications/devices, thereby forcing GUI applications to use the proxy of Xephyr. It should also keep everything sandboxed to hopefully prevent possible zero-day attacks.
- Use seccomp namespacing through FireJail on both applications and the X server to try and further isolate everything.

However, the reality of implementing these measures is much more difficult than I realised, as I've seen with FireJail and Xephyr still not preventing keylogging. Is there anything I should add to the list above? It would be good if we could compile a list in this thread of all the possible fixes to help other people out who are also probably struggling in the same way. What kind of protections do you guys have in place to prevent keylogging (and other issues) on X11 and Xorg? This is a huge issue which affects just about every GUI computer which runs Linux, so I absolutely can't and don't believe there's nothing which can be done to prevent this, as it's such a notorious issue. Really interested to hear what you all think.
anon
Jan 22, 2023, 06:56 PM • Last activity: Jan 22, 2023, 10:32 PM
2 votes
1 answer
938 views
Firejail --private can't launch .sh file in home directory
I can create a bash script, then launch it using firejail with the private option:

```
phil@GLaDOS:~$ echo "echo success" > /media/phil/Stockage/firejailtest.sh; chmod +x /media/phil/Stockage/firejailtest.sh
phil@GLaDOS:~$ firejail --noprofile --private /media/phil/Stockage/firejailtest.sh
Parent pid 117110, child pid 117111
Child process initialized in 8.67 ms
success

Parent is shutting down, bye...
```

Which works fine. However, if my script is in my home directory, or any folder in the home directory, the above will fail:

```
phil@GLaDOS:~$ echo "echo success" > /home/phil/firejailtest.sh; chmod +x /home/phil/firejailtest.sh
phil@GLaDOS:~$ firejail --noprofile --private /home/phil/firejailtest.sh
Parent pid 117357, child pid 117358
Child process initialized in 8.73 ms
/bin/bash: ligne 1: /home/phil/firejailtest.sh: No such file or directory

Parent is shutting down, bye...
```

How do I launch a script or program within my home directory, with firejail, using "private" to ensure no modification is made to any of my files?
sayanel (370 rep)
Sep 22, 2022, 12:32 PM • Last activity: Sep 23, 2022, 07:11 PM
1 vote
0 answers
91 views
How to run GNU Emacs 28 in firejail with the firefox profile?
I'd like to be able to run GNU Emacs 28 from a Firefox running in firejail, but it gives the following error:

```
emacs: could not load dump file "/usr/libexec/emacs/28.1/x86_64-linux-gnu/emacs.pdmp": Permission denied
```

because of

```
$ ls -ld /usr/libexec
dr-------- 2 nobody nogroup 40 2022-08-22 18:05:49 /usr/libexec
```

The following lines in my ~/.config/firejail/firefox-common.local file do not solve the problem:

```
ignore blacklist /usr/libexec
noblacklist /usr/libexec
whitelist /usr/libexec/emacs
```

(and `whitelist /usr/libexec` gives an error). Any idea?

**EDIT:** As a workaround to the /usr/libexec issue, I can add `noblacklist /usr/libexec` to ~/.config/firejail/firefox.local since it is run earlier, but the goal is to add everything to ~/.config/firejail/firefox-common.local since it is more general (run by more profiles), in case I would want to use a different web browser profile.
vinc17 (12504 rep)
Aug 24, 2022, 03:05 AM • Last activity: Aug 24, 2022, 01:28 PM
1 vote
1 answer
3453 views
Sandboxing Firefox using firejail: Download directory
I have been using firejail for sandboxing my application in Ubuntu. It has a `--private` option. I was using

```
firejail --private=/home/user/Desktop firefox
```

When I try to download a file from Firefox it stores it in a directory called `Download` inside firejail. Is it possible to get it to store in `/home/user/Desktop`?
network (33 rep)
Jan 12, 2020, 10:10 AM • Last activity: Oct 11, 2021, 07:05 AM
1 vote
1 answer
1097 views
Firejail not hiding files with Brave browser
If I run the following:

```
firejail brave-browser
```

And then try and access files in the browser (such as when uploading a file), Brave still has access to my entire home folder. Usually this doesn't happen with Firejail. I've tried it with Firefox, and it only gives access to the `~/Downloads` folder. I've verified Firejail is running with `firejail --list`:

```
18974:daniel::firejail /usr/bin/brave-browser-stable
```

So I'm not sure what the problem is. The exact same command works with Firefox, so why isn't it hiding files with Brave?

## Environment

* OS: Pop!_OS 21.04
* GNOME version: 3.38.5
* Brave browser: v1.29.81 (installed with apt)

### /etc/firejail/brave.profile

```
# Firejail profile for brave
# Description: Web browser that blocks ads and trackers by default.
# This file is overwritten after every install/update
# Persistent local customizations
include brave.local
# Persistent global definitions
include globals.local

# noexec /tmp is included in chromium-common.profile and breaks Brave
ignore noexec /tmp
# TOR is installed in ${HOME}
ignore noexec ${HOME}

noblacklist ${HOME}/.cache/BraveSoftware
noblacklist ${HOME}/.config/BraveSoftware
noblacklist ${HOME}/.config/brave
noblacklist ${HOME}/.config/brave-flags.conf
# brave uses gpg for built-in password manager
noblacklist ${HOME}/.gnupg

mkdir ${HOME}/.cache/BraveSoftware
mkdir ${HOME}/.config/BraveSoftware
mkdir ${HOME}/.config/brave
whitelist ${HOME}/.cache/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/brave
whitelist ${HOME}/.config/brave-flags.conf
whitelist ${HOME}/.gnupg

# Brave sandbox needs read access to /proc/config.gz
noblacklist /proc/config.gz

# Redirect
include chromium-common.profile
```

### /etc/firejail/brave-browser.profile

```
# Firejail profile alias for brave
# This file is overwritten after every install/update

# Persistent local customizations
include brave-browser.local

# Redirect
include brave.profile
```
Daniel (143 rep)
Sep 29, 2021, 07:23 AM • Last activity: Oct 2, 2021, 04:45 AM
3 votes
0 answers
171 views
Firejail not hiding files with Brave browser
If I run the following:

```
firejail brave-browser
```

And then try and access files in the browser (such as when uploading a file), Brave still has access to my entire home folder. Usually this doesn't happen with Firejail. I've tried it with Firefox, and it only gives access to the `~/Downloads` folder. I've verified Firejail is running with `firejail --list`:

```
18974:daniel::firejail /usr/bin/brave-browser-stable
```

So I'm not sure what the problem is. The exact same command works with Firefox, so why isn't it hiding files with Brave?

## Environment

* OS: Pop!_OS 21.04
* GNOME version: 3.38.5
* Brave browser: v1.29.81 (installed with apt)
Daniel (143 rep)
Sep 22, 2021, 02:46 AM • Last activity: Sep 29, 2021, 07:29 AM
1 vote
1 answer
426 views
Error when excecuting firejail from zathura: cannot create /run/firejail/profile/14844
In zathura, I use `:exec firejail firefox` to start firefox with firejail. There is an error "cannot create /run/firejail/profile/14844" and firefox does not start. When I type `firejail firefox` in a terminal, it works well. I guess this may be related to a privilege problem, but I do not know how. Thanks in advance.
GilbertDu (13 rep)
Nov 22, 2020, 02:46 AM • Last activity: Sep 26, 2021, 02:07 AM
0 votes
1 answer
1268 views
Allow to run Telegram (or any other application) via firejail, prevent it from running directly
Preferably without using `sudo`. So far I've just saved it under `/opt/telegram/Telegram` without adding it to `$PATH` but that's not a solution since I can easily run it accidentally.
Artem S. Tashkinov (32730 rep)
Dec 31, 2020, 10:56 AM • Last activity: Jun 26, 2021, 12:56 PM
1 vote
1 answer
941 views
Disable --noprofile in Firejail
How can I disable the `--noprofile` option in Firejail? For example, is it possible to disable the use of this option in `firejail.config` so that no one can use it.
Dstart (445 rep)
Apr 6, 2020, 04:55 AM • Last activity: Jun 24, 2021, 11:29 PM
2 votes
1 answer
739 views
Firejail overlay permissions and ALSA no sound (wrong group in container/jail)
I'll try to be brief and concise. I want to run programs that require ALSA with firejail profiles, but it probably doesn't have the permission or ability to access the soundcard for some reason, probably relating to overlays and/or groups. I have firejail 0.9.64.2, alsa-utils 1.2.4_1, pulseaudio 14.0_3, and other alsa/pulse emulation packages installed, as well as relevant soundcards that probably came with the system install. I installed the pulse packages just in case (pulse also made itself a member of audio).

The current condition is that ALSA works decently without firejail, and in certain conditions within firejail too, namely without the overlay and nogroups options when fiddling with certain profiles. However, I need overlays and filesystem mount abilities for many profiles to work properly with sound. I have already added my user to the supplementary group 'audio' and verified it via /etc/group. I checked ownership of the folder '/dev/snd' and the files within; all are owned by root:audio except a symbolic link 'path-by' owned by root:root linking back to ../controlC0. I am hesitant to change ownership of that as I think it is not the problem and would cause more headache. I did however test the profiles with programs like mpv with overlay options, but I get similar error messages about alsa not finding the soundcard. The overlay or nogroups options can ruin alsa in some profiles I tested. I did a few more informative tests, some with logs using firejail's trace function.
```
$ firejail id
uid=1000(user1) gid=100(users) groups=100(users),12(audio)
```
Works! It displays my needed groups for sound. (excluding things like mail or wireshark).
```
$ firejail --overlay-tmpfs id
uid=1000(user1) gid=100(users) groups=100(users)
```
No audio group while using an overlay? This is important because many firejail profiles utilize overlays and group restrictions. In my case this renders my programs mute due to this problem. That is my guess.
```
$ firejail aplay -l && aplay -L
```

Works! It displayed all my cards and pcms! It also made the trace log I specified below. I'm assuming the `/dev/snd/controlC0:5` return is the reason for the successful device listings.
```
3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:5
3:aplay:fopen /usr/share/alsa/alsa.conf:0x564afaf56540
3:aplay:access /usr/etc/alsa/conf.d:-1
3:aplay:access /etc/alsa/conf.d:-1
3:aplay:access /etc/asound.conf:0
3:aplay:fopen /etc/asound.conf:0x564afaf56540
3:aplay:access /home/user1/.asoundrc:-1
3:aplay:access /home/user1/.config/alsa/asoundrc:-1
3:aplay:open /dev/snd/controlC0:5
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1
```
```
$ firejail --overlay-tmpfs aplay -l && aplay -L
```

Fail! It only displayed the pcms, no soundcards. It made the log below.
```
3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1
```
```
$ firejail alsabat-test.sh
```
It made some sounds. Yes, regular video and sounds also work in the window manager. It also makes sounds in a separate TTY terminal with no graphical windows.
```
3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:alsabat-test.sh:exec /usr/bin/bash:0
3:alsabat-test.sh:open /dev/tty:5
3:alsabat-test.sh:open /bin/alsabat-test.sh:5
4:mkdir:exec /usr/bin/mkdir:0
4:mkdir:mkdir tmp:-1
3:alsabat-test.sh:access /usr/share/terminfo/s/st-256color:0
3:alsabat-test.sh:fopen /usr/share/terminfo/s/st-256color:0x556402ad6510
5:alsabat:exec /usr/bin/alsabat:0
5:alsabat:fopen tmp/0.log:0x55b5c9529540
5:alsabat:fopen /usr/share/alsa/alsa.conf:0x7f54bc001c80
5:alsabat:access /usr/etc/alsa/conf.d:-1
5:alsabat:access /etc/alsa/conf.d:-1
5:alsabat:access /etc/asound.conf:0
5:alsabat:fopen /etc/asound.conf:0x7f54bc001c80
5:alsabat:access /home/user1/.asoundrc:-1
5:alsabat:access /home/user1/.config/alsa/asoundrc:-1
5:alsabat:access /usr/lib/alsa-lib:0
5:alsabat:fopen64 /home/user1/.config/pulse/client.conf:0x7f54bc001c80
5:alsabat:access /home/user1/.pulse:-1
5:alsabat:mkdir /home/user1/.config/pulse:-1
5:alsabat:open64 /home/user1/.config/pulse:11
5:alsabat:fopen64 /etc/machine-id:(nil)
5:alsabat:fopen64 /var/lib/dbus/machine-id:0x7f54bc001c80
5:alsabat:mkdir /tmp/pulse-PKdhtXMmr18n:-1
5:alsabat:mkdir /tmp/pulse-2L9K88eMlGn7:0
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /tmp/pulse-2L9K88eMlGn7/native:-1
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /var/run/pulse/native:-1
5:alsabat:fopen /usr/share/alsa/cards/aliases.conf:0x7f54bc001c80
5:alsabat:fopen /usr/share/alsa/pcm/default.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dmix.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dsnoop.conf:0x7f54bc01b3c0
5:alsabat:open /dev/snd/controlC0:7
5:alsabat:open /dev/snd/controlC0:7
5:alsabat:access /usr/share/alsa/cards/HDA-Intel.conf:0
5:alsabat:fopen /usr/share/alsa/cards/HDA-Intel.conf:0x7f54bc001c80
5:alsabat:fopen /usr/share/alsa/pcm/front.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround21.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround40.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround41.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround50.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround51.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround71.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/iec958.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/hdmi.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/modem.conf:0x7f54bc01b3c0
5:alsabat:open /dev/snd/controlC1:-1
5:alsabat:open /dev/aloadC1:-1
5:alsabat:open /dev/snd/controlC2:-1
5:alsabat:open /dev/aloadC2:-1
5:alsabat:open /dev/snd/controlC3:-1
5:alsabat:open /dev/aloadC3:-1
```
```
$ firejail --overlay-tmpfs alsabat-test.sh
```
```
3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:alsabat-test.sh:exec /usr/bin/bash:0
3:alsabat-test.sh:open /dev/tty:5
3:alsabat-test.sh:open /bin/alsabat-test.sh:5
4:mkdir:exec /usr/bin/mkdir:0
4:mkdir:mkdir tmp:-1
3:alsabat-test.sh:access /usr/share/terminfo/s/st-256color:0
3:alsabat-test.sh:fopen /usr/share/terminfo/s/st-256color:0x55a7e137d510
5:alsabat:exec /usr/bin/alsabat:0
5:alsabat:fopen tmp/0.log:0x561c3c323540
5:alsabat:fopen /usr/share/alsa/alsa.conf:0x7f09f0001c80
5:alsabat:access /usr/etc/alsa/conf.d:-1
5:alsabat:access /etc/alsa/conf.d:-1
5:alsabat:access /etc/asound.conf:0
5:alsabat:fopen /etc/asound.conf:0x7f09f0001c80
5:alsabat:access /home/user1/.asoundrc:-1
5:alsabat:access /home/user1/.config/alsa/asoundrc:-1
5:alsabat:access /usr/lib/alsa-lib:0
5:alsabat:fopen64 /home/user1/.config/pulse/client.conf:0x7f09f0001c80
5:alsabat:access /home/user1/.pulse:-1
5:alsabat:mkdir /home/user1/.config/pulse:-1
5:alsabat:open64 /home/user1/.config/pulse:11
5:alsabat:fopen64 /etc/machine-id:(nil)
5:alsabat:fopen64 /var/lib/dbus/machine-id:0x7f09f0001c80
5:alsabat:mkdir /tmp/pulse-PKdhtXMmr18n:-1
5:alsabat:mkdir /tmp/pulse-2L9K88eMlGn7:-1
5:alsabat:mkdir /tmp/pulse-CcctT9RwKSB1:0
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /tmp/pulse-CcctT9RwKSB1/native:-1
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /var/run/pulse/native:-1
5:alsabat:fopen /usr/share/alsa/cards/aliases.conf:0x7f09f0001c80
5:alsabat:fopen /usr/share/alsa/pcm/default.conf:0x7f09f001b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dmix.conf:0x7f09f001b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dsnoop.conf:0x7f09f001b3c0
5:alsabat:open /dev/snd/controlC0:-1
5:alsabat:open /dev/aloadC0:-1
5:alsabat:open /dev/snd/controlC1:-1
5:alsabat:open /dev/aloadC1:-1
5:alsabat:open /dev/snd/controlC2:-1
5:alsabat:open /dev/aloadC2:-1
5:alsabat:open /dev/snd/controlC3:-1
5:alsabat:open /dev/aloadC3:-1
```
Fail! `controlC0:-1` in those logs means it failed. No sounds heard! I cut all logs off at aloadC3 as it just continues to return the -1 error over 30 times, repeating the same iterations. I tried removing my user from the audio group, rebooting, and did `aplay -l` and a firejail overlay test. Nothing. All it did was remove my access to the soundcards in /dev/snd/ altogether. I read on the firejail wiki that some overlay issues occur on the more current Linux kernels, so I even tried booting on an LTS Linux kernel before the stated version, but had the same failure. I could try downgrading firejail. I could also downgrade other relevant audio packages, but I don't want to mess around with dependencies and cause unnecessary issues. I could try removing ALSA from the default runit boot and invoke it with bash. But ALSA works fine without firejail, so it's just hopeless guessing. I'm not going any further until I get a good diagnosis from someone who is more familiar with this than I. Currently no user or entity is using /dev/snd/, so I'm still assuming this is a firejail privilege problem or group issue. Unless the current firejail version is bugged.

**EDIT:**
```
$ firejail --overlay-tmpfs id
OverlayFS configured in /run/firejail/mnt directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 181.47 ms
uid=1000(user1) gid=100(users) groups=100(users)
```

```
$ firejail --overlay-tmpfs --allusers id
OverlayFS configured in /run/firejail/mnt directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 180.15 ms
uid=1000(user1) gid=100(users) groups=100(users)
```
The trace logs are identical, just the id binary being run.
```
$ firejail --overlay-tmpfs --allusers aplay -l && aplay -L
```

aplay -l fails to show sound cards:

```
aplay: device_list:274: no soundcards found...
```

aplay -L successfully lists my pcms just like the other test. The trace log looks as if it hadn't changed despite `--allusers`.
```
3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1
```
Overlays just don't get group access to audio or the soundcard.

**EDIT 2 (EVEN MORE TESTS):**
```
$ firejail --debug id
Autoselecting /bin/bash as shell
Building quoted command line: 'id'
Command name #id#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
mountid=80 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
mountid=81 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
mountid=82 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
mountid=83 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
mountid=84 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/user1/.bash_history
Disable /home/user1/.lesshst
Disable /home/user1/.viminfo
Disable /home/user1/.xinitrc
Disable /etc/xdg/autostart
Mounting read-only /home/user1/.Xauthority
...
Disable /etc/rc.conf
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/kernel.d
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Mounting read-only /home/user1/.bash_logout
...
Disable /home/user1/.gnupg
Disable /home/user1/.netrc
Disable /home/user1/.pki
Disable /home/user1/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/local/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /usr/sbin/chage)
Disable /usr/bin/chage (requested /sbin/chage)
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /usr/sbin/chfn)
Disable /usr/bin/chfn (requested /sbin/chfn)
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /usr/sbin/chsh)
Disable /usr/bin/chsh (requested /sbin/chsh)
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /usr/sbin/expiry)
Disable /usr/bin/expiry (requested /sbin/expiry)
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /usr/sbin/fusermount)
Disable /usr/bin/fusermount (requested /sbin/fusermount)
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /usr/sbin/gpasswd)
Disable /usr/bin/gpasswd (requested /sbin/gpasswd)
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /usr/sbin/mount)
Disable /usr/bin/mount (requested /sbin/mount)
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /usr/sbin/newgidmap)
Disable /usr/bin/newgidmap (requested /sbin/newgidmap)
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /usr/sbin/newgrp)
Disable /usr/bin/newgrp (requested /sbin/newgrp)
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /usr/sbin/newuidmap)
Disable /usr/bin/newuidmap (requested /sbin/newuidmap)
Disable /usr/bin/sg (requested /bin/sg)
Disable /usr/bin/sg
Disable /usr/bin/sg (requested /usr/sbin/sg)
Disable /usr/bin/sg (requested /sbin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/su (requested /usr/sbin/su)
Disable /usr/bin/su (requested /sbin/su)
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /usr/sbin/sudo)
Disable /usr/bin/sudo (requested /sbin/sudo)
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /usr/sbin/umount)
Disable /usr/bin/umount (requested /sbin/umount)
Disable /usr/bin/unix_chkpwd (requested /bin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/unix_chkpwd (requested /usr/sbin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd (requested /sbin/unix_chkpwd)
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /usr/sbin/xev)
Disable /usr/bin/xev (requested /sbin/xev)
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /usr/sbin/xinput)
Disable /usr/bin/xinput (requested /sbin/xinput)
Disable /proc/config.gz
Disable
Disable /home/user1/.config/mpv
...
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
...
Current directory: /home/user1
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
```
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
228 77 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=228 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             240 ..
-rw-r--r-- user1 users           1072 seccomp
-rw-r--r-- user1 users            808 seccomp.32
-rw-r--r-- user1 users            114 seccomp.list
-rw-r--r-- user1 users              0 seccomp.postexec
-rw-r--r-- user1 users              0 seccomp.postexec32
-rw-r--r-- user1 users            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 0
Supplementary groups: 12
Starting application
LD_PRELOAD=(null)
Running 'id'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'id'
uid=1000(user1) gid=100(users) groups=100(users),12(audio)
$ firejail --debug --overlay-tmpfs id
Autoselecting /bin/bash as shell
Building quoted command line: 'id'
Command name #id#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Linux kernel version 5.10
Mounting OverlayFS
DEBUG: chroot dirs are oroot /run/firejail/mnt/oroot  odiff /run/firejail/mnt/odiff  owork /run/firejail/mnt/owork
DEBUG: overlayhome var holds ##/run/firejail/mnt/oroot/home/user1##
Mounting /dev
Mounting /run
Mounting /tmp
Mounting /proc filesystem representing the PID namespace
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/user1/.bash_history
Disable /home/user1/.lesshst
Disable /home/user1/.viminfo
Disable /home/user1/.xinitrc
Disable /etc/xdg/autostart
Mounting read-only /home/user1/.Xauthority
...
fstype=overlay
Disable /etc/rc.conf
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/kernel.d
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Mounting read-only /home/user1/.bash_logout
...
Disable /home/user1/.gnupg
Disable /home/user1/.netrc
Disable /home/user1/.pki
Disable /home/user1/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/local/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /usr/sbin/chage)
Disable /usr/bin/chage (requested /sbin/chage)
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /usr/sbin/chfn)
Disable /usr/bin/chfn (requested /sbin/chfn)
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /usr/sbin/chsh)
Disable /usr/bin/chsh (requested /sbin/chsh)
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /usr/sbin/expiry)
Disable /usr/bin/expiry (requested /sbin/expiry)
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /usr/sbin/fusermount)
Disable /usr/bin/fusermount (requested /sbin/fusermount)
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /usr/sbin/gpasswd)
Disable /usr/bin/gpasswd (requested /sbin/gpasswd)
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /usr/sbin/mount)
Disable /usr/bin/mount (requested /sbin/mount)
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /usr/sbin/newgidmap)
Disable /usr/bin/newgidmap (requested /sbin/newgidmap)
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /usr/sbin/newgrp)
Disable /usr/bin/newgrp (requested /sbin/newgrp)
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /usr/sbin/newuidmap)
Disable /usr/bin/newuidmap (requested /sbin/newuidmap)
Disable /usr/bin/sg (requested /bin/sg)
Disable /usr/bin/sg
Disable /usr/bin/sg (requested /usr/sbin/sg)
Disable /usr/bin/sg (requested /sbin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/su (requested /usr/sbin/su)
Disable /usr/bin/su (requested /sbin/su)
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /usr/sbin/sudo)
Disable /usr/bin/sudo (requested /sbin/sudo)
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /usr/sbin/umount)
Disable /usr/bin/umount (requested /sbin/umount)
Disable /usr/bin/unix_chkpwd (requested /bin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/unix_chkpwd (requested /usr/sbin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd (requested /sbin/unix_chkpwd)
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /usr/sbin/xev)
Disable /usr/bin/xev (requested /sbin/xev)
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /usr/sbin/xinput)
Disable /usr/bin/xinput (requested /sbin/xinput)
Disable /proc/config.gz
Disable /home/user1/.config/mpv
Disable /home/user1/.config/straw-viewer
Disable /home/user1/.config/torbrowser
Disable /home/user1/.config/youtube-dl
Disable /home/user1/.links
Disable /home/user1/.local/share/torbrowser
Disable /home/user1/.mozilla
Disable /home/user1/.cache/mozilla
Disable /home/user1/.cache/straw-viewer
Disable /home/user1/.cache/torbrowser
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
251 87 0:43 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=251 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/user1/.config/pulse
252 101 0:43 /pulse /home/user1/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=252 fsname=/pulse dir=/home/user1/.config/pulse fstype=tmpfs
Current directory: /home/user1
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
 line  OP JT JF    K
...
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
254 87 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=254 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             300 ..
-rw-r--r-- user1 users           1072 seccomp
-rw-r--r-- user1 users            808 seccomp.32
-rw-r--r-- user1 users            114 seccomp.list
-rw-r--r-- user1 users              0 seccomp.postexec
-rw-r--r-- user1 users              0 seccomp.postexec32
-rw-r--r-- user1 users            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
Starting application
LD_PRELOAD=(null)
Running 'id'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'id'
uid=1000(user1) gid=100(users) groups=100(users)
I got some important relevant debug info, scrubbed some personal details, and trimmed it to stay within the character limit here. I'm just a novice at UNIX, so I'm not sure what to do with this info to fix the overlay and audio group access. This should be the last info I can possibly provide.
okay39442 (23 rep)
Feb 2, 2021, 01:19 PM • Last activity: Feb 3, 2021, 02:00 PM
2 votes
2 answers
5330 views
Whitelist a directory for execution with firejail
How can I whitelist a directory for execution with firejail? In particular, I would like to execute Firefox Nightly in firejail. But I get the following error:
$ firejail --profile=/etc/firejail/firefox.profile --whitelist=$HOME/software/firefox-nightly ./firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 769552, child pid 769553
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 91.60 ms
Exec failed with error: Permission denied
and testing with a shell:
$ firejail --profile=/etc/firejail/firefox.profile --whitelist=$HOME/software/firefox-nightly sh
[...]
$ ls -l firefox
-rwxr-xr-x 1 vinc17 vinc17 16928 2020-05-16 13:22:44 firefox
$ ./firefox
sh: 2: ./firefox: Permission denied
Note: /etc/firejail/disable-exec.inc has noexec ${HOME}. But adding --ignore='noexec ${HOME}' just after firejail has no effect. Moving the directory under /usr/local has no effect either.
vinc17 (12504 rep)
May 16, 2020, 04:06 PM • Last activity: Dec 7, 2020, 04:28 PM
1 votes
1 answers
1224 views
create custom profile to run man using firejail
I'm trying to use [firejail](https://firejail.wordpress.com/) (version 0.9.58.2) for application sandboxing on my Debian Stable machine. From what I understand it's possible to create a custom configuration file for each application, but I wasn't successful in doing so. Currently I'm trying to write a custom man.profile file, since it [sounds quite easy](https://firejail.wordpress.com/documentation-2/building-custom-profiles/) . I put a file with the following content in my ~/.config/firejail/ directory:
noblacklist /usr/share/man/
noblacklist /usr/lib/man-db/

include whitelist-var-common.inc

seccomp
shell none

private-bin sed,less,man,groff,nroff,tbl,bash
private-dev
But when I run man less, my pager opens only with an empty page, and after closing it I can read the following error message:
Reading profile /home/$USER/.config/firejail/man.profile
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 42020, child pid 42045
7 programs installed in 10.65 ms
Child process initialized in 10.69 ms
/usr/bin/man: command exited with status 255: (cd /usr/share/man && /usr/lib/man-db/zsoelim) | (cd /usr/share/man && /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t ISO-8859-1//IGNORE) | (cd /usr/share/man && tbl) | (cd /usr/share/man && nroff -mandoc -rLL=189n -rLT=189n -Tutf8)
What am I doing wrong? Any ideas/pointers are appreciated! ----- Update (thanks @artem-s-tashkinov): when running strace -f -e file -o /tmp/man.log man less (after first performing sudo firecfg --clean) and examining the output of /tmp/man.log, I found that several other files were read while invoking man less. Therefore I updated the lines starting with private-bin and private-lib to include the following:
private-bin sed,less,man,groff,nroff,tbl,bash,terminfo,locale
private-lib /usr/lib/man-db,/usr/share/groff,/usr/share/locale,/usr/share/terminfo,/usr/share/man,/usr/lib/x86_64-linux-gnu,/lib/x86_64-linux-gnu,/usr/lib/charset.alias,/etc/ld.so.preload,/etc/ld.so.cache,/etc/manpath.config,/etc/suid-debug,/etc/terminfo,/etc/sysless,/etc/localtime
But the result is still negative: man less yields the following error:
bin/bash: error while loading shared libraries: libtinfo.so.6: cannot open shared object file: No such file or directory
/usr/bin/man: command exited with status 127: (cd /usr/share/man && /usr/lib/man-db/zsoelim) | (cd /usr/share/man && /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE) | (cd /usr/share/man && preconv -e UTF-8) | (cd /usr/share/man && tbl) | (cd /usr/share/man && nroff -mandoc -rLL=189n -rLT=189n -Tutf8)
When looking for the location of libtinfo.so.6 using find /lib -name "*libtinfo*" the result is in /lib/x86_64-linux-gnu/, which is included in the private-lib-line. And when eliminating the lines starting with private-bin and private-lib, it works (but obviously without the additional sandboxing).
n0542344 (416 rep)
Oct 28, 2020, 07:08 PM • Last activity: Oct 28, 2020, 08:10 PM
1 votes
1 answers
650 views
How to exclude/hide a directory from a command (find command or else)?
How to exclude a folder or path from a command or application in general? I am trying to exclude a path from the find command, but the available possibilities, like the prune option explained [here](https://unix.stackexchange.com/questions/350085/is-it-possible-to-exclude-a-directory-from-the-find-command) and [here](https://unix.stackexchange.com/questions/109900/find-prune-does-not-ignore-specified-path) , make the command a little more complicated for an advanced search.
intika (15066 rep)
Mar 11, 2020, 02:28 AM • Last activity: Jul 6, 2020, 01:10 AM
0 votes
1 answers
381 views
Can't click button of firefox when I run it within firejail + xephyr
I run firefox with the following command:
firejail --x11=xephy firefox
-----
The command usually opens a firefox window (800x600) that fills the xephyr window (800x600). In this case, the following problems occur.
Problems:
- When I click on the hamburger menu, the menu briefly appears and then quickly disappears.
- When I type "alt", the menu bar at the top appears. Then when I type f, the file menu briefly appears and then quickly disappears.
-----
However, after I run the command, I can intentionally kill xephyr (by pressing alt-f4). When I run the command again, firefox starts in safe mode. The firefox in safe mode opens a window that is smaller than 800x600. In this case, the problem disappears.
-----
Somehow setting the height and width of the firefox command as below doesn't solve the problem.
firejail --x11=xephy firefox -width=700 -height=500
-----
The window environment is debian 10 + jwm + xorg. I start it by startx -- -nolisten local.
Duh Huh (49 rep)
Jun 21, 2020, 03:27 AM • Last activity: Jun 21, 2020, 05:31 PM
1 votes
1 answers
753 views
firejail: wine regedit doesn't save changes
Update2: Registry changes are **actually** saved. But for entries that are not stored permanently (that get reset if, for example, I run `wineboot`), after `regedit` (with `firejail`) is closed, those entries are reset to default. Example: If I add a new `String value` entry called `test`, the change is saved. If I modify
>Hardware>Description>System>CentralProcessor>0>VendorIdentifier
from `AuthenticAMD` to `None`, it does not work with `firejail`. Without `firejail`, the change is saved, but if I run `wineboot`, it resets to default.
---
Update: It seems that the changes are actually written to disk: while modifying the registry with `regedit` (with `firejail`), I open another `regedit` and see that the data was modified. But after closing `regedit`, the registry is reset.
---
I'm using `firejail` version 0.9.56 (default package from Mageia). I have no problem running `wine` with `firejail`, except when I want to modify the registry. Without `firejail` there's no problem, but when I run `wine` with `firejail`, all modifications revert back to default. Here is my `firejail` wine profile:
# Firejail profile for wine
# Description: A compatibility layer for running Windows programs
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/wine.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ${HOME}/.Steam
noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/steam
noblacklist ${HOME}/.steam
noblacklist ${HOME}/.wine
# with >=llvm-4 mesa drivers need llvm stuff
noblacklist /usr/lib/llvm*
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
#############
blacklist /media
blacklist /mnt
noblacklist ${HOME}/.wine
whitelist ${HOME}/.wine
noblacklist /tmp/.wine-*
whitelist /tmp/.wine-*
include /etc/firejail/whitelist-common.inc
duqu (93 rep)
Jun 2, 2020, 09:27 PM • Last activity: Jun 5, 2020, 09:10 PM
3 votes
1 answers
744 views
Port forwarding with iptables and firejail sandbox
I try to run a HTTP server on port 8000 in a firejail sandbox, and make it accessible on all interfaces of the host on port 8888. The whole system can be represented as below:
+----------------------------------------------------+                                       +-------------+
|                      host-112                      |                                       |  host-238   |
|                                                    |               +-------+               |             |
| +--------------------------+              +-----+  | 192.168.1.112 |       | 192.168.1.238 |   +----+    |
| |       firejail           |              |wlan0+------------------+  NAT  +-------------------+eth0|    |
| |                          |              +-----+  |               |       |               |   +----+    |
| |                          |                       |               +-------+               |             |
| |        +----+   10.0.1.2 |   10.0.1.1  +------+  |                                       |             |
| |        |eth0+--------------------------+my_br0|  |                                       |             |
| |        +----+            |             +------+  |                                       |             |
| |                          |                       |                                       |             |
| |                          |                       |                                       |             |
| |      HTTP server 

...
[screenshot: wireshark]
But it doesn't work with a remote host on the same network:
myself@host-238 $ curl 192.168.1.112:8888
curl: (7) Failed to connect to 192.168.1.112 port 8888: Connection timed out
[screenshot: wireshark]
It seems like the request is not well forwarded to the bridge interface. Below is the complete list of iptables rules on host-112:
# iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i my_br0 -p tcp -m tcp --sport 8000 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i my_br0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
-A POSTROUTING -s 172.19.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o my_br0 -p tcp -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.1.2:8000
-A DOCKER -i docker0 -j RETURN

# iptables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

# iptables -S -t raw
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT

# iptables -S -t security
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Do you know what I can do to make it work?
nicop (51 rep)
May 15, 2020, 01:47 PM • Last activity: May 18, 2020, 07:41 AM