[GH-ISSUE #3424] Support bash or AppArmor like variables #2150

Open
opened 2026-05-05 08:49:32 -06:00 by gitea-mirror · 2 comments

Originally created by @curiosityseeker on GitHub (May 20, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3424

@rusty-snake's [proposal](https://github.com/netblue30/firejail/issues/3412) to support aliases gave me the idea to propose the support of variables in Firejail.

I once saw this neat trick in an AppArmor profile for LibreOffice:

```
@{libo_user_dirs} = @{HOME} /mnt /media
@{libreoffice_ext} = [mM][mM][lL] [tT][iI][fF] [xX][mMsS][lL] {,f,F}[oO][dDtT][tTsSpPbBgGfF] [jJ][pP][eE][gG] [tT][iI][fF][fF] [sS][vV][gG] [pP][dD][fF] [sS][wW][fF] {,x,X}[hH][tT][mM]{,l,L} [pP][pP][tTsS]{,x,X} [rR][tT][fF] [tT][xX][tT] [sS][vV][gG][zZ] [dD][iIbB][fF] [jJ][pP][gG] [pP][nN][gG] [pP][sS][dD] [cCtT][sS][vV] [sS][lL][kK] [sS][dD][wW] [uU][oO][fFtTsSpP] [xX][lL][sSwWtT]{,x,X} [dD][oO][cCtT]{,x,X} [pP][oO][tT]{,m,M}

...
owner @{libo_user_dirs}/**.@{libreoffice_ext} rwk, #Open files rw with the right exts
owner @{libo_user_dirs}/**/ rw, #allow creating directories that we own
owner @{libo_user_dirs}/**~lock.* rw, #lock file support
```

Since then I've been using a similar approach in several of my AppArmor profiles.

I think supporting something similar in Firejail - in combination with globbing - would make writing profiles easier and, at the same time, more powerful. The above example illustrates how whitelisting files with specific extensions could be facilitated.

gitea-mirror added the enhancement label 2026-05-05 08:49:32 -06:00

@rusty-snake commented on GitHub (May 21, 2020):

I just read @curiosityseeker's variable proposal and felt reminded of rpm's macros. In the end all three (aliases, variables, macros (not the static ones we now have)) are the same: dynamically generated profiles.
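As an added illustration (not code from Firejail or from anyone in this thread), here is a small preprocessor that expands AppArmor-style `@{name}` variables into plain profile lines, i.e. a dynamically generated profile as discussed above. Using `@{name}` in front of Firejail directives, the sample template and the function names are assumptions made for the example; each occurrence of a multi-valued variable is expanded independently, and undefined, duplicate or empty variables are rejected rather than passed through.

```python
import itertools
import re

VAR_DEF = re.compile(r"^@\{(\w+)\}\s*=\s*(.*)$")
VAR_REF = re.compile(r"@\{(\w+)\}")

# Constructed sample. The @{name} syntax is AppArmor's; using it in front of
# Firejail directives is hypothetical, Firejail itself does not parse it.
SAMPLE = """\
@{doc_dirs} = ${HOME}/Documents /mnt /media
@{doc_ext} = [oO][dD][tT] [pP][dD][fF]
whitelist @{doc_dirs}
read-only @{doc_dirs}/*.@{doc_ext}
"""

def expand_line(line, variables):
    """Return every combination of values for a line's @{name} references."""
    parts = VAR_REF.split(line)  # literals at even indexes, names at odd ones
    choices = []
    for i, part in enumerate(parts):
        if i % 2 == 0:
            choices.append([part])
        elif part in variables:
            choices.append(variables[part])
        else:
            # Fail closed: an unexpanded reference must never reach the profile.
            raise ValueError("undefined variable @{%s}" % part)
    return ["".join(combo) for combo in itertools.product(*choices)]

def expand(template):
    """Expand a template into plain profile lines (definitions are consumed)."""
    variables, out = {}, []
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VAR_DEF.match(line)
        if not m:
            out.extend(expand_line(line, variables))
            continue
        name, values = m.groups()
        if name in variables:
            # A silent redefinition could widen rules written earlier.
            raise ValueError("variable @{%s} defined twice" % name)
        # Values may themselves reference variables defined earlier.
        expanded = [v for tok in values.split() for v in expand_line(tok, variables)]
        if not expanded:
            raise ValueError("variable @{%s} has no values" % name)
        variables[name] = expanded
    return out
```

Calling `expand(SAMPLE)` turns the two rule lines into nine concrete lines, which makes the cost of multi-valued variables visible: the output grows as the product of the value counts, so generated profiles are worth reviewing after expansion.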

@rusty-snake commented on GitHub (Sep 15, 2021):

FWIW: https://github.com/sailfishos/firejail/blob/master/rpm/0004-Implement-template-addition-for-replacing-keys-in-pr.patch