[GH-ISSUE #421] okular and gwenview profiles #304

Closed
opened 2026-05-05 05:33:52 -06:00 by gitea-mirror · 20 comments

Originally created by @curiosity-seeker on GitHub (Apr 9, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/421

I suggest to add profiles for okular and gwenview. The following settings work for me:

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
net none
noroot
shell none

I've chosen net none as reportedly ransomware has also been found in pdf and image files. I think it's worth consideration to also adjust the evince profile accordingly.


@ghost commented on GitHub (Apr 9, 2016):

Personally I think that global profiles that are distributed to everyone should not restrict legitimate uses. Allow whatever the program wants, and no more. It's better that each user tightens his profile to his own needs, than to cut functionality and have users bitch at you.
You can put your own profiles in ~/.config/firejail/ and include the global profile. That's how I do it, and I agree with you that some programs have no business accessing any network.

As for the profile, I would add a noblacklist at the top, with the program's config dir.
You could try blacklisting /etc and private-etc any files that it needs.
Try private-bin with only the program's binary allowed.
Also protocol.


@curiosity-seeker commented on GitHub (Apr 9, 2016):

> Personally I think that global profiles that are distributed to everyone should not restrict legitimate uses. Allow whatever the program wants, and no more.

Well, I haven't seen any negative side-effects for both programs by doing this.

> You can put your own profiles in ~/.config/firejail/ and include the global profile.

I know, and it's something I'm doing, too.

> As for the profile, I would add a noblacklist at the top, with the program's config dir.

Why should I do this if that config dir is not blacklisted by one of the .inc files? It would be a different situation if a whitelist approach were applied - but as long as whitelist globbing (#216) is not yet available, it's difficult to implement this for those 2 programs.

> You could try blacklisting /etc and private-etc any files that it needs.
> Try private-bin with only the program's binary allowed.

Yes, that's something I could try.

> Also protocol.

Not necessary with net none.


@ghost commented on GitHub (Apr 9, 2016):

> Well, I haven't seen any negative side-effects for both programs by doing this.

You didn't, but maybe someone else would. What does the program need network access for?

> > As for the profile, I would add a noblacklist at the top, with the program's config dir.
>
> Why should I do this if that config dir is not blacklisted by one of the .inc files?

But it is. As far as I can tell, whenever a new profile is added, its config dir is also added to disable-programs.inc, hence having to noblacklist before.

> > Also protocol.
>
> Not necessary with net none.

I assumed the case without net none.

Also private-dev and maybe private-tmp.


@curiosity-seeker commented on GitHub (Apr 10, 2016):

> What does the program need network access for?

Good question. Why do a pdf reader and an image viewer need network access? I'd say under normal circumstances they don't.

> As far as I can tell, whenever a new profile is added, its config dir is also added to disable-programs.inc, hence having to noblacklist before.

That's incorrect, IMHO. Only the specific entries in the .inc files are blacklisted, e.g., ~/.mozilla or ~/.config/chromium. That's why those directories must be noblacklisted in the Firefox and Chromium profiles, respectively. While other profiles, e.g. the ones for evince or kmail, do not contain corresponding noblacklist entries for their config dirs - simply because they are not blacklisted in the .inc files.


@ghost commented on GitHub (Apr 12, 2016):

> Why do a pdf reader and an image viewer need network access? I'd say under normal circumstances they don't.

I agree.

> While other profiles, e.g. the ones for evince or kmail, do not contain corresponding noblacklist entries for their config dirs - simply because they are not blacklisted in the .inc files.

Yes, but the question is why are they not blacklisted in disable-programs.inc? Is it because they are missing, or is that because they don't qualify? I would guess it's because they are missing, but netblue knows better.


@netblue30 commented on GitHub (Apr 12, 2016):

> Yes, but the question is why are they not blacklisted in disable-programs.inc? Is it because they are missing, or is that because they don't qualify?

Because they are missing, we'll have to add them.


@curiosity-seeker commented on GitHub (Apr 12, 2016):

FWIW, I've added nogroups and private-* rules for both profiles. For gwenview this seems to work for me:

private-dev
private-bin gwenview
private-etc X11
nogroups

And for okular:

private-dev
private-bin okular,kbuildsycoca4,kbuildsycoca5
private-etc X11
nogroups

So far no problems. But other KDE users might want to try those settings, too.


@ghost commented on GitHub (Apr 12, 2016):

Lookie here what I got.
I went through every single motherfucking profile and checked whether it's been blacklisted or what. I took note of every profile that was neither blacklisted, nor had any hints as to the ~/.config dirs and I did not have it installed, so couldn't check for myself.

Exclamation marks are daemons, so they probably have no ~/.config dirs.
Wine noblacklists Steam, and I wonder why. Is that supposed to be?
SSH and GnuPG I didn't know whether it should be included in disable-programs, because it's already blacklisted in disable-common.

atril
audacious
bitlbee
cherrytree
clementine
deluge
!dnscrypt-proxy
!dnsmasq
dropbox
empathy
evince
gnome-mplayer
kmail
lxterminal
openbox
polari
qbittorrent
quassel
rhythmbox
rtorrent
totem
!unbound

wine (steam?)

# gnupg
# ssh

@netblue30 commented on GitHub (Apr 13, 2016):

@avoidr: That was cool, thanks for the patch!

What are the latest okular and gwenview you guys have running, let's bring them in.


@ghost commented on GitHub (Apr 13, 2016):

You're welcome! I'm happy it is appreciated.

I don't have gwenview in the repo. I'll look at okular today.


@curiosity-seeker commented on GitHub (Apr 13, 2016):

@netblue30 : I have gwenview 15.12.3-1 and okular 15.12.3-1 running on Manjaro.

The complete gwenview profile is this one:

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
net none
noroot
nogroups
shell none
private-dev
private-bin gwenview
private-etc X11

And for okular:

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
net none
noroot
nogroups
shell none
private-dev
private-bin okular,kbuildsycoca4,kbuildsycoca5
private-etc X11

@ghost commented on GitHub (Apr 13, 2016):

@curiosity-seeker: If you don't include group in private-etc, there is no need for nogroups.


@ghost commented on GitHub (Apr 13, 2016):

Actually, network should be disabled. Documents have no business accessing any network, ever. Shit does more harm than good.

And I won't try okular, because fug it. This profile looks good. Just remember to blacklist config dirs in disable-programs.inc and to noblacklist them in the profiles again.


@curiosity-seeker commented on GitHub (Apr 14, 2016):

> If you don't include group in private-etc, there is no need for nogroups.

Ah - yes! Thanks, good point.


@curiosity-seeker commented on GitHub (Apr 16, 2016):

I had to add

lpr

to the private-bin line in the okular profile. Otherwise it wouldn't be able to print. Oddly, this is not necessary for gwenview.


@netblue30 commented on GitHub (Apr 18, 2016):

OK, I've managed to check okular and gwenview profiles, all credits go to @curiosity-seeker, thanks! This is what I changed:

  1. replaced "no network" with "protocol unix". Somehow, on my Centos 7 "no network" breaks both of them. The effect is similar, no IPv4/IPv6 connections are allowed, and the process is killed by seccomp when such a connection is initiated.
  2. blacklisted the configuration files for both programs in disable-programs.inc, added noblacklists in the profile files
  3. commented out private-bin and private-etc for now - we'll bring them in later, we need some more testing on them.

The profiles are on the master branch.

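Three rules came up across this thread: a noblacklist only protects against blacklists that are processed after it, so it has to sit above the include of disable-programs.inc; `net none` and `protocol unix` both end up denying IPv4/IPv6 sockets; and a `.local` file that is included first can override the shipped protocol list (as the okular.local further down the thread does). The script below is an added example written for this page, not firejail's own code: it flattens a profile by following `include` lines relative to the profile's directory, walks the directives in order, and reports whether the app's config dir is still blacklisted and whether IP sockets remain possible. The file contents are constructed to mirror the profiles posted here, and the ordering rules (order-sensitive noblacklist, first `protocol` list wins, word-level matching for `ignore`) are modelled as the thread describes them rather than taken from firejail's source, so treat them as assumptions.

```python
import os
import tempfile


def load_profile(path, seen=None):
    """Flatten a firejail-style profile into its directive lines, following
    `include` lines relative to the profile's own directory (as /etc/firejail
    profiles do). A missing include, e.g. an absent okular.local, is skipped;
    `seen` guards against include loops."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen or not os.path.isfile(real):
        return []
    seen.add(real)
    lines = []
    with open(real) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("include "):
                target = line.split(None, 1)[1]
                if not os.path.isabs(target):
                    target = os.path.join(os.path.dirname(real), target)
                lines.extend(load_profile(target, seen))
            else:
                lines.append(line)
    return lines


def _norm(path):
    # Treat the ${HOME} spelling used in .inc files and the ~ spelling used
    # in the thread as the same directory.
    return path.replace("${HOME}", "~")


def evaluate(lines):
    """Walk the flattened directives in order and return the resulting state.
    Assumed rules (modelled from the thread, not from firejail's source):
      - `ignore X` drops every later line whose directive word is X;
      - a noblacklist only protects against blacklists processed after it,
        which is why it has to sit above the disable-*.inc includes;
      - the first `protocol` list wins, so a .local included first overrides;
      - `net none` removes networking regardless of the protocol list."""
    ignored, noblack, blocked = [], set(), set()
    state = {"net_none": False, "protocol": None, "private_bin": None}
    for line in lines:
        word, _, arg = line.partition(" ")
        if any(line == ig or line.startswith(ig + " ") for ig in ignored):
            continue
        if word == "ignore":
            ignored.append(arg)
        elif word == "noblacklist":
            noblack.add(_norm(arg))
        elif word == "blacklist" and _norm(arg) not in noblack:
            blocked.add(_norm(arg))
        elif word == "net" and arg == "none":
            state["net_none"] = True
        elif word == "protocol" and state["protocol"] is None:
            state["protocol"] = arg.split(",")
        elif word == "private-bin":
            state["private_bin"] = arg.split(",")
    state["blocked"] = blocked
    # IPv4/IPv6 sockets survive only without `net none` and with a protocol
    # list that is absent or names inet/inet6.
    protos = set(state["protocol"] or ["unix", "inet", "inet6", "netlink"])
    state["ip_sockets"] = not state["net_none"] and bool({"inet", "inet6"} & protos)
    return state


def demo():
    """Constructed files mirroring the thread (assumed contents, not the
    shipped profiles): disable-programs.inc blacklisting the okular config
    dir, an okular.profile that noblacklists it before the include and uses
    `protocol unix` as netblue30 did, a variant with the noblacklist in the
    wrong place, and finally an okular.local like the one in the thread."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, body):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        write("disable-programs.inc",
              "blacklist ${HOME}/.config/okular\nblacklist ${HOME}/.mozilla\n")
        write("okular.profile",
              "include okular.local\n"
              "noblacklist ${HOME}/.config/okular\n"
              "include disable-programs.inc\n"
              "protocol unix\n"
              "private-bin okular,kbuildsycoca5,lpr,bash\n")
        write("wrong-order.profile",
              "include disable-programs.inc\n"
              "noblacklist ${HOME}/.config/okular\n"
              "protocol unix\n")
        good = evaluate(load_profile(os.path.join(d, "okular.profile")))
        bad = evaluate(load_profile(os.path.join(d, "wrong-order.profile")))
        # Now add the user's okular.local; because it is included first, its
        # protocol list is the one that takes effect.
        write("okular.local", "protocol unix,inet,inet6,netlink\nignore net\n")
        local = evaluate(load_profile(os.path.join(d, "okular.profile")))
    return good, bad, local


if __name__ == "__main__":
    for name, st in zip(("okular.profile", "wrong-order", "with okular.local"), demo()):
        print(f"{name}: config dir blocked={'~/.config/okular' in st['blocked']}, "
              f"ip sockets={st['ip_sockets']}, protocol={st['protocol']}")
```

Run it with `python3` and no arguments; the first two results show why the noblacklist has to precede the include, and the third shows the effect of the `.local` override. To check a real profile instead, point `load_profile` at a file under /etc/firejail and keep in mind that the rules above are a model of what the thread describes, so confirm anything surprising against `firejail --debug`.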

@curiosity-seeker commented on GitHub (Apr 18, 2016):

Thanks, @netblue30 ! It's interesting that distros behave differently ...


@curiosity-seeker commented on GitHub (Apr 22, 2016):

Just for the record: I had to add bash to private-bin in both profiles - otherwise pdf files and images wouldn't open when launched in the file manager (krusader).


@Utini2000 commented on GitHub (Aug 19, 2024):

How can I re-enable the capability to open .pdf from a smb share with this standard profile?
Because we live in a world where I need my system to actually let me work :)

Edit:
okular.local:
protocol unix,inet,inet6,netlink
ignore net


@kmk3 commented on GitHub (Aug 19, 2024):

> How can I re-enable the capability to open .pdf from a smb share with this
> standard profile? Because we live in a world where I need my system to
> actually let me work :)
>
> Edit: okular.local: protocol unix,inet,inet6,netlink ignore net

This issue is from 8 years ago and is not directly related to your problem.

If a profile is not working, open a new issue and follow the bug report
template:

* <https://github.com/netblue30/firejail/issues/new?assignees=&labels=&projects=&template=bug_report.md&title=>
Reference: github-starred/firejail#304