Looking for firejail / seccomp maintainer for better security!



Originally published at: https://www.whonix.org/blog/looking-for-firejail-maintainer
firejail is a sandbox to restrict the application environment.

Please contribute. Task:

  • play around with firejail in Whonix
  • see how it goes
  • report (and possibly fix) issues upstream in firejail
  • test the Tor Browser firejail profile, consider packaging it
  • maintain firejail profiles in Whonix
This is a volunteer position.

Whonix firejail / seccomp development discussion:

Clicking links inside Thunderbird asking to reinstall Tor Browser - Due to Firejail sandboxing
firejail / seccomp / More Options for Program Containment

Hi Patrick,

Why not use the Xen Hypervisor for isolation, since it can isolate at the GUI level, which is essential for a desktop system? Unless, of course, firejail already has that feature. Xen also includes other features that this program might not have. Here's a link with a full description of how Xen differs from most other isolation solutions: http://theinvisiblethings.blogspot.com/2012/09/how-is-qubes-os-different-from.html

Pls let me know your thoughts, I would love to hear them!

Anyway, take care and stay healthy. Don’t overwork that genius brain of yours.


I can’t volunteer because I have no experience packaging, but if someone makes better profiles I’ll try them.

I already run firejail using a modified /etc/firejail/firefox.profile for TBB (what the firejail author said he was doing).

It works fine with both apparmor and firejail enabled at the same time (only a few extra tweaks to apparmor needed for files under /run/firejail).


Because we already do with Qubes-Whonix and because firejail / seccomp is a protection layer at a different level.

Yes, great! Testing will certainly help once we have found a maintainer to work on this!

Good to know!

I’ll post more questions here: firejail / seccomp / More Options for Program Containment


A ton of firejail profiles by Parrot! Please feel encouraged to test them inside Whonix!

Check Parrot OS sandboxing code
firejail / seccomp / More Options for Program Containment

I am green with Whonix, Firejail, and packaging for a distribution in general, but I would dive in* if you’re willing to give me a shot. I’m experienced with Linux and a programmer by trade.

The topic of process isolation via features already found in the Linux kernel (cgroups and namespaces) is intriguing, so Firejail is something I want to learn about and help improve if at all possible. I can say the same for Whonix itself - I may not use it on a daily basis but I see why it’s a necessity and believe in the goals of the project. Even if you say “No, we’re looking for someone with more experience” I’ll still try to find some way to help out.

Thanks for taking the time to read this and for all the work you do.

* I’m getting married and going on my honeymoon shortly, but I would devote time to the project as soon as I got back on the 24th of September.


Welcome! Amazing! Looking forward to working with you!

No worries, there’s no “No, we’re looking for someone with more experience”. I guess if someone is willing to help, it’s going to be helpful either way. :)


I wanted everyone to know that I’m still looking at everything… Everything. I’m trying to learn more about Firejail, so I actually wrote some documentation up for an open source project named TLDR that lets you read better documentation from the command line: tldr#2354.

I’ve also been looking at Whonix building, and what goes into all of that. I’m still looking through the Wiki and the source trying to get up to speed, but to be honest at my pace it’s slow going. I’ve been using Firejail in Whonix with great success so far.

I also just stumbled across a different project that I wanted to bring to people’s attention, called bubblewrap.

I’m still on the case! :) I’ll touch base again soon.