Firejail worsening security?

Hi There,

Firejail/firetools included by default in Whonix Anonymous OS distro (just jealousy from parrot :stuck_out_tongue_closed_eyes:), but recently discussion appeared that Firejail is worsening the security of the OS and i will copy (with rearranging) the arguments here:

  • High rate or hole of privilege escalations: references CVEs and Seclist discussion.
  • Firejail bulky code and complexity increases security threats and surface attack
  • Review from bubblewrap/flatpak maintainer Simon McVittie: here
  • Review from security guy like Daniel Micay: here

and thus if any sandboxing tool to be used is Bubblewrap. (full discussion can be found here)

^^^ These are the arguments posted in our forums, i hope the replies going to be technically based to this issue because this is not a matter of opinion but rather technical security outcome. cc @palinuro


We should research about new sandbox and share the result to each others then


Yep its totally correct thats why i opened this subject.

Where have we reached:

I opened a ticket on FireJail github with the same points of arguments and there was great discussion:

My (TNT) personal conclusion from the conversation:

  • both has same impact of security, less code doesn’t mean much because its functionality reduced then less interaction with apps.

  • The choice is either having one/both of them OR delete both of them NOT one over another because both are the same in a way or another.

  • Apparmor is the grand master of wise secure sandboxing over them.(sadly very low effort contributors towards it)

Comment on Daniel Micay: hes obsessed with google&proprietary security (i call it security through delusion) here are some collective comments from him: (you can check his responses in arch mailinglist and reddit posts)

Daniel Micay’s statements aren’t very productive, even if the basic premise of what he is saying is often true.

In the gVisor documentation they mention the limitations of AppArmor and seccomp systems (

Rule-based execution , such as seccomp, SELinux and AppArmor, allows the specification of a fine-grained security policy for an application or container. These schemes typically rely on hooks implemented inside the host kernel to enforce the rules. If the surface can be made small enough (i.e. a sufficiently complete policy defined), then this is an excellent way to sandbox applications and maintain native performance. However, in practice it can be extremely difficult (if not impossible) to reliably define a policy for arbitrary, previously unknown applications, making this approach challenging to apply universally.

1 Like

IMO everything can have vuln. Extra security layer means extra vuln can have. I personally don’t really like golang because the performance could be fast but it is still slow than C (and after i found the nim lang) but it can get rid of common vulns so it is better (but we still don’t know about logic 0day vulns).
But all of that is theory. We’ll check more sandbox solution and ask Palinuro about them :smiley:

1 Like

decision either to have bubblwrap or deleting any sandboxing tool at the moment and stay using only mandatory access control (MAC) like apparmor. Not yet decided but i will mention here once Whonix will be released with whatever decision will be made.

1 Like

Why Firejail is allowing Firefox to access to my USB drive or Windows installation on the same drive as Parrot? That was not an issue some time ago?? I could saved downloads then only to my Home folder and notting beside that…

You can black list your path :slight_smile:

OFC, but in previous releases Firejail settings were more restricted, wasn’t it? By default I couldn’t save something from browser to USB, or some other HDD…, or even other folder except /Downloads…

Yes but the problem is maybe other users want it be like that. I agree with the USB part but other locations, it depends on users and we provide basic settings. You see, there are users don’t even want to use firejail.


This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.