Jailing the Zoom Client

While there are many Open Source solutions for browser-based videoconferencing and online meetings, like BigBlueButton or Jitsi, I am still forced to use zoom in a lot of contexts.

But the zoom web client lacks a lot of functionality and generally does not work well in my experience.

On the other hand I absolutely distrust the zoom client. Just inspect the strings that appear in the binary of the launcher…

$ strings /opt/zoom/ZoomLauncher | grep grep
pacmd list-sinks |grep 'name:\|module:'

Yes, they are using a lot of shell commands in their compiled binaries.

Firejail to the rescue!

In short, Firejail is a wrapper that allows to limit what a process is allowed to to with regards not only to the filesystem but also all other aspects of your system.

A profile is used to define the permissions and view on the filesystem, then the binary is called via the Firejail wrapper.

This approach allows me to always use the latest published version of the client, provided as .deb by zoom and install it directly on my system. Which makes updating really easy.


I created two directories in my home, zoom.back and zoom.data to store Images to use for virtual backgrounds in the first and to store recordings or files downloaded via zoom client in the other.

The Profile

You probably have to tune the profile file below, according to your needs, with regards to filesystem access and mounted directories. It can probably be improved additionally but below profile works for me.

include /etc/firejail/disable-common.inc 
include /etc/firejail/disable-passwdmgr.inc

include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-xdg.inc
include /etc/firejail/disable-exec.inc
include /etc/firejail/disable-devel.inc


read-only ~/

whitelist ~/zoom.back
read-write ~/zoom.back

whitelist ~/zoom.data
read-write ~/zoom.data

whitelist ~/.zoom
read-write ~/.zoom

whitelist ~/.config/zoomus.conf
read-write ~/.config/zoomus.conf

private-etc group,hostname,passwd,profilem,bash.bashrc,fonts
blacklist /mnt
blacklist /data
blacklist /media
protocol inet,inet6,netlink,unix
caps.drop all
# needed by zoom: memory-deny-write-execute
shell none
dbus-user none
dbus-system none

My startup script

As a bonus I am checking if my camera is attached and enable the microphone profile on my headset before starting zoom. The important line is the last command, make sure when copy pasting to have no trailing whitespace after the backslashes.


# switch the audio profile of my headset
~/bin/headset meeting

# check if my external camera is attached, as
# firejail will only show devices already present

lsusb -d 046d:0825
if [ ! "$?" -eq 0 ]; then
  # wait until ok is pressed
  xmessage "Turn on camera!"

# call zoom in the jail, write a trace file to inspect
# afterwards if it crashed or throws errors

firejail --trace=~/.zoomtrace \
    --profile=~/.firejail-zoom-profile \
    /usr/bin/zoom $@

The Result

The zoom client and all it’s client processes should now not be able to access your home directory or drop files somewhere etc. With that I am somewhat less concerned running that binary on my user account on my main working machine.

Below you see how the dialog to choose a virtual background looks like with that profile.

Software Versions

I am currently running Debian 11.1 and the deb-package versions are zoom, and for firejail and firejail-profiles.





Dieser Beitrag wurde unter de, debian, Desktop, IT, Linux, security veröffentlicht. Setze ein Lesezeichen auf den Permalink.