Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 1 answer, 2287 views
How to run external executables within firejail
My machine is a home desktop (personal) running Debian Buster with the i3 window manager. I recently installed firejail with `apt install firejail* firetools` and also downloaded the new Firefox 83 browser from the Firefox official website. I can run the firefox binary as a non-firejail user, as in, navigating to the new firefox directory and running `[user@debian]:$ ./firefox`.
It works fine and all. However, if I try doing `firejail --noprofile --seccomp --private --nonewprivs /home/user/downloads/firefox/firefox`, it says the file firefox isn't executable. Running `ls -l` on the executable returns that it is executable. Then I copied the whole new firefox directory to `/tmp/`, then opened a new firejail bash session with `firejail --seccomp --private --nonewprivs bash`, then started a sandboxed bash session. Then I copied the firefox directory from `/tmp/` to `$HOME` and tried running the firefox binary from there, and it says permission denied.
The file was executable and was owned by the same user. What am I doing wrong here?
atheros
(256 rep)
Dec 2, 2020, 09:31 AM
• Last activity: Jul 19, 2025, 10:01 PM
0 votes, 0 answers, 29 views
systemd sandbox - how to allow network access only to specific domain(s)?
It's trivial to limit _all_ network access via systemd service sandboxing. However, would it be possible to disallow all external network connections, _except_ for listed domains?
laur
(790 rep)
Jul 16, 2025, 01:41 PM
1 vote, 0 answers, 17 views
systemd PrivateIPC setting errors "Operation not permitted"
Setting [PrivateIPC=true](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateIPC=) in a user systemd service causes the following to be printed in the journal:
```none
(myservice): myservice.service: PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: Operation not permitted
(myservice): myservice.service: Failed to set up mount namespacing: /dev/mqueue: Operation not permitted
(myservice): myservice.service: Failed at step NAMESPACE spawning myservice: Operation not permitted
```
The linked documentation above mentions
> This option is only available for system services, or for services running in per-user instances of the service manager in which case PrivateUsers= is implicitly enabled (requires unprivileged user namespaces support to be enabled in the kernel via the "kernel.unprivileged_userns_clone=" sysctl)
```shell
$ cat /proc/sys/kernel/unprivileged_userns_clone
1
```
Also other settings with the same caveat, e.g. [PrivateNetwork](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=), seem to work.
What gives - why are the errors above shown?
laur
(790 rep)
May 12, 2025, 12:45 PM
• Last activity: May 12, 2025, 04:35 PM
4 votes, 1 answer, 126 views
sandobxing with systemd PrivateNetwork - how to enable X11 connection?
The goal is to create a generic sandboxing systemd `.conf` file to be included as a snippet in application unit files in order to harden/sandbox them.
One major requirement is to block the application from all network access to the outside world, and preferably also locally.
One option is setting [PrivateNetwork=true](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=), but this breaks graphical applications, which are no longer able to connect to the X server:
```none
Warning: [qt.qpa.xcb] QtWarning: could not connect to display :0
Warning: [qt.qpa.plugin] QtWarning: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin
```
Is there a way to use `PrivateNetwork` with GUI programs?
---
As an alternative I'm considering the following two settings:
```ini
# restricts the network interfaces that processes of this unit can use:
RestrictNetworkInterfaces=lo
# block all network traffic, including localhost:
IPAddressDeny=any
```
Is this alternative good enough for my requirement? Is `PrivateNetwork` still even required with these settings?
laur
(790 rep)
May 12, 2025, 12:27 PM
• Last activity: May 12, 2025, 12:58 PM
4 votes, 1 answer, 73 views
opening an image in /tmp with Pinta
I have Pinta 2.1.1 running in Flatpak (v1.14.5). When I run Pinta from the command line passing an image located in `/tmp` as an argument, it complains about the file not existing:
```shell
$ /var/lib/flatpak/exports/bin/com.github.PintaProject.Pinta /tmp/img.jpg
Pinta: GLib.GException: Error when getting information for file “/tmp/img.jpg”: No such file or directory
```
I am guessing this is due to [/tmp being blacklisted by default](https://docs.flatpak.org/en/latest/sandbox-permissions.html), and Pinta [not configured](https://github.com/flathub/com.github.PintaProject.Pinta/blob/7d1e540906c8f52af7e9060aded28cf755f1456b/com.github.PintaProject.Pinta.yaml#L12-L33) to enable access to it.
However, once the application is running, said image can be opened via the 'Open file' (Ctrl+o) dialog.
Is this expected?
laur
(790 rep)
Apr 18, 2024, 03:57 PM
• Last activity: Apr 15, 2025, 07:15 PM
0 votes, 0 answers, 1896 views
How to clear the contents under /run/user/1000/doc?
I am on Ubuntu 20.04 and installed `evince` via `flatpak`. When I open `evince`, it usually makes a copy of the opened file into `/run/user/1000/doc`.
I learned that `/run/user/1000/doc` is the temporary directory for storing files used by running applications, but when I quit evince the files created by it do not go away.
Even if I reboot my machine, the files still exist.
As the directory cannot be accessed in the usual way, it is not writable and cannot be changed with `chmod`.
How can I remove the contents of `/run/user/1000/doc`?
Simon.Zh.1234
(9 rep)
Apr 18, 2023, 07:04 AM
• Last activity: Mar 18, 2025, 09:17 AM
7 votes, 3 answers, 3888 views
firejail : only let a program access localhost
I have this local network service and this client program needing to access it. I am running them both as an unprivileged user.
I am looking for a way to sandbox the client using firejail, in a way that it cannot access the network, except for localhost (or even better, except for that service).
The first thing I tried was of course
```sh
firejail --net=lo program
```
But it didn't work:
```none
Error: cannot attach to lo device
```
I think I could work around it by creating a virtual network interface, for example veth0 and veth1, moving veth1 to a new network namespace in which I'd run the service, and using firejail to restrain the client to veth0.
Is there a way to actually automate this setting in a firejail profile, so that all of these interfaces are created and veth1 is moved when I type `firejail server` (without having to run anything as root)?
Or is there a simpler way to solve this problem? (I cannot run both the client and the service in the same namespace, because the service needs to access the network.)
tbrugere
(1084 rep)
Oct 27, 2018, 03:56 PM
• Last activity: Feb 10, 2025, 05:50 PM
2 votes, 1 answer, 768 views
unprivileged_userns_apparmor_policy - what does it do?
I am developing some AppArmor profiles, and came across the kernel flag `unprivileged_userns_apparmor_policy`, but I cannot find any documentation about it. Does anyone know what it does? I wonder if it might be helpful to me because I am writing AppArmor policies for apps that can use unprivileged user namespaces and I don't want those apps to be able to use a mount namespace to get around the AppArmor profile's file permission restrictions.
schmeg
(31 rep)
Mar 7, 2023, 10:00 PM
• Last activity: Jan 20, 2025, 11:33 AM
-1 votes, 1 answer, 10410 views
I cannot run google chrome without --no-sandbox argument
I use this version of Kali Linux:
```none
Linux kali 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64 GNU/Linux
```
I downloaded Google Chrome from Chrome's website and installed it with this command:
```shell
dpkg -i google-chrome-stable_current_amd64.deb
```
When I launch Google Chrome by typing `google-chrome` in the terminal, this is what I get:
```none
[1984:1984:0726/112742.739106:ERROR:zygote_host_impl_linux.cc(89)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
```
But when I launch it by typing `google-chrome --no-sandbox` it works correctly. Sometimes Chrome notifies me that there is a lack of security because it works without the sandbox.
What does that mean? And what should I do in order to run Chrome without `--no-sandbox`?
X Y
(115 rep)
Jul 26, 2020, 08:36 AM
• Last activity: Dec 8, 2024, 05:07 AM
0 votes, 0 answers, 63 views
Firejail video access from shell
I have been playing around with firejail and tried to get a profile where access to the webcam is blocked. I tried this with 'cheese' as an application, which shows the webcam, and found `--novideo` in the documentation.
So:
```sh
$ firejail --novideo cheese
```
And success, no video found.
But if I use that same configuration with a shell:
```sh
$ firejail --novideo bash
```
And then start cheese from there, video works fine. So access to the webcam is still possible? Does cheese connect to some other process?
I tried other promising settings, but I always was able to have cheese access the webcam. I assume if that program can access it, other programs could as well.
bananabook
(92 rep)
Aug 17, 2024, 10:15 AM
0 votes, 0 answers, 585 views
What PrivateUsers= does exactly?
I am having a hard time understanding the manual for PrivateUsers=. It mentions a few caveats for it to fail **silently**... But I think I'm avoiding them all and still not managing to reach the manual's promise of "and thus to create an effective sandbox environment."
> If true, sets up a new user namespace for the executed processes and configures a minimal user and group mapping, that maps the "root" user and group as well as the unit's own user and group to themselves and everything else to the "nobody" user and group.
To me, it's not clear what the manual means by "the unit's own user and group". Is it `User=`? I don't think so because that would make starting the process as root mapped to a local user impossible (I would have to use `User=root` to start the process as the namespaced root, but that would also make root the user that root maps to...). The term "own user" is never mentioned in any of the many manual pages required to understand a service unit file, only three times in the paragraph for `PrivateUsers=`.
I set up this very simple test service:
```ini
[Unit]
Description=My test
[Service]
Type=simple
PrivateUsers=yes
User=http
ExecStart=...
```
That is exactly the same as
```ini
[Unit]
Description=My test
[Service]
Type=simple
User=http
ExecStart=...
```
(without PrivateUsers)
I cannot tell any difference between these two in my tests. Both access all local users with no mapping taking place.
> All files, directories, processes, IPC objects and other resources owned by users/groups not equaling "root" or the unit's own will stay visible from within the unit but appear owned by the "nobody" user and group.
I see and create everything owned by the regular users inside and out of the scope.
> If this mode is enabled, all unit processes are run without privileges in the host user namespace (regardless if the unit's own user/group is "root" or not).
Again, not sure what it means by unit's own user. Am I expected to assume uid 0 after starting the process as another `User=`?
> Note that the implementation of this setting might be impossible (for example if user namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for security.
Running `unshare -U` on the host works fine and creating files as root shows as a different user, as expected.
gcb
(632 rep)
Aug 11, 2024, 08:09 PM
0 votes, 1 answer, 81 views
How to Avoid Copying Large Folders When Creating a chroot Sandbox Using Symlinks, Hard Links, or Bind Mount?
I am working on creating a chroot sandbox and want to avoid the time-consuming and storage-intensive process of copying large directories such as `bin`, `lib`, and others.
Is it possible to use symbolic links, hard links, or bind mount to reference these directories from the host system within the chroot environment?
What are the implications or potential issues with each method in terms of:
1. Performance
2. Security
3. Compatibility
4. Ease of setup
Any insights or best practices on this would be greatly appreciated.
Foad
(379 rep)
May 22, 2024, 09:10 PM
• Last activity: May 24, 2024, 11:36 AM
9 votes, 2 answers, 3583 views
Can LVM snapshots be writable? (and used for temporary experiments)
It seems that snapshots are usually talked about as read-only. (In a scenario where [one creates a snapshot, then does some experiments with the main volume, and then restores the old state](https://unix.stackexchange.com/q/18913/4319) by ["merging" the snapshot into the main volume](https://unix.stackexchange.com/questions/18913/how-to-create-a-read-only-snapshot-in-lvm-and-then-rollback-to-it-after-some-wor/18914#18914).)
Is an alternative scenario possible in LVM? I.e., where one doesn't even want the temporary experiments to be visible in the main volume, so one creates a "temporary" snapshot, makes it writable, does the experiments there, in that "branch", and then discards the snapshot (or perhaps merges it if one is satisfied with the results)?
And if writable snapshots are possible in LVM, then what happens when merging a modified snapshot into the main volume which also has had some different modifications?
(BTW, [btrfs snapshots seem to be writable by default](https://unix.stackexchange.com/q/18912/4319) , so this scenario seems to be well possible in btrfs.)
imz -- Ivan Zakharyaschev
(15862 rep)
Aug 22, 2011, 11:27 PM
• Last activity: May 17, 2024, 01:19 PM
0 votes, 1 answer, 35 views
Safety of thunderbird credentials with Firefox and websites with file-browsing scripts on Linux
I'd like to set up an instance of Thunderbird on a Fedora VM (with a VPN). I want it to use ONLY an alias I have set up with the email providers.
But I will still have to use my real credentials to log into the server. So they are in `.thunderbird` somewhere.
I have to deal with websites on that VM that are pretty invasive by nature (rental tenancy applications like 2apply, snug.com, etc). Each are in a Firefox Container.
They all have the facility to browse your system to upload files and documents, or 'drag-and-drop' - i.e. I have enabled those scripts in NoScript, and I have no choice about that.
I'm worried that information will leak from Thunderbird to the websites, particularly my real email address.
I understand/believe/have heard that Linux doesn't allow programs to work without explicitly commanding them to do so, but... haven't I done exactly that with the websites by enabling file-uploading scripts?
How should I think about this? Is it really a risk?
account-minute
(11 rep)
Mar 30, 2024, 10:44 AM
• Last activity: Mar 30, 2024, 11:01 AM
24 votes, 5 answers, 18780 views
Merge changes to upper filesystem to lower filesystem in Linux Overlay (OverlayFS) mount
I would like to be able to merge changes from the upper filesystem of an overlay mount to a lower filesystem.
I am interested both **online** (i.e. merge *while* the overlay is mounted) and **offline** (unmount the overlay and then merge) solutions.
I have found a couple of offline solutions, which I have added as answers.
Does anyone know of any **online** solutions? It would be good to have a "commit" type command you could run to merge down the layers while the overlay is still mounted.
Something like this has been asked in the following questions with no answer:
- Is there anyway to modify one file and sync to the lower directory in OverlayFs?
- How to modify a lower file through an OverlayFS directory?
- OverlayFS Seamlessly Edit File in Lower Directory
- OverlayFS - How to make changes to upper filesystem persistent without unmounting?
Comments in these posts suggest variously mergerfs and bcache, both of which solve specific use cases but not the generic filesystem-agnostic use case that overlays provide.
My goal is to have a safe filesystem sandbox with snapshots that can be used with any Linux application over any (where practical) underlying filesystem, allowing you to roll back changes or manually commit them when you are ready.
I have a suspicion that modern mainline Linux has all the necessary features to do this built-in, thanks to all the sandboxing/virtualization innovations of the last few years, if only I knew how to use them.
ejm
(651 rep)
Sep 23, 2017, 02:45 AM
• Last activity: Dec 3, 2023, 05:28 PM
2 votes, 2 answers, 4710 views
How can I test whether Chromium is running inside sandbox
I am using the `Chromium` browser on `Debian Wheezy`. I read that `Chromium` is using a sandbox to isolate its processes from the rest of the system and thus to increase security.
How can I verify that `Chromium` is indeed running inside a sandbox?
Is Chromium using the sandbox by default, or do I have to configure it? When I start `Chromium` by clicking on the icon, and then look at the running process with `ps`, I see no indication that it runs in a sandbox (i.e. no `--sandbox` parameter).
Michael Boies
(186 rep)
Feb 13, 2015, 01:31 PM
• Last activity: Nov 1, 2023, 10:38 PM
108 votes, 2 answers, 253993 views
What does the Chromium option `--no-sandbox` mean?
I'm running Chromium like so: `chromium --no-sandbox`
I'm doing this because I'm running Debian Squeeze on an OpenVZ VM Container and it's the only way I can get it to work.
Though I keep reading **this is terrible**. But I want to know why exactly. Can someone please explain it to me?
Does someone need to hack into your computer to do damage? Or does the vulnerability come from a file on the web like a JavaScript file?
What if I locked browsing down to only a handful of "trusted" sites?
(Gmail, stackexchange (of course), and facebook)
capdragon
(1287 rep)
Mar 22, 2013, 07:22 PM
• Last activity: Oct 25, 2023, 12:09 PM
2 votes, 5 answers, 2213 views
override hardcoded paths in executables
I'd like to override some hardcoded paths stored in pre-compiled executables like "/usr/share/nmap/" and redirect them to another dir.
My ideal solution should not require root privileges, so creating a symlink is not ok.
(Also, recompiling is not an option.)
eadmaster
(1723 rep)
Mar 29, 2014, 11:33 PM
• Last activity: Oct 19, 2023, 01:01 PM
1 vote, 1 answer, 361 views
how can i make a dbus connection from a sandbox to pipewire
How can I create a DBUS connection to PipeWire (to communicate with the sound daemon) from an SELinux sandbox?
ministry
(21 rep)
Sep 17, 2023, 12:52 PM
• Last activity: Sep 17, 2023, 05:44 PM
3 votes, 0 answers, 460 views
How to run a child process inside firejail sandbox?
Hello Linux folks, I need help running a Java program in a sandbox with firejail:
```sh
firejail --private --trace java -jar program.jar
```
But this program can't spawn a child process (chromium) due to sandbox restrictions.
The trace error:
```none
3: java:lstar64 /home/username/.program/101.0.4951.54/chrome-sandbox:0
3: java:access /proc/self/ns/user:0
3:java:access /proc/sys/kernel/unprivileged_userns_clone:0
3:java:open64 /proc/sys/kernel/unprivileged_userns_clone:47
```
If I run the program without firewall it successfully spawns the child process, but when run with firejail it does not spawn it.
It seems I can't spawn this child process due to the process being restricted by firejail. Any help will be appreciated.
geek
(177 rep)
May 22, 2022, 02:14 PM
• Last activity: Jul 24, 2023, 07:36 AM
Showing page 1 of 20 total questions