github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5079] On the fly, request/permission based profile building #2871

New issue
Open
opened 2026-05-05 09:31:51 -06:00 by gitea-mirror · 16 comments
gitea-mirror commented 2026-05-05 09:31:51 -06:00
Owner
Copy link

Originally created by @romelsalwi on GitHub (Mar 28, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5079

I have been using firejail for couple of months. At first it was quite impressive and was exactly what I was looking for building restriction around applications. But what I lack is the way of finding the exact resource which the application requires and doing my own due diligence to solve various tweaks.

For instance, keepassxc, if jailed causes issues for chromium; jailing free tube restricts usage of external player like mpv; restricting mpv won't allow me to use btfs and stream and watch on the fly.

What I would like to see is building permissions for a jailed app. If I'm trying to do something which is in conflict with the rules, ask, and update the profile or local file depending on my choice. In this way, building profile would be easy, like using uBO on hard mode, and I don't mind that cumbersome effort as much as how much intuitive it is!

Originally created by @romelsalwi on GitHub (Mar 28, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5079 I have been using firejail for couple of months. At first it was quite impressive and was exactly what I was looking for building restriction around applications. But what I lack is the way of finding the exact resource which the application requires and doing my own due diligence to solve various tweaks. For instance, keepassxc, if jailed causes issues for chromium; jailing free tube restricts usage of external player like mpv; restricting mpv won't allow me to use btfs and stream and watch on the fly. What I would like to see is building permissions for a jailed app. If I'm trying to do something which is in conflict with the rules, ask, and update the profile or local file depending on my choice. In this way, building profile would be easy, like using uBO on hard mode, and I don't mind that cumbersome effort as much as how much intuitive it is!
gitea-mirror added the
enhancement
 label 2026-05-05 09:31:51 -06:00
gitea-mirror commented 2026-05-05 09:31:52 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 28, 2022):

For instance, keepassxc, if jailed causes issues for chromium; jailing free tube restricts usage of external player like mpv; restricting mpv won't allow me to use btfs and stream and watch on the fly.

Please open separate issues for these problems you're facing. It helps us improve the profiles for all users, even if your use cases are very personal. The freetube profile for example is designed for using the internal player. So you would need to add mpv to private-bin to support that. This is just one example, but it's worth the effort IMO.

What I would like to see is building permissions for a jailed app.

You can use the --build or --build=profile-file options to create a whitelisting profile for any app you want. Based on the result this can be hardenend further to get it as tight as possible without loosing functionality. Have you looked into that workflow yet?

<!-- gh-comment-id:1080180131 --> @ghost commented on GitHub (Mar 28, 2022): > For instance, keepassxc, if jailed causes issues for chromium; jailing free tube restricts usage of external player like mpv; restricting mpv won't allow me to use btfs and stream and watch on the fly. Please open separate issues for these problems you're facing. It helps us improve the profiles for all users, even if your use cases are very personal. The freetube profile for example is designed for using the internal player. So you would need to add mpv to private-bin to support that. This is just one example, but it's worth the effort IMO. > What I would like to see is building permissions for a jailed app. You can use the `--build` or `--build=profile-file` options to create a whitelisting profile for any app you want. Based on the result this can be hardenend further to get it as tight as possible without loosing functionality. Have you looked into that workflow yet?
gitea-mirror commented 2026-05-05 09:31:53 -06:00
Author
Owner
Copy link

@romelsalwi commented on GitHub (Mar 28, 2022):

First of all, thanks for responding! It means a lot!

Please open separate issues for these problems you're facing. It helps us improve the profiles for all users, even if your use cases are very personal. The freetube profile for example is designed for using the internal player. So you would need to add mpv to private-bin to support that. This is just one example, but it's worth the effort IMO.

I might understand that you guys are trying to build a library for the application. But there are so many of them. My intend wasn't to post an issue but to illustrate how you can enhance upon the profiling aspect of firejail.

You can use the --build or --build=profile-file options to create a whitelisting profile for any app you want. Based on the result this can be hardenend further to get it as tight as possible without loosing functionality. Have you looked into that workflow yet?

They don't work as intended. As a refresher I just tried building new profiles with it. Ultimately I had to copy the template and make the profile from scratch. But then I was expecting to refine the profile through build, which didn't go so well. I'm sure I'm doing something wrong.

For instance:
I made a profile for Joplin
firejail --profile=~/.config/firejail/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage

Which works.
But then doing this:
firejail --build=~/.config/firejail/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage
Gives an error:
Error: cannot open profile file.

P.S.: For some unknown reason only absolute path for appimages is working. Interestingly below mentioned command didn't even read my globals.local

firejail --profile=joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage
Reading profile joplin.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5732, child pid 5734

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: skipping none for private /etc
Private /etc installed in 0.08 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 91.08 ms
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...
AppImage detached
<!-- gh-comment-id:1080473821 --> @romelsalwi commented on GitHub (Mar 28, 2022): First of all, thanks for responding! It means a lot! > Please open separate issues for these problems you're facing. It helps us improve the profiles for all users, even if your use cases are very personal. The freetube profile for example is designed for using the internal player. So you would need to add mpv to private-bin to support that. This is just one example, but it's worth the effort IMO. I might understand that you guys are trying to build a library for the application. But there are so many of them. My intend wasn't to post an issue but to illustrate how you can enhance upon the profiling aspect of firejail. > You can use the `--build` or `--build=profile-file` options to create a whitelisting profile for any app you want. Based on the result this can be hardenend further to get it as tight as possible without loosing functionality. Have you looked into that workflow yet? They don't work as intended. As a refresher I just tried building new profiles with it. Ultimately I had to copy the template and make the profile from scratch. But then I was expecting to refine the profile through build, which didn't go so well. I'm sure I'm doing something wrong. For instance: I made a profile for Joplin `firejail --profile=~/.config/firejail/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage` Which works. But then doing this: `firejail --build=~/.config/firejail/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage` Gives an error: `Error: cannot open profile file.` P.S.: For some unknown reason only absolute path for appimages is working. Interestingly below mentioned command didn't even read my globals.local ``` firejail --profile=joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage Reading profile joplin.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 5732, child pid 5734 ** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl ** Mounting appimage type 2 Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Warning: skipping none for private /etc Private /etc installed in 0.08 ms Private /usr/etc installed in 0.00 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Blacklist violations are logged to syslog Warning: NVIDIA card detected, nogroups command ignored Warning: cleaning all supplementary groups Child process initialized in 91.08 ms Check failed: sys_chroot("/proc/self/fdinfo/") == 0 Parent is shutting down, bye... AppImage detached ```
gitea-mirror commented 2026-05-05 09:31:53 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Mar 28, 2022):

My intend wasn't to post an issue but to illustrate how you can enhance upon the profiling aspect of firejail.

Fair enough, no problem.

They don't work as intended.

Noticing your examples are using AppImages, it might be worthwhile to check your Firejail version. The build options got appimage support only recently via https://github.com/netblue30/firejail/pull/4878. Not sure OTOH if that made it into the latest release. To make sure you could give building from git a try.

Regarding your Joplin examples. You can create your own custom profiles in ~/.config/firejail, no problem doing so. But the --build=foo option is not intended to use an already existing profile AFAIK. At least that doesn't make much sense, as its purpose is to create one from scratch. So I'd go for something like;
$ firejail --build=~/Downloads/build-joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage
and then start comparing the output of ~/Downloads/build-joplin.profile with what you already have in ~/.config/firejail/joplin.profile to see if/what you can add to harden it according to your needs. Documentation might be unclear on this I guess.

<!-- gh-comment-id:1080552442 --> @ghost commented on GitHub (Mar 28, 2022): > My intend wasn't to post an issue but to illustrate how you can enhance upon the profiling aspect of firejail. Fair enough, no problem. > They don't work as intended. Noticing your examples are using AppImages, it might be worthwhile to check your Firejail version. The build options got appimage support only recently via https://github.com/netblue30/firejail/pull/4878. Not sure OTOH if that made it into the latest release. To make sure you could give [building from git](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git) a try. Regarding your Joplin examples. You can create your own custom profiles in ~/.config/firejail, no problem doing so. But the --build=foo option is not intended to use an already existing profile AFAIK. At least that doesn't make much sense, as its purpose is to create one from scratch. So I'd go for something like; `$ firejail --build=~/Downloads/build-joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage` and then start comparing the output of ~/Downloads/build-joplin.profile with what you already have in ~/.config/firejail/joplin.profile to see if/what you can add to harden it according to your needs. Documentation might be unclear on this I guess.
gitea-mirror commented 2026-05-05 09:31:54 -06:00
Author
Owner
Copy link

@romelsalwi commented on GitHub (Mar 28, 2022):

I'm using firejail version 0.9.68
https://archlinux.org/packages/community/x86_64/firejail/

I tried out your step:

firejail --build=/home/***/Downloads/appImages/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage 
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Then ran the appimage with the created profile:


firejail --profile=/home/***/Downloads/appImages/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage 
Reading profile /home/l3m0r/Downloads/appImages/joplin.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 4705, child pid 4708

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: skipping none for private /etc
Private /etc installed in 0.13 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 119.39 ms
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...
AppImage detached
<!-- gh-comment-id:1080628114 --> @romelsalwi commented on GitHub (Mar 28, 2022): I'm using firejail version 0.9.68 https://archlinux.org/packages/community/x86_64/firejail/ I tried out your step: ``` firejail --build=/home/***/Downloads/appImages/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage Check failed: sys_chroot("/proc/self/fdinfo/") == 0 `````` Then ran the appimage with the created profile: ``` firejail --profile=/home/***/Downloads/appImages/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage Reading profile /home/l3m0r/Downloads/appImages/joplin.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 4705, child pid 4708 ** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl ** Mounting appimage type 2 Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Warning: skipping none for private /etc Private /etc installed in 0.13 ms Private /usr/etc installed in 0.00 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Blacklist violations are logged to syslog Warning: NVIDIA card detected, nogroups command ignored Warning: cleaning all supplementary groups Child process initialized in 119.39 ms Check failed: sys_chroot("/proc/self/fdinfo/") == 0 Parent is shutting down, bye... AppImage detached ```
gitea-mirror commented 2026-05-05 09:31:54 -06:00
Author
Owner
Copy link

@romelsalwi commented on GitHub (Mar 28, 2022):

I also tried using the firetools configuration wizard. No luck

<!-- gh-comment-id:1080634094 --> @romelsalwi commented on GitHub (Mar 28, 2022): I also tried using the firetools configuration wizard. No luck
gitea-mirror commented 2026-05-05 09:31:55 -06:00
Author
Owner
Copy link

@romelsalwi commented on GitHub (Mar 28, 2022):

Hmm, KeePassXC-2.7.0-x86_64.AppImage worked! But the profile created is barely restricted.

EDIT:
After few mods, and loading with the generated profile, the application gives an error
Access error for config file /home/*/.config/keepassxc/keepassxc.ini

### Home Directory Whitelisting ###
### If something goes wrong, this section is the first one to comment out.
### Instead, you'll have to relay on the basic blacklisting above.
noblacklist ${HOME}/.config/keepassxc
whitelist ${HOME}/.mozilla/native-messaging-hosts
whitelist ${HOME}/.config/chromium/NativeMessagingHosts
whitelist ${HOME}/.config/keepassxc
whitelist ${HOME}/.cache/keepassxc
<!-- gh-comment-id:1080637144 --> @romelsalwi commented on GitHub (Mar 28, 2022): Hmm, KeePassXC-2.7.0-x86_64.AppImage worked! But the profile created is barely restricted. EDIT: After few mods, and loading with the generated profile, the application gives an error `Access error for config file /home/*/.config/keepassxc/keepassxc.ini` ``` ### Home Directory Whitelisting ### ### If something goes wrong, this section is the first one to comment out. ### Instead, you'll have to relay on the basic blacklisting above. noblacklist ${HOME}/.config/keepassxc whitelist ${HOME}/.mozilla/native-messaging-hosts whitelist ${HOME}/.config/chromium/NativeMessagingHosts whitelist ${HOME}/.config/keepassxc whitelist ${HOME}/.cache/keepassxc ```
gitea-mirror commented 2026-05-05 09:31:55 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 28, 2022):

--build

TBH It is out of dated and hasn't seen much development for a long time. IMHO we should just remove it from firejail (the binary) and develop an external tool for profile building (in a language which has friendlier support for string parsing & co like python.

<!-- gh-comment-id:1080871709 --> @rusty-snake commented on GitHub (Mar 28, 2022): > --build TBH It is out of dated and hasn't seen much development for a long time. IMHO we should just remove it from firejail (the binary) and develop an external tool for profile building (in a language which has friendlier support for string parsing & co like python.
gitea-mirror commented 2026-05-05 09:31:55 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 28, 2022):

What I mean is something like

firejail-profile-builder.py 
#!/usr/bin/python3
# SPDX-License-Identifier: ISC

# Copyright © 2022 rusty-snake
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

import argparse
import os.path
import pathlib
import re
import subprocess
import sys
import tempfile


def get_cli_args(argv: list[str]) -> dict[str, str]:
    parser = argparse.ArgumentParser()
    parser.add_argument("-o", "--output", required=True)
    parser.add_argument("program")
    parser.add_argument("arguments", nargs=argparse.REMAINDER)
    return vars(parser.parse_args(argv[1:]))


def run_program(program: str, arguments: list[str]) -> list[str]:
    with tempfile.NamedTemporaryFile() as tmpf:
        subprocess.run(
            [
                "firejail",
                "--quiet",
                "--noprofile",
                "--private",
                "strace",
                "-e",
                "%file",
                "--quiet=all",
                "--follow-forks",
                "--output",
                tmpf.name,
                "--",
                program,
                *arguments,
            ],
            check=True,
        )
        return list(tmpf.read().decode().splitlines())


def parse_strace_output(strace_output: list[str]) -> dict[str, set[str]]:
    paths = {
        "open": set(),
        "stat": set(),
        "exec": set(),
    }
    for line in strace_output:
        parsed_line = re.match(
            r"\d+\s+(?P<syscall>\w+)\((?P<args>.*)\)", line
        ).groupdict()
        syscall = parsed_line["syscall"]
        args = parsed_line["args"].split(",")
        if syscall == "open":
            paths["open"].add(args[0].strip(' "'))
        elif syscall == "openat":
            paths["open"].add(args[1].strip(' "'))
        elif syscall == "access":
            paths["stat"].add(args[0].strip(' "'))
        elif syscall == "stat":
            paths["stat"].add(args[0].strip(' "'))
        elif syscall == "newfstatat":
            paths["stat"].add(args[1].strip(' "'))
        elif syscall == "execve":
            paths["exec"].add(args[0].strip(' "'))
        else:
            print(
                f"firejail-profile-builder.py: Not Implemented: {syscall=}",
                file=sys.stderr,
            )
    return paths


def build_profile(paths: dict[str, set[str]]) -> str:
    whitelist = []
    private_bin = []
    ignore_noexec_home = False
    for path in paths["open"]:
        if path.startswith(str(pathlib.Path.home())):
            whitelist.append(path.replace(str(pathlib.Path.home()), "${HOME}"))
        elif (
            path.startswith("/bin")
            or path.startswith("/sbin")
            or path.startswith("/usr/bin")
            or path.startswith("/usr/sbin")
        ):
            private_bin.append(os.path.basename(path))
    for path in paths["exec"]:
        if path.startswith(str(pathlib.Path.home())):
            ignore_noexec_home = True
        elif (
            path.startswith("/bin")
            or path.startswith("/sbin")
            or path.startswith("/usr/bin")
            or path.startswith("/usr/sbin")
        ):
            private_bin.append(os.path.basename(path))

    return f"""\
{"ignore noexec ${HOME}" if ignore_noexec_home else "# Uncomment to allow executing programs in ${HOME}.<br>#ignore noexec ${HOME}"}

include disable-common.inc
include disable-exec.inc
include disable-programs.inc

{"<br>".join(f"whitelist {path}" for path in whitelist)}
include whitelist-common.inc

private-bin {",".join(private_bin)}
""".replace(
        "<br>", "\n"
    )


def main(argv: list[str]) -> int:
    args = get_cli_args(argv)
    strace_output = run_program(args["program"], args["arguments"])
    paths = parse_strace_output(strace_output)
    with open(args["output"], "w") as output:
        output.write(build_profile(paths))
    return 0


if __name__ == "__main__":
    try:
        sys.exit(main(sys.argv))
    except KeyboardInterrupt:
        pass
<!-- gh-comment-id:1080983724 --> @rusty-snake commented on GitHub (Mar 28, 2022): What I mean is something like <details><summary><code>firejail-profile-builder.py</code></summary> ```python3 #!/usr/bin/python3 # SPDX-License-Identifier: ISC # Copyright © 2022 rusty-snake # # Permission to use, copy, modify, and/or distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM # LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR # OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. import argparse import os.path import pathlib import re import subprocess import sys import tempfile def get_cli_args(argv: list[str]) -> dict[str, str]: parser = argparse.ArgumentParser() parser.add_argument("-o", "--output", required=True) parser.add_argument("program") parser.add_argument("arguments", nargs=argparse.REMAINDER) return vars(parser.parse_args(argv[1:])) def run_program(program: str, arguments: list[str]) -> list[str]: with tempfile.NamedTemporaryFile() as tmpf: subprocess.run( [ "firejail", "--quiet", "--noprofile", "--private", "strace", "-e", "%file", "--quiet=all", "--follow-forks", "--output", tmpf.name, "--", program, *arguments, ], check=True, ) return list(tmpf.read().decode().splitlines()) def parse_strace_output(strace_output: list[str]) -> dict[str, set[str]]: paths = { "open": set(), "stat": set(), "exec": set(), } for line in strace_output: parsed_line = re.match( r"\d+\s+(?P<syscall>\w+)\((?P<args>.*)\)", line ).groupdict() syscall = parsed_line["syscall"] args = parsed_line["args"].split(",") if syscall == "open": paths["open"].add(args[0].strip(' "')) elif syscall == "openat": paths["open"].add(args[1].strip(' "')) elif syscall == "access": paths["stat"].add(args[0].strip(' "')) elif syscall == "stat": paths["stat"].add(args[0].strip(' "')) elif syscall == "newfstatat": paths["stat"].add(args[1].strip(' "')) elif syscall == "execve": paths["exec"].add(args[0].strip(' "')) else: print( f"firejail-profile-builder.py: Not Implemented: {syscall=}", file=sys.stderr, ) return paths def build_profile(paths: dict[str, set[str]]) -> str: whitelist = [] private_bin = [] ignore_noexec_home = False for path in paths["open"]: if path.startswith(str(pathlib.Path.home())): whitelist.append(path.replace(str(pathlib.Path.home()), "${HOME}")) elif ( path.startswith("/bin") or path.startswith("/sbin") or path.startswith("/usr/bin") or path.startswith("/usr/sbin") ): private_bin.append(os.path.basename(path)) for path in paths["exec"]: if path.startswith(str(pathlib.Path.home())): ignore_noexec_home = True elif ( path.startswith("/bin") or path.startswith("/sbin") or path.startswith("/usr/bin") or path.startswith("/usr/sbin") ): private_bin.append(os.path.basename(path)) return f"""\ {"ignore noexec ${HOME}" if ignore_noexec_home else "# Uncomment to allow executing programs in ${HOME}.<br>#ignore noexec ${HOME}"} include disable-common.inc include disable-exec.inc include disable-programs.inc {"<br>".join(f"whitelist {path}" for path in whitelist)} include whitelist-common.inc private-bin {",".join(private_bin)} """.replace( "<br>", "\n" ) def main(argv: list[str]) -> int: args = get_cli_args(argv) strace_output = run_program(args["program"], args["arguments"]) paths = parse_strace_output(strace_output) with open(args["output"], "w") as output: output.write(build_profile(paths)) return 0 if __name__ == "__main__": try: sys.exit(main(sys.argv)) except KeyboardInterrupt: pass ``` </details>
gitea-mirror commented 2026-05-05 09:31:56 -06:00
Author
Owner
Copy link

@romelsalwi commented on GitHub (Mar 28, 2022):

Nice 👍
Is it possible to ask the user before stracer updates the profile?

<!-- gh-comment-id:1081080867 --> @romelsalwi commented on GitHub (Mar 28, 2022): Nice 👍 Is it possible to ask the user before stracer updates the profile?
gitea-mirror commented 2026-05-05 09:31:56 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 29, 2022):

Python is really much much better than C for tasks like this.

https://github.com/rusty-snake/firejail-profile-builder

<!-- gh-comment-id:1082252485 --> @rusty-snake commented on GitHub (Mar 29, 2022): Python is really much much better than C for tasks like this. https://github.com/rusty-snake/firejail-profile-builder
gitea-mirror commented 2026-05-05 09:31:57 -06:00
Author
Owner
Copy link

@romelsalwi commented on GitHub (Mar 30, 2022):

Hi @rusty-snake !
I tried out the script. It didn't created the desired effect. It started out at ease while building but when used as a profile it didn't worked out. I used it on turtlapp https://turtlapp.com/

When you use build to create profile, firejail gives access to file during the process.

./firejail-profile-builder.py -o turtl.profile turtl

# Firejail profile for turtl (generated by firejail-profile-builder.py)
#quiet
# Persistent local customizations
#include <FIXME>.local
# Persistent global definitions
include globals.local

# Uncomment to allow executing programs in ${HOME}.
#ignore noexec ${HOME}
# Uncomment to allow executing programs in /tmp.
#ignore noexec /tmp

#noblacklist PATH

# Allow /bin/sh (blacklisted by disable-shell.inc)
#include allow-bin-sh.inc

# Allows files commonly used by IDEs
#include allow-common-devel.inc

# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc

# Allow ssh (blacklisted by disable-common.inc)
#include allow-ssh.inc

# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
#blacklist ${RUNUSER}
blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
#include disable-shell.inc
#include disable-X11.inc
#include disable-xdg.inc

#mkdir PATH
#mkfile PATH
whitelist ${HOME}/.Xauthority
whitelist ${HOME}/.Xdefaults
whitelist ${HOME}/.Xdefaults-bitesthedust
whitelist ${HOME}/.cache/nvidia
whitelist ${HOME}/.config
whitelist ${HOME}/.config/Turtl
whitelist ${HOME}/.config/Turtl/.org.chromium.Chromium.cv7p5m
whitelist ${HOME}/.config/Turtl/Cookies
whitelist ${HOME}/.config/Turtl/Cookies-journal
whitelist ${HOME}/.config/Turtl/DevTools Extensions
whitelist ${HOME}/.config/Turtl/File System/primary.origin
whitelist ${HOME}/.config/Turtl/GPUCache
whitelist ${HOME}/.config/Turtl/GPUCache/data_0
whitelist ${HOME}/.config/Turtl/GPUCache/data_1
whitelist ${HOME}/.config/Turtl/GPUCache/data_2
whitelist ${HOME}/.config/Turtl/GPUCache/data_3
whitelist ${HOME}/.config/Turtl/GPUCache/index
whitelist ${HOME}/.config/Turtl/Local Storage
whitelist ${HOME}/.config/Turtl/Local Storage/file__0.localstorage
whitelist ${HOME}/.config/Turtl/Local Storage/file__0.localstorage-journal
whitelist ${HOME}/.config/Turtl/Preferences
whitelist ${HOME}/.config/Turtl/core
whitelist ${HOME}/.config/Turtl/core/core.log
whitelist ${HOME}/.config/Turtl/core/run.lock
whitelist ${HOME}/.config/Turtl/core/turtl-kv.sqlite
whitelist ${HOME}/.config/Turtl/core/turtl-kv.sqlite-journal
whitelist ${HOME}/.config/Turtl/you-meddling-kids.json
whitelist ${HOME}/.config/Turtl/you-meddling-kids.json.2647574618
whitelist ${HOME}/.config/pulse
whitelist ${HOME}/.config/pulse/client.conf
whitelist ${HOME}/.config/pulse/cookie
whitelist ${HOME}/.nv/nvidia-application-profile-globals-rc
whitelist ${HOME}/.nv/nvidia-application-profiles-rc
whitelist ${HOME}/.nv/nvidia-application-profiles-rc.d
whitelist ${HOME}/.pki
whitelist ${HOME}/.pki/nssdb
whitelist ${HOME}/.pki/nssdb/cert9.db
whitelist ${HOME}/.pki/nssdb/cert9.db-journal
whitelist ${HOME}/.pki/nssdb/key4.db
whitelist ${HOME}/.pki/nssdb/key4.db-journal
whitelist ${HOME}/.pki/nssdb/libnssckbi.so
whitelist ${HOME}/.pki/nssdb/pkcs11.txt
whitelist ${HOME}/.pulse-cookie
whitelist ${HOME}/.pulse/client.conf
whitelist /run/user/1000/pulse
whitelist /usr/share/nvidia/nvidia-application-profiles-510.54-rc
whitelist /usr/share/nvidia/nvidia-application-profiles-rc
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
#ipc-namespace
#machine-id
net none
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noprinters
noroot
#nosound
notv
nou2f
novideo
protocol unix,inet6,netlink
seccomp
seccomp.block-secondary
#seccomp.keep
shell none
tracelog
##x11 none

# Uncomment to blacklist /mnt, /run/mnt, /media, /run/media.
#disable-mnt
private-bin turtl
private-cache
private-dev
private-etc ca-certificates/trust-source,fonts/conf.d,fonts/fonts.conf,host.conf,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,nvidia/nvidia-application-profiles-rc,pulse/client.conf,resolv.conf
private-tmp

#dbus-user none
dbus-system none


#read-only ${HOME}
<!-- gh-comment-id:1083741845 --> @romelsalwi commented on GitHub (Mar 30, 2022): Hi @rusty-snake ! I tried out the script. It didn't created the desired effect. It started out at ease while building but when used as a profile it didn't worked out. I used it on turtlapp https://turtlapp.com/ When you use `build` to create profile, firejail gives access to file during the process. `./firejail-profile-builder.py -o turtl.profile turtl` ``` # Firejail profile for turtl (generated by firejail-profile-builder.py) #quiet # Persistent local customizations #include <FIXME>.local # Persistent global definitions include globals.local # Uncomment to allow executing programs in ${HOME}. #ignore noexec ${HOME} # Uncomment to allow executing programs in /tmp. #ignore noexec /tmp #noblacklist PATH # Allow /bin/sh (blacklisted by disable-shell.inc) #include allow-bin-sh.inc # Allows files commonly used by IDEs #include allow-common-devel.inc # Allow gjs (blacklisted by disable-interpreters.inc) #include allow-gjs.inc # Allow java (blacklisted by disable-devel.inc) #include allow-java.inc # Allow lua (blacklisted by disable-interpreters.inc) #include allow-lua.inc # Allow perl (blacklisted by disable-interpreters.inc) #include allow-perl.inc # Allow python (blacklisted by disable-interpreters.inc) #include allow-python2.inc #include allow-python3.inc # Allow ruby (blacklisted by disable-interpreters.inc) #include allow-ruby.inc # Allow ssh (blacklisted by disable-common.inc) #include allow-ssh.inc # Disable Wayland #blacklist ${RUNUSER}/wayland-* #blacklist ${RUNUSER} blacklist /usr/libexec include disable-common.inc include disable-devel.inc include disable-exec.inc include disable-interpreters.inc include disable-proc.inc include disable-programs.inc #include disable-shell.inc #include disable-X11.inc #include disable-xdg.inc #mkdir PATH #mkfile PATH whitelist ${HOME}/.Xauthority whitelist ${HOME}/.Xdefaults whitelist ${HOME}/.Xdefaults-bitesthedust whitelist ${HOME}/.cache/nvidia whitelist ${HOME}/.config whitelist ${HOME}/.config/Turtl whitelist ${HOME}/.config/Turtl/.org.chromium.Chromium.cv7p5m whitelist ${HOME}/.config/Turtl/Cookies whitelist ${HOME}/.config/Turtl/Cookies-journal whitelist ${HOME}/.config/Turtl/DevTools Extensions whitelist ${HOME}/.config/Turtl/File System/primary.origin whitelist ${HOME}/.config/Turtl/GPUCache whitelist ${HOME}/.config/Turtl/GPUCache/data_0 whitelist ${HOME}/.config/Turtl/GPUCache/data_1 whitelist ${HOME}/.config/Turtl/GPUCache/data_2 whitelist ${HOME}/.config/Turtl/GPUCache/data_3 whitelist ${HOME}/.config/Turtl/GPUCache/index whitelist ${HOME}/.config/Turtl/Local Storage whitelist ${HOME}/.config/Turtl/Local Storage/file__0.localstorage whitelist ${HOME}/.config/Turtl/Local Storage/file__0.localstorage-journal whitelist ${HOME}/.config/Turtl/Preferences whitelist ${HOME}/.config/Turtl/core whitelist ${HOME}/.config/Turtl/core/core.log whitelist ${HOME}/.config/Turtl/core/run.lock whitelist ${HOME}/.config/Turtl/core/turtl-kv.sqlite whitelist ${HOME}/.config/Turtl/core/turtl-kv.sqlite-journal whitelist ${HOME}/.config/Turtl/you-meddling-kids.json whitelist ${HOME}/.config/Turtl/you-meddling-kids.json.2647574618 whitelist ${HOME}/.config/pulse whitelist ${HOME}/.config/pulse/client.conf whitelist ${HOME}/.config/pulse/cookie whitelist ${HOME}/.nv/nvidia-application-profile-globals-rc whitelist ${HOME}/.nv/nvidia-application-profiles-rc whitelist ${HOME}/.nv/nvidia-application-profiles-rc.d whitelist ${HOME}/.pki whitelist ${HOME}/.pki/nssdb whitelist ${HOME}/.pki/nssdb/cert9.db whitelist ${HOME}/.pki/nssdb/cert9.db-journal whitelist ${HOME}/.pki/nssdb/key4.db whitelist ${HOME}/.pki/nssdb/key4.db-journal whitelist ${HOME}/.pki/nssdb/libnssckbi.so whitelist ${HOME}/.pki/nssdb/pkcs11.txt whitelist ${HOME}/.pulse-cookie whitelist ${HOME}/.pulse/client.conf whitelist /run/user/1000/pulse whitelist /usr/share/nvidia/nvidia-application-profiles-510.54-rc whitelist /usr/share/nvidia/nvidia-application-profiles-rc include whitelist-common.inc include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc caps.drop all #ipc-namespace #machine-id net none netfilter no3d nodvd nogroups noinput nonewprivs noprinters noroot #nosound notv nou2f novideo protocol unix,inet6,netlink seccomp seccomp.block-secondary #seccomp.keep shell none tracelog ##x11 none # Uncomment to blacklist /mnt, /run/mnt, /media, /run/media. #disable-mnt private-bin turtl private-cache private-dev private-etc ca-certificates/trust-source,fonts/conf.d,fonts/fonts.conf,host.conf,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,nvidia/nvidia-application-profiles-rc,pulse/client.conf,resolv.conf private-tmp #dbus-user none dbus-system none #read-only ${HOME} ```
gitea-mirror commented 2026-05-05 09:31:57 -06:00
Author
Owner
Copy link

@romelsalwi commented on GitHub (Mar 30, 2022):

This is the profile I created for scratch:

# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION OF THE PROGRAM
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you create profiles.
# PRs welcome at https://github.com/netblue30/firejail/.
#
# Rules to follow:
#  - lines with one # are often used in profiles
#  - lines with two ## are only needed in special situations
#  - make the profile as restrictive as possible while still keeping the program useful
#    (e.g. a program that is unable to save user's work is considered bad practice)
#  - dedicate ample time (based on the complexity of the application) to profile testing before
#    submitting a pull request
#  - keep the sections structure, use a single empty line as separator
#  - entries within sections are alphabetically sorted
#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
#    to not do this for essential utilities as this may *break* your OS! (related discussion:
#    https://github.com/netblue30/firejail/issues/2507)
#  - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
#   HEADER
#   COMMENTS
#   IGNORES
#   NOBLACKLISTS
#   ALLOW INCLUDES
#   BLACKLISTS
#   DISABLE INCLUDES
#   NOWHITELISTS
#   MKDIRS
#   WHITELISTS
#   WHITELIST INCLUDES
#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
#   DBUS FILTER
#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
#   REDIRECT INCLUDES
#
# The following macros may be used in path names to substitute common locations:
#  ${DESKTOP}
#  ${DOCUMENTS}
#  ${DOWNLOADS}
#  ${HOME} (user's home)
#  ${PATH} (contents of PATH env var)
#  ${MUSIC}
#  ${RUNUSER} (/run/user/UID)
#  ${VIDEOS}
#
# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
include turtl.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/Turtl
noblacklist ${HOME}/Sync/Arch/
whitelist ${HOME}/.config/Turtl
whitelist ${HOME}/Sync/Arch/

##ignore noexec ${HOME}
##ignore noexec /tmp

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
#  - launch binary with --private naming a sandbox
#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
#  - work with the program, make some configuration changes and save them, open new documents,
#    install plugins if they exists, etc.
#  - join the sandbox with bash:
#      `firejail --join=test bash`
#  - look what has changed and use that information to populate blacklist and whitelist sections
#      `ls -aR`
#noblacklist PATH

# Allow /bin/sh (blacklisted by disable-shell.inc)
#include allow-bin-sh.inc

# Allows files commonly used by IDEs
#include allow-common-devel.inc

# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc

# Allow ssh (blacklisted by disable-common.inc)
#include allow-ssh.inc

##blacklist PATH
# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
# Disable RUNUSER (cli only; supersedes Disable Wayland)
#blacklist ${RUNUSER}
# Remove the next blacklist if you system has no /usr/libexec dir,
# otherwise try to add it.
#blacklist /usr/libexec

# disable-*.inc includes
# remove disable-write-mnt.inc if you set disable-mnt
#include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
#include disable-proc.inc
#include disable-programs.inc
#include disable-shell.inc
#include disable-write-mnt.inc
#include disable-X11.inc
#include disable-xdg.inc

# This section often mirrors noblacklist section above. The idea is
# that if a user feels too restricted (e.g. unable to save files into
# home directory) they may disable whitelist (nowhitelist)
# in PROFILE.local but still be protected by BLACKLISTS section
# (explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
##mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-run-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc

##allusers
apparmor
#caps.drop all
##caps.keep CAPS
#hostname turtl
# CLI only
##ipc-namespace
# breaks audio and sometimes dbus related functions
#machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
#nodvd
#nogroups
#noinput
#nonewprivs
#noprinters
#noroot
#nosound
#notv
#nou2f
#novideo
# Remove each unneeded protocol:
#  - unix is usually needed
#  - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
#  - netlink is rarely needed
#  - packet and bluetooth almost never
#protocol unix,inet,inet6,netlink,packet,bluetooth
#seccomp
##seccomp !chroot
##seccomp.drop SYSCALLS (see syscalls.txt)
#seccomp.block-secondary
##seccomp-error-action log (only for debugging seccomp issues)
#shell none
#tracelog
# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
##x11 none

#disable-mnt
##private
# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734, #2093)
#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
#    Extra: group,magic,magic.mgc,passwd
#  3D: bumblebee,drirc,glvnd,nvidia
#  Audio: alsa,asound.conf,machine-id,pulse
#  D-Bus: dbus-1,machine-id
#  GUI: fonts,pango,X11
#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
#  KDE: kde4rc,kde5rc
#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
#    Extra: gai.conf,proxychains.conf
#  Qt: Trolltech.conf
##private-lib LIBS
##private-opt NAME
#private-tmp
##writable-etc
##writable-run-user
##writable-var
##writable-var-log

# Since 0.9.63 also a more granular control of dbus is supported.
# To get the dbus-addresses an application needs access to you can
# check with flatpak (when the application is distributed that way):
#    flatpak remote-info --show-metadata flathub <APP-ID>
# Notes:
#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
#  - Some features like native notifications are implemented as portal too.
#  - In order to make dconf work (when used by the app) you need to allow
#    'ca.desrt.dconf' even when not allowed by flatpak.
# Notes and policies about addresses can be found at
# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
#dbus-user filter
#dbus-user.own com.github.netblue30.firejail
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#dbus-system none

##deterministic-shutdown
##env VAR=VALUE
##join-or-start NAME
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}
##read-write ${HOME}
<!-- gh-comment-id:1083750739 --> @romelsalwi commented on GitHub (Mar 30, 2022): This is the profile I created for scratch: ``` # Firejail profile for PROGRAM_NAME # Description: DESCRIPTION OF THE PROGRAM # This file is overwritten after every install/update # --- CUT HERE --- # This is a generic template to help you create profiles. # PRs welcome at https://github.com/netblue30/firejail/. # # Rules to follow: # - lines with one # are often used in profiles # - lines with two ## are only needed in special situations # - make the profile as restrictive as possible while still keeping the program useful # (e.g. a program that is unable to save user's work is considered bad practice) # - dedicate ample time (based on the complexity of the application) to profile testing before # submitting a pull request # - keep the sections structure, use a single empty line as separator # - entries within sections are alphabetically sorted # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware # to not do this for essential utilities as this may *break* your OS! (related discussion: # https://github.com/netblue30/firejail/issues/2507) # - remove this comment section and any generic comment past 'Persistent global definitions' # # Sections structure # HEADER # COMMENTS # IGNORES # NOBLACKLISTS # ALLOW INCLUDES # BLACKLISTS # DISABLE INCLUDES # NOWHITELISTS # MKDIRS # WHITELISTS # WHITELIST INCLUDES # OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog) # PRIVATE OPTIONS (disable-mnt, private-*, writable-*) # DBUS FILTER # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) # REDIRECT INCLUDES # # The following macros may be used in path names to substitute common locations: # ${DESKTOP} # ${DOCUMENTS} # ${DOWNLOADS} # ${HOME} (user's home) # ${PATH} (contents of PATH env var) # ${MUSIC} # ${RUNUSER} (/run/user/UID) # ${VIDEOS} # # Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths. # # --- CUT HERE --- ##quiet # Persistent local customizations include turtl.local # Persistent global definitions include globals.local noblacklist ${HOME}/.config/Turtl noblacklist ${HOME}/Sync/Arch/ whitelist ${HOME}/.config/Turtl whitelist ${HOME}/Sync/Arch/ ##ignore noexec ${HOME} ##ignore noexec /tmp # It is common practice to add files/dirs containing program-specific configuration # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc # (keep list sorted) and then disable blacklisting below. # One way to retrieve the files a program uses is: # - launch binary with --private naming a sandbox # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY` # - work with the program, make some configuration changes and save them, open new documents, # install plugins if they exists, etc. # - join the sandbox with bash: # `firejail --join=test bash` # - look what has changed and use that information to populate blacklist and whitelist sections # `ls -aR` #noblacklist PATH # Allow /bin/sh (blacklisted by disable-shell.inc) #include allow-bin-sh.inc # Allows files commonly used by IDEs #include allow-common-devel.inc # Allow gjs (blacklisted by disable-interpreters.inc) #include allow-gjs.inc # Allow java (blacklisted by disable-devel.inc) #include allow-java.inc # Allow lua (blacklisted by disable-interpreters.inc) #include allow-lua.inc # Allow perl (blacklisted by disable-interpreters.inc) #include allow-perl.inc # Allow python (blacklisted by disable-interpreters.inc) #include allow-python2.inc #include allow-python3.inc # Allow ruby (blacklisted by disable-interpreters.inc) #include allow-ruby.inc # Allow ssh (blacklisted by disable-common.inc) #include allow-ssh.inc ##blacklist PATH # Disable Wayland #blacklist ${RUNUSER}/wayland-* # Disable RUNUSER (cli only; supersedes Disable Wayland) #blacklist ${RUNUSER} # Remove the next blacklist if you system has no /usr/libexec dir, # otherwise try to add it. #blacklist /usr/libexec # disable-*.inc includes # remove disable-write-mnt.inc if you set disable-mnt #include disable-common.inc #include disable-devel.inc #include disable-exec.inc #include disable-interpreters.inc #include disable-proc.inc #include disable-programs.inc #include disable-shell.inc #include disable-write-mnt.inc #include disable-X11.inc #include disable-xdg.inc # This section often mirrors noblacklist section above. The idea is # that if a user feels too restricted (e.g. unable to save files into # home directory) they may disable whitelist (nowhitelist) # in PROFILE.local but still be protected by BLACKLISTS section # (explanation at https://github.com/netblue30/firejail/issues/1569) #mkdir PATH ##mkfile PATH #whitelist PATH #include whitelist-common.inc #include whitelist-run-common.inc #include whitelist-runuser-common.inc #include whitelist-usr-share-common.inc #include whitelist-var-common.inc ##allusers apparmor #caps.drop all ##caps.keep CAPS #hostname turtl # CLI only ##ipc-namespace # breaks audio and sometimes dbus related functions #machine-id # 'net none' or 'netfilter' #net none #netfilter #no3d ##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) #nodvd #nogroups #noinput #nonewprivs #noprinters #noroot #nosound #notv #nou2f #novideo # Remove each unneeded protocol: # - unix is usually needed # - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above) # - netlink is rarely needed # - packet and bluetooth almost never #protocol unix,inet,inet6,netlink,packet,bluetooth #seccomp ##seccomp !chroot ##seccomp.drop SYSCALLS (see syscalls.txt) #seccomp.block-secondary ##seccomp-error-action log (only for debugging seccomp issues) #shell none #tracelog # Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set ##x11 none #disable-mnt ##private # It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3 #private-bin PROGRAMS #private-cache #private-dev #private-etc FILES # private-etc templates (see also #1734, #2093) # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg # Extra: group,magic,magic.mgc,passwd # 3D: bumblebee,drirc,glvnd,nvidia # Audio: alsa,asound.conf,machine-id,pulse # D-Bus: dbus-1,machine-id # GUI: fonts,pango,X11 # GTK: dconf,gconf,gtk-2.0,gtk-3.0 # KDE: kde4rc,kde5rc # Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl # Extra: gai.conf,proxychains.conf # Qt: Trolltech.conf ##private-lib LIBS ##private-opt NAME #private-tmp ##writable-etc ##writable-run-user ##writable-var ##writable-var-log # Since 0.9.63 also a more granular control of dbus is supported. # To get the dbus-addresses an application needs access to you can # check with flatpak (when the application is distributed that way): # flatpak remote-info --show-metadata flathub <APP-ID> # Notes: # - flatpak implicitly allows an app to own <APP-ID> on the session bus # - Some features like native notifications are implemented as portal too. # - In order to make dconf work (when used by the app) you need to allow # 'ca.desrt.dconf' even when not allowed by flatpak. # Notes and policies about addresses can be found at # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> #dbus-user filter #dbus-user.own com.github.netblue30.firejail #dbus-user.talk ca.desrt.dconf #dbus-user.talk org.freedesktop.Notifications #dbus-system none ##deterministic-shutdown ##env VAR=VALUE ##join-or-start NAME #memory-deny-write-execute ##noexec PATH ##read-only ${HOME} ##read-write ${HOME} ```
gitea-mirror commented 2026-05-05 09:31:58 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Mar 31, 2022):

I tried out the script. It didn't created the desired effect.

It's still in development.

It started out at ease while building but when used as a profile it didn't worked out.

It will never get the quality of a handwritten profile.

turtlapp

is an electron app, this will need special handling. We will need to detect this.

<!-- gh-comment-id:1085030451 --> @rusty-snake commented on GitHub (Mar 31, 2022): > I tried out the script. It didn't created the desired effect. It's still in development. > It started out at ease while building but when used as a profile it didn't worked out. It will never get the quality of a handwritten profile. > turtlapp is an electron app, this will need special handling. We will need to detect this.
gitea-mirror commented 2026-05-05 09:31:58 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Apr 2, 2022):

If you did not disable unprivileged userns, it may work now with electron programs.

<!-- gh-comment-id:1086646260 --> @rusty-snake commented on GitHub (Apr 2, 2022): If you did not disable unprivileged userns, it may work now with electron programs.
gitea-mirror commented 2026-05-05 09:31:59 -06:00
Author
Owner
Copy link

@romelsalwi commented on GitHub (Apr 8, 2022):

Here's something I found relevant:
https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference
Apparmor uses a profile language, and with the help of auditd, you can trace what the confined app is trying to access.

The interesting and the interactive part I found was globbing. You can glob the directory and tell apparmor how much access the application has, and apply it to the profile using logprof.

By far I have tried it on Firefox and few other frequently used applications and the process when implemented correctly can provide finer result

I followed these pages:
https://wiki.archlinux.org/title/AppArmor#Configuration
https://wiki.archlinux.org/title/Audit_framework#Adding_rules

During the profile generating process genprof, apparmor is going through the audit reports. It notifies (through aa-notify) what files were accessed, and when you are finished, it creates a profile. It is not compulsive for the application to run as expected and that is why it allows you to run the application in complain mode so that you can refine those edges. When convinced, you can make the rules strict by enabling enforce mode.

<!-- gh-comment-id:1092361536 --> @romelsalwi commented on GitHub (Apr 8, 2022): Here's something I found relevant: https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference Apparmor uses a profile language, and with the help of _auditd_, you can trace what the confined app is trying to access. The interesting and the interactive part I found was **globbing**. You can glob the directory and tell apparmor how much access the application has, and apply it to the profile using `logprof`. By far I have tried it on Firefox and few other frequently used applications and the process when implemented correctly can provide finer result I followed these pages: https://wiki.archlinux.org/title/AppArmor#Configuration https://wiki.archlinux.org/title/Audit_framework#Adding_rules During the profile generating process `genprof`, apparmor is going through the audit reports. It notifies (through `aa-notify`) what files were accessed, and when you are finished, it creates a profile. It is not compulsive for the application to run as expected and that is why it allows you to run the application in complain mode so that you can refine those edges. When convinced, you can make the rules strict by enabling enforce mode.
gitea-mirror commented 2026-05-05 09:31:59 -06:00
Author
Owner
Copy link

@sudoAlphaX commented on GitHub (Feb 26, 2025):

The freetube profile for example is designed for using the internal player. So you would need to add mpv to private-bin to support that. This is just one example, but it's worth the effort IMO.

@glitsj16 this doesnt work for me. I have added mpv and yt-dlp to private-etc in freetube.local. Any recommendations?

<!-- gh-comment-id:2684196899 --> @sudoAlphaX commented on GitHub (Feb 26, 2025): > The freetube profile for example is designed for using the internal player. So you would need to add mpv to private-bin to support that. This is just one example, but it's worth the effort IMO. @glitsj16 this doesnt work for me. I have added mpv and yt-dlp to private-etc in freetube.local. Any recommendations?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2871
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?