[GH-ISSUE #3714] How would it be possible to have specified commands run automatically with firejail? (e.g. youtube-dl becomes firejail youtube-dl) #2339

Closed
opened 2026-05-05 09:01:32 -06:00 by gitea-mirror · 9 comments

Originally created by @mYnDstrEAm on GitHub (Oct 31, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3714

For example, instead of having to write `firejail youtube-dl` for command-line programs or `firejail firefox-esr` in apps' launch commands, I'd like `youtube-dl` and `firefox-esr` (the latter also for any other app that might call this command) to automatically use firejail.

So far I think two options for this are **using aliases** (e.g. reassigning the command `firefox-esr`) and **`firecfg`**. I'm not sure how firecfg works or whether there are additional options - are there any?

Also I'd prefer not having to assign aliases for this, at least not manually (and one problem with aliases is that it disguises and hides the actual command being run). What would be the best way this could be either implemented as an additional feature in firejail/firecfg or used by the user? I'd like to specify which apps should run with firejail by default and for all others to require `firejail` being put in front of the command. (Maybe at a later point there could be a user prompt when running a new software for the first time if there is a firejail profile for its name.)


@SkewedZeppelin commented on GitHub (Oct 31, 2020):

`sudo ln -s /usr/bin/firejail /usr/local/bin/youtube-dl`


@rusty-snake commented on GitHub (Oct 31, 2020):

> So far I think two options for this are using aliases

Aliases are not applied for desktop starters and non-interactive shells (depending on where you set them).

> I'm not sure how firecfg works or whether there are additional options - are there any?

On how they work for the user there are some alternatives: https://github.com/netblue30/firejail/issues/3665#issuecomment-707689049.

Under the hood they all do (mostly) the same.

> I'd like to specify which apps should run with firejail by default and for all others to require firejail being put in front of the command.

So your goal is that only a few selected programs (e.g. firefox, thunderbird and youtube-dl) are firejailed by default, right?


@mYnDstrEAm commented on GitHub (Oct 31, 2020):

> sudo ln -s /usr/bin/firejail /usr/local/bin/youtube-dl

Wouldn't this make `youtube-dl` become `firejail` and not `firejail youtube-dl`? If the target location of the symbolic link can be appended like this: I'd like to use the command `youtube-dl` and not e.g. `fjyoutube-dl`.

> aliases are not applied for desktop starter and non-interactive shells (depending where you set them).

Couldn't they simply be set in the `~/.bashrc` file?

> On how they work to the user there are some alternatives

Thanks, this looks very useful for this. Even though it doesn't seem to be very convenient / natively well-supported currently.

> So your goal is that only a few selected programs (e.g. firefox, thunderbird and youtube-dl) are firejailed by default, right?

Exactly. And that they don't require `firejail` to be put in front of the command but are launched via the command of the same name and are guaranteed to only run firejailed.


@rusty-snake commented on GitHub (Nov 1, 2020):

> Couldn't they simply be set in the ~/.bashrc file?

`~/.bashrc` is only read by interactive non-login shells by default.

> Wouldn't this make youtube-dl become firejail

Yes, and firejail detects that it is started through a symlink named `youtube-dl` and will act like `firejail youtube-dl`.

> and are guaranteed to only run firejailed.

You can always start a program by path (= unfirejailed). If you want a guarantee, you need to use an LSM like AppArmor or SELinux.


@mYnDstrEAm commented on GitHub (Nov 1, 2020):

> ~/.bashrc is only read by interactive non-login shells by default.

I think that would be sufficient in my case. But why not in other shells? Is there a simple way to make it get read by all shells?

> Wouldn't this make youtube-dl become firejail

Great - so that's exactly what I was looking for. There's just a problem with running it like this of course: `ln: failed to create symbolic link '/usr/local/bin/youtube-dl': File exists` so I guess one has to rename youtube-dl to something else first. The problem with that is that it probably will break the updating procedure because after updating it probably is called `youtube-dl` again.

> You can always start a program by path (=unfirejailed). If you want guarantee, you need to use a LSM like AppArmor or SELinux.

Maybe there's a way to make software not executable when starting it via path but only otherwise. This would be tricky I guess. I'm already using AppArmor.
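The symlink trick from the `sudo ln -s` reply above, together with the `File exists` collision just described, as an added example that is not part of this thread and not code from the firejail project. Shadowing a command with a symlink to firejail only works if two things hold: the link directory comes before the real binary's directory in `PATH`, and the real binary does not itself live in the link directory (otherwise `ln` fails, or, if you force it, there is no real program left for firejail to find). The script checks both before creating the link. `FIREJAIL_BIN`, `LINK_DIR` and the `fj_*` function names are this example's own; it assumes GNU `readlink -f` and that firejail, when started through such a symlink, resolves the real program from the remaining `PATH` entries, which is the behaviour the reply above describes.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the firejail project). Wraps a command in
# firejail by shadowing it with a symlink, the way firecfg and the `ln -s` reply do.
# Assumed names: FIREJAIL_BIN, LINK_DIR and the fj_* helpers are this example's own.

FIREJAIL_BIN="${FIREJAIL_BIN:-/usr/bin/firejail}"   # sandbox binary the link points at
LINK_DIR="${LINK_DIR:-/usr/local/bin}"              # where the shadowing symlink goes

# True when "$1" is a symlink that resolves to FIREJAIL_BIN.
fj_points_at_firejail() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$FIREJAIL_BIN")" ]
}

# Print the 0-based position of directory "$1" in PATH; fail if it is not on PATH.
fj_path_index() {
    local dir i=0
    local IFS=:
    for dir in $PATH; do
        [ "$dir" = "$1" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# Print the real "$1": the first executable on PATH that is not a firejail symlink.
# This is the lookup firejail itself has to do when it is started via the symlink.
fj_real_binary() {
    local dir cand
    local IFS=:
    for dir in $PATH; do
        cand="$dir/$1"
        [ -f "$cand" ] && [ -x "$cand" ] || continue
        fj_points_at_firejail "$cand" && continue
        echo "$cand"
        return 0
    done
    return 1
}

# True when typing "$1" in the current PATH already runs it through firejail.
fj_is_wrapped() {
    local first
    first=$(command -v "$1" 2>/dev/null) || return 1
    fj_points_at_firejail "$first"
}

# Create LINK_DIR/$1 -> FIREJAIL_BIN, refusing the cases that silently do nothing
# or break: no real binary on PATH, real binary already inside LINK_DIR (the
# "File exists" case), or LINK_DIR not ahead of the real binary's directory in PATH.
fj_wrap() {
    local name="$1" real link li ri
    real=$(fj_real_binary "$name") || { echo "$name: not found in PATH" >&2; return 2; }
    link="$LINK_DIR/$name"
    if [ "$real" = "$link" ]; then
        echo "$name: the real binary is $real; install it outside $LINK_DIR first" >&2
        return 3
    fi
    li=$(fj_path_index "$LINK_DIR") || { echo "$LINK_DIR is not in PATH" >&2; return 4; }
    ri=$(fj_path_index "$(dirname "$real")") || return 4
    if [ "$li" -ge "$ri" ]; then
        echo "$name: $LINK_DIR must precede $(dirname "$real") in PATH" >&2
        return 4
    fi
    ln -s "$FIREJAIL_BIN" "$link"
}

# Usage: ./fjwrap.sh youtube-dl firefox-esr
if [ "$#" -gt 0 ]; then
    for n in "$@"; do fj_wrap "$n" && echo "$n -> $FIREJAIL_BIN"; done
fi
```

Note what this does and does not give you: `fj_is_wrapped` confirms that the bare command name now goes through firejail, but, as the reply above says, anyone can still run the real binary by its full path; the symlink is a convenience, not an enforcement point.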


@rusty-snake commented on GitHub (Nov 1, 2020):

> I think that would be sufficient in my case.

This would mean you must start programs in a terminal.

> But why not in other shells?

Because bashrc is the startup file for interactive non-login bash sessions.

> Is there a simple way to make it get read by all shells?

There are other startup files too.

> Great - so that's exactly what I was looking for. There's just a problem with running it like this of course: `ln: failed to create symbolic link '/usr/local/bin/youtube-dl': File exists` so I guess one has to rename youtube-dl to something else first. The problem with that is that it probably will break the updating procedure because after updating it probably is called `youtube-dl` again.

How did you install ytdl?

> Maybe there's a way to make software not executable when starting it via path but only otherwise.

... and then you make an update and the file is executable again. Uhh, and how should firejail start a program if it is not executable?


@mYnDstrEAm commented on GitHub (Nov 1, 2020):

Alright, thanks for the infos!
It's usually updated with pip: `sudo pip install --upgrade youtube_dl`
I guess there's no good way around renaming the file/command.

> ... and then you make an update and the file is executable again. Uhh, and how should firejail start a program if it is not executable?

Exactly. Maybe it would be possible for Linux/GNU/Debian/other software to have a table of executables that are allowed to be run on the machine with _everything_ else not getting executed even when the executable flag is set. This table could also define the way that the software is allowed to be called with the default option allowing direct calls and otherwise it only allows e.g. certain commands to launch it. Like this:

```
| command        | location                  | allowed | hash  | access options
|----------------|---------------------------|---------|-------|--------------------
| youtube-dl     | /usr/local/bin/youtube-dl | x       | ...   | firejail youtube-dl
```

That's just one idea. Please let me know what you think of it, whether you know if something like it already exists, if you maybe have suggestions for alternatives and if you know of a place to best [ask](https://security.stackexchange.com/questions/240321/is-there-a-way-to-specify-in-a-table-which-executables-via-locations-hashes) about it.


@rusty-snake commented on GitHub (Nov 1, 2020):

https://github.com/linux-application-whitelisting/fapolicyd

`sudo pip install --upgrade --target=/usr/bin youtube-dl`
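The allowlist table sketched two comments up maps quite directly onto fapolicyd's rule language, which is presumably why it is linked here. The fragment below is an added illustration, not from this thread, the firejail project or the fapolicyd project, and it has not been tested against a running fapolicyd. It assumes the real script lives at `/usr/bin/youtube-dl` (after the `pip install --target=/usr/bin` suggested in this comment) and that firejail is `/usr/bin/firejail` and execs the program itself rather than through a shell.

```conf
# Added illustration (not from the thread, firejail or fapolicyd). Assumed paths:
# /usr/bin/firejail and /usr/bin/youtube-dl. fapolicyd evaluates rules top-down,
# first match wins, so these lines must sit above any broad trust-based allow rule.

# 1. The sandbox wrapper may execute the real program.
allow perm=execute exe=/usr/bin/firejail : path=/usr/bin/youtube-dl

# 2. Nobody else may execute it, full path or not; log every attempt.
deny_audit perm=execute all : path=/usr/bin/youtube-dl
```

Three caveats a practitioner would check before relying on this. The "hash" column of the table corresponds to fapolicyd's `sha256hash=` object key, which pins the file content rather than its path and therefore survives a rename but not a `pip` upgrade. A `perm=execute` rule sees `execve` of the script; loading it through the interpreter (`python3 /usr/bin/youtube-dl`) is an open, not an execute, and needs a separate `perm=open` rule. And the subject seen by fapolicyd is whatever process performs the exec: if firejail launches the program via a shell, that shell, not `/usr/bin/firejail`, is the subject, so verify the actual decision with `fapolicyd --debug-deny` rather than assuming rule 1 fires.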


@rusty-snake commented on GitHub (Dec 16, 2020):

I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.
