Sandboxing Firefox using firejail (portals, d-bus, pipewire, pulseaudio, webcam, ...)

Flatpak is nice, but it consumes way too much storage space and is currently not suitable for browsers at all, as they block user namespace creation and workarounds like zypak should still be considered experimental.

When sandboxing, the browser should be first priority, as it runs executable code with every site you visit. Yes, SVG rendering, PDF viewers etc. are cool, but browsers should be the focus.

As NixOS does not have packages for bubblejail or crabjail yet, and has some support for firejail, I wanted to give that a try.

I want to document what I found, and ask for help closing the many gaps I found.

Findings

I found a bunch of different ways to declare the same thing. Example:

programs.firejail = {
  enable = true;
  wrappedBinaries.firefox = {
    executable = "${lib.getBin pkgs.firefox}/bin/firefox";
    profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
    # Flags appended to every firejail invocation made through this wrapper.
    extraArgs = [
      "--dbus-user.talk=org.freedesktop.Notifications"
    ];
  };
};

environment.etc = {
  # DEFAULTS: rules shared by every profile. The stock profiles contain
  # `include globals.local`, so this file is where shared directives go;
  # firejail.config is firejail's own key/value runtime configuration and
  # does not accept profile directives such as dbus-user.talk.
  "firejail/globals.local".text = ''
    dbus-user.talk org.freedesktop.Notifications
  '';

  # FIREFOX: per-program overrides, pulled in by `include firefox.local`
  # in firefox.profile.
  "firejail/firefox.local".text = ''
    dbus-user.talk org.freedesktop.Notifications
  '';
};

I decided to go with the latter, building a config for shared permissions (/etc/firejail/firejail.config), and one for local overrides (/etc/firejail/firefox.local), as they are cleaner and don’t cause huge process commands.

There are default profiles, but I was not able to find a repo where they are stored. They can be accessed locally like so:

cp /nix/store/ric45krl3nij5437n8brqx8nayyzimkh-firejail-0.9.80/etc/firejail/firefox.profile .

Things that don’t work

In Firefox, the filechooser portal works. But the “select application to open file” menu does not work at all, which should be handled by the system. I am using, among others, the following configs for all programs

dbus-user.talk org.a11y.Bus
dbus-user.talk org.freedesktop.portal.*
dbus-user.talk org.freedesktop.UPower

read-only ~/.local/share/applications
# system desktop entries folder missing

Questions

How do I replace variables in the profile text, like the ones from the hardened firejail profiles?

noexec ${HOME}
noexec /tmp
noexec ${RUNUSER}

How do I replace paths, like these?

whitelist /usr/share/firefox
whitelist /usr/share/mozilla
whitelist /usr/share/fonts
whitelist /usr/share/icons

private-bin firefox,firefox-esr,which,sh,env,bash
private-etc hosts,passwd,mime.types,fonts,mailcap,firefox,xdg,gtk-3.0,X11,pulse,alternatives,localtime,nsswitch.conf,resolv.conf

Future perspective

It seems that firejail is maintained and stable. There were security incidents with it in the past, and I can imagine that other tools might be more secure. But I don’t know that yet.

I can say that firejail works pretty well currently! This workaround did not work and was not needed for icons to appear as usual.

Links

2 Likes
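The setup described in the post, assembled as one NixOS module. This is an added example, not code from the original post or from the NixOS firejail module; it assumes, as the post does, that firejail reads /etc/firejail/<name>.local and /etc/firejail/globals.local, and the only package references are pkgs.firefox and pkgs.firejail as in the post. It shows the two escapes the questions above ask about: firejail's own macros such as ${HOME} and ${RUNUSER} are written as ''${HOME} inside a Nix indented string (Nix would otherwise try to interpolate them), while a bare ${pkgs.firefox} interpolation is how a Nix store path replaces a hard-coded /usr path.

```nix
# Added example: NixOS configuration for a firejail-wrapped Firefox.
# Assumes firejail resolves `include firefox.local` and
# `include globals.local` to /etc/firejail, as the post relies on.
{ config, lib, pkgs, ... }:

{
  programs.firejail = {
    enable = true;
    wrappedBinaries.firefox = {
      # Bare ${...} is Nix interpolation: the store path ends up in the file.
      executable = "${lib.getBin pkgs.firefox}/bin/firefox";
      profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
    };
  };

  environment.etc = {
    # Shared rules: the stock profiles contain `include globals.local`,
    # so these lines apply to every wrapped program.
    # ''${NAME} inside a Nix '' string writes a literal dollar-brace macro
    # into the file; firejail, not Nix, expands it at run time.
    "firejail/globals.local".text = ''
      dbus-user.talk org.a11y.Bus
      dbus-user.talk org.freedesktop.portal.*
      dbus-user.talk org.freedesktop.UPower
      dbus-user.talk org.freedesktop.Notifications

      noexec ''${HOME}
      noexec /tmp
      noexec ''${RUNUSER}
    '';

    # Per-program overrides, pulled in by `include firefox.local`
    # in firefox.profile.
    "firejail/firefox.local".text = ''
      read-only ~/.local/share/applications
    '';
  };
}
```

After a rebuild, `cat /etc/firejail/globals.local` should show `noexec ${HOME}` with the macro intact; if the build instead fails with an undefined-variable error, a `${` in one of the indented strings is missing its leading `''`.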

Plugging this as a nice way to sandbox things with Bubblewrap on Nix as a Firejail alternative. It does not have Flatpak's userns restrictions by default (you can do disable-userns, but that's optional), but it can use Flatpak manifests and translate them to bwrap args. I'm currently using it for Spotify and PrismLauncher:

5 Likes

I’ve been meaning to experiment with this for Steam so winapps can’t run malware on /home.
Bookmarking this thread.

1 Like

That is really cool! I need to learn more about flakes for installing it, but it sounds like a great alternative to firejail, and better than hacking bubblejail to somehow work with Nix.

1 Like