With firecfg, how do I configure specific applications to go through firejail? #3665
Comments
#!/bin/bash
# Create a symlink to firejail for each selected app so it starts sandboxed
apps=(firefox thunderbird libreoffice)
for app in "${apps[@]}"; do
    ln -s /usr/bin/firejail "/usr/local/bin/$app"
done
EDIT: added firectl
Hi, thanks for your response.
Sorry, but in regards to this step, what should I specifically edit in this file?
This file specifies for which programs firecfg creates symlinks (if they are installed and have a profile). If a program is not listed there (or is commented out), no symlinks are created. Example (create a backup; only set firefox, thunderbird and libreoffice):
Hey man
Those are bash redirections. Maybe it is easier to understand for you if it uses multiple
Both snippets below do the same; replace /usr/lib/firejail/firecfg.config with
cat > /usr/lib/firejail/firecfg.config <<EOF
thunderbird
firefox
libreoffice
EOF
rm /usr/lib/firejail/firecfg.config
echo thunderbird >> /usr/lib/firejail/firecfg.config
echo firefox >> /usr/lib/firejail/firecfg.config
echo libreoffice >> /usr/lib/firejail/firecfg.config
I see mate, thanks :)
Hi @rusty-snake, in your 2nd step, what do I have to edit within
Firecfg will only create symlinks for programs listed in firecfg.config. If you want to exclude a program from firecfg, just comment it out. If you want to create symlinks only for a few selected programs, remove it (or better, rename it to something like firecfg.config.orig) and create a new one with only the programs you want (one per line). So to make firecfg only create symlinks for firefox and thunderbird, add
Ah right, now I see mate.
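As an added example (not code from this thread or from the firejail project), a script that does the backup-and-restrict step described above on a firecfg.config copy by commenting out every program you do not want, and then checks which commands in a bin directory have become firejail symlinks. The config path and bin directory are parameters; the real file is /usr/lib/firejail/firecfg.config as named above.

```shell
#!/bin/bash
# Added example (not code from this thread or the firejail project): rewrite a
# firecfg.config copy so only chosen programs stay active, then list which
# commands in a bin directory have been turned into firejail symlinks.
set -eu
# firecfg_restrict CONFIG PROG...  (CONFIG is normally /usr/lib/firejail/firecfg.config)
# Keeps comments and blank lines, leaves the named programs enabled and comments
# out every other entry; the original is saved as CONFIG.orig first.
firecfg_restrict() {
    local cfg=$1 tmp line keep p
    shift
    tmp=$(mktemp)
    cp -p "$cfg" "$cfg.orig"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) printf '%s\n' "$line" ;;   # comment or blank line: unchanged
            *)
                keep=0
                for p in "$@"; do
                    [ "$line" = "$p" ] && keep=1
                done
                if [ "$keep" = 1 ]; then
                    printf '%s\n' "$line"
                else
                    printf '# %s\n' "$line"      # firecfg ignores commented entries
                fi ;;
        esac
    done < "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}
# firecfg_active CONFIG: print the entries that remain enabled.
firecfg_active() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}
# jailed_commands BINDIR TARGET: print the names in BINDIR that are symlinks to
# TARGET (/usr/bin/firejail), i.e. commands that now start inside the sandbox.
jailed_commands() {
    local f
    for f in "$1"/*; do
        if [ -L "$f" ] && [ "$(readlink "$f")" = "$2" ]; then
            basename "$f"
        fi
    done
}
# Demo on a constructed sample config in a temporary directory, not the real file.
demo=$(mktemp -d)
printf '# sample firecfg.config\nfirefox\nthunderbird\nvlc\n' > "$demo/firecfg.config"
firecfg_restrict "$demo/firecfg.config" firefox thunderbird
firecfg_active "$demo/firecfg.config"    # prints: firefox thunderbird (one per line)
```

After editing the real file, run firecfg again and use jailed_commands on /usr/local/bin to confirm only the programs you kept were symlinked.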
@rusty-snake As stated on the website I have done all those things but I named it as When I do a
# Firejail profile for default
# This file is overwritten after every install/update
# Persistent local customizations
include default.local
# Persistent global definitions
include globals.local
# generic gui profile
# depending on your usage, you can enable some of the commands below:
include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
# include disable-write-mnt.inc
# include disable-xdg.inc
# include whitelist-common.inc
# include whitelist-usr-share-common.inc
# include whitelist-runuser-common.inc
# include whitelist-var-common.inc
# apparmor
caps.drop all
# ipc-namespace
# machine-id
# net none
netfilter
# no3d
# nodvd
# nogroups
nonewprivs
noroot
# nosound
# notv
# nou2f
# novideo
protocol unix,inet,inet6
seccomp
# shell none
# tracelog
# disable-mnt
# private
# private-bin program
# private-cache
# private-dev
# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
# private-etc alternatives,fonts,machine-id
# private-lib
# private-opt none
# private-tmp
# dbus-user none
# dbus-system none
# memory-deny-write-execute
# read-only ${HOME}
I apologise for my lack of technical skills, but what would I need to modify in this file to achieve what I need to achieve?
firefox already has a whitelisting profile, no need to do so.
firefox does not use any of these (unless you patch it and build your own).
If you name a profile not
If a program already has a profile, it is easier/better to copy it instead of the default.profile. You can then start with whitelisting all paths with a
Oh I am surprised, I know that chromium based does this for sure, so I suppose I want this for chromium based. Maybe as a side note then I want to experiment/use as an example with
Oh I meant like I copied the file and named it as
Oh ok that is true mate. So I have done this for
# Firejail profile for chromium
# Description: A web browser built for speed, simplicity, and security
# This file is overwritten after every install/update
# Persistent local customizations
include chromium.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf
mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf
# private-bin chromium,chromium-browser,chromedriver
# Redirect
include chromium-common.profile
Sorry I am a bit confused, what is the difference between In the
I see mate I get the
If I am understanding this correctly, you mean by default
Yes. (There is a limitation:
Sorry mate, what do you mean by noblacklist works only for later blacklist commands?
foobar is not blacklisted
foobar is blacklisted
~/.mozilla is not blacklisted
~/.mozilla is blacklisted
noblacklist ${HOME}/foobar
blacklist ${HOME}/foobar
Wouldn't it make more sense for it to be blacklisted instead of not being blacklisted? How come it is not blacklisted when the user later specifies he wants it to be blacklisted? Sorry, I am just trying to understand a bit better, that is all :)
Internal (ignore if you do not understand): firejail applies options when they are read. Undoing an option is not always easy, so a first-will-win semantic is simpler to implement. But there are exceptions: read-only/read-write have a last-will-win semantic. Usage (here you go): The
Ah I see. Thanks
Just out of curiosity, if I were to have
right
Thanks. Sorry, I just have one more question. What is the difference between these two files
I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.
Sure mate, thanks
@rusty-snake are all four steps in this comment required to firejail only select apps, or are they four different ways of achieving the same thing? Asking because this seems to be madly complicated, and firectl has been deprecated. An easy way to include/exclude apps from being firejailed would be very much welcome. Thank you for your excellent hard work!
Also, in the script in the first step/option, isn't
@chaserene commented on Aug 24:
Different ways.
Agreed; see #2097.
@chaserene commented on Aug 24:
I think it's meant to be used instead of
This should make it easier for users, and distributions, to customize which programs they want firejail to wrap.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: netblue30#408
Bug: netblue30#2097
Bug: netblue30#2829
Bug: netblue30#3665
This should make it easier for users, and distributions, to customize which programs they want firejail to wrap. Also fixed some firecfg.cfg -> firecfg.config references.
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: netblue30#408
Bug: netblue30#2097
Bug: netblue30#2829
Bug: netblue30#3665
I know that the command
sudo firecfg
will get all the applications to open through firejail, however I don't want this, I want to only specify specific applications such as chromium etc. How would I achieve this, if this is even possible?