Here are basic installation instructions (Guidance) I have used.
- Project webpage: https://firejail.wordpress.com/
- Download and Installation: https://firejail.wordpress.com/download-2/
- Features: https://firejail.wordpress.com/features-3/
- Documentation: https://firejail.wordpress.com/documentation-2/
- FAQ: https://firejail.wordpress.com/support/frequently-asked-questions/
- Travis-CI status: https://travis-ci.org/netblue30/firejail
Good reference sites/articles:
- https://github.com/rahiel/firectl
- https://www.makeuseof.com/tag/firejail-simple-way-improve-security-linux/
- https://wiki.archlinux.org/index.php/Firejail
- https://github.com/netblue30/firejail
- https://forums.linuxmint.com/viewtopic.php?t=240157
- https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Sandboxing_the_Firefox_Browser_with_Firejail
First Install:
- Firejail
- firectl
Follow installation instructions provided here: firectl.
Firejail issues after initial setup:
Thunderbird whitelisting is required if you are running in a non-standard location, like Dropbox:
The following seems to work; create a local file (profile) containing the following:
$ sudo mousepad /etc/firejail/thunderbird.local
add the following content (or similar):
# Firejail profile for Thunderbird customization
noblacklist ${HOME}/Dropbox/Thunderbird
[…]
whitelist ${HOME}/Dropbox/Thunderbird
[…]
Thunderbird is unable to attach items to messages
All directories that you wish to have access to from Thunderbird need to be whitelisted in thunderbird.local. To fix my problem I simply whitelisted my Desktop for use by Thunderbird.
It looks like this:
# Firejail profile for Thunderbird customization
noblacklist ${HOME}/Dropbox/Thunderbird
noblacklist ${HOME}/Desktop
[…]
whitelist ${HOME}/Dropbox/Thunderbird
whitelist ${HOME}/Desktop
[…]
Note: If you don’t want to whitelist additional directories, you may also access attachments from an accessible directory like /tmp. If the desired attachments are copied and linked from there then things also work.
VirtualBox whitelisting is required if you are running in a non-standard location, like Dropbox:
This seems to work; create a local file (profile) containing the following:
$ sudo mousepad /etc/firejail/virtualbox.local
add the following content (or similar):
# Firejail profile for virtualbox Customizations
noblacklist ${HOME}/Dropbox
noblacklist ${HOME}/Desktop
whitelist ${HOME}/Dropbox
whitelist ${HOME}/Desktop
Firefox browser needs the following in firefox.local. This allows downloads to function “normally” and land on the Desktop or in a Dropbox/Downloads folder, rather than going into a “bit bucket” somewhere unpredictable:
# Firejail profile for Firefox Customizations
noblacklist ${HOME}/Dropbox/Downloads
noblacklist ${HOME}/Desktop
whitelist ${HOME}/Dropbox/Downloads
whitelist ${HOME}/Desktop
Create similar {browser}.local files for other browsers.
Care & Feeding:
After performing a system update you will need to run the following terminal command:
$ firectl status
Follow the instructions provided, generally:
$ sudo firectl restore
Additional conflicts:
Chromium default browser status check(s) need to be disabled.
There is no solution yet, so far as I am able to determine.
Dropbox does not work reliably.
I am unable to find a solution for this. It appears to be a bug.
DuckDuckGo Security essentials prevent links working between Thunderbird and Firefox or Chromium.
I have elected to install Dropbox via Flatpak.
Brave browser also needs help in order to run; the following content in /etc/firejail/brave.local seems to work:
# Profile for Brave browser customization
noblacklist ~/.config/brave
noblacklist ~/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
# Hardening options left commented out below are not enabled by this file
#caps.drop all
netfilter
#nonewprivs
#noroot
#protocol unix,inet,inet6,netlink
#seccomp
whitelist ${DOWNLOADS}
mkdir ~/.config/brave
whitelist ~/.config/brave
mkdir ~/.pki
whitelist ~/.pki
# lastpass, keepass
# for keepass we additionally need to whitelist our .kdbx password database
whitelist ~/.keepass
whitelist ~/.config/keepass
whitelist ~/.config/KeePass
whitelist ~/.lastpass
whitelist ~/.config/lastpass
include /etc/firejail/whitelist-common.inc
In order to deal with global system uniqueness in your environment, you may need to create and add a globals.local file.
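An added example, not part of the original page or of the Firejail project: a small shell check for the .local files above. It reports hardening options that appear only as comments (as in the brave.local above) and whitelist entries with no noblacklist for the same path, following the pairing used in the profiles on this page. The function names are hypothetical, and an UNPAIRED line only means the path should be checked against the disable-*.inc files.

```shell
# Added example: audit a Firejail .local override, one finding per line.
#   DISABLED <option>  hardening option that appears only as a comment
#   UNPAIRED <path>    whitelist with no noblacklist for the same path
audit_local() {
    awk '
    function arg(s) {   # strip the directive keyword, keep its argument
        sub(/^[ \t]*[a-z.]+[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s
    }
    /^[ \t]*#[ \t]*(caps\.drop|nonewprivs|noroot|protocol|seccomp)([ \t]|$)/ {
        s = $0; sub(/^[ \t]*#[ \t]*/, "", s); split(s, f, /[ \t]+/)
        commented[f[1]] = 1; next
    }
    /^[ \t]*#/          { next }              # ordinary comment
                        { active[$1] = 1 }    # directive that is in force
    $1 == "noblacklist" { nb[arg($0)] = 1 }
    $1 == "whitelist"   { wl[++n] = arg($0) }
    END {
        k = split("caps.drop nonewprivs noroot protocol seccomp", opt, " ")
        for (i = 1; i <= k; i++)
            if (commented[opt[i]] && !active[opt[i]]) print "DISABLED " opt[i]
        for (i = 1; i <= n; i++)
            if (!(wl[i] in nb)) print "UNPAIRED " wl[i]
    }' "$1"
}

# Constructed sample: a subset of the brave.local lines shown on this page.
sample_brave_local() {
    cat <<'EOF'
# Profile for Brave browser customization
noblacklist ~/.config/brave
#caps.drop all
#nonewprivs
#noroot
#protocol unix,inet,inet6,netlink
#seccomp
whitelist ${DOWNLOADS}
whitelist ~/.config/brave
EOF
}

audit_sample() {
    tmp=$(mktemp) && sample_brave_local > "$tmp" && audit_local "$tmp"
    rm -f "$tmp"
}

# Audit the file given as the first argument, or the sample if none is given.
if [ $# -gt 0 ]; then audit_local "$1"; else audit_sample; fi
```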