firejail-profiles's Issues

Request: amule profile

P2P is still popular,
but with the increased issues with it (censorship/copyright-censorship)

it would be extremely good to have a firejail profile for amule (protecting you from "misfortunes")

best regards

Keepassxc does not start in firejail mode

Hi,

I created a shortcut for keepassxc, 'firejail keepassxc %f' or 'firejail --profile=/etc/firejail/keepassxc keepassxc %f', but I don't see keepassxc when checking with 'firejail --list'.
It works if I launch it with 'firejail keepassxc' in a terminal.

Do you have any idea how to make my shortcut work?

Another request

I was hoping, if possible, you may add akregator to your list, as I find it similar to using firefox, especially since its developers have added adblock, which has given it the extra security it needs.
Thanks

Tvheadend profile

Name of the program
Tvheadend

Website
https://tvheadend.org/

Already available in stock firejail?
Not present

Additional info

Here is the profile I created. The problem is on the 'private-bin' line. If I uncomment it, the program does not start.
I would like to know the programs in "/usr/bin" that are essential for the proper functioning of Tvheadend.

# Firejail profile for Tvheadend
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include tvheadend.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.hts
blacklist ${HOME}/Public

include disable-common.inc
include disable-devel.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-interpreters.inc
include disable-exec.inc
include disable-xdg.inc

mkdir ${HOME}/.hts
whitelist ${HOME}/.hts

apparmor
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
nou2f
#protocol unix,inet,inet6
machine-id

disable-mnt
#private-bin tvheadend,tv_grab_file,sh
private-dev
private-tmp
private-etc alternatives

Thank you very much.

New Profile for LyX

Name of the program
LyX

Website
LyX

Already available in stock firejail?
No

Additional info
You may take a look at my profile. I tested on Manjaro. But you may do further testing with other distros, and most likely it needs some changes for other distros.

cool profiles

  • openvpn
  • eddie (for airvpn...A VERY COOL vpn but premium),
  • i2p (taking as base the i2prouter with systemd services installed at /opt)
  • freenet
  • dia (ms visio like)
  • geany (a COOL IDE)

Steam does not show

Hello,

when i start steam in firejail, i don't see the client anywhere

not even in the icon drawer at the bottom left of the screen, which has dropbox in it (working inside firejail too)

Add profile: Natron

i've created a natron profile

blacklist /usr/local/bin
blacklist /usr/local/sbin
blacklist /boot
blacklist /media
blacklist /mnt
whitelist ${HOME}/.Natron
whitelist ${HOME}/.cache/INRIA/Natron/
whitelist ${HOME}/.config/INRIA/
whitelist ${HOME}/.gtkrc-2.0
whitelist ${HOME}/.themes
whitelist ${DOWNLOADS}
whitelist ${HOME}/Videos

whitelist /opt/natron/

private-bin natron
private-etc fonts,X11,pulse
whitelist /tmp/.X11-unix/
noexec ${HOME}
noexec /tmp
shell none
ipc-namespace

[discussion] discord.profile: Doesn't need access to the entirety of /tmp

It'd be nice if there was a way to allow discord to only access /tmp/discord.sock, while leaving the rest of /tmp hidden. Right now, discord.profile ignores the private-tmp command, exposing the host's /tmp folder.
I've attempted creating the socket beforehand, and whitelisting it in the discord profile, but it seems discord tries to remove the file on bootup.
To fix this, we'd need to either:

  • Modify discord itself to not remove the file (the "base" client doesn't update very often so this might be feasible, but I'm not sure if this is even possible due to how sockets work)
  • Allow the file to be removed and re-created, without compromising the entirety of /tmp (don't think this is possible due to the way firejail works)
  • Have firejail ignore the unlink syscall, so the program thinks it's "unlinked" the file successfully (requires an update to firejail itself)

I'm opening this issue mostly to open dialogue about this, since there's more applications that do similar things, and you might want to be able to communicate with them over sockets outside of the sandbox, or somehow share the same tmpfs mount. Are there any more possible options for doing such a thing?
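
Why pre-creating the socket and whitelisting it does not survive an application that removes and re-creates it, as an added example that is not from the issue, from firejail or from discord. It assumes the application uses the common unlink-then-bind startup, and a temporary directory stands in for /tmp.

```python
import os
import socket
import tempfile


def listen_unix(path, unlink_first):
    """Bind a listening AF_UNIX socket at path, optionally removing a stale file first."""
    if unlink_first:
        try:
            os.unlink(path)  # assumed app behaviour: clear the old socket file
        except FileNotFoundError:
            pass
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)  # creates a brand-new socket inode under this name
    srv.listen(1)
    return srv


def demo():
    with tempfile.TemporaryDirectory() as tmp:  # stand-in for /tmp
        path = os.path.join(tmp, "discord.sock")
        pre = listen_unix(path, unlink_first=False)  # socket created beforehand
        ino_before = os.stat(path).st_ino
        app = listen_unix(path, unlink_first=True)  # application starts up
        ino_after = os.stat(path).st_ino

        # A client that connects by name reaches the application's socket.
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        conn, _ = app.accept()
        conn.sendall(b"app")
        reached = cli.recv(3)

        # The pre-created listener is still open but unreachable by name.
        pre.setblocking(False)
        try:
            pre.accept()[0].close()
            pre_reachable = True
        except BlockingIOError:
            pre_reachable = False

        for s in (conn, cli, app, pre):
            s.close()
        return {"same_inode": ino_before == ino_after,
                "reached": reached, "pre_reachable": pre_reachable}


if __name__ == "__main__":
    print(demo())
```

The name ends up pointing at a different file object than the one created beforehand, so anything pinned to the original file (for example a per-file bind mount, assumed here to be how a single whitelisted file is exposed) keeps referring to the dead pre-created socket.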

New profiles

could you provide these profiles?
cinelerra
lmms
gimp
inkscape

tmate

Name of the program
tmate

Website
https://tmate.io/

Already available in stock firejail?
no

Additional info
Tmate is a remote tmux/ssh session sharing tool. There could be different profiles with one that restrict access to the directory where tmate is started.

What's the OS/architecture?

What's the OS/architecture the profiles were designed for? Latest version of Arch Linux 64-bit? Would be nice to include this information in the README.

Adapting firefox.common to other programs

@esotericDisciple commented the following in netblue30/firejail#2217:

Still can't figure out how to run a "firejail --private inox" command that allows for copying over an /.config/inox directory from an external hard drive, so that the end result is the ability to run multiple inox/ungoogled-chromium browsers separately like Multiloginapp or Firefox Containers offers, but also lets me use a custom browser profile, settings, extensions and all, for each one...

Thanks, but how do I use that or any .common script with firejail?

More profiles

can you make profiles for these apps?

1 brl-cad (a military-veteran CAD..but common in civilian environments)

2 freecad (a civil-use CAD)

3 dia (an oss alternative to ms visio)

4 fontforge

signal does not start

hello,

so i have tried to get signal-desktop to start in firejail

by default, signal installs in /opt/Signal and sets up a symlink in /usr/local/bin/signal-desktop -> /opt/Signal/signal-desktop

when i run the command firejail signal-desktop all i get in return is

~$ firejail signal-desktop
Reading profile /etc/firejail/signal-desktop.profile
Parent pid 4752, child pid 4753
Child process initialized

Parent is shutting down, bye...

biscuit profile

Name of the program
biscuit.AppImage
Website
Website for the program (if the program is in most major repositories, you can optionally skip this).
https://github.com/agata/dl.biscuit
Already available in stock firejail?
Is the requested profile already available in regular firejail (that is, are you requesting an enhanced profile or a completely new profile?)?
No
Additional info
Anything else you think I should know before working on this profile.
No debugging output given, firejail just shuts down unless "--noprofile" is used....Also running with "--noblacklist=/.config/biscuit --whitelist=/.config/biscuit" doesn't work either (though it does for Rambox)...

Buggy profiles

Synfigstudio

firejail synfigstudio
Reading profile /etc/firejail/synfigstudio.profile
Warning: user namespaces not available in the current kernel.
Parent pid 4557, child pid 4558
Child process initialized

synfig studio -- starting up application...

** (synfigstudio:7): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-sDCGkevOjL: Conexión rehusada
mlt_repository_init: failed to dlopen /usr/lib/mlt/libmltopengl.so
(libmovit.so.4: no se puede abrir el fichero del objeto compartido: No existe el fichero o el directorio)
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
Standard Exception: std::exception
terminate called after throwing an instance of 'std::runtime_error'
what(): Unable to open module list file 'synfig_modules.cfg'

Parent is shutting down, bye...

Better Documentation

Hi. Sorry, maybe that's a dumb question. I'm not that versatile with deep linux security. Please provide a little more understandable documentation for nongeeks ;).
Concrete:
What is the commandline syntax of your script?
What does it do exactly?
And what do you recommend for secure profiles with your script in combination with firejail?
Regards
