[GH-ISSUE #1510] Question: ‘program.local’ ‘global.local’ and ‘program.profile’? #1011

Closed
opened 2026-05-05 07:18:16 -06:00 by gitea-mirror · 3 comments

Originally created by @Irvinehimself on GitHub (Aug 31, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1510

I would like to enable ‘apparmor’ and disable the internet, (protocol unix’[?],) globally, yet selectively disable ‘apparmor’ and/or enable the internet on a per program basis.

Can this be done by using an appropriate combination of ‘global.local’ and ‘program.local’ profiles?

For example, a neat/tidy solution would be something like:

global.local: {enable apparmor, disable internet connectivity}

```
protocol unix
apparmor
```

program.local: {selectively enable internet connectivity}

```
protocol unix,inet,inet6,netlink
```

Further, if the above did in fact work!!!, would it be possible to selectively disable apparmor in the ‘program.local’ profile?

A less neat solution, (if the ‘program.local’ setting overrides the profile setting,) would be to run the following bash and edit the created '.local' files as needed:

```bash
#!/bin/bash

ls /etc/firejail |\
    (
    suffix="profile"
    while read -r line ; do
        # only handle *.profile entries; /etc/firejail also holds firejail.config, login.users, ...
        [[ $line == *.$suffix ]] || continue
        # foo.profile -> foo.local
        tmp=${line%$suffix}"local"
        echo "apparmor" >> "/etc/firejail/$tmp"
        echo "protocol unix" >> "/etc/firejail/$tmp"
    done
    )
```

I would be grateful to hear your thoughts

Irvine


@Ferroin commented on GitHub (Aug 31, 2017):

There are better, more reliable, and more well documented methods of achieving what you want on the networking side. Take a look at the iptables documentation, you can achieve similar things with at least the 'owner' match or the 'cgroup' match, and possibly other ways too. Alternatively, don't configure the network in the main network namespace, then configure it explicitly in dedicated namespaces.

As far as whether or not any of this is possible with Firejail, I'd be willing to bet the answer is probably no, as making this possible would provide a trivial method of escaping the isolation firejail provides.


@ghost commented on GitHub (Aug 31, 2017):

You can disable apparmor by adding ignore apparmor line in program.local.
program.local is loaded first so it takes precedence over global.local and program.profile.
You can use net none instead of protocol unix (disable by ignore net) which is stronger but can break more things.
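Putting the question's two files together with the overrides from this answer, as an added illustration (not from the original thread or the firejail project); `firefox` stands in for whatever program needs network access, and the comments assume the load order stated above (program.local before global.local and program.profile):

```text
# /etc/firejail/globals.local  -- applied to every program (constructed example)
# hardening defaults: confine with AppArmor and give the sandbox no network at all
apparmor
net none
protocol unix

# /etc/firejail/firefox.local  -- only for firefox (constructed example)
# loaded first, so these ignore lines drop the matching commands
# from globals.local and firefox.profile when they are read later
ignore apparmor
ignore net
# network-capable protocol list for this one program
protocol unix,inet,inet6,netlink
```

Note that the per-program file is the one that relaxes the policy, so anything writable there is effectively a way out of the global defaults; keeping /etc/firejail root-owned and reviewing which `.local` files carry `ignore` lines is the check to run after editing.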


@Irvinehimself commented on GitHub (Aug 31, 2017):

Thank you for a very complete answer. The order of precedence combined with the 'ignore' flag is exactly what I have been trying to figure out.

When I read the manual, I noted the 'ignore' flag's existence, but then lost the reference. Similarly, WRT the 'net' flag, the manual, (which in retrospect was obviously referring to the .desktop launcher,) suggested 'net=none'. When I tried to put that into a profile, it crashed!
