[solved] "An existing sandbox was detected. /usr/bin/firefox will run without sandboxing features" #5575
-
Arch Linux virtual machine (qemu), with linux_hardened kernel. Host is also Arch Linux. I have apparmor installed and enabled. I am trying to run firefox using firejail, making sure that firefox is adequately sandboxed. But it's not working. The way I've tested that it doesn't work is by downloading a file through firefox (yes, after I ran it using firejail), closing firefox, and then checking that same file using a file manager such as nemo. The file persists, indicating to me that the sandbox did not work. The error is an indication that it's not working.

I have searched all instances of this warning I can find online and I haven't found a solution. Yes, I have seen this referenced as an issue on this very github but the solutions did not work for me. It is commonly attributed to not using the --force parameter, which I used, without success. It still shows the warning. It's also been said that you can't run a sandbox within a sandbox, which isn't the case with my situation (as far as I'm aware). Unless a virtual machine is considered a sandbox. I also made sure to run I followed this guide and the associated video: https://null-byte.wonderhowto.com/how-to/locking-down-linux-using-ubuntu-as-your-primary-os-part-3-application-hardening-sandboxing-0185710/. I indeed ran Is the problem that I'm using a virtual machine, or maybe linux_hardened kernel? Or maybe apparmor is not installed properly (I'm fairly certain it is)? I installed and configured firejail according to instructions from various sources such as the arch wiki, nullbyte link above, and a few youtube tutorials. Am I doing something wrong?

Lastly, I am on the fence regarding firejail and bubblewrap. Keep in mind I'm still doing my research but I've heard that bubblewrap is more secure, and that firejail is not as reliable because of how easy it is to run without adequately sandboxing it. I know they both have their pros and cons but I'd like a little nudge in the right direction.
Replies: 3 comments 5 replies
-
Was removed decades ago (as far as I remember the date 😉).
If you run
sudo firecfg
after the installation, this command will start a sandbox in a sandbox. Try
firejail --private /usr/bin/firefox
(all other arguments are already in firefox.profile).
-
There are two things, the security of sandboxed programs (i.e. how tight is the sandbox) and the possibility that an unsandboxed program can exploit a vulnerability in bubblewrap/firejail. For the latter case (an unsandboxed program exploits a vulnerability in bubblewrap/firejail), bubblewrap wins because of its smaller attack surface. If you installed bubblewrap w/o the suid bit, the attack surface (for priv-escalation) is practically zero. For security of the sandbox, firejail wins in my eyes because it's much easier. For bubblewrap you need to know a lot of details of a linux system, write your own profiles because there aren't >1000 community maintained profiles (to start with), you need to find a way to handle network stuff (firejail has optional Both firejail and bubblewrap allow starting programs unsandboxed.
-
@rusty-snake Sorry to bother you, but I have a question that is unrelated to the issue posted, but I don't think it warrants creating a new topic. Where do downloaded files go in the sandbox / where is the sandbox actually located on my filesystem? In other words, if I want to transfer a file to/from the sandbox, where would I look? I know it may defeat the purpose of the sandbox, but I'm sure there would be some situation where I would want to do this.
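The persistence check from the original post (download a file, then see whether it survives on the host), turned into a repeatable script around the `firejail --private` invocation suggested above. This is an added example, not code from the thread or from the firejail project; it assumes firejail is on PATH and that, as documented for firejail, every sandbox it starts has the environment variable `container=firejail` set. The marker file name is a constructed value.

```shell
#!/bin/sh
# Added example: check whether a --private firejail sandbox really isolates $HOME.
# Assumes firejail is installed; MARKER is a constructed file name.

MARKER="firejail-probe-$$"

# Returns 0 when this shell is already running inside a firejail sandbox.
# firejail exports container=firejail into each sandbox it starts; launching
# firejail again from such a shell is the nested case that triggers the
# "An existing sandbox was detected" warning.
in_firejail() {
    [ "${container:-}" = "firejail" ]
}

# Write a file into $HOME from inside a --private sandbox, then look for it
# on the host. Exit codes:
#   0 = file did not persist ($HOME was isolated, the sandbox works)
#   1 = file persisted (the program was NOT running with a private home)
#   2 = nothing tested (firejail missing, or we are already sandboxed)
probe_private_home() {
    command -v firejail >/dev/null 2>&1 || return 2
    if in_firejail; then
        echo "already inside a firejail sandbox; run this from the host shell" >&2
        return 2
    fi
    rm -f "$HOME/$MARKER"
    # --private mounts a throwaway tmpfs over $HOME; --quiet hides the banner.
    firejail --quiet --private sh -c "touch \"\$HOME/$MARKER\"" >/dev/null 2>&1
    if [ -e "$HOME/$MARKER" ]; then
        rm -f "$HOME/$MARKER"
        return 1
    fi
    return 0
}

# Stand-alone usage: report the outcome without aborting the shell.
rc=0
probe_private_home || rc=$?
case "$rc" in
    0) echo "ok: file written inside --private sandbox did not reach the host" ;;
    1) echo "FAIL: file persisted in $HOME, the sandbox is not isolating it" ;;
    *) echo "skipped: firejail unavailable or already sandboxed" ;;
esac
```

Run it from a normal host shell, not from a terminal that was itself started under firejail. A result of 1 is the symptom described in the original post: the program wrote straight into the real home directory, so whatever wrapper was in front of it did not apply a private home.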