With firecfg, how do I configure specific applications to go through firejail? #3665

Closed
Joe23232 opened this issue Oct 13, 2020 · 28 comments
Labels
question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested


@Joe23232

I know that with the command sudo firecfg will get all the applications to open through firejail, however I don't want this, I want to only specify specific applications such as chromium etc.

How would I achieve this if this is even possible?

@rusty-snake
Collaborator

rusty-snake commented Oct 13, 2020

  1. [Question] How to use firejail only for certain apps? #3213 extended with a script (which is started as root). You must verify the .desktop files yourself.
#!/bin/bash
# Run as root. For each listed program, point /usr/local/bin/<app> at the
# firejail binary. Because /usr/local/bin is searched before /usr/bin, typing
# "app" then starts firejail, which picks the program and its profile from
# the name it was invoked as; nothing else on the system is wrapped.
apps=(firefox thunderbird libreoffice)
for app in "${apps[@]}"; do
	ln -s /usr/bin/firejail "/usr/local/bin/$app"
done
  2. Edit /usr/lib/firejail/firecfg.config (the path depends on the distro and configure options; use locate firecfg.config). You should first create a backup of it.

  3. Use firecfg.py with custom groups (I work on more group control via command-line and config-file).

  4. https://github.com/rahiel/firectl.

EDIT: added firectl

@rusty-snake rusty-snake added the question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested label Oct 13, 2020
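The symlink approach from the script above, written out with the checks a practitioner wants before pointing a program name at firejail. This is an added example, not code from the thread or from the firejail project: it only links programs that are actually installed and have a profile, refuses to overwrite anything in the target directory that is not already a firejail link, and warns when /usr/local/bin is not searched before /usr/bin (without that, the links are never used). The FJ_* variables are assumptions of this example so that it can be exercised on a scratch tree; their defaults are the real system paths, which need root.

```shell
#!/bin/sh
# Added example: wrap only selected programs in firejail via symlinks.
: "${FJ_BINDIR:=/usr/local/bin}"      # where the symlinks go
: "${FJ_SYSBIN:=/usr/bin}"            # where the real programs live
: "${FJ_FIREJAIL:=/usr/bin/firejail}" # the binary every link points to
: "${FJ_PROFILES:=/etc/firejail}"     # firejail looks for <app>.profile here

# Create FJ_BINDIR/<app> -> FJ_FIREJAIL for each app that is installed and
# has a profile; never clobber a file that is not already a firejail link.
# Prints the number of links created (skips go to stderr).
link_selected_apps() {
    linked=0
    for app in "$@"; do
        if [ ! -x "$FJ_SYSBIN/$app" ]; then
            echo "skip $app: $FJ_SYSBIN/$app is not installed" >&2
            continue
        fi
        if [ ! -f "$FJ_PROFILES/$app.profile" ]; then
            echo "skip $app: no $FJ_PROFILES/$app.profile" >&2
            continue
        fi
        link="$FJ_BINDIR/$app"
        if [ -e "$link" ] && [ "$(readlink "$link")" != "$FJ_FIREJAIL" ]; then
            echo "skip $app: $link exists and is not a firejail link" >&2
            continue
        fi
        ln -sf "$FJ_FIREJAIL" "$link"   # idempotent: re-links an existing firejail link
        linked=$((linked + 1))
    done
    echo "$linked"
}

# The links only take effect if FJ_BINDIR comes before FJ_SYSBIN in PATH.
check_path_order() {
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        if [ "$dir" = "$FJ_BINDIR" ]; then IFS=$old_ifs; return 0; fi
        if [ "$dir" = "$FJ_SYSBIN" ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 1
}

# Stand-alone use: ./link-apps.sh firefox thunderbird libreoffice
if [ "$#" -gt 0 ]; then
    check_path_order || echo "warning: $FJ_BINDIR is not before $FJ_SYSBIN in PATH; the links will not be used" >&2
    link_selected_apps "$@"
fi
```

If firecfg has already been run on the machine, undo its links first with firecfg --clean; this script is a replacement for firecfg, not an addition to it. Afterwards, command -v firefox should print the path under /usr/local/bin, and readlink on it should print the firejail binary.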
@Joe23232
Author

Hi thanks for your response,

  2. Edit /usr/lib/firejail/firecfg.config (the path depends on the distro and configure options; use locate firecfg.config). You should first create a backup of it.

Sorry but in regards to this step, what should I specifically edit in this file?

@rusty-snake
Collaborator

This file specifies for which programs firecfg creates symlinks (if they are installed and have a profile). If a program is not listed there (or is commented out), no symlink is created for it.

Example (create a backup first; list only firefox, thunderbird and libreoffice):

# as root: the file lives under /usr/lib
$ mv /usr/lib/firejail/firecfg.config /usr/lib/firejail/firecfg.config.bak
$ cat > /usr/lib/firejail/firecfg.config <<EOF
thunderbird
firefox
libreoffice
EOF

@Joe23232
Author

Joe23232 commented Oct 15, 2020

Hey man, cat > /usr/lib/firejail/firecfg.config <<EOF sorry, what do cat > and <<EOF mean? I know what cat means, but what does this > do after the cat?

@rusty-snake
Collaborator

Those are bash redirections.
https://www.cyberciti.biz/faq/using-heredoc-rediection-in-bash-shell-script-to-write-to-file/
https://wiki.bash-hackers.org/syntax/redirection
https://www.gnu.org/software/bash/manual/html_node/Redirections.html


Maybe it is easier for you to understand if it uses echo. However, you do not need to understand them. It is enough to know what they do (replace /usr/lib/firejail/firecfg.config with thunderbird, firefox, libreoffice (see below)).

Both snippets below do the same: replace /usr/lib/firejail/firecfg.config with

thunderbird
firefox
libreoffice

cat with a HERE-document

cat > /usr/lib/firejail/firecfg.config <<EOF
thunderbird
firefox
libreoffice
EOF

multiple echos

rm /usr/lib/firejail/firecfg.config                    # start from an empty file
echo thunderbird >> /usr/lib/firejail/firecfg.config   # >> appends one line each
echo firefox >> /usr/lib/firejail/firecfg.config
echo libreoffice >> /usr/lib/firejail/firecfg.config

@Joe23232
Author

I see mate, thanks :)

@Joe23232
Author

Joe23232 commented Oct 27, 2020

  1. [Question] How to use firejail only for certain apps? #3213 extended with a script (which is started as root). You must verify the .desktop files yourself.
#!/bin/bash
apps=(firefox thunderbird libreoffice)
for app in "${apps[@]}"; do
	ln -s /usr/bin/firejail "/usr/local/bin/$app"
done
  2. Edit /usr/lib/firejail/firecfg.config (path differs from distro and configure; use locate firecfg.config). You should first create a backup of it.
  3. Use firecfg.py with custom groups (I work on more group control via command-line and config-file).

Hi @rusty-snake in your 2nd step, what do I have to edit within /usr/lib/firejail/firecfg.config for firefox as an example? Am I supposed to just add firefox to it via echo firefox >> /usr/lib/firejail/firecfg.config?

@rusty-snake
Collaborator

Firecfg will only create symlinks for programs listed in firecfg.config. If you want to exclude a program from firecfg, just comment it out.

If you want to create symlinks only for a few selected programs, remove the file (or better, rename it to something like firecfg.config.orig) and create a new one with only the programs you want (one per line). So to make firecfg only create symlinks for firefox and thunderbird, add firefox as the first line and thunderbird as the second line. No other lines.
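Both ways of trimming firecfg.config that rusty-snake describes here and in the heredoc example earlier in the thread (rewrite the file with a short list, or keep the distro list and comment out what you do not want), as a script that keeps the shipped list as firecfg.config.orig and lets you inspect the active entries before running sudo firecfg. This is an added example, not the thread's or the firejail project's code. FIRECFG_CONFIG defaulting to /usr/lib/firejail/firecfg.config is taken from this thread; set it from locate firecfg.config on other distros, or point it at a scratch file to try the functions without root. The sample list in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: trim firecfg.config so firecfg links only selected programs.
: "${FIRECFG_CONFIG:=/usr/lib/firejail/firecfg.config}"

# Keep the distro-shipped list exactly once; later rewrites start from it.
backup_once() {
    if [ -f "$FIRECFG_CONFIG" ] && [ ! -f "$FIRECFG_CONFIG.orig" ]; then
        cp -p "$FIRECFG_CONFIG" "$FIRECFG_CONFIG.orig"
    fi
}

# Way 1: replace the file with only the given programs, one per line.
write_firecfg_config() {
    backup_once
    {
        echo "# trimmed firecfg.config; the original list is in firecfg.config.orig"
        for app in "$@"; do printf '%s\n' "$app"; done
    } > "$FIRECFG_CONFIG"
}

# Way 2: keep the distro list but comment out every program not given, so the
# file still shows what firecfg could have linked. Always derived from .orig,
# so it can be re-run with a different selection.
comment_out_except() {
    backup_once
    [ -f "$FIRECFG_CONFIG.orig" ] || { echo "no $FIRECFG_CONFIG.orig to start from" >&2; return 1; }
    awk -v keep=" $* " '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # comments and blanks
        index(keep, " " $1 " ")               { print; next }   # selected: keep
        { print "#" $0 }                                        # everything else
    ' "$FIRECFG_CONFIG.orig" > "$FIRECFG_CONFIG"
}

# The programs firecfg would act on: uncommented, non-empty entries of the
# given file (default: the live config).
active_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "${1:-$FIRECFG_CONFIG}"
}

# Stand-alone use (constructed sample list, as root for the real path):
#   comment_out_except firefox thunderbird   # or: write_firecfg_config firefox thunderbird
#   active_entries                           # review, then: sudo firecfg
```

After sudo firecfg, compare active_entries with firecfg --list: the symlinks it created under /usr/local/bin should be exactly the active entries that are installed and have a profile. If firecfg had been run before with the full list, run sudo firecfg --clean first so stale links for the programs you dropped do not stay behind.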

@Joe23232
Author

Joe23232 commented Oct 27, 2020

Firecfg will only create symlink for programs listed in firecfg.config. If you want to exclude a program from firecfg, just comment it.

If you want to create symlink only for a few selected programs, remove (or better rename it to something like firecfg.config.orig) it and create a new with only the program you want (one per line). So to make firecfg only create symlinks for firefox and thunderbird, add firefox as first line and thunderbird as second line. No other lines.

Ah right now I see mate.

@Joe23232
Author

Joe23232 commented Oct 27, 2020

@rusty-snake
Sorry to bother you again, but in regards to another question: I looked at this part of the firejail article https://firejail.wordpress.com/documentation-2/building-custom-profiles/ and wanted to create a whitelist profile for firefox where the only directories that are not private are ~/.config/firefox, ~/.cache/firefox and ~/Downloads, and to those directories it has full read and write access rights.

[image]

As stated on the website I have done all those things but I named it as firefox.config.

When I do a cat firefox.config I get this output:

# Firejail profile for default
# This file is overwritten after every install/update
# Persistent local customizations
include default.local
# Persistent global definitions
include globals.local

# generic gui profile
# depending on your usage, you can enable some of the commands below:

include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
# include disable-write-mnt.inc
# include disable-xdg.inc

# include whitelist-common.inc
# include whitelist-usr-share-common.inc
# include whitelist-runuser-common.inc
# include whitelist-var-common.inc

# apparmor
caps.drop all
# ipc-namespace
# machine-id
# net none
netfilter
# no3d
# nodvd
# nogroups
nonewprivs
noroot
# nosound
# notv
# nou2f
# novideo
protocol unix,inet,inet6
seccomp
# shell none
# tracelog

# disable-mnt
# private
# private-bin program
# private-cache
# private-dev
# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
# private-etc alternatives,fonts,machine-id
# private-lib
# private-opt none
# private-tmp

# dbus-user none
# dbus-system none

# memory-deny-write-execute
# read-only ${HOME}

I apologise for my lack of technical skills, but what would I need to modify in this file to achieve what I need to achieve?

@rusty-snake
Collaborator

wanted to create a whitelist profile for firefox

firefox already has a whitelisting profile, no need to do so.

~/.config/firefox, ~/.cache/firefox

firefox does not use any of these (unless you patch it and build your own).

but I named it as firefox.config

If you do not name a profile <binary>.profile, you need to provide the full path to it.

As stated on the website I have done all those things

If a program already has a profile, it is easier/better to copy it instead of the default.profile. You can then start with whitelisting all paths with a noblacklist. However, most profiles are whitelisting profiles where that is possible. And some are opt-in, i.e. they have a commented-out whitelist section that just needs to be uncommented.

@Joe23232
Author

Joe23232 commented Oct 27, 2020

firefox does not use any of these (unless you patch it and build your own).

Oh I am surprised, I know that chromium-based browsers do this for sure, so I suppose I want this for chromium-based ones. Maybe as a side note then, I want to experiment with/use chromium as an example instead of firefox.

If you do not name a profile <binary>.profile, you need to provide the full path to it.

Oh, I meant that I copied the file and named it firefox.profile, and this file is located inside the directory ~/.config/firejail.

If a program already has a profile, it is easier/better to copy it instead of the default.profile.

Oh ok that is true mate. So I have done this for chromium via this command: cp /etc/firejail/chromium.profile chromium.profile

You can then start with whitelisting all paths with a noblacklist.

# Firejail profile for chromium
# Description: A web browser built for speed, simplicity, and security
# This file is overwritten after every install/update
# Persistent local customizations
include chromium.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf

mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf

# private-bin chromium,chromium-browser,chromedriver

# Redirect
include chromium-common.profile

Sorry, I am a bit confused, what is the difference between noblacklist and whitelist?

In the chromium.profile file, it has both the line whitelist ${HOME}/.config/chromium and noblacklist ${HOME}/.config/chromium?

@rusty-snake
Collaborator

noblacklist ${HOME}/.config/chromium: ignore all later blacklist ${HOME}/.config/chromium commands. ${HOME}/.config/chromium is blacklisted in disable-programs.inc and would be inaccessible without this.

whitelist ${HOME}/.config/chromium: enable whitelisting in ${HOME} and whitelist ${HOME}/.config/chromium.

@Joe23232
Author

whitelist ${HOME}/.config/chromium: enable whitelisting in ${HOME} and whitelist ${HOME}/.config/chromium.

I see mate I get the whitelist part now.

noblacklist ${HOME}/.config/chromium: ignore all later blacklist ${HOME}/.config/chromium commands. ${HOME}/.config/chromium is blacklisted in disable-programs.inc and would be inaccessible w/o this.

If I am understanding this correctly, you mean by default ${HOME}/.config/chromium would be disabled through some external profile (via disable-programs.inc) so stating noblacklist overrides the blacklisting stated by disable-programs.inc?

@rusty-snake
Collaborator

If I am understanding this correctly, you mean by default ${HOME}/.config/chromium would be disabled through some external profile (via disable-programs.inc) so stating noblacklist overrides the blacklisting stated by disable-programs.inc?

Yes. (There is a limitation: noblacklist works only for later blacklist commands).

@Joe23232
Author

noblacklist works only for later blacklist commands).

Sorry mate what do you mean by noblacklist works only for later blacklist commands?

@rusty-snake
Collaborator

foobar is not blacklisted

noblacklist ${HOME}/foobar
blacklist ${HOME}/foobar

foobar is blacklisted

blacklist ${HOME}/foobar
noblacklist ${HOME}/foobar

~/.mozilla is not blacklisted

noblacklist ${HOME}/.mozilla
include disable-programs.inc

~/.mozilla is blacklisted

include disable-programs.inc
noblacklist ${HOME}/.mozilla

@Joe23232
Author

Joe23232 commented Oct 27, 2020

noblacklist ${HOME}/foobar
blacklist ${HOME}/foobar

Wouldn't it make more sense for it to be blacklisted instead of not being blacklisted? How come it is not blacklisted when the user later specifies that he wants it to be blacklisted? Sorry, I am just trying to understand a bit better, that is all :)

@rusty-snake
Collaborator

Internal (ignore if you do not understand): firejail applies options when they are read. Undoing an option is not always easy, so first-will-win semantics are simpler to implement. But there are exceptions: read-only/read-write have last-will-win semantics.

Usage (here you go): the <profile-name>.local and globals.local overrides are included at the top of profiles. So if you want, for example, your firefox to be able to read .config/chromium, you just need to add noblacklist ${HOME}/.config/chromium (and a whitelist).
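The first-will-win rule from the four profile snippets above is easy to get wrong in a hand-edited profile, so here is a small checker for it, together with a helper that writes the kind of <name>.local override just described (noblacklist plus whitelist for one path). This is an added example, not code from the thread or from firejail itself. The checker reads a single file and, as a simplification that is this example's assumption rather than a firejail feature, does not follow include lines: it treats any include disable-*.inc as a block of blacklist commands, since those are the files that blacklist ~/.mozilla, ~/.config/chromium and the like. The profile contents in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: check that every "noblacklist" precedes the blacklists it
# is meant to disarm, and write a <name>.local override.

# Print each "noblacklist PATH" that comes after "blacklist PATH" or after an
# "include disable-*.inc" in the same file; return 1 if any was found.
check_noblacklist_order() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }             # comments, blanks
        $1 == "blacklist" { bl[$2] = NR }                          # remember first blacklist per path
        $1 == "include" && $2 ~ /^disable-.*\.inc$/ { if (!inc) inc = NR }
        $1 == "noblacklist" {
            if ($2 in bl) {
                printf "line %d: noblacklist %s comes after blacklist on line %d; it has no effect\n", NR, $2, bl[$2]
                bad = 1
            } else if (inc) {
                printf "line %d: noblacklist %s comes after include on line %d; it cannot undo that include\n", NR, $2, inc
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Append to DIR/NAME.local (normally ~/.config/firejail) the two lines that let
# the sandboxed NAME see PATH: noblacklist disarms the later blacklist pulled in
# by disable-programs.inc, whitelist adds the path to the whitelisted ${HOME}.
# The .local file is included at the top of NAME.profile, so the order is right.
write_local_override() {
    dir="$1"; name="$2"; path="$3"
    mkdir -p "$dir"
    printf '# local override for %s\nnoblacklist %s\nwhitelist %s\n' \
        "$name" "$path" "$path" >> "$dir/$name.local"
}

# Stand-alone use: ./check-profile.sh ~/.config/firejail/chromium.profile
# Constructed example that the checker rejects (blacklist read first):
#   blacklist ${HOME}/foobar
#   noblacklist ${HOME}/foobar
if [ "$#" -gt 0 ]; then
    check_noblacklist_order "$1"
fi
```

To confirm against the real sandbox rather than this static check, run the program's profile with a harmless command in place of the program, e.g. firejail --profile=/path/to/firefox.profile ls -ld ~/.config/chromium: the directory is visible only if the noblacklist took effect and the path is whitelisted.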

@Joe23232
Author

Joe23232 commented Oct 28, 2020

Internal (ignore if you do not understand): firejail applies options when they are read. Undoing an option is not always easy, so first-will-win semantics are simpler to implement. But there are exceptions: read-only/read-write have last-will-win semantics.

Ah I see. Thanks

The <profile-name>.local and globals.local overrides are included at the top of profiles. So if you want, for example, your firefox to be able to read .config/chromium, you just need to add noblacklist ${HOME}/.config/chromium (and a whitelist).

Just out of curiosity, if I were to have noblacklist inside the chromium.profile file but did not have whitelist, the directories would still not be whitelisted, right? All noblacklist tells the global file is to simply ignore the blacklist?

@rusty-snake
Collaborator

Just out of curiosity, if I were to have noblacklist inside the chromium.profile file but did not have whitelist, the directories would still not be whitelisted, right? All noblacklist tells the global file is to simply ignore the blacklist?

right

@Joe23232
Author

Thanks.

Sorry I just have one more question.

What is the difference between these two files, chromium.local and globals.local?

@rusty-snake
Collaborator

chromium.local/<NAME>.profile: override for this profile only

globals.local: overrides for all profiles

@rusty-snake
Collaborator

I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.

@Joe23232
Author

Joe23232 commented Dec 16, 2020 via email

@chaserene

chaserene commented Aug 24, 2021

  1. [Question] How to use firejail only for certain apps? #3213 extended with a script (which is started as root). You must verify the .desktop files yourself.
    ...

@rusty-snake are all four steps in this comment required to firejail only select apps, or are they four different ways of achieving the same thing? asking because this seems to be madly complicated, and firectl has been deprecated.

an easy way to include/exclude apps from being firejailed would be very much welcome. thank you for your excellent hard work!

@chaserene

chaserene commented Aug 24, 2021

also, in the script in first step/option, isn't firecfg --clean missing?

@kmk3
Collaborator

kmk3 commented Aug 24, 2021

@chaserene commented on Aug 24:

  1. [Question] How to use firejail only for certain apps? #3213 extended with a script (which is started as root). You must verify the .desktop files yourself. ...

@rusty-snake are all four steps in this comment required to firejail only select apps, or are they four different ways of achieving the same thing? asking because this seems to be madly complicated, and firectl has been deprecated.

Different ways.

an easy way to include/exclude apps from being firejailed would be very much welcome. thank you for your excellent hard work!

Agreed; see #2097.

@chaserene commented on Aug 24:

also, in the script in first step/option, isn't firecfg --clean missing?

I think it's meant to be used instead of firecfg, as it does the same thing, but only for the programs specified in the apps array. So yes, if you had already run firecfg and want to undo it, then first run firecfg --clean before following that step.

hlein added a commit to hlein/firejail that referenced this issue Nov 6, 2021
This should make it easier for users, and distributions, to customize
which programs they want firejail to wrap.

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: netblue30#408
Bug: netblue30#2097
Bug: netblue30#2829
Bug: netblue30#3665
hlein added a commit to hlein/firejail that referenced this issue Nov 6, 2021
This should make it easier for users, and distributions, to customize
which programs they want firejail to wrap. Also fixed some
firecfg.cfg -> firecfg.config references.

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: netblue30#408
Bug: netblue30#2097
Bug: netblue30#2829
Bug: netblue30#3665