[GH-ISSUE #3665] With firecfg, how do I configure specific applications to go through firejail?

gitea-mirror commented

2026-05-05 08:59:52 -06:00

Owner

Originally created by @Joe23232 on GitHub (Oct 13, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3665

I know that with the command sudo firecfg will get all the applications to open through firejail, however I don't want this, I want to only specify specific applications such as chromium etc.

How would I achieve this if this is even possible?

Originally created by @Joe23232 on GitHub (Oct 13, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3665 I know that with the command `sudo firecfg` will get all the applications to open through firejail, however I don't want this, I want to only specify specific applications such as chromium etc. How would I achieve this if this is even possible?

gitea-mirror

2026-05-05 08:59:52 -06:00

closed this issue
added the
question_old
label

gitea-mirror commented

2026-05-05 08:59:54 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 13, 2020):

https://github.com/netblue30/firejail/issues/3213 extended with a script (with is started as root). You must verify the .desktop files yourself.

#!/bin/bash
apps=(firefox thunderbird libreoffice)
for app in "${apps[@]}"; do
	ln -s /usr/bin/firejail "/usr/local/bin/$app"
done

Edit /usr/lib/firejail/firecfg.config (path differs from distro and configure; use locate firecfg.config). You should first create a backup of it.
Use firecfg.py with custom groups (I work on more group control via command-line and config-file).
https://github.com/rahiel/firectl.

EDIT: added firectl

@rusty-snake commented on GitHub (Oct 13, 2020): 1. https://github.com/netblue30/firejail/issues/3213 extended with a script (with is started as root). You must verify the .desktop files yourself. ```bash #!/bin/bash apps=(firefox thunderbird libreoffice) for app in "${apps[@]}"; do ln -s /usr/bin/firejail "/usr/local/bin/$app" done ``` 2. Edit `/usr/lib/firejail/firecfg.config` (path differs from distro and configure; use `locate firecfg.config`). You should first create a backup of it. 3. Use [firecfg.py](https://github.com/rusty-snake/firecfg.py) with custom groups (I work on more group control via command-line and config-file). 4. https://github.com/rahiel/firectl. **EDIT:** added firectl

gitea-mirror commented

2026-05-05 08:59:54 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 14, 2020):

Hi thanks for your response,

Edit /usr/lib/firejail/firecfg.config (path differs from distro and configure; use locate firecfg.config). You should first create a backup of it.

Sorry but in regards to this step, what should I specifically edit in this file?

@Joe23232 commented on GitHub (Oct 14, 2020): Hi thanks for your response, > 2. Edit /usr/lib/firejail/firecfg.config (path differs from distro and configure; use locate firecfg.config). You should first create a backup of it. Sorry but in regards to this step, what should I specifically edit in this file?

gitea-mirror commented

2026-05-05 08:59:55 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 14, 2020):

This file specifies for which programs firecfg creates symlinks (if they installed and have a profile). If a program is not listed there (or commented) no symlinks are created.

Example (create a backup; only set firefox, thunderbird and libreoffice)

$ mv /usr/lib/firejail/firecfg.config /usr/lib/firejail/firecfg.config.bak
$ cat > /usr/lib/firejail/firecfg.config <<EOF
thunderbird
firefox
libreoffice
EOF

@rusty-snake commented on GitHub (Oct 14, 2020): This file specifies for which programs firecfg creates symlinks (if they installed and have a profile). If a program is not listed there (or commented) no symlinks are created. Example (create a backup; only set firefox, thunderbird and libreoffice) ``` $ mv /usr/lib/firejail/firecfg.config /usr/lib/firejail/firecfg.config.bak $ cat > /usr/lib/firejail/firecfg.config <<EOF thunderbird firefox libreoffice EOF ```

gitea-mirror commented

2026-05-05 08:59:56 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 15, 2020):

Hey man cat > /usr/lib/firejail/firecfg.config <<EOF sorry what does cat > and <<EOF mean? I know what cat means but does this > do after the cat?

@Joe23232 commented on GitHub (Oct 15, 2020): Hey man `cat > /usr/lib/firejail/firecfg.config <<EOF` sorry what does `cat >` and `<<EOF` mean? I know what `cat` means but does this `>` do after the `cat`?

gitea-mirror commented

2026-05-05 08:59:57 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 15, 2020):

That's are bash redirections.
https://www.cyberciti.biz/faq/using-heredoc-rediection-in-bash-shell-script-to-write-to-file/
https://wiki.bash-hackers.org/syntax/redirection
https://www.gnu.org/software/bash/manual/html_node/Redirections.html

Maybe it is easier to understand for you if it uses echo. However, you do not need to understand them. It is enough to know what they do (replace /usr/lib/firejail/firecfg.config with thunderbird, firefox, libreoffice (see below)).

Both snippets below do the same, replace /usr/lib/firejail/firecfg.config with

thunderbird
firefox
libreoffice

cat with a HERE-document

cat > /usr/lib/firejail/firecfg.config <<EOF
thunderbird
firefox
libreoffice
EOF

multiple echos

rm /usr/lib/firejail/firecfg.config
echo thunderbird >> /usr/lib/firejail/firecfg.config
echo firefox >> /usr/lib/firejail/firecfg.config 
echo libreoffice >> /usr/lib/firejail/firecfg.config

@rusty-snake commented on GitHub (Oct 15, 2020): That's are bash redirections. https://www.cyberciti.biz/faq/using-heredoc-rediection-in-bash-shell-script-to-write-to-file/ https://wiki.bash-hackers.org/syntax/redirection https://www.gnu.org/software/bash/manual/html_node/Redirections.html --- Maybe it is easier to understand for you if it uses `echo`. However, you do not need to understand them. It is enough to know what they do (replace /usr/lib/firejail/firecfg.config with thunderbird, firefox, libreoffice (see below)). Both snippets below do the same, replace /usr/lib/firejail/firecfg.config with ``` thunderbird firefox libreoffice ``` `cat` with a HERE-document ```bash cat > /usr/lib/firejail/firecfg.config <<EOF thunderbird firefox libreoffice EOF ``` multiple `echo`s ```bash rm /usr/lib/firejail/firecfg.config echo thunderbird >> /usr/lib/firejail/firecfg.config echo firefox >> /usr/lib/firejail/firecfg.config echo libreoffice >> /usr/lib/firejail/firecfg.config ```

gitea-mirror commented

2026-05-05 08:59:57 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 15, 2020):

I see mate, thanks :)

@Joe23232 commented on GitHub (Oct 15, 2020): I see mate, thanks :)

gitea-mirror commented

2026-05-05 08:59:58 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 27, 2020):

#3213 extended with a script (with is started as root). You must verify the .desktop files yourself.
#!/bin/bash
apps=(firefox thunderbird libreoffice)
for app in "${apps[@]}"; do
	ln -s /usr/bin/firejail "/usr/local/bin/$app"
done
Edit /usr/lib/firejail/firecfg.config (path differs from distro and configure; use locate firecfg.config). You should first create a backup of it.

Use firecfg.py with custom groups (I work on more group control via command-line and config-file).

Hi @rusty-snake in your 2nd step, what do I have to edit within /usr/lib/firejail/firecfg.config for firefox as an example? Am I supposed to just add firefox to it via echo firefox >> /usr/lib/firejail/firecfg.config?

@Joe23232 commented on GitHub (Oct 27, 2020): > 1. #3213 extended with a script (with is started as root). You must verify the .desktop files yourself. > > ``` > #!/bin/bash > apps=(firefox thunderbird libreoffice) > for app in "${apps[@]}"; do > ln -s /usr/bin/firejail "/usr/local/bin/$app" > done > ``` > > 2. Edit `/usr/lib/firejail/firecfg.config` (path differs from distro and configure; use `locate firecfg.config`). You should first create a backup of it. > 3. Use [firecfg.py](https://github.com/rusty-snake/firecfg.py) with custom groups (I work on more group control via command-line and config-file). Hi @rusty-snake in your 2nd step, what do I have to edit within `/usr/lib/firejail/firecfg.config` for `firefox` as an example? Am I supposed to just add `firefox` to it via `echo firefox >> /usr/lib/firejail/firecfg.config`?

gitea-mirror commented

2026-05-05 08:59:58 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 27, 2020):

Firecfg will only create symlink for programs listed in firecfg.config. If you want to exclude a program from firecfg, just comment it.

If you want to create symlink only for a few selected programs, remove (or better rename it to something like firecfg.config.orig) it and create a new with only the program you want (one per line). So to make firecfg only create symlinks for firefox and thunderbird, add firefox as first line and thunderbird as second line. No other lines.

@rusty-snake commented on GitHub (Oct 27, 2020): Firecfg will only create symlink for programs listed in firecfg.config. If you want to exclude a program from firecfg, just comment it. If you want to create symlink only for a few selected programs, remove (or better rename it to something like firecfg.config.orig) it and create a new with only the program you want (one per line). So to make firecfg only create symlinks for firefox and thunderbird, add `firefox` as first line and `thunderbird` as second line. No other lines.

gitea-mirror commented

2026-05-05 08:59:58 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 27, 2020):

Firecfg will only create symlink for programs listed in firecfg.config. If you want to exclude a program from firecfg, just comment it.

If you want to create symlink only for a few selected programs, remove (or better rename it to something like firecfg.config.orig) it and create a new with only the program you want (one per line). So to make firecfg only create symlinks for firefox and thunderbird, add firefox as first line and thunderbird as second line. No other lines.

Ah right now I see mate.

@Joe23232 commented on GitHub (Oct 27, 2020): > Firecfg will only create symlink for programs listed in firecfg.config. If you want to exclude a program from firecfg, just comment it. > > If you want to create symlink only for a few selected programs, remove (or better rename it to something like firecfg.config.orig) it and create a new with only the program you want (one per line). So to make firecfg only create symlinks for firefox and thunderbird, add `firefox` as first line and `thunderbird` as second line. No other lines. Ah right now I see mate.

gitea-mirror commented

2026-05-05 08:59:59 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 27, 2020):

@rusty-snake
Sorry to bother you again but In regards to another question, I looked at this part of the firejail article https://firejail.wordpress.com/documentation-2/building-custom-profiles/ and like wanted to create a whitelist profile for firefox but the only directory that is not private is the ~/.config/firefox, ~/.cache/firefox and ~/Downloads and to those directories it has full read and write access rights.

As stated on the website I have done all those things but I named it as firefox.config.

When I do a cat firefox.config I get this output:

# Firejail profile for default
# This file is overwritten after every install/update
# Persistent local customizations
include default.local
# Persistent global definitions
include globals.local

# generic gui profile
# depending on your usage, you can enable some of the commands below:

include disable-common.inc
# include disable-devel.inc
# include disable-exec.inc
# include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
# include disable-write-mnt.inc
# include disable-xdg.inc

# include whitelist-common.inc
# include whitelist-usr-share-common.inc
# include whitelist-runuser-common.inc
# include whitelist-var-common.inc

# apparmor
caps.drop all
# ipc-namespace
# machine-id
# net none
netfilter
# no3d
# nodvd
# nogroups
nonewprivs
noroot
# nosound
# notv
# nou2f
# novideo
protocol unix,inet,inet6
seccomp
# shell none
# tracelog

# disable-mnt
# private
# private-bin program
# private-cache
# private-dev
# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
# private-etc alternatives,fonts,machine-id
# private-lib
# private-opt none
# private-tmp

# dbus-user none
# dbus-system none

# memory-deny-write-execute
# read-only ${HOME}

I apologise for my lack of technical skills but what would I need to modify in this file to achieve what I need to achieve?

@Joe23232 commented on GitHub (Oct 27, 2020): @rusty-snake Sorry to bother you again but In regards to another question, I looked at this part of the `firejail` article [https://firejail.wordpress.com/documentation-2/building-custom-profiles/](https://firejail.wordpress.com/documentation-2/building-custom-profiles/) and like wanted to create a `whitelist` profile for `firefox` but the only directory that is not private is the `~/.config/firefox`, `~/.cache/firefox` and `~/Downloads` and to those directories it has full read and write access rights. ![image](https://user-images.githubusercontent.com/34926497/97293583-fb025480-18a0-11eb-814b-87669c4d9d87.png) As stated on the website I have done all those things but I named it as `firefox.config`. When I do a `cat firefox.config` I get this output: ```bash # Firejail profile for default # This file is overwritten after every install/update # Persistent local customizations include default.local # Persistent global definitions include globals.local # generic gui profile # depending on your usage, you can enable some of the commands below: include disable-common.inc # include disable-devel.inc # include disable-exec.inc # include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc # include disable-write-mnt.inc # include disable-xdg.inc # include whitelist-common.inc # include whitelist-usr-share-common.inc # include whitelist-runuser-common.inc # include whitelist-var-common.inc # apparmor caps.drop all # ipc-namespace # machine-id # net none netfilter # no3d # nodvd # nogroups nonewprivs noroot # nosound # notv # nou2f # novideo protocol unix,inet,inet6 seccomp # shell none # tracelog # disable-mnt # private # private-bin program # private-cache # private-dev # see /usr/share/doc/firejail/profile.template for more common private-etc paths. # private-etc alternatives,fonts,machine-id # private-lib # private-opt none # private-tmp # dbus-user none # dbus-system none # memory-deny-write-execute # read-only ${HOME} ``` I apologise for my lack of technical skills but what would I need to modify in this file to achieve what I need to achieve?

gitea-mirror commented

2026-05-05 08:59:59 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 27, 2020):

wanted to create a whitelist profile for firefox

firefox has already a whitelisting-profile, no need to do so.

~/.config/firefox, ~/.cache/firefox

firefox does not use any of these (unless you patch it and build your own).

but I named it as firefox.config

If you name a profile not <binary>.profile, you need to provide a full path to it.

As stated on the website I have done all those things

If a program has already a profile, it is easier/better to copy it instead of the default.profile. You can the start with whitelisting all path with a noblacklist. However, the most profiles are whitelisting-profiles if it is possible. And some are opt-in i.e. the have a commented whitelist section that just must be uncommented.

@rusty-snake commented on GitHub (Oct 27, 2020): > wanted to create a whitelist profile for firefox **firefox has already a whitelisting-profile, no need to do so.** > ~/.config/firefox, ~/.cache/firefox firefox does not use any of these (unless you patch it and build your own). > but I named it as firefox.config If you name a profile not `<binary>.profile`, you need to provide a full path to it. > As stated on the website I have done all those things If a program has already a profile, it is easier/better to copy it instead of the default.profile. You can the start with whitelisting all path with a `noblacklist`. However, the most profiles are whitelisting-profiles if it is possible. And some are opt-in i.e. the have a commented whitelist section that just must be uncommented.

gitea-mirror commented

2026-05-05 09:00:00 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 27, 2020):

firefox does not use any of these (unless you patch it and build your own).

Oh I am surrpised, I know that chromium based does this for sure so I suppose I want this for chromium based. Maybe as a side note then I want to then experiment/use as an example with chromium instead of firefox.

If you name a profile not .profile, you need to provide a full path to it.

Oh I meant like I copied the file and named it as firefox.profile and this file is located inside this directory ~/.config/firejail.

If a program has already a profile, it is easier/better to copy it instead of the default.profile.

Oh ok that is true mate. So I have done this for chromium via this command cp /etc/firejail/chromium.profile chromium.profile

You can the start with whitelisting all path with a noblacklist.

# Firejail profile for chromium
# Description: A web browser built for speed, simplicity, and security
# This file is overwritten after every install/update
# Persistent local customizations
include chromium.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/chromium
noblacklist ${HOME}/.config/chromium
noblacklist ${HOME}/.config/chromium-flags.conf

mkdir ${HOME}/.cache/chromium
mkdir ${HOME}/.config/chromium
whitelist ${HOME}/.cache/chromium
whitelist ${HOME}/.config/chromium
whitelist ${HOME}/.config/chromium-flags.conf

# private-bin chromium,chromium-browser,chromedriver

# Redirect
include chromium-common.profile

Sorry I am a bit confused, what is the difference between noblacklist and whitelist ?

In the chromium.profile file, it has this line whitelist ${HOME}/.config/chromium and noblacklist ${HOME}/.config/chromium?

@Joe23232 commented on GitHub (Oct 27, 2020): > firefox does not use any of these (unless you patch it and build your own). Oh I am surrpised, I know that chromium based does this for sure so I suppose I want this for chromium based. Maybe as a side note then I want to then experiment/use as an example with `chromium` instead of `firefox`. > If you name a profile not <binary>.profile, you need to provide a full path to it. Oh I meant like I copied the file and named it as `firefox.profile` and this file is located inside this directory `~/.config/firejail`. > If a program has already a profile, it is easier/better to copy it instead of the default.profile. Oh ok that is true mate. So I have done this for `chromium` via this command `cp /etc/firejail/chromium.profile chromium.profile` > You can the start with whitelisting all path with a noblacklist. ```bash # Firejail profile for chromium # Description: A web browser built for speed, simplicity, and security # This file is overwritten after every install/update # Persistent local customizations include chromium.local # Persistent global definitions include globals.local noblacklist ${HOME}/.cache/chromium noblacklist ${HOME}/.config/chromium noblacklist ${HOME}/.config/chromium-flags.conf mkdir ${HOME}/.cache/chromium mkdir ${HOME}/.config/chromium whitelist ${HOME}/.cache/chromium whitelist ${HOME}/.config/chromium whitelist ${HOME}/.config/chromium-flags.conf # private-bin chromium,chromium-browser,chromedriver # Redirect include chromium-common.profile ``` Sorry I am a bit confused, what is the difference between `noblacklist` and `whitelist `? In the `chromium.profile` file, it has this line `whitelist ${HOME}/.config/chromium` and `noblacklist ${HOME}/.config/chromium`?

gitea-mirror commented

2026-05-05 09:00:00 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 27, 2020):

noblacklist ${HOME}/.config/chromium: ignore all later blacklist ${HOME}/.config/chromium commands. ${HOME}/.config/chromium is blacklisted in disable-programs.inc and would be inaccessible w/o this.

whitelist ${HOME}/.config/chromium: enable whitelisting in ${HOME} and whitelist ${HOME}/.config/chromium.

@rusty-snake commented on GitHub (Oct 27, 2020): `noblacklist ${HOME}/.config/chromium`: ignore all later `blacklist ${HOME}/.config/chromium` commands. `${HOME}/.config/chromium` is blacklisted in disable-programs.inc and would be inaccessible w/o this. `whitelist ${HOME}/.config/chromium`: enable whitelisting in ${HOME} and whitelist `${HOME}/.config/chromium`.

gitea-mirror commented

2026-05-05 09:00:01 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 27, 2020):

whitelist ${HOME}/.config/chromium: enable whitelisting in ${HOME} and whitelist ${HOME}/.config/chromium.

I see mate I get the whitelist part now.

noblacklist ${HOME}/.config/chromium: ignore all later blacklist ${HOME}/.config/chromium commands. ${HOME}/.config/chromium is blacklisted in disable-programs.inc and would be inaccessible w/o this.

If I am understanding this correctly, you mean by default ${HOME}/.config/chromium would be disabled through some external profile (via disable-programs.inc) so stating noblacklist overrides the blacklisting stated by disable-programs.inc?

@Joe23232 commented on GitHub (Oct 27, 2020): > whitelist ${HOME}/.config/chromium: enable whitelisting in ${HOME} and whitelist ${HOME}/.config/chromium. I see mate I get the `whitelist` part now. > noblacklist ${HOME}/.config/chromium: ignore all later blacklist ${HOME}/.config/chromium commands. ${HOME}/.config/chromium is blacklisted in disable-programs.inc and would be inaccessible w/o this. If I am understanding this correctly, you mean by default `${HOME}/.config/chromium` would be disabled through some external profile (via `disable-programs.inc`) so stating `noblacklist` overrides the blacklisting stated by `disable-programs.inc`?

gitea-mirror commented

2026-05-05 09:00:01 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 27, 2020):

If I am understanding this correctly, you mean by default ${HOME}/.config/chromium would be disabled through some external profile (via disable-programs.inc) so stating noblacklist overrides the blacklisting stated by disable-programs.inc?

Yes. (There is a limitation: noblacklist works only for later blacklist commands).

@rusty-snake commented on GitHub (Oct 27, 2020): > If I am understanding this correctly, you mean by default ${HOME}/.config/chromium would be disabled through some external profile (via disable-programs.inc) so stating noblacklist overrides the blacklisting stated by disable-programs.inc? Yes. (There is a limitation: `noblacklist` works only for later `blacklist` commands).

gitea-mirror commented

2026-05-05 09:00:02 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 27, 2020):

noblacklist works only for later blacklist commands).

Sorry mate what do you mean by noblacklist works only for later blacklist commands?

@Joe23232 commented on GitHub (Oct 27, 2020): > noblacklist works only for later blacklist commands). Sorry mate what do you mean by _noblacklist works only for later blacklist commands_?

gitea-mirror commented

2026-05-05 09:00:02 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 27, 2020):

foobar is not blacklisted

noblacklist ${HOME}/foobar
blacklist ${HOME}/foobar

foobar is blacklisted

blacklist ${HOME}/foobar
noblacklist ${HOME}/foobar

~/.mozilla is not blacklisted

noblacklist ${HOME}/.mozilla
include disable-programs.inc

~/.mozilla is blacklisted

include disable-programs.inc
noblacklist ${HOME}/.mozilla

@rusty-snake commented on GitHub (Oct 27, 2020): foobar is not blacklisted ``` noblacklist ${HOME}/foobar blacklist ${HOME}/foobar ``` foobar is blacklisted ``` blacklist ${HOME}/foobar noblacklist ${HOME}/foobar ``` ~/.mozilla is not blacklisted ``` noblacklist ${HOME}/.mozilla include disable-programs.inc ``` ~/.mozilla is blacklisted ``` include disable-programs.inc noblacklist ${HOME}/.mozilla ```

gitea-mirror commented

2026-05-05 09:00:03 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 27, 2020):

noblacklist ${HOME}/foobar
blacklist ${HOME}/foobar

Wouldn't it make more sense for it to be blacklisted instead of not being blacklisted? How come it is not blacklisted when the user later specifies he wants it to be blacklisted? Sorry I am just trying to understand a bit better, that is all :)

@Joe23232 commented on GitHub (Oct 27, 2020): ```bash noblacklist ${HOME}/foobar blacklist ${HOME}/foobar ``` Wouldn't it make more sense for it to be blacklisted instead of not being blacklisted? How come it is not blacklisted when the user later specifies he wants it to be blacklisted? Sorry I am just trying to understand a bit better, that is all :)

gitea-mirror commented

2026-05-05 09:00:03 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 27, 2020):

Internal (ignore if you do not understand): firejail applies option when they are read. Undoing a option is not always easy, so a first-will-win semantic is simpler to implement. But there are exceptions, read-only/read-write have a last-will-win semantic.

Usage (here you go): The <profile-name>.local and globals.local overrides are included at the top of profiles. So if you want that your firefox for example can read .config/chromium, you just need to add noblacklist ${HOME}/.config/chromium (and a whitelist).

@rusty-snake commented on GitHub (Oct 27, 2020): Internal (ignore if you do not understand): firejail applies option when they are read. Undoing a option is not always easy, so a first-will-win semantic is simpler to implement. But there are exceptions, read-only/read-write have a last-will-win semantic. Usage (here you go): The `<profile-name>.local` and `globals.local` overrides are included at the top of profiles. So if you want that your firefox for example can read .config/chromium, you just need to add `noblacklist ${HOME}/.config/chromium` (and a whitelist).

gitea-mirror commented

2026-05-05 09:00:03 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 28, 2020):

Internal (ignore if you do not understand): firejail applies option when they are read. Undoing a option is not always easy, so a first-will-win semantic is simpler to implement. But there are exceptions, read-only/read-write have a last-will-win semantic.

Ah I see. Thanks

The .local and globals.local overrides are included at the top of profiles. So if you want that your firefox for example can read .config/chromium, you just need to add noblacklist ${HOME}/.config/chromium (and a whitelist).

Just out of curiosity, if I were to have noblacklist inside the chromium.profile file but I did not have whitelist, the directories would still not be whitelisted, right? All noblacklist tells the global file is to simply ignore the blacklist?

@Joe23232 commented on GitHub (Oct 28, 2020): > Internal (ignore if you do not understand): firejail applies option when they are read. Undoing a option is not always easy, so a first-will-win semantic is simpler to implement. But there are exceptions, read-only/read-write have a last-will-win semantic. Ah I see. Thanks > The <profile-name>.local and globals.local overrides are included at the top of profiles. So if you want that your firefox for example can read .config/chromium, you just need to add noblacklist ${HOME}/.config/chromium (and a whitelist). Just out of curiosity, if I were to have `noblacklist` inside the `chromium.profile` file but I did not have `whitelist`, the directories would still not be whitelisted, right? All `noblacklist` tells the global file is to simply _ignore_ the `blacklist`?

gitea-mirror commented

2026-05-05 09:00:04 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 28, 2020):

Just out of curiosity, if I were to have noblacklist inside the chromium.profile file but I did not have whitelist, the directories would still not be whitelisted, right? All noblacklist tells the global file is to simply ignore the blacklist?

right

@rusty-snake commented on GitHub (Oct 28, 2020): > Just out of curiosity, if I were to have noblacklist inside the chromium.profile file but I did not have whitelist, the directories would still not be whitelisted, right? All noblacklist tells the global file is to simply ignore the blacklist? right

gitea-mirror commented

2026-05-05 09:00:04 -06:00

Author

Owner

@Joe23232 commented on GitHub (Oct 29, 2020):

Thanks.

Sorry I just have one more question.

What is the difference between the these two files chromium.local and globals.local?

@Joe23232 commented on GitHub (Oct 29, 2020): Thanks. Sorry I just have one more question. What is the difference between the these two files `chromium.local` and `globals.local`?

gitea-mirror commented

2026-05-05 09:00:05 -06:00

Author

Owner

@rusty-snake commented on GitHub (Oct 29, 2020):

chromium.local/<NAME>.profile: override for this profile only

globals.local: overrides for all profiles

@rusty-snake commented on GitHub (Oct 29, 2020): `chromium.local`/`<NAME>.profile`: override for this profile only `globals.local`: overrides for **all** profiles

gitea-mirror commented

2026-05-05 09:00:05 -06:00

Author

Owner

@rusty-snake commented on GitHub (Dec 16, 2020):

I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.

@rusty-snake commented on GitHub (Dec 16, 2020): I'm closing here due to inactivity, please fell free to request to reopen if you have more questions.

gitea-mirror commented

2026-05-05 09:00:06 -06:00

Author

Owner

@Joe23232 commented on GitHub (Dec 16, 2020):

Sure mate, thanks

On Thu, Dec 17, 2020 at 5:26 AM rusty-snake notifications@github.com
wrote:

I'm closing here due to inactivity, please fell free to request to reopen
if you have more questions.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
https://github.com/netblue30/firejail/issues/3665#issuecomment-746777680,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AIKO7IJ4574DDZHA5J3VGI3SVD3ULANCNFSM4SN6TPWA
.

@Joe23232 commented on GitHub (Dec 16, 2020): Sure mate, thanks On Thu, Dec 17, 2020 at 5:26 AM rusty-snake <notifications@github.com> wrote: > I'm closing here due to inactivity, please fell free to request to reopen > if you have more questions. > > — > You are receiving this because you authored the thread. > Reply to this email directly, view it on GitHub > <https://github.com/netblue30/firejail/issues/3665#issuecomment-746777680>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AIKO7IJ4574DDZHA5J3VGI3SVD3ULANCNFSM4SN6TPWA> > . >

gitea-mirror commented

2026-05-05 09:00:06 -06:00

Author

Owner

@chaserene commented on GitHub (Aug 24, 2021):

[Question] How to use firejail only for certain apps? #3213 extended with a script (with is started as root). You must verify the .desktop files yourself.
...

@rusty-snake are all four steps in this comment required to firejail only select apps, or are they four different ways of achieving the same thing? asking because this seems to be madly complicated, and firectl has been deprecated.

an easy way to include/exclude apps from being firejailed would be very much welcome. thank you for your excellent hard work!

@chaserene commented on GitHub (Aug 24, 2021): >1. [[Question] How to use firejail only for certain apps? #3213](https://github.com/netblue30/firejail/issues/3213) extended with a script (with is started as root). You must verify the .desktop files yourself. > ... @rusty-snake are all four steps in [this comment](https://github.com/netblue30/firejail/issues/3665#issuecomment-707689049) required to firejail only select apps, or are they four different ways of achieving the same thing? asking because this seems to be madly complicated, and firectl has been deprecated. an easy way to include/exclude apps from being firejailed would be very much welcome. thank you for your excellent hard work!

gitea-mirror commented

2026-05-05 09:00:07 -06:00

Author

Owner

@chaserene commented on GitHub (Aug 24, 2021):

also, in the script in first step/option, isn't firecfg --clean missing?

@chaserene commented on GitHub (Aug 24, 2021): also, in the script in first step/option, isn't `firecfg --clean` missing?

gitea-mirror commented

2026-05-05 09:00:07 -06:00

Author

Owner

@kmk3 commented on GitHub (Aug 24, 2021):

@chaserene commented on Aug 24:

[Question] How to use firejail only for certain apps?
#3213 extended with
a script (with is started as root). You must verify the .desktop files
yourself. ...

@rusty-snake are all four steps in this
comment
required to firejail only select apps, or are they four different ways of
achieving the same thing? asking because this seems to be madly complicated,
and firectl has been deprecated.

Different ways.

an easy way to include/exclude apps from being firejailed would be very much
welcome. thank you for your excellent hard work!

Agreed; see #2097.

@chaserene commented on Aug 24:

also, in the script in first step/option, isn't firecfg --clean missing?

I think it's meant to be used instead of firecfg, as it does the same thing,
but only for the programs specified in the apps array. So yes, if you had
already run firecfg and want to undo it, then first run firecfg --clean
before following that step.

@kmk3 commented on GitHub (Aug 24, 2021): @chaserene commented on [Aug 24](https://github.com/netblue30/firejail/issues/3665#issuecomment-904982962): > > 1. [[Question] How to use firejail only for certain apps? > > #3213](https://github.com/netblue30/firejail/issues/3213) extended with > > a script (with is started as root). You must verify the .desktop files > > yourself. ... > > @rusty-snake are all four steps in [this > comment](https://github.com/netblue30/firejail/issues/3665#issuecomment-707689049) > required to firejail only select apps, or are they four different ways of > achieving the same thing? asking because this seems to be madly complicated, > and firectl has been deprecated. Different ways. > an easy way to include/exclude apps from being firejailed would be very much > welcome. thank you for your excellent hard work! Agreed; see #2097. @chaserene commented on [Aug 24](https://github.com/netblue30/firejail/issues/3665#issuecomment-904985451): > also, in the script in first step/option, isn't `firecfg --clean` missing? I think it's meant to be used instead of `firecfg`, as it does the same thing, but only for the programs specified in the `apps` array. So yes, if you had already run `firecfg` and want to undo it, then first run `firecfg --clean` before following that step.

gitea-mirror referenced this issue

2026-05-05 10:32:11 -06:00

[PR #4273] [MERGED] Try to fix #2310 -- Can't create run directory without suid-root #5094

Rows
Columns

[GH-ISSUE #3665] With firecfg, how do I configure specific applications to go through firejail? #2310