We are happy to announce the release of Firejail version 0.9.34. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. This release brings in default home directory whitelisting for Firefox and Chromium, a new seccomp-based security filter (--protocol), dual 32 bit/64 bit seccomp support, support for Skype, Steam and Wine, and a number of smaller features and bugfixes:
PulseAudio 7.0 issue
The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Arch Linux users are reporting sound problems when running applications in the Firejail sandbox. PulseAudio developers are aware of the problem, and a fix will be provided in a future PulseAudio release. The following configuration fix will mask the problem for now:
$ mkdir -p ~/.config/pulse
$ cd ~/.config/pulse
$ cp /etc/pulse/client.conf .
$ echo "enable-shm = no" >> client.conf
Home directory whitelisting in default Firefox profile
Starting Firefox using the default security profile
$ firejail firefox
whitelists files and directories under /home/user:
Home directory whitelisting in default Chromium profile
Starting Chromium using the default security profile
$ firejail chromium
whitelists files and directories under /home/user:
--ignore
Use this option to disable commands in security profiles. Example:
$ firejail --ignore=seccomp wine
--protocol
Enable the protocol filter. It is based on seccomp and filters the first argument to the socket system call. Valid values: unix, inet, inet6, netlink and packet.
$ firejail --protocol=unix,inet,inet6
“unix” describes the regular Unix socket connections, while “inet” and “inet6” describe IPv4 and IPv6 traffic. Most GUI applications need “unix,inet,inet6”. “netlink” is the protocol used to talk to the Linux kernel. You’ll only need this for applications used in system administration (iproute2 etc). “packet” is used by sniffers to talk directly with the Ethernet layer.
Protocol filter is enabled for most GUI applications (“protocol unix,inet,inet6”).
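The mechanism described above, as an added example that is not Firejail's own code: a seccomp BPF filter that inspects the first argument of socket() and permits only the unix, inet and inet6 families. The function names are hypothetical, and the filter assumes a little-endian machine and the native syscall ABI only.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Allow socket() only for AF_UNIX/AF_INET/AF_INET6; other families get EPERM.
 * Native ABI only: a production filter must also check seccomp_data.arch. */
static int install_protocol_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),   /* not socket(): allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET6, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM), /* family not listed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),         /* listed family */
    };
    struct sock_fprog prog = { .len = sizeof(f) / sizeof(f[0]), .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter in the child only, and report the errno of
 * socket(family, SOCK_DGRAM, 0): 0 = allowed, -1 = setup failed. */
int socket_errno_under_filter(int family) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_protocol_filter() != 0) _exit(255);
        _exit(socket(family, SOCK_DGRAM, 0) >= 0 ? 0 : errno);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) {
    printf("unix=%d netlink=%d packet=%d\n", socket_errno_under_filter(AF_UNIX),
           socket_errno_under_filter(AF_NETLINK), socket_errno_under_filter(AF_PACKET));
    return 0;
}
```

Because syscall numbers differ between the i386 and amd64 ABIs, a filter like this one that matches only the native socket number does not cover 32-bit callers; checking the architecture field closes that gap.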
Dual 32 bit/64 bit seccomp filter
The --seccomp option now installs a dual 32 bit/64 bit default filter. i386 applications running on regular amd64 computers (Skype, Steam etc.) are protected by the i386 seccomp filter.
New default security profiles
Steam, Skype, Wine. The dual seccomp filter is enabled by default for these applications.
About
For more information please visit the project page.