chiraag-nataraj / firejail-profiles
Tight Firejail profiles
License: GNU General Public License v2.0
Config files
~/.Brackets
/opt/brackets
~/Documents (or its name in your language)
p2p is still popular
but with the increased issues with it (censorship/copyright-censorship)
it would be extremely good to have a firejail profile for amule (protecting you from "misfortunes")
best regards
Hi,
I created a shortcut for keepassxc 'firejail keepassxc %f' or 'firejail --profile=/etc/firejail/keepassxc keepassxc %f' but I don't have keepassxc by checking with 'firejail --list'.
It works if I launch it with 'firejail keepassxc' in a terminal.
Do you have any idea how to make my shortcut work?
I was hoping, if possible, you may add akregator to your list, as I find it similar to using firefox, especially since its developers have added adblock, which has given it the extra security it needs.
Thanks
Name of the program
Tvheadend
Website
https://tvheadend.org/
Already available in stock firejail?
Not present
Additional info
Here is the profile I created. The problem is on the 'private-bin' line. If I uncomment it, the program does not start.
I would like to know the programs in "/user/bin" that are essential for the proper functioning of Tvheadend.
# Firejail profile for Tvheadend
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include tvheadend.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.hts
blacklist ${HOME}/Public
include disable-common.inc
include disable-devel.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-interpreters.inc
include disable-exec.inc
include disable-xdg.inc
mkdir ${HOME}/.hts
whitelist ${HOME}/.hts
apparmor
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
nou2f
#protocol unix,inet,inet6
machine-id
disable-mnt
#private-bin tvheadend,tv_grab_file,sh
private-dev
private-tmp
private-etc alternatives
Thank you very much.
A profile for youtube-dl would be nice :D
Please, could you add these profiles:
Kdenlive
Shotcut
Darktable
P.S.: on some distros it is .kde4, sorry.
thanks
Hello,
when I start steam in firejail, I don't see the client anywhere
not even in the icon drawer at the bottom left of the screen, which has dropbox in it (working inside firejail too)
blender doesn't work now
with it
works
https://paste.teknik.io/Raw/Wmkyv
Pidgin is a shit-show, I was hoping someone could step up and provide a tighter profile.
Thanks!
I've created a natron profile
blacklist /usr/local/bin
blacklist /usr/local/sbin
blacklist /boot
blacklist /media
blacklist /mnt
whitelist ${HOME}/.Natron
whitelist ${HOME}/.cache/INRIA/Natron/
whitelist ${HOME}/.config/INRIA/
whitelist ${HOME}/.gtkrc-2.0
whitelist ${HOME}/.themes
whitelist ${DOWNLOADS}
whitelist ${HOME}/Videos
whitelist /opt/natron/
private-bin natron
private-etc fonts,X11,pulse
whitelist /tmp/.X11-unix/
noexec ${HOME}
noexec /tmp
shell none
ipc-namespace
1 Ricochet: a torified chat app, similar to tox,
https://ricochet.im/
2 Tbb, the tor browser bundle itself
http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html
It'd be nice if there was a way to allow discord to only access /tmp/discord.sock, while leaving the rest of /tmp hidden. Right now, discord.profile ignores the private-tmp command, exposing the host's /tmp folder.
I've attempted creating the socket beforehand, and whitelisting it in the discord profile, but it seems discord tries to remove the file on bootup.
To fix this, we'd need to either:
I'm opening this issue mostly to open dialogue about this, since there's more applications that do similar things, and you might want to be able to communicate with them over sockets outside of the sandbox, or somehow share the same tmpfs mount. Are there any more possible options for doing such a thing?
could you provide these profiles?
cinelerra
lmms
gimp
inkscape
can you give
profiles for these
https://imagej.nih.gov/ij/
http://hugin.sourceforge.net/
https://sourceforge.net/projects/macrofusion/
Darktable
https://gist.github.com/triceratops1/14ae961633898d50df0123bb32c3f490
Shotcut
https://gist.github.com/triceratops1/464d766db8efcae72735d4e4cdfda688
Zart: A GMIC-based webcam manipu
https://gist.github.com/triceratops1/86e85465358d6fdbe4d1f216008cb28d
https://github.com/dtschump/gmic-community/tree/master/zart
Add Teamviewer profile..
Name of the program
tmate
Website
https://tmate.io/
Already available in stock firejail?
no
Additional info
Tmate is a remote tmux/ssh session sharing tool. There could be different profiles with one that restrict access to the directory where tmate is started.
Name of the program
Asbru
Website
https://github.com/asbru-cm/asbru-cm
Already available in stock firejail?
No
Additional info
Anything else you think I should know before working on this profile.
What's the OS/architecture the profiles were designed for? Latest version of Arch Linux 64-bit? Would be nice to include this information in the README.
Nevermind. XD
is there a reason /media is blacklisted?
would it be possible to whitelist just /media/${USER}
Use this issue to document breakages introduced by 5bcddbe.
@esotericDisciple commented the following in netblue30/firejail#2217:
Still can't figure out how to run a "firejail --private inox" command that allows for copying over an /.config/inox directory from an external hard drive, so that the end result is the ability to run multiple inox/ungoogled-chromium browsers separately like Multiloginapp or Firefox Containers offers, but also lets me use a custom browser profile, settings, extensions and all, for each one...
Thanks, but how do I use that or any .common script with firejail?
can you make profiles for these apps?
1 brl-cad (a military-veteran CAD..but common in civilian environments)
2 freecad (a civil-use CAD)
3 dia (an oss alternative to ms visio)
4 fontforge
Hi,
please make a profile for Gradio.
Thanks.
hello,
so i have tried to get signal-desktop to start in firejail
by default, signal installs in /opt/Signal and sets up a symlink in /usr/local/bin/signal-desktop -> /opt/Signal/signal-desktop
when i run the command firejail signal-desktop
all i get in return is
~$ firejail signal-desktop
Reading profile /etc/firejail/signal-desktop.profile
Parent pid 4752, child pid 4753
Child process initialized
Parent is shutting down, bye...
Name of the program
biscuit.AppImage
Website
Website for the program (if the program is in most major repositories, you can optionally skip this).
https://github.com/agata/dl.biscuit
Already available in stock firejail?
Is the requested profile already available in regular firejail (that is, are you requesting an enhanced profile or a completely new profile?)?
No
Additional info
Anything else you think I should know before working on this profile.
No debugging output given, firejail just shuts down unless "--noprofile" is used....Also running with "--noblacklist=/.config/biscuit --whitelist=/.config/biscuit" doesn't work either (though it does for Rambox)...
Synfigstudio
firejail synfigstudio
Reading profile /etc/firejail/synfigstudio.profile
Warning: user namespaces not available in the current kernel.
Parent pid 4557, child pid 4558
Child process initialized
synfig studio -- starting up application...
** (synfigstudio:7): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-sDCGkevOjL: Conexión rehusada
mlt_repository_init: failed to dlopen /usr/lib/mlt/libmltopengl.so
(libmovit.so.4: no se puede abrir el fichero del objeto compartido: No existe el fichero o el directorio)
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
Standard Exception: std::exception
terminate called after throwing an instance of 'std::runtime_error'
what(): Unable to open module list file 'synfig_modules.cfg'
Parent is shutting down, bye...
Hi. Sorry, maybe that's a dumb question. I'm not that versatile with deep linux security. Please provide a little more understandable documentation for nongeeks ;).
Concrete:
What is the commandline syntax of your script?
What does it do exactly?
And what do you recommend for secure profiles with your script in combination with firejail?
Regards
Hello, just a curious question. Can you explain how to sandbox a process with systemd? Creating a unit for every app that I'm running and configuring permissions, etc. according to https://www.freedesktop.org/software/systemd/man/systemd.exec.html?
Thank you.