[GH-ISSUE #3509] firejail with wine #2208

Closed
opened 2026-05-05 08:53:35 -06:00 by gitea-mirror · 13 comments

Originally created by @Joe23232 on GitHub (Jul 15, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3509

Is it possible to configure `wine` to always launch through `firejail` so that if I type `wine`, it will simply by default go through `firejail`?

When I install a game through `wine` and it creates a shortcut, it creates it as `*.desktop` rather than `*.lnk` that is typically done on Windows. I guess the `*.desktop` is set to point to `wine`, but if I can somehow figure out how to get `wine` to go through `firejail` by default, I guess the game will by default also launch through `firejail` before going through `wine`, am I correct?


@bbhtt commented on GitHub (Jul 16, 2020):

Wine has a profile https://github.com/netblue30/firejail/blob/master/etc/profile-m-z/wine.profile
If you've set up Firejail using `sudo firecfg`, it'll launch through Firejail:

```
:~$ wine --version
Reading profile /etc/firejail/wine.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 43568, child pid 43569
Child process initialized in 157.03 ms
wine-5.0 (Ubuntu 5.0-3ubuntu1)

Parent is shutting down, bye...
```

Not sure about your second question. You can launch a desktop file on a terminal using `gtk-launch abcd.desktop` provided it's in default locations.


@Joe23232 commented on GitHub (Jul 16, 2020):

Hey mate, so like does `firecfg` force all applications to go through `firejail`, as it seems that is what that command does? I want to force only specific applications such as `wine` to go through `firejail`. Would you happen to know how I would do this?


@rusty-snake commented on GitHub (Jul 16, 2020):

```
# Make sure /usr/local/bin is the first directory in $PATH:
$ echo $PATH
/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
# Create it if it does not exist yet
$ sudo mkdir -p -m0755 /usr/local/bin
# Create a symlink for the program you want
# sudo ln -s /usr/bin/firejail /usr/local/bin/<PROGRAM NAME>
$ sudo ln -s /usr/bin/firejail /usr/local/bin/wine
# Check the .desktop file of the program (if it has one)
# Make sure that the value of the `Exec` key looks like `foo` and not `/usr/bin/foo`
# Make sure it does not contain `DBusActivatable=true`
$ less /usr/share/applications/XXX.desktop
# If necessary copy it to your $HOME and edit
$ cp /usr/share/applications/XXX.desktop ~/.local/share/applications/XXX.desktop
$ vim ~/.local/share/applications/XXX.desktop
```
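A worked version of the procedure above, added here as an example (it is not code from the thread or from the firejail project): it creates the symlinks for only the programs you name, checks that the first match on `$PATH` really resolves to firejail, and applies the two `.desktop` checks the comment asks for (a bare command in `Exec`, no `DBusActivatable=true`). It runs against a temporary directory and a stub `firejail` script so it can be tried unprivileged; on a real system you would pass `/usr/local/bin` and `/usr/bin/firejail` instead. The function names and the two sample `.desktop` files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not firejail's own code: jail only the programs you name by
# putting a symlink to firejail ahead of /usr/bin on $PATH, then verify it.

# jail_only DIR FIREJAIL PROG... -> DIR/PROG becomes a symlink to FIREJAIL
jail_only() {
    dir=$1; fj=$2; shift 2
    mkdir -p -m 0755 "$dir"
    for prog in "$@"; do
        ln -sf "$fj" "$dir/$prog"    # -f replaces a stale link on re-run; /usr/bin is never touched
    done
}

# is_jailed DIR PROG -> succeeds if PROG, looked up with DIR first on PATH, resolves to firejail
is_jailed() {
    target=$(PATH="$1:$PATH"; command -v "$2") || return 1
    case $(readlink -f "$target") in
        */firejail) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_desktop FILE -> prints "ok" or the problems found with the launcher entry:
#   absolute-exec     Exec starts with a path, so the PATH override is bypassed
#   dbus-activatable  DBusActivatable=true lets the desktop start it over D-Bus instead of Exec
check_desktop() {
    problems=""
    exec_cmd=$(sed -n 's/^Exec=//p' "$1" | head -n 1)
    case $exec_cmd in
        /*|\"/*) problems="${problems:+$problems }absolute-exec" ;;
        '')      problems="${problems:+$problems }no-exec" ;;
    esac
    if grep -qx 'DBusActivatable=true' "$1"; then
        problems="${problems:+$problems }dbus-activatable"
    fi
    if [ -z "$problems" ]; then echo ok; else echo "$problems"; fi
}

# --- demo on constructed input: a temporary override dir and a stub firejail ---
tmp=$(mktemp -d)
printf '#!/bin/sh\necho "stub firejail would now sandbox: $*"\n' > "$tmp/firejail"
chmod 0755 "$tmp/firejail"
jail_only "$tmp/bin" "$tmp/firejail" wine winecfg   # real system: /usr/local/bin /usr/bin/firejail

cat > "$tmp/good.desktop" <<'EOF'
[Desktop Entry]
Name=Some Game
Exec=wine "C:\\Games\\game.exe"
EOF
cat > "$tmp/bad.desktop" <<'EOF'
[Desktop Entry]
Name=Some Game
Exec=/usr/bin/wine "C:\\Games\\game.exe"
DBusActivatable=true
EOF

is_jailed "$tmp/bin" wine && echo "wine -> $(readlink -f "$tmp/bin/wine")"
echo "good.desktop: $(check_desktop "$tmp/good.desktop")"
echo "bad.desktop:  $(check_desktop "$tmp/bad.desktop")"
```

The PATH override only catches launches that go through PATH lookup; anything that executes `/usr/bin/wine` by absolute path, including a `.desktop` entry with an absolute `Exec`, bypasses it, which is why the `.desktop` check matters as much as the symlink.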

@Joe23232 commented on GitHub (Jul 20, 2020):

Hey man, thanks for the help. One other thing: how would I create different profiles? So I can restrict wine from having certain access to certain parts of my system (such as only being able to write to my `~/Desktop` folder but not read from `~/Desktop`), but maybe for something like Chromium, it can have read and write rights to `~/Desktop`?


@rusty-snake commented on GitHub (Jul 20, 2020):

> such as only being able to write to my ~/Desktop folder but not read from ~/Desktop

A write-only access is not possible. There are two ways to work around it:

  1. Use a subfolder (e.g. ~/Desktop/wine). This is the preferred workaround, but not really handy for the desktop.
  2. `blacklist ${HOME}/Desktop/*` This allows creating/reading/writing files in ~/Desktop which are created after the sandbox was started.

> One other thing how would I create different profiles.

`mkdir -p ~/.config/firejail`
`vim ~/.config/firejail/restricted-wine.profile`

```
blacklist ${HOME}/foo
read-only ${HOME}/far
env WINEPREFIX=~/baz

include ${CFG}/wine.profile
```

`firejail --profile=restricted-wine wine 'C:\…'`


@Joe23232 commented on GitHub (Jul 20, 2020):

> A write only access is not possible. There a two ways to workaround:

So you can only do read-only but not write-only? Cause you typed `read-only ${HOME}/far`, so I guess I can't type `write-only`?

> `blacklist ${HOME}/Desktop/*` This allows to create/read/write files in ~/Desktop which are created after the sandbox was started.

If I am understanding this correctly, this allows wine to have read and write permissions? Cause `blacklist` would normally mean having no access rights at all, if I am understanding this correctly?

`env WINEPREFIX=~/baz` Sorry mate, what does `env` even mean?

`include ${CFG}/wine.profile` I am a bit confused as to why this line needs to be added in. I thought that if I am telling `firejail` to use the `restricted-wine` profile (as shown in `firejail --profile=restricted-wine wine 'C:\…'`) then wouldn't `wine` know that it has to use from this directory `~/.config/firejail/restricted-wine.profile`? Maybe I am failing to understand what `${CFG}` means?


@rusty-snake commented on GitHub (Jul 20, 2020):

> > A write only access is not possible. There a two ways to workaround:
>
> So you can only do read-only but not write-only?

What do you mean exactly with write-only?

  1. Allow to write to new and existing files but not read new/existing files.
  2. Allow to create new files but deny access to existing files.

> env WINEPREFIX=~/baz Sorry mate what does env even mean?

The second part is just an example on how to use a custom profile. Using a different WINEPREFIX is common if you use different profiles.

> include ${CFG}/wine.profile I am a bit confused as to why this line needs to be added in. … then wouldn't wine know that it has to use from this directory ~/.config/firejail/restricted-wine.profile?

Not wine, firejail. This usually expands to `include /etc/firejail/wine.profile`. Without it the restricted-wine is more permissive than the wine.profile.


@Joe23232 commented on GitHub (Jul 20, 2020):

> What do you mean exactly with write-only?

I mean like the application can write to the directory but it can't read from the directory. So the first option.

> The second part is just an example on how to use a custom profile. Using a different WINEPREFIX is common if you use different profiles.

I understand how `WINEPREFIX` works but I am a bit confused with the `env` part. Is this part of `wine` or `firejail`?

> Not wine, firejail. This usually expands to include /etc/firejail/wine.profile. Without it the restricted-wine is more permissive than the wine.profile.

Forgive me for my lack of understanding, but if you already have a file `~/.config/firejail/restricted-wine.profile` which essentially tells `firejail` what restrictions you need etc., how does this line `include ${CFG}/wine.profile` make it more restrictive?


@rusty-snake commented on GitHub (Jul 20, 2020):

> I mean like the application can write to the directory but it can't read from the directory. So the first option.

What is your goal? I don't see why this is useful.

> I understand how WINEPREFIX works but I am a bit confused with the env part. Is this part of wine or firejail?

`man firejail-profile`:

> **env name=value**
> Set environment variable. Examples:
> env LD_LIBRARY_PATH=/opt/test/lib
> env CFLAGS="-W -Wall -Werror"

> Forgive me for my lack of understanding but if you already have a file ~/.config/firejail/restricted-wine.profile which essentially tells firejail to what restrictions you need etc, how does include ${CFG}/wine.profile this line make it more restrictive?

It's easier to set the extra restrictions for ~/Desktop in this profile and use the rest from wine.profile than copying the restrictions from wine.profile to restricted-wine.profile. If you just set these few read-only/blacklist commands and do not include disable-common.inc, set nonewprivs, seccomp, ... your "restricted-wine" is not restricted.
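To make the point above concrete, here is an added example (not firejail's own code, and not from the thread) of a small profile expander: it resolves `include` lines the way `${CFG}` and `${HOME}` are described in this thread (`${CFG}` being the system profile directory, normally `/etc/firejail`), then reports whether the hardening directives the reply names (`disable-common.inc`, `nonewprivs`, `seccomp`, plus `caps.drop all`) are actually reached. It runs against a constructed, trimmed stand-in for `wine.profile` in a temporary directory, not the real file, and only handles `include` lines with absolute, `${CFG}`- or `${HOME}`-prefixed paths; the real firejail parser does more (conditionals, `ignore`, bare include names). The function and profile names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not firejail's own code: expand a profile's include chain and
# check which hardening directives a custom profile actually ends up with.

# expand_profile FILE CFG HOME
#   Prints the effective directives of FILE, one per line, with ${CFG} and
#   ${HOME} substituted and every `include` replaced by a marker line
#   "include <resolved path>" followed by the included file's own directives.
#   Assumption: only absolute, ${CFG}- or ${HOME}-prefixed includes are handled.
expand_profile() {
    file=$1; cfg=$2; home=$3
    if [ ! -r "$file" ]; then
        echo "# missing include: $file" >&2
        return 0
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;    # blank lines and comments
        esac
        line=$(printf '%s\n' "$line" | sed "s|[\$]{CFG}|$cfg|g; s|[\$]{HOME}|$home|g")
        case $line in
            include\ *)
                inc=${line#include }
                printf 'include %s\n' "$inc"
                expand_profile "$inc" "$cfg" "$home" ;;   # recurse; this loop keeps its own fd
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file"
}

# audit_profile FILE CFG HOME -> "hardened" or "missing: <directives not reached>"
audit_profile() {
    expanded=$(expand_profile "$1" "$2" "$3")
    missing=""
    for want in "include $2/disable-common.inc" "caps.drop all" nonewprivs seccomp; do
        if ! printf '%s\n' "$expanded" | grep -qxF -- "$want"; then
            missing="${missing:+$missing }${want%% *}"
        fi
    done
    if [ -z "$missing" ]; then echo hardened; else echo "missing: $missing"; fi
}

# --- constructed demo tree (stands in for /etc/firejail and $HOME) ---
tmp=$(mktemp -d)
cfg=$tmp/etc/firejail
home=$tmp/home
mkdir -p "$cfg" "$home/.config/firejail"

printf '%s\n' 'blacklist ${HOME}/.ssh' 'blacklist ${HOME}/.gnupg' > "$cfg/disable-common.inc"
# trimmed stand-in for wine.profile; the real one carries many more rules
printf '%s\n' 'include ${CFG}/disable-common.inc' 'caps.drop all' 'nonewprivs' 'seccomp' \
    > "$cfg/wine.profile"

# the layered profile from this thread: local rules first, then the base profile
printf '%s\n' 'blacklist ${HOME}/Desktop/*' 'read-only ${HOME}/Documents' \
    'env WINEPREFIX=~/wine-restricted' 'include ${CFG}/wine.profile' \
    > "$home/.config/firejail/restricted-wine.profile"
# the same local rules without the include: what the reply calls "not restricted"
printf '%s\n' 'blacklist ${HOME}/Desktop/*' 'read-only ${HOME}/Documents' \
    > "$home/.config/firejail/loose-wine.profile"

for p in restricted-wine loose-wine; do
    printf '%s: %s\n' "$p" "$(audit_profile "$home/.config/firejail/$p.profile" "$cfg" "$home")"
done
```

Running it shows `restricted-wine: hardened` and `loose-wine: missing: include caps.drop nonewprivs seccomp`: the two files carry the same local rules, and only the `include ${CFG}/wine.profile` line brings in the base profile's sandboxing.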


@Joe23232 commented on GitHub (Jul 20, 2020):

> What is your goal? I don't see why this is useful.

Ok so like on the `~/Desktop`, when installing a game, it puts a `*.desktop` file inside the `~/Desktop` directory. Therefore I want it to have write permissions (so it can write such files) but no reading permissions.

> man firejail-profile:

Ah I see, thanks mate :)

> Its easier to set the extra restrictions for ~/Desktop in this profile and use the rest form wine.profile then coping the restrictions from wine.profile to restricted-wine.profile. If you just set these few read-only/blacklist commands and not include disable-common.inc, set nonewprivs, seccomp, ... your "restricted-wine" is not restricted.

Ah I see, it just essentially imports the restrictions from a default config file. I get it now.


@rusty-snake commented on GitHub (Jul 20, 2020):

> Ok so like on the ~/Desktop, when installing a game, it puts a *.desktop file inside the ~/Desktop directory. Therefore I want it to have write permissions (so it can write such files) but no reading permissions.

Using `mkfile` + `whitelist` would be the best, if not use `blacklist ${HOME}/Desktop/*`.


@rusty-snake commented on GitHub (Oct 1, 2020):

I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.


@Joe23232 commented on GitHub (Oct 2, 2020):

Cool, thank you.

On Fri, Oct 2, 2020 at 4:11 AM rusty-snake <notifications@github.com> wrote:

> I'm closing here due to inactivity, please feel free to request to reopen
> if you have more questions.


