github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #2397] Nix, snap, appimage support #1598

New issue
Closed
opened 2026-05-05 08:15:14 -06:00 by gitea-mirror · 11 comments
gitea-mirror commented 2026-05-05 08:15:14 -06:00
Owner
Copy link

Originally created by @jackTaw88 on GitHub (Feb 10, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2397

Hi,

It would be great if we have nix, appimage and snap builds. So we don't need to install firejail to OS.

I found a nix package of firejail. I installed it but it gives error on any command I type:

firejail firefox

Error mkdir: util.c:936 create_empty_dir_as_root: Permission denied

sudo firejail firefox

[sudo] password: 
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/firefox.profile
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/firefox-common.profile
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-common.inc
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-devel.inc
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-interpreters.inc
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-programs.inc
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/whitelist-common.inc
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/whitelist-var-common.inc
Warning: noroot option is not available
Parent pid 23082, child pid 23087
The new log directory is /proc/23087/root/var/log
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
***
*** Warning: cannot whitelist ${DOWNLOADS} directory
*** Any file saved in this directory will be lost when the sandbox is closed.
***
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 112.96 ms
No protocol specified
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :1

Parent is shutting down, bye...

sudo ./firejail nautilus

Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/nautilus.profile
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-common.inc
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-devel.inc
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-interpreters.inc
Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-passwdmgr.inc
Warning: noroot option is not available
Parent pid 23108, child pid 23109
The new log directory is /proc/23109/root/var/log
Blacklist violations are logged to syslog
Child process initialized in 103.88 ms
No protocol specified
Unable to init server: Could not connect: Connection refused

(nautilus:4): Gtk-WARNING **: 17:57:25.846: cannot open display: :1

Parent is shutting down, bye...

I could not open nautilus or firefox.

firejail --list

Error PR_CAPBSET_DROP: caps.c:323 caps_drop_all: Operation not permitted
Error: failed to run /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/bin/firemon

Than I installed firejail with apt-get. It worked.

But now it does not work for snap applications. For example I can not start the chromium which is installed as 'snap':

firejail chromium

Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 27993, child pid 27994
Child process initialized in 52.12 ms
internal error, please report: running "chromium" failed: cannot find installed snap "chromium" at revision 566: missing file /var/lib/snapd/snaps/chromium_566.snap

Parent is shutting down, bye...

It would be great to have snap support like appimage.

Thanks in advance

Originally created by @jackTaw88 on GitHub (Feb 10, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2397 Hi, It would be great if we have nix, appimage and snap builds. So we don't need to install firejail to OS. I found a nix package of firejail. I installed it but it gives error on any command I type: > firejail firefox ``` Error mkdir: util.c:936 create_empty_dir_as_root: Permission denied ``` > sudo firejail firefox ``` [sudo] password: Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/firefox.profile Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/firefox-common.profile Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-common.inc Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-devel.inc Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-interpreters.inc Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-programs.inc Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/whitelist-common.inc Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/whitelist-var-common.inc Warning: noroot option is not available Parent pid 23082, child pid 23087 The new log directory is /proc/23087/root/var/log Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. *** *** Warning: cannot whitelist ${DOWNLOADS} directory *** Any file saved in this directory will be lost when the sandbox is closed. *** Post-exec seccomp protector enabled Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice, Child process initialized in 112.96 ms No protocol specified Unable to init server: Could not connect: Connection refused Error: cannot open display: :1 Parent is shutting down, bye... ``` > sudo ./firejail nautilus ``` Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/nautilus.profile Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-common.inc Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-devel.inc Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-interpreters.inc Reading profile /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/etc/firejail/disable-passwdmgr.inc Warning: noroot option is not available Parent pid 23108, child pid 23109 The new log directory is /proc/23109/root/var/log Blacklist violations are logged to syslog Child process initialized in 103.88 ms No protocol specified Unable to init server: Could not connect: Connection refused (nautilus:4): Gtk-WARNING **: 17:57:25.846: cannot open display: :1 Parent is shutting down, bye... ``` I could not open nautilus or firefox. > firejail --list ``` Error PR_CAPBSET_DROP: caps.c:323 caps_drop_all: Operation not permitted Error: failed to run /nix/store/b9q90zz31jp255qhr83b57j0vaaqlinw-firejail-0.9.56/bin/firemon ``` Than I installed firejail with apt-get. It worked. But now it does not work for snap applications. For example I can not start the chromium which is installed as 'snap': > firejail chromium ``` Reading profile /etc/firejail/chromium.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 27993, child pid 27994 Child process initialized in 52.12 ms internal error, please report: running "chromium" failed: cannot find installed snap "chromium" at revision 566: missing file /var/lib/snapd/snaps/chromium_566.snap Parent is shutting down, bye... ``` It would be great to have snap support like appimage. Thanks in advance
gitea-mirror commented 2026-05-05 08:15:17 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 10, 2019):

Hi @jackTaw88 I'm not too familiar with snap packages, but did you try the /etc/firejail/snap.profile with your chromium snap yet? Allthough it has an erroneous Description (see https://github.com/netblue30/firejail/pull/2398 for a fixI), it might be the way you need to start snaps with firejail, very much like the --appimage option for AppImages:

$ firejail --profile=snap chromium

<!-- gh-comment-id:462161585 --> @ghost commented on GitHub (Feb 10, 2019): Hi @jackTaw88 I'm not too familiar with snap packages, but did you try the `/etc/firejail/snap.profile` with your chromium snap yet? Allthough it has an erroneous Description (see https://github.com/netblue30/firejail/pull/2398 for a fixI), it might be the way you need to start snaps with firejail, very much like the --appimage option for AppImages: $ firejail --profile=snap chromium
gitea-mirror commented 2026-05-05 08:15:17 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Feb 11, 2019):

snaps have their own sandbox so I don't think it's useful or even possible to run them with firejail. Creating snap for firejail itself is something different though.

<!-- gh-comment-id:462369914 --> @Vincent43 commented on GitHub (Feb 11, 2019): snaps have their own sandbox so I don't think it's useful or even possible to run them with firejail. Creating snap for firejail itself is something different though.
gitea-mirror commented 2026-05-05 08:15:18 -06:00
Author
Owner
Copy link

@jackTaw88 commented on GitHub (Feb 11, 2019):

@glitsj16

firejail --profile=/etc/firejail/snap.profile chromium

Reading profile /etc/firejail/snap.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 3757, child pid 3758
Child process initialized in 44.96 ms
cannot execute snapd tool snap-update-ns: Permission denied
snap-update-ns failed with code 1: Permission denied

Parent is shutting down, bye...

Also opera snap gives the same output error :( Is there another thing I can try?

@Vincent43 can someone give support for snap packages?
For example 'nix' packages works with firejail.

<!-- gh-comment-id:462390972 --> @jackTaw88 commented on GitHub (Feb 11, 2019): @glitsj16 > firejail --profile=/etc/firejail/snap.profile chromium ``` Reading profile /etc/firejail/snap.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Parent pid 3757, child pid 3758 Child process initialized in 44.96 ms cannot execute snapd tool snap-update-ns: Permission denied snap-update-ns failed with code 1: Permission denied Parent is shutting down, bye... ``` Also opera snap gives the same output error :( Is there another thing I can try? @Vincent43 can someone give support for snap packages? For example 'nix' packages works with firejail.
gitea-mirror commented 2026-05-05 08:15:19 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 11, 2019):

@jackTaw88 I'm afraid that was just about all I could track down on firejailing snap packages.

@Vincent43 That makes sense, the part about it not being useful to run snap packages with firejail I mean. In that context it might only be confusing users if they see a snap.profile don't you think? Besides considering dropping that, I wonder if anyone knowledgeable is considering adding a section to the firejail man on AppImages, Snaps, Flatpaks and the likes?

<!-- gh-comment-id:462424822 --> @ghost commented on GitHub (Feb 11, 2019): @jackTaw88 I'm afraid that was just about all I could track down on firejailing snap packages. @Vincent43 That makes sense, the part about it not being useful to run snap packages with firejail I mean. In that context it might only be confusing users if they see a `snap.profile` don't you think? Besides considering dropping that, I wonder if anyone knowledgeable is considering adding a section to the firejail man on AppImages, Snaps, Flatpaks and the likes?
gitea-mirror commented 2026-05-05 08:15:20 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Feb 12, 2019):

can someone give support for snap packages? For example 'nix' packages works with firejail.

@jackTaw88 AFAIK nix packages aren't sandboxed while snaps are. That's why one work and other don't. Snap daemon needs similar privileges as firejal so it's not possible to combine them together.

In that context it might only be confusing users if they see a snap.profile don't you think? Besides considering dropping that, I wonder if anyone knowledgeable is considering adding a section to the firejail man on AppImages, Snaps, Flatpaks and the likes?

@glitsj16 I agree that snap.profile is confusing and doesn't have a chance to work so it should be dropped. AppImages are already documented. For snap and flatpak we could add a line that they won't work.

<!-- gh-comment-id:462709243 --> @Vincent43 commented on GitHub (Feb 12, 2019): > can someone give support for snap packages? For example 'nix' packages works with firejail. @jackTaw88 AFAIK nix packages aren't sandboxed while snaps are. That's why one work and other don't. Snap daemon needs similar privileges as firejal so it's not possible to combine them together. > In that context it might only be confusing users if they see a snap.profile don't you think? Besides considering dropping that, I wonder if anyone knowledgeable is considering adding a section to the firejail man on AppImages, Snaps, Flatpaks and the likes? @glitsj16 I agree that snap.profile is confusing and doesn't have a chance to work so it should be dropped. [AppImages are already documented](https://github.com/netblue30/firejail/blob/master/src/man/firejail.txt#L102). For snap and flatpak we could add a line that they won't work.
gitea-mirror commented 2026-05-05 08:15:21 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Feb 12, 2019):

@Vincent43

snaps have their own sandbox so I don't think it's useful or even possible to run them with firejail. Creating snap for firejail itself is something different though.

I must admit that I've never used snaps. But according to this site there are not only snaps with a strict confinement but also with a classic confinement which "Allows access to your system’s resources in much the same way traditional packages do. To safeguard against abuse, publishing a classic snap requires manual approval, and installation requires the --classic command line argument."

So perhaps for this second confinement level it makes still sense to sandbox them with Firejail?

<!-- gh-comment-id:462855713 --> @curiosity-seeker commented on GitHub (Feb 12, 2019): @Vincent43 > snaps have their own sandbox so I don't think it's useful or even possible to run them with firejail. Creating snap for firejail itself is something different though. I must admit that I've never used snaps. But according to [this](https://docs.snapcraft.io/snap-confinement/6233) site there are not only snaps with a _strict_ confinement but also with a _classic_ confinement which "Allows access to your system’s resources in much the same way traditional packages do. To safeguard against abuse, publishing a classic snap requires manual approval, and installation requires the --classic command line argument." So perhaps for this second confinement level it makes still sense to sandbox them with Firejail?
gitea-mirror commented 2026-05-05 08:15:21 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Feb 12, 2019):

It may vary across specific snaps but those may need system wide access (that's supposedly the reason they couldn't be sandboxed with snap). There's also problem how well firejail will co-operate with snap daemon (not very well, I assume 😄 ).

<!-- gh-comment-id:462915236 --> @Vincent43 commented on GitHub (Feb 12, 2019): It may vary across specific snaps but those may need system wide access (that's supposedly the reason they couldn't be sandboxed with snap). There's also problem how well firejail will co-operate with snap daemon (not very well, I assume 😄 ).
gitea-mirror commented 2026-05-05 08:15:22 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 13, 2019):

After reading up on snaps at https://docs.snapcraft.io/, it's only fair to try and clear up any initial confusion I introduced in this thread (see above). The /etc/firejail/snap.profile is solely about sandboxing the snap tool that interacts with snap packages and gets installed with snapd.

As @Vincent43 already stated a few times, confining individual snap packages is in the hands of snapd and out of firejail's reach. Hence the command I suggested @jackTaw88 was never going to work (what was I thinking?). Too make matters worse I jumped the gun, and suggested to drop /etc/firejail/snap.profile alltogether.

@glitsj16 I agree that snap.profile is confusing and doesn't have a chance to work so it should be dropped. AppImages are already documented. For snap and flatpak we could add a line that they won't work.

I was mistaken here, very much so even. @Vincent43: if my understanding is correct, there is nothing in this thread yet to conclude the snap.profile doesn't have a chance to work. A refactored version in fact now works as expected, like any other application profile. Simply put: firejail the snap tool, sure - firejail a snap package, not feasible. At least that is what my tests suggest after seriously redoing snap.profile.

@jackTaw88 I hope this clears up some of the confusion. You can use firejail protection on any snap command just fine:
$ firejail snap list
$ sudo firejail snap install chromium
$ sudo firejail snap remove chromium

To actually start a snap app version of chromium after installation you need to use a command where firejail doesn't enter the picture:
$ env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop /var/lib/snapd/snap/bin/chromium

Phjew, hope this helps. Time for some none-snapping recreation :-)

<!-- gh-comment-id:463417814 --> @ghost commented on GitHub (Feb 13, 2019): After reading up on snaps at https://docs.snapcraft.io/, it's only fair to try and clear up any initial confusion I introduced in this thread (see above). The `/etc/firejail/snap.profile` is solely about sandboxing the `snap` tool that interacts with snap packages and gets installed with `snapd`. As @Vincent43 already stated a few times, confining individual snap packages is in the hands of snapd and out of firejail's reach. Hence the command I suggested @jackTaw88 was never going to work (what was I thinking?). Too make matters worse I jumped the gun, and suggested to drop /etc/firejail/snap.profile alltogether. > @glitsj16 I agree that snap.profile is confusing and doesn't have a chance to work so it should be dropped. AppImages are already documented. For snap and flatpak we could add a line that they won't work. I was mistaken here, very much so even. @Vincent43: if my understanding is correct, there is nothing in this thread **yet** to conclude the snap.profile doesn't have a chance to work. A [refactored version](https://github.com/netblue30/firejail/pull/2402) in fact now works as expected, like any other application profile. Simply put: firejail the snap tool, sure - firejail a snap package, not feasible. At least that is what my tests suggest after seriously redoing snap.profile. @jackTaw88 I hope this clears up some of the confusion. You can use firejail protection on any `snap` command just fine: $ firejail snap list $ sudo firejail snap install chromium $ sudo firejail snap remove chromium To actually start a snap app version of chromium after installation you need to use a command where firejail doesn't enter the picture: $ env BAMF_DESKTOP_FILE_HINT=/var/lib/snapd/desktop/applications/chromium_chromium.desktop /var/lib/snapd/snap/bin/chromium Phjew, hope this helps. Time for some none-snapping recreation :-)
gitea-mirror commented 2026-05-05 08:15:23 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Feb 14, 2019):

$ sudo firejail snap install chromium
$ sudo firejail snap remove chromium

I'm not sure if there is security benefit for executing snap like this as without firejail it should work without sudo (it asks for auth through polkit but the process run as unprivileged user) . Sandboxing things while having to run them as root isn't much security wise.

Did you tested that there are no regressions when installing/removing snaps with firejail? For example it should create apparmor rules dynamically during install/remove packages.

Even if sandboxing snap command with firejail can technically work I don't see it as being relevant for security and there is a risk it could break things. That's why I would still opt for removing snap.profile completely.

<!-- gh-comment-id:463622671 --> @Vincent43 commented on GitHub (Feb 14, 2019): ``` $ sudo firejail snap install chromium $ sudo firejail snap remove chromium ``` I'm not sure if there is security benefit for executing snap like this as without firejail it should work without sudo (it asks for auth through polkit but the process run as unprivileged user) . Sandboxing things while having to run them as root isn't much security wise. Did you tested that there are no regressions when installing/removing snaps with firejail? For example it should create apparmor rules dynamically during install/remove packages. Even if sandboxing snap command with firejail can technically work I don't see it as being relevant for security and there is a risk it could break things. That's why I would still opt for removing `snap.profile` completely.
gitea-mirror commented 2026-05-05 08:15:23 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 14, 2019):

Hi @Vincent43 Yes I tested quite extensively and as far as I could tell there were no such regressions. Apparmor rules get created/destroyed exactly like when running vanilla snap commands without firejail. I retested and the sudo indeed is not needed. But I do see the validity of your points. Taking out the snap.profile it is.

<!-- gh-comment-id:463677739 --> @ghost commented on GitHub (Feb 14, 2019): Hi @Vincent43 Yes I tested quite extensively and as far as I could tell there were no such regressions. Apparmor rules get created/destroyed exactly like when running vanilla snap commands without firejail. I retested and the sudo indeed is not needed. But I do see the validity of your points. Taking out the snap.profile it is.
gitea-mirror commented 2026-05-05 08:15:24 -06:00
Author
Owner
Copy link

@jackTaw88 commented on GitHub (Feb 15, 2019):

Thank you :)

<!-- gh-comment-id:464160583 --> @jackTaw88 commented on GitHub (Feb 15, 2019): Thank you :)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1598
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?