github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #173] idea: implement a pseudo variable "global" for profiles #123

New issue

Closed

opened 2026-05-05 05:06:03 -06:00 by gitea-mirror · 2 comments

gitea-mirror commented

2026-05-05 05:06:03 -06:00

Owner

Originally created by @ghost on GitHub (Nov 29, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/173

Somewhat related to #170.

Local user profiles (~/.conf/firejail/) may want to make global profiles more restrictive. So they would include the profiles from /etc/ and then add their own rules. But the global profiles are not always in /etc/, as in the case that firejail has been installed from git.
Have a pseudo variable for profiles in order to allow including the correct global profiles, no matter how it has been installed. Let the variable be called "global" or "globalconf" or something like that. Maybe in bash notation like this: ${globalconf}.

I hope it's clear what I mean.

Originally created by @ghost on GitHub (Nov 29, 2015). Original GitHub issue: https://github.com/netblue30/firejail/issues/173 Somewhat related to #170. Local user profiles (~/.conf/firejail/) may want to make global profiles more restrictive. So they would include the profiles from /etc/ and then add their own rules. But the global profiles are not always in /etc/, as in the case that firejail has been installed from git. Have a pseudo variable for profiles in order to allow including the correct global profiles, no matter how it has been installed. Let the variable be called "global" or "globalconf" or something like that. Maybe in bash notation like this: ${globalconf}. I hope it's clear what I mean.

gitea-mirror

2026-05-05 05:06:03 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 05:06:10 -06:00

Author

Owner

@netblue30 commented on GitHub (Dec 3, 2015):

I can add an option that allows you to set the directory where profiles are stored, something like:

$ firejail --profile-dir=/opt/profiles ...

Would this help in your case?

@netblue30 commented on GitHub (Dec 3, 2015): I can add an option that allows you to set the directory where profiles are stored, something like: ``` $ firejail --profile-dir=/opt/profiles ... ``` Would this help in your case?

gitea-mirror commented

2026-05-05 05:06:12 -06:00

Author

Owner

@ghost commented on GitHub (Dec 3, 2015):

It would help, if this option was available in the profile, too.
But in this case you'd still need to know some path. In the case of some pseudo variable, the executable would be able to take its global config path, that's been hardcoded, since it's aware of that anyway, isn't it?

But, actually, both things can be done.
Let me show some example:

# ${GLOBAL} is /etc/firejail or /usr/local/etc/firejail or wherever the prefix was.
# This is immutable.
include ${GLOBAL}/generic.profile

# includes from CWD
include a.profile

profile-dir /opt/firejail
# includes from /opt/firejail
include a.profile

# absolute path, ignore profile-dir
include ~/.conf/firejail/b.profile

# at this point, ${GLOBAL} still points to whatever it was before. The hardcoded prefix.

This is what I'm thinking of. The idea is to be able to extend on global profiles without having to know, how firejail has been installed, so local profiles would work on every installation, without having to readjust paths.

@ghost commented on GitHub (Dec 3, 2015): It would help, if this option was available in the profile, too. But in this case you'd still need to know _some_ path. In the case of some pseudo variable, the executable would be able to take its global config path, that's been hardcoded, since it's aware of that anyway, isn't it? But, actually, both things can be done. Let me show some example: ``` # ${GLOBAL} is /etc/firejail or /usr/local/etc/firejail or wherever the prefix was. # This is immutable. include ${GLOBAL}/generic.profile # includes from CWD include a.profile profile-dir /opt/firejail # includes from /opt/firejail include a.profile # absolute path, ignore profile-dir include ~/.conf/firejail/b.profile # at this point, ${GLOBAL} still points to whatever it was before. The hardcoded prefix. ``` This is what I'm thinking of. The idea is to be able to extend on global profiles without having to know, how firejail has been installed, so local profiles would work on every installation, without having to readjust paths.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#123

No description provided.

Rows
Columns