firejail / seccomp / More Options for Program Containment

Asked the folks at parrotos about what they do which may help.


Some great feedback from the ParrotOS dev. It's very doable with their technique. [0] @Patrick see if you have any further questions you would like to ask.

[0] They enable it automatically for all available programs and re-apply symlinks in the event of package updates. Also the home folder is whitelisted for saving files the user wants persistent. I asked about the code and whether it's deb packaged.


I tried by default to run firejail and it WORKED without adding anything:

run inside whonix:

firejail torbrowser

if you installed tbb from torbrowser-downloader developed by micah lee

firejail torbrowser-launcher

and it will run magically with seccomp without adding anything

By automatic we mean out of the box. We don’t want people to type firejail X to take advantage of its security but rather the process is completely transparent to the user.


Hi @nurmagoz

Yes I know it works, but it defaults to a “default profile” in that mode (which is not very restrictive).

We really need something to auto-select the Tor Browser profile for improved usability and stricter containment if Firejail is used.


packaged for Debian and includes custom code
https://dev.parrotsec.org/parrot/firejail


Problem is, these profiles are mixed up with all the C code provided by firejail. A full fork of firejail. That would be good if it was taken by firejail developers like this and merged upstream at firejail.

Just the parts they changed (added profiles; Debian maintainer scripts) in a separate package would be a lot better, to avoid adding C code and compilation to Whonix source code. Otherwise I'd need to verify that firejail from firejail upstream vs firejail from that package matches; and compile.

OK I suggested it.


Could we add firejail to the default packages being installed so it would maybe also get some more testing? The version from backports looks close to the upstream version. Also the specific profile for the torbrowser seems to work, not just the default profile.


I already asked for that

https://phabricator.whonix.org/T869

continue discussion here

https://phabricator.whonix.org/T804


Tickets are a bit “disorganized” since now firejail is suggested as standalone without T804. Be that as it may…

The suggestion is to add the firejail package from Debian stretch (Debian -- Details of package firejail in stretch) to some Whonix meta package? Which one? Please send a pull request. Can you please test that installing firejail alone doesn't add any regression? Does it activate by default?

I don’t think we can guarantee zero regressions, but anecdotally I have yet to find a program that doesn’t work with firejail.

From the ParrotOS thread, it appears that what happens is Firejail has a script which can automatically compare installed system binaries and reinstall symlinks as packages are reinstalled. Parrot runs this script (which I haven’t seen but haven’t really dug for yet) every time a package is installed via a post-installation step. This itself could be dangerous as perhaps a user is unaware that firejail is not reinstalled in front of a package reinstall, or perhaps they install a package that is not protected by default firejail profiles and also not ParrotOS firejail profiles and expect it to be automatically applied. User education will always solve problems where technology is lacking. We should make the user aware that firejail is in play on the system regardless of how seamless we can make the integration as they may want to review firejail and the available integrated profiles for themselves.

That all said, I am still learning and still educating myself on firejail and the current state of Whonix development itself. If I could send a pull request that would implement firejail as a default package on a meta package, and then create a post-install hook to implement firejail profile reinstallation, and then implement specific and tight firejail profiles, that would still not alleviate all of the potential problems. Again, user education is key, and I’ve noticed this mentioned a couple of times in the Whonix wiki and could not agree more.

That’s just my $.02 on the matter, for what that’s worth right now. Still learning.
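The post above describes the ParrotOS approach from the outside: a pass over installed binaries that re-creates firejail symlinks after package changes (firejail itself ships such a tool, `firecfg`). The script below is an added example, not ParrotOS, firejail or Whonix code, of what that pass has to do: link only programs that actually have a profile, leave the rest alone (the case a user might not expect), and prune links whose program or profile has gone away. Function names and the constructed fixture tree are hypothetical; directories are parameters so the logic runs against a temp directory rather than the real `/usr/bin`.

```shell
#!/bin/sh
# Added example, not ParrotOS or firejail code: a firecfg-style pass that routes
# profiled programs through firejail via symlinks in a directory that precedes
# the real binaries in PATH (/usr/local/bin before /usr/bin on Debian).
set -e

# Log to stderr so callers can capture function results from stdout.
log() { echo "$*" >&2; }

# link_profiled_binaries BIN_DIR PROFILE_DIR LINK_DIR FIREJAIL
#   For every executable in BIN_DIR with a PROFILE_DIR/<name>.profile, create
#   LINK_DIR/<name> -> FIREJAIL. Programs without a profile are skipped.
#   Links that point at FIREJAIL but whose program or profile has vanished are
#   removed: this is the work a post-install hook must redo after an upgrade.
link_profiled_binaries() {
    bin_dir=$1; profile_dir=$2; link_dir=$3; firejail=$4
    mkdir -p "$link_dir"
    for prog in "$bin_dir"/*; do
        if [ ! -x "$prog" ]; then continue; fi
        name=$(basename "$prog")
        if [ "$name" = "$(basename "$firejail")" ]; then continue; fi  # never wrap firejail itself
        if [ -f "$profile_dir/$name.profile" ]; then
            ln -sfn "$firejail" "$link_dir/$name"
            log "linked   $name"
        else
            log "skipped  $name (no profile)"
        fi
    done
    for link in "$link_dir"/*; do
        if [ ! -L "$link" ]; then continue; fi
        if [ "$(readlink "$link")" != "$firejail" ]; then continue; fi  # not ours, leave it
        name=$(basename "$link")
        if [ ! -x "$bin_dir/$name" ] || [ ! -f "$profile_dir/$name.profile" ]; then
            rm -f "$link"
            log "removed  $name (stale)"
        fi
    done
}

# count_firejail_links LINK_DIR FIREJAIL: number of entries resolving to FIREJAIL.
count_firejail_links() {
    n=0
    for link in "$1"/*; do
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$2" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# make_fixture: constructed stand-in tree (not real packages), printed as a path.
# Three fake programs, profiles for only two of them, and a fake firejail.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc/firejail"
    for p in browser mailer editor; do
        printf '#!/bin/sh\necho real %s\n' "$p" > "$root/usr/bin/$p"
        chmod +x "$root/usr/bin/$p"
    done
    printf '#!/bin/sh\necho "firejail wrapper invoked as $0"\n' > "$root/usr/bin/firejail"
    chmod +x "$root/usr/bin/firejail"
    : > "$root/etc/firejail/browser.profile"
    : > "$root/etc/firejail/mailer.profile"
    echo "$root"
}

# demo: first pass links browser and mailer; then "mailer" is removed as a
# package upgrade might do, and the second pass prunes its stale link.
# Prints the final link count (1).
demo() {
    root=$(make_fixture)
    link_profiled_binaries "$root/usr/bin" "$root/etc/firejail" "$root/usr/local/bin" "$root/usr/bin/firejail"
    rm "$root/usr/bin/mailer"
    link_profiled_binaries "$root/usr/bin" "$root/etc/firejail" "$root/usr/local/bin" "$root/usr/bin/firejail"
    count_firejail_links "$root/usr/local/bin" "$root/usr/bin/firejail"
    rm -rf "$root"
}

demo
```

The "skipped" lines are the part worth surfacing to users: a program without a profile is simply not wrapped, so the hook's log (or a `firejail --list`-style report) is where someone checks whether a given program is actually covered.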


Looks like what we were interested in this firejail issue was implemented.


When I run firejail --debug --seccomp torbrowser

I get this error

ERROR: Failed to start Tor Browser!

Failed to run:

systemctl --no-pager --no-block status tb-updater-first-boot.service.

systemctl output:

Failed to connect to bus: Permission denied

To see this for yourself, you could try:
Start Menu -> Applications -> System -> Terminal
Then run:
systemctl --no-pager --no-block status tb-updater-first-boot.service

Installing /run/firejail/mnt/seccomp.protocol seccomp filter
[ERROR] [torbrowser] Failed to start Tor Browser!

Failed to run:
systemctl --no-pager --no-block status tb-updater-first-boot.service.

systemctl output:

Failed to connect to bus: Permission denied

To see this for yourself, you could try: Start Menu -> Applications -> System -> Terminal
Then run:
systemctl --no-pager --no-block status tb-updater-first-boot.service
Sandbox monitor: waitpid 6 retval 6 status 1024

I use Tor Browser 8.0.6.

@0brand is it a bug for all people? Or just for me?

Unfortunately everyone.


Please experiment with this in Whonix 15.

sudo apt-get install firejail-profiles

(Whonix VirtualBox 15.0.0.0.7 - Debian buster based - Testers Wanted!)

Let me know if this breaks anything.
(Related to T869: Install Firejail by default inside Whonix)


Using this command:

firejail --debug --seccomp torbrowser

it is working!


Not related to Firejail but I would like to suggest bubblewrap as an alternative sandboxing program. It uses Linux namespaces to isolate programs and doesn’t require profiles like Firejail does so it should be easier to maintain. It’s used as a command instead. e.g.

bwrap --dev-bind / / --unshare-all foo

This will use all namespaces available to sandbox foo.

It can also be used to remove network access for programs that don’t need it with the --unshare-net option.

It’s in the Debian repos too.

It’s not that complicated either.

Another advantage over Firejail is that it has a very small attack surface, unlike Firejail which has a massive attack surface. This makes it much more likely to contain fewer vulnerabilities.

Related:

https://wiki.archlinux.org/index.php/Bubblewrap

https://jlk.fjfi.cvut.cz/arch/manpages/man/bwrap.1

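The `bwrap --dev-bind / / --unshare-all foo` form quoted above gives the program the whole host filesystem read-write, device nodes included, so the only containment left is the namespaces. The wrapper below is an added example, not code from this thread, from Whonix or from the bubblewrap project, showing the more restrictive shape a practitioner would start from: system directories bound read-only, a fresh `/tmp` and an empty home, the network namespace left empty unless the caller asks to keep it, and the sandbox tied to its parent's lifetime. The `bwrap` flags are real; the helper names are hypothetical. For files that should persist, a `--bind "$HOME/some-dir" "$HOME/some-dir"` for one directory is the bubblewrap equivalent of the home whitelisting mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, Whonix or the bubblewrap project:
# build a least-privilege bwrap command line and run it if bwrap is installed.
set -e

# bwrap_args NET PROGRAM [ARGS...]
#   Print the argument list, one per line. NET is "net" to keep network access
#   or "nonet" to leave the program in the empty network namespace that
#   --unshare-all creates (--share-net undoes only that one namespace).
bwrap_args() {
    net=$1; shift
    # Read-only views of the system directories that exist on this host.
    for d in /usr /etc /lib /lib64 /bin /sbin; do
        if [ -e "$d" ]; then printf '%s\n' --ro-bind "$d" "$d"; fi
    done
    # Private /proc and a minimal /dev; scratch space and home start empty,
    # so nothing the program writes outlives it unless explicitly bound in.
    printf '%s\n' --proc /proc --dev /dev --tmpfs /tmp --tmpfs "${HOME:-/root}" \
        --unshare-all --die-with-parent --new-session
    if [ "$net" = net ]; then printf '%s\n' --share-net; fi
    printf '%s\n' "$@"
}

# has_arg LIST FLAG: succeed if FLAG is one line of LIST (used by checks below).
has_arg() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

# run_sandboxed NET PROGRAM [ARGS...]: execute PROGRAM under bwrap.
# Arguments are split on newlines only, so paths with spaces survive.
run_sandboxed() {
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "bwrap not installed; would run: bwrap $(bwrap_args "$@" | tr '\n' ' ')" >&2
        return 127
    fi
    old_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting the list
    set -- $(bwrap_args "$@")
    set +f
    IFS=$old_ifs
    bwrap "$@"
}

# Sanity checks on the generated list: never the permissive form, network
# only when asked.
args=$(bwrap_args nonet /bin/true)
if has_arg "$args" --dev-bind; then echo "unexpected --dev-bind" >&2; exit 1; fi
if has_arg "$args" --share-net; then echo "unexpected --share-net" >&2; exit 1; fi

# Demo when run directly: inside the sandbox /proc/net/dev lists only lo,
# because the program sits in a fresh network namespace.
run_sandboxed nonet /bin/sh -c 'cat /proc/net/dev' || true
```

`--unshare-all` is what the quoted command already relies on; the difference is in what the mount list exposes. With `--dev-bind / /` a compromised program still reads and writes everything the user can; with read-only system binds and a tmpfs home it can only keep what was deliberately bound in, which is the property the thread wants from a profile-less sandbox.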