github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #254] [Discuss] Improve profiles #178

New issue

Closed

opened 2026-05-05 05:15:27 -06:00 by gitea-mirror · 5 comments

gitea-mirror commented

2026-05-05 05:15:27 -06:00

Owner

Originally created by @genodeftest on GitHub (Jan 22, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/254

While support for more and more applications is added, they are getting more complex. Some profiles use outdated features. When #225 is being implemented, profiles should be reworked, this should include some documentation.

I suggest creating a more hierarchical structure.
Motivation: reduce duplicated configuration options. Ideally, each software type (Toolkit: Gtk/Qt/…, category: Browser/PDF Reader/…, programming language: python/java/…, …) gets its own template so all of these applications can be "fixed" at once. I'd like to reuse the "old" file extensions .profile and .inc if you don't mind.

A hierarchy could look like this:

generic-app.inc -> allow ~/.cache (?)
    generic-gui.inc -> allow X11, Wayland files: ~/.Xauthority, TODO; allow ~/.local/share/recently-used.xbel
        generic-gtk.inc -> allow ~/.gtkrc-2.0, ~/.gtkrc-2.0-kde4, ~/.config/gtk-2.0, ~/.config/gtk-3.0, ~/.config/gtkrc, ~/.config/gtkrc-2.0
            firefox.profile
            thunderbird.profile
            deluge.profile
            generic-gnome.inc
                evince.profile
                empathy.profile
        generic-qt.inc -> allow ~/.config/Trolltech.conf, ~/.config/QtProject.conf
            vlc.profile
            transmission-qt.profile
            generic-kde.inc -> allow ~/.kde
                okular.profile
                kmail.profile
        generic-webbrowser.inc
            firefox.profile
            torbrowser.profile
            chromium.profile
            google-chrome…
            midori.profile
            opera.profile
            …
        generic-rssreader.inc
            liferea.profile
            akregator.profile
            quiterss.profile
            …
        generic-pdfreader.inc
            evince.profile
            okular.profile
        generic-im.inc
            skype.profile
            hexchat.profile
            empathy.profile
            xchat.profile
        generic-mail.inc
            thunderbird.profile
            kmail.profile
        generic-mediaplayer.inc
            vlc.profile
        generic-torrent.inc
            transmission.inc
                transmission-gtk.profile
                transmission-qt.profile
            deluge.profile
    generic-java.inc -> allow ~/.java
        java.profile // might be merged with the one above
    generic-python.inc
        deluge.profile
disable-network.inc
disable-mgmt.inc
disable-devel.inc
disable-common.inc
template.profile -> contains sample code to standardize applications

I'd do the work (except someone else wants to), but I posted here to enable a discussion if necessary. Thoughts? Comments?

Originally created by @genodeftest on GitHub (Jan 22, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/254 While support for more and more applications is added, they are getting more complex. Some profiles use outdated features. When #225 is being implemented, profiles should be reworked, this should include some documentation. I suggest creating a more hierarchical structure. Motivation: reduce duplicated configuration options. Ideally, each software type (Toolkit: Gtk/Qt/…, category: Browser/PDF Reader/…, programming language: python/java/…, …) gets its own template so all of these applications can be "fixed" at once. I'd like to reuse the "old" file extensions `.profile` and `.inc` if you don't mind. A hierarchy could look like this: ``` generic-app.inc -> allow ~/.cache (?) generic-gui.inc -> allow X11, Wayland files: ~/.Xauthority, TODO; allow ~/.local/share/recently-used.xbel generic-gtk.inc -> allow ~/.gtkrc-2.0, ~/.gtkrc-2.0-kde4, ~/.config/gtk-2.0, ~/.config/gtk-3.0, ~/.config/gtkrc, ~/.config/gtkrc-2.0 firefox.profile thunderbird.profile deluge.profile generic-gnome.inc evince.profile empathy.profile generic-qt.inc -> allow ~/.config/Trolltech.conf, ~/.config/QtProject.conf vlc.profile transmission-qt.profile generic-kde.inc -> allow ~/.kde okular.profile kmail.profile generic-webbrowser.inc firefox.profile torbrowser.profile chromium.profile google-chrome… midori.profile opera.profile … generic-rssreader.inc liferea.profile akregator.profile quiterss.profile … generic-pdfreader.inc evince.profile okular.profile generic-im.inc skype.profile hexchat.profile empathy.profile xchat.profile generic-mail.inc thunderbird.profile kmail.profile generic-mediaplayer.inc vlc.profile generic-torrent.inc transmission.inc transmission-gtk.profile transmission-qt.profile deluge.profile generic-java.inc -> allow ~/.java java.profile // might be merged with the one above generic-python.inc deluge.profile disable-network.inc disable-mgmt.inc disable-devel.inc disable-common.inc template.profile -> contains sample code to standardize applications ``` I'd do the work (except someone else wants to), but I posted here to enable a discussion if necessary. Thoughts? Comments?

gitea-mirror

2026-05-05 05:15:27 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 05:15:36 -06:00

Author

Owner

@yjftsjthsd-g commented on GitHub (Jan 22, 2016):

I wonder if media players should be divided into audio only and audio+video? For some it might come out in the wash, but I expect that MOC needs less access than VLC, for instance.

@yjftsjthsd-g commented on GitHub (Jan 22, 2016): I wonder if media players should be divided into audio only and audio+video? For some it might come out in the wash, but I _expect_ that MOC needs less access than VLC, for instance.

gitea-mirror commented

2026-05-05 05:15:38 -06:00

Author

Owner

@genodeftest commented on GitHub (Jan 22, 2016):

Hm, interesting thought. What is the difference? I'll call them music player for e.g. amarok, clementine, banshee, exaile, … and media player for e.g. vlc, totem, mplayer.
Both, music player and media player need access to sound devices.
Music player don't need access to videos, media player might need access to music files, so there is no good way to distinguish.
Media player need access to OpenGL devices for video rendering, music players might need that too, e.g. for visualizations. Without a deeper look into this topic I don't see enough differences between those categories to have a separate profile. Do you? Btw: what is MOC?

@genodeftest commented on GitHub (Jan 22, 2016): Hm, interesting thought. What is the difference? I'll call them _music player_ for e.g. amarok, clementine, banshee, exaile, … and _media player_ for e.g. vlc, totem, mplayer. Both, music player and media player need access to sound devices. Music player don't need access to videos, media player might need access to music files, so there is no good way to distinguish. Media player need access to OpenGL devices for video rendering, music players might need that too, e.g. for visualizations. Without a deeper look into this topic I don't see enough differences between those categories to have a separate profile. Do you? Btw: what is MOC?

gitea-mirror commented

2026-05-05 05:15:40 -06:00

Author

Owner

@yjftsjthsd-g commented on GitHub (Jan 22, 2016):

Ah, sorry, I'd forgotten about visualizations. Yes, given that, there probably isn't a difference.
MOC, Music On Console, is a ncurses music player; it doesn't need X, OpenGL, or anything else except music files and audio out, which is what I was thinking of when I separated audio and video players.

@yjftsjthsd-g commented on GitHub (Jan 22, 2016): Ah, sorry, I'd forgotten about visualizations. Yes, given that, there probably isn't a difference. [MOC](http://moc.daper.net/node/374), Music On Console, is a ncurses music player; it doesn't need X, OpenGL, or anything else except music files and audio out, which is what I was thinking of when I separated audio and video players.

gitea-mirror commented

2026-05-05 05:15:42 -06:00

Author

Owner

@genodeftest commented on GitHub (Mar 6, 2016):

@netblue30 Can you please explain why you closed this issue? Is it because you don't see any need for discussion or this is the wrong place or you don't need this?

@genodeftest commented on GitHub (Mar 6, 2016): @netblue30 Can you please explain why you closed this issue? Is it because you don't see any need for discussion or this is the wrong place or you don't need this?

gitea-mirror commented

2026-05-05 05:15:44 -06:00

Author

Owner

@netblue30 commented on GitHub (Mar 7, 2016):

I think we are going in the wrong direction. Just classifying each application will not help. You have player using X11, and players without X11. Some go out on the network, others run locally.

@netblue30 commented on GitHub (Mar 7, 2016): I think we are going in the wrong direction. Just classifying each application will not help. You have player using X11, and players without X11. Some go out on the network, others run locally.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#178

No description provided.

Rows
Columns