[GH-ISSUE #446] Tightening the wine.profile #319

Closed
opened 2026-05-05 05:35:43 -06:00 by gitea-mirror · 11 comments

Originally created by @curiosity-seeker on GitHub (Apr 16, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/446

This is a tentative wine.profile which attempts to tighten the existing one.

Notes:

  1. seccomp doesn't work for me (on Manjaro).
  2. Steam rules are missing as I don't use it.
  3. Whitelisting ~/.local/share/applications and ~/.local/share/mime is not necessary for launching Windows applications under Wine, but it seems to be necessary when installing new ones.
  4. Uncommenting the private-bin line doesn't work for me. Quite obviously some necessary files are missing.

```
noblacklist ${HOME}/.wine
mkdir ${HOME}/.wine
whitelist ${HOME}/.wine
mkdir ${HOME}/.local
mkdir ${HOME}/.local/share
mkdir ${HOME}/.local/share/applications
whitelist ${HOME}/.local/share/applications
mkdir ${HOME}/.local/share/mime
whitelist ${HOME}/.local/share/mime
whitelist ${HOME}/.local/share/applications/wine*.desktop

include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-terminals.inc
caps.drop all
netfilter
noroot
#seccomp

private-dev
#private-bin wine,wine-preloader,wine64,wine64-preloader,wineboot,winebuild,winecfg,wineconsole,winecpp,winedbg,winedump,winefile,wineg++,winegcc,winemaker,winemine,winepath,wineserver,winetricks,xdg-open,update-desktop-database,sh,dirname,grep,uname,ls,sed,pwd,basename
private-etc X11

include /etc/firejail/whitelist-common.inc
```

Suggestions/ideas are highly welcome!


@chiraag-nataraj commented on GitHub (Apr 16, 2016):

Without using `private-bin`, run `sudo firemon` and then run `firejail wine ...` and see which binaries are called - that will give you an idea of which programs you need to add to your private-bin list. I would also suggest using `net none` unless you routinely use Windows programs that need access to the interwebz - if you need to run a program once with internet, you can use `--ignore=net` on the command line to grant it one-time access.


@curiosity-seeker commented on GitHub (Apr 17, 2016):

I had actually been running `sudo firemon` before but when I had launched specific Windows applications - and it hadn't shown me other necessary executables. I hadn't thought of simply running `firejail wine` in the console - thanks! I found that bash was missing.

So the list that's working for me is:

```
private-bin wine,wine-preloader,wine64,wine64-preloader,wineboot,winebuild,winecfg,wineconsole,winecpp,winedbg,winedump,winefile,wineg++,winegcc,winemaker,winemine,winepath,wineserver,winetricks,xdg-open,update-desktop-database,bash
```

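The "bash was missing" discovery above is the kind of thing a small script can catch systematically: record which programs the Wine session actually executes, then diff that against the `private-bin` list. The following is an added example (my code, not firejail's and not from this thread). The exec trace is constructed in the format `strace -f -e trace=execve` prints; on a real system you would capture it (or use `sudo firemon` as suggested above) while running `firejail wine ...`. Program names and PIDs in the trace are made up for the example.

```sh
#!/bin/sh
# Added example: find programs a Wine session executes that a private-bin
# list does not cover. Inputs below are constructed for the example.

# Constructed execve trace in `strace -f -e trace=execve` format. The last
# line is a failed exec (ENOENT) and must not count as an executed binary.
EXEC_TRACE='execve("/usr/bin/wine", ["wine", "notepad.exe"], 0x7ffd /* 30 vars */) = 0
[pid  4242] execve("/usr/bin/wine-preloader", ["/usr/bin/wine-preloader", "/usr/bin/wine", "notepad.exe"], 0x55d0 /* 30 vars */) = 0
[pid  4243] execve("/usr/bin/wineserver", ["/usr/bin/wineserver"], 0x55d0 /* 30 vars */) = 0
[pid  4250] execve("/bin/sh", ["sh", "-c", "update-desktop-database"], 0x7ffd /* 30 vars */) = 0
[pid  4250] execve("/usr/bin/update-desktop-database", ["update-desktop-database"], 0x55d0 /* 30 vars */) = 0
[pid  4251] execve("/bin/bash", ["bash", "/usr/bin/winetricks"], 0x7ffd /* 30 vars */) = 0
[pid  4260] execve("/usr/bin/nonexistent", ["nonexistent"], 0x7ffd /* 30 vars */) = -1 ENOENT (No such file or directory)'

# The private-bin list from the commented-out line of the proposed profile,
# minus the shell utilities, so the example has something to find.
PRIVATE_BIN='wine,wine-preloader,wine64,wine64-preloader,wineboot,winebuild,winecfg,wineconsole,winecpp,winedbg,winedump,winefile,wineg++,winegcc,winemaker,winemine,winepath,wineserver,winetricks,xdg-open,update-desktop-database'

# Basenames of programs whose execve succeeded (returned 0), one per line,
# sorted and deduplicated. Splitting on the double quote makes field 2 the path.
executed_binaries() {
    printf '%s\n' "$1" | awk -F'"' '/execve\(/ && /\) = 0$/ { n = split($2, p, "/"); print p[n] }' | sort -u
}

# Executed binaries that the comma-separated private-bin list does not name.
missing_from_private_bin() {
    executed_binaries "$1" | awk -v list="$2" '
        BEGIN { n = split(list, b, ","); for (i = 1; i <= n; i++) have[b[i]] = 1 }
        !($0 in have) { print }'
}

# Usage: prints "bash" and "sh" for the constructed trace, each on its own line.
missing_from_private_bin "$EXEC_TRACE" "$PRIVATE_BIN"
```

Only successful execs count, so a program that is looked up but not present does not get added to the list by mistake. Everything the report prints is a candidate for `private-bin`; the point of the exercise is to add exactly what is observed and nothing more.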

@netblue30 commented on GitHub (Apr 17, 2016):

I am more worried about seccomp. It means some syscall is rejected and the process is trashed. Do you have any messages in syslog? In your case it is handled by systemd. This is an example:

```
$ firejail --seccomp.drop=mkdir mkdir ttt
```

In syslog you would get:

```
Apr 17 08:33:45 debian kernel: [  787.081623] audit: type=1326 audit(1460896425.118:2): auid=1000 uid=1000 gid=1000 ses=1 pid=1591 comm="mkdir" exe="/bin/mkdir" sig=31 arch=c000003e syscall=83 compat=0 ip=0x7f03cbba5b97 code=0x0
```

where syscall 83 is mkdir:

```
$ firejail --debug-syscalls | grep 83
183 - afs_syscall
83  - mkdir
283 - timerfd_create
```
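The audit line above carries everything needed to identify a seccomp kill: `type=1326` is the seccomp record type, `sig=31` is SIGSYS, `arch` tells you which syscall table applies and `syscall` is the number in that table. As an added example (my code, not firejail's and not from this thread), here is a small decoder that pulls those fields out of log lines and maps the number to a name. The three log lines are constructed; the first copies the one quoted above, the second is a made-up kill of a Wine helper, the third is a different audit record type that must be ignored. The syscall table is a tiny constructed stand-in for `firejail --debug-syscalls`.

```sh
#!/bin/sh
# Added example: decode seccomp kill records (audit type=1326, sig=31) from
# syslog or journalctl output. All inputs below are constructed.

AUDIT_LOG='Apr 17 08:33:45 debian kernel: [  787.081623] audit: type=1326 audit(1460896425.118:2): auid=1000 uid=1000 gid=1000 ses=1 pid=1591 comm="mkdir" exe="/bin/mkdir" sig=31 arch=c000003e syscall=83 compat=0 ip=0x7f03cbba5b97 code=0x0
Apr 17 08:34:10 debian kernel: [  812.000001] audit: type=1326 audit(1460896450.000:3): auid=1000 uid=1000 gid=1000 ses=1 pid=1601 comm="wine-preloader" exe="/usr/bin/wine-preloader" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f03cbba5b97 code=0x0
Apr 17 08:35:00 debian kernel: [  862.000001] audit: type=1300 audit(1460896500.000:4): arch=c000003e syscall=59 success=yes exit=0'

# Constructed "number:name" table for x86_64 (arch=c000003e), covering only
# the numbers used in the sample. On a real box use `firejail --debug-syscalls`
# or /usr/include/asm/unistd_64.h instead.
SYSCALL_TABLE='59:execve 83:mkdir 101:ptrace'

# Print "comm number name" for every seccomp kill. Fields are matched by
# key name, so their order in the record does not matter.
seccomp_kills() {
    printf '%s\n' "$1" | awk -v table="$SYSCALL_TABLE" '
        BEGIN {
            n = split(table, rows, " ")
            for (i = 1; i <= n; i++) { split(rows[i], kv, ":"); name[kv[1]] = kv[2] }
        }
        /type=1326/ {
            comm = ""; sig = ""; nr = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")    { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "sig")     sig = kv[2]
                if (kv[1] == "syscall") nr = kv[2]
            }
            if (sig == "31") printf "%s %s %s\n", comm, nr, (nr in name ? name[nr] : "unknown")
        }'
}

# Usage: feed it `journalctl -k` or /var/log/syslog output instead of the sample.
seccomp_kills "$AUDIT_LOG"
```

Decoding the record this way tells you which process died and on which syscall before you touch the profile, so a `seccomp.drop` or `seccomp.keep` change can be made for that one syscall rather than by disabling seccomp altogether.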

@curiosity-seeker commented on GitHub (Apr 17, 2016):

Unfortunately seccomp doesn't work for me even in the default wine.profile so it's not related to mkdir.

Strangely `journalctl | grep audit` or `journalctl | grep syscall` doesn't yield any results.

If I execute a Windows program (using the default wine.profile) it's shown in `firejail --tree` like

```
2338:hank:/usr/bin/firejail /usr/bin/wine C:\windows\command\start.exe /Unix /home/hank/.wine/dosdevices/c:/users/Public/Start Menu/Programs/Tai-Pan Windows 14.0/Tai-Pan Windows 14.0.lnk
  2339:hank:/usr/bin/firejail /usr/bin/wine C:\windows\command\start.exe /Unix /home/hank/.wine/dosdevices/c:/users/Public/Start Menu/Programs/Tai-Pan Windows 14.0/Tai-Pan Windows 14.0.lnk
    2349:hank:C:\windows\system32\services.exe
    2353:hank:C:\windows\system32\winedevice.exe MountMgr
    2361:hank:C:\windows\system32\plugplay.exe
    2368:hank:C:\PROG~FBU\LENZ~VPP\TAI-~NSA\14.0\TPSVC.EXE
    2370:hank:C:\windows\system32\explorer.exe /desktop
```

but the program doesn't launch.

The `--debug` option didn't reveal anything, either. I will try to find something with strace.


@curiosity-seeker commented on GitHub (Apr 18, 2016):

Using `strace -qcf` I got the following list of syscalls:

```
seccomp.keep access,bind,brk,chdir,clock_getres,clock_gettime,clone,close,connect,dup,dup2,execve,fadvise64_64,fchdir,fchmod,fcntl64,fstat64,fstatfs64,ftruncate64,futex,getcwd,getdents64,getegid,getegid32,geteuid,geteuid32,getgid,getgid32,getpeername,getresgid32,getresuid32,getrusage,getsockname,getsockopt,gettid,getuid,getuid32,ioctl,_llseek,lstat64,madvise,mkdir,mmap,mmap2,mprotect,mremap,munmap,_newselect,open,pipe2,poll,prctl,pread64,prlimit64,read,readlink,recv,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_yield,send,sendmsg,sendto,set_robust_list,setsid,setsockopt,set_thread_area,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,sigaltstack,socket,socketpair,stat64,statfs64,sysinfo,time,times,ugetrlimit,umask,uname,unlink,utimensat,waitpid,write,writev
```

Unfortunately, even with this long list my Windows programs don't launch. And as said above, journalctl doesn't report any syscalls. It might be necessary to install [syslog-ng](https://wiki.archlinux.org/index.php/Syslog-ng).


@mulecat commented on GitHub (May 26, 2016):

Adding to this that seccomp prevents some Wine programs from working. I'm running on Firejail 0.9.36 and custom profile for PlayOnLinux with `--private=/myfolder`. Looking through logs it seems that Race Driver: Grid crashes because **ptrace** is blacklisted.
Linux Mint 17.3 PlayOnLinux 4.2.2 using Wine version 1.9.1-staging.


@ghost commented on GitHub (Feb 10, 2018):

I know this is an old issue, but wanted to report that seccomp doesn't work for me either with wine in Arch linux (I had to comment it out in wine.profile).


@AitBits commented on GitHub (Mar 30, 2018):

I tried to run World of Tanks using wine, and the launcher was executing without problem. But the actual game client just went silent, and I searched it out to find the solution, then stumbled on this issue. I copied wine.profile from /etc/firejail to .config/firejail. Editing the file, I replaced seccomp with seccomp.drop to build the default blacklist for seccomp explicitly as follows in the profile.

```
seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,ioprio_set,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old,afs_syscall,bdflush,break,ftime,getpmsg,gtty,lock,mpx,pciconfig_iobase,pciconfig_read,pciconfig_write,prof,profil,putpmsg,rtas,s390_runtime_instr,s390_mmio_read,s390_mmio_write,security,setdomainname,sethostname,sgetmask,ssetmask,stty,subpage_prot,switch_endian,ulimit,vhangup,vserver
```

Then, as hinted by @mulecat, I opted ptrace out of the list, and the game executed smoothly.

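The `strace -qcf` list posted earlier in this thread and the ptrace finding in the last two comments are two halves of one check: collect the syscalls the program really makes, then see which of them a `seccomp.drop` list would kill. The following is an added example (my code, not firejail's and not from this thread) that does both from a captured `strace -c` summary. The summary is constructed for the example; the drop list is the one quoted in the comment above, which happens to list `process_vm_writev` twice, so the rewrite also collapses duplicates.

```sh
#!/bin/sh
# Added example: turn an `strace -qcf` summary into a seccomp.keep line and
# reconcile it against a seccomp.drop list. Inputs below are constructed.

# Constructed `strace -c` summary. Only the last column (syscall name) is used;
# the header, separator and "total" lines must be skipped.
STRACE_SUMMARY='% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 40.00    0.004000          40       100           read
 25.00    0.002500          25       100           write
 15.00    0.001500          15       100         3 futex
 10.00    0.001000          50        20           mmap
  5.00    0.000500          50        10           ptrace
  3.00    0.000300          30        10           clone
  1.00    0.000100          50         2           execve
  1.00    0.000100          50         2           open
------ ----------- ----------- --------- --------- ----------------
100.00    0.010000                   344         3 total'

# Drop list copied from the comment above (process_vm_writev appears twice there).
DROP_LIST='mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,ioprio_set,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old,afs_syscall,bdflush,break,ftime,getpmsg,gtty,lock,mpx,pciconfig_iobase,pciconfig_read,pciconfig_write,prof,profil,putpmsg,rtas,s390_runtime_instr,s390_mmio_read,s390_mmio_write,security,setdomainname,sethostname,sgetmask,ssetmask,stty,subpage_prot,switch_endian,ulimit,vhangup,vserver'

# Syscall names from the summary, one per line, sorted and deduplicated.
# Data rows start with a number; the "total" row is dropped explicitly.
observed_syscalls() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9.]+$/ && $NF != "total" { print $NF }' | sort -u
}

# A seccomp.keep line for the observed syscalls.
keep_line() {
    observed_syscalls "$1" | awk '{ printf "%s%s", (NR > 1 ? "," : "seccomp.keep "), $0 } END { print "" }'
}

# Observed syscalls that a comma-separated drop list would kill.
blocked_by_drop() {
    observed_syscalls "$1" | awk -v drop="$2" '
        BEGIN { n = split(drop, d, ","); for (i = 1; i <= n; i++) set[d[i]] = 1 }
        ($0 in set) { print }'
}

# Drop list with one syscall removed and duplicates collapsed, order preserved.
drop_without() {
    printf '%s\n' "$1" | awk -v skip="$2" -F',' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == skip || ($i in seen)) continue
            seen[$i] = 1
            if (out != "") out = out ","
            out = out $i
        }
        print out
    }'
}

# Usage: the first call prints "ptrace", the second prints nothing.
blocked_by_drop "$STRACE_SUMMARY" "$DROP_LIST"
blocked_by_drop "$STRACE_SUMMARY" "$(drop_without "$DROP_LIST" ptrace)"
```

`blocked_by_drop` names the conflict directly, which is the evidence to keep with the profile change: each syscall taken off the drop list widens what a compromised process inside the sandbox may do (ptrace in particular lets one sandboxed process inspect and modify another), so the list should be relaxed one observed syscall at a time and the reason recorded next to the profile line.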

@curiosity-seeker commented on GitHub (Mar 30, 2018):

I haven't used wine recently so I haven't tried to solve the problem. However, as a general suggestion it might be worth trying `perf` to get the syscalls used by a specific application.

For the specified PID execute

```
sudo perf stat -e 'syscalls:sys_enter_*' -p PID
```

The used syscalls are now counted until you press Ctrl-C. My impression is that this method is superior compared to using `strace -qcf`.


@chiraag-nataraj commented on GitHub (May 20, 2019):

If someone is interested in tightening the Wine profile, please submit a pull request! I'm going to go ahead and close this old thread since @curiosity-seeker stopped using wine ;P


@smitsohu commented on GitHub (Dec 12, 2019):

I took the liberty to upstream some of the ideas from this thread (also in dcda92c278).

Would be good to have the whitelisting, too, but I'm not familiar with wine myself, so didn't touch it.

Reference: github-starred/firejail#319