[GH-ISSUE #3874] What's are currently the best ways to configure apps to run sandboxed with firejail? (Modified .desktop files can change after updates) #2436

Closed
opened 2026-05-05 09:06:42 -06:00 by gitea-mirror · 6 comments
Originally created by @mYnDstrEAm on GitHub (Jan 6, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3874

I used to modify applications' start commands by changing .desktop files in /usr/share/applications or sometimes copying it there for a separate version that uses firejail in Debian/KDE. This can also be done by right clicking application icons->Application->changing the Command. I'm sure many users configure apps to use firejail like this or in similar ways - for example it's also recommended [in the InstallGentooWiki](https://wiki.installgentoo.com/index.php/Firejail#Usage).

The problem with that is that after package updates the Commands can be overwritten - so theoretically one would need to check every package's .desktop entry in that folder for a change to Exec in the .desktop file after it's been updated if it's firejailed.

What would be more reliable ways to configure apps to always be sandboxed with firejail?

I don't want to run firecfg to sandbox all applications with firejail.

Would moving all .desktop files from /usr/share/applications/ to ~/.local/share/applications and modifying the commands there be a good way? Edit: a complication with this would be that software could still call the binaries in /usr/bin directly (for example `web-ext run` tries opening a new firefox instance.) Edit 2: related discussion at #3191

@chiraag-nataraj commented on GitHub (Jan 6, 2021):

You can run `sudo ln -s /usr/bin/firejail /usr/local/bin/<x>` to ensure that the program is always started with firejail (it's basically the manual version of `firecfg` and you can select the programs that are sandboxed by default).

@kris7t commented on GitHub (Jan 7, 2021):

@chiraag-nataraj Be on the lookout that some .desktop files refer to the binary with its full path, i.e., merely linking the binary in `/usr/local/bin` won't do the trick. However, if you also copy the .desktop file from `/usr/share/applications` to `/usr/local/share/applications` or `$HOME/.local/share/applications` and modify it appropriately (to invoke the symlinked binary from `/usr/local/bin`), then the application will run sandboxed both when started from the command line and when started from the application launcher.

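The approach in the two comments above (a firecfg-style symlink early in PATH plus a per-user .desktop override), together with the re-check after package updates that the original question asks for, as an added POSIX shell example that is not from this thread or from the firejail project. It assumes firejail lives at /usr/bin/firejail and that /usr/local/bin precedes /usr/bin in PATH; the directory variables and the script name firejail-wrap.sh are hypothetical and overridable.

```shell
#!/bin/sh
# Added example, not from the issue thread. wrap_app mimics firecfg: BIN_DIR/NAME
# -> firejail (firejail sees NAME in argv[0] and runs /usr/bin/NAME with its profile)
# plus a user .desktop override whose Exec= uses the bare name. audit() reports the
# effective Exec= lines after updates. Programs that exec /usr/bin/NAME by absolute
# path (the "web-ext run" case) are still not covered by this.
set -eu
BIN_DIR="${BIN_DIR:-/usr/local/bin}"              # must precede /usr/bin in PATH
SYS_APPS="${SYS_APPS:-/usr/share/applications}"
USER_APPS="${USER_APPS:-${HOME:-.}/.local/share/applications}"
FIREJAIL="${FIREJAIL:-/usr/bin/firejail}"

# wrap_app NAME: symlink BIN_DIR/NAME -> firejail; if a system .desktop exists,
# copy it to USER_APPS with "Exec=/usr/bin/NAME ..." rewritten to "Exec=NAME ...".
wrap_app() {
    name="$1"
    mkdir -p "$BIN_DIR" "$USER_APPS"
    ln -sfn "$FIREJAIL" "$BIN_DIR/$name"
    if [ -f "$SYS_APPS/$name.desktop" ]; then
        sed -E "s|^Exec=(/usr/bin/)?$name( .*)?$|Exec=$name\2|" \
            "$SYS_APPS/$name.desktop" > "$USER_APPS/$name.desktop"
    fi
}

# effective_exec NAME: first Exec= line of the .desktop file the launcher would
# actually use (a user file shadows the system file with the same id).
effective_exec() {
    f="$USER_APPS/$1.desktop"
    [ -f "$f" ] || f="$SYS_APPS/$1.desktop"
    [ -f "$f" ] && sed -n '/^Exec=/{p;q;}' "$f"
}

# audit NAME...: flag apps whose effective Exec= bypasses the wrapper (absolute
# path that is not firejail itself). Returns 1 if any bypass is found.
audit() {
    rc=0
    for name; do
        line=$(effective_exec "$name") || { echo "$name: no .desktop file"; continue; }
        case "${line#Exec=}" in
            "$name"|"$name "*|firejail*|"$FIREJAIL"*) echo "$name: ok      $line" ;;
            *) echo "$name: BYPASS  $line"; rc=1 ;;
        esac
    done
    return $rc
}
# CLI: sh firejail-wrap.sh wrap NAME... | sh firejail-wrap.sh audit NAME...
case "${1:-}" in
    wrap)  shift; for n; do wrap_app "$n"; done ;;
    audit) shift; audit "$@" ;;
esac
```

Run `audit` for your wrapped apps after each package update; a BYPASS line means the distribution's .desktop file now launches the absolute path and the user override needs regenerating with `wrap`.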
@chiraag-nataraj commented on GitHub (Jan 7, 2021):

@kris7t You're right. My setup is so drastically divorced from more 'mainstream' setups that I completely forgot that some `.desktop` files refer to the full path 😜 I mostly run things from the `$PATH`, so everything's generally quite consistent as long as everything sees the same `$PATH` variable 😂

@rusty-snake commented on GitHub (Jan 7, 2021):

> I don't want to run firecfg to sandbox all applications with firejail.

Options for a selective firecfg: https://github.com/netblue30/firejail/issues/3665#issuecomment-707689049

@rusty-snake commented on GitHub (Jan 8, 2021):

Forgot https://github.com/rahiel/firectl.

@rusty-snake commented on GitHub (Apr 6, 2021):

I'm closing here due to inactivity, please feel free to request to reopen if you have more questions.
