mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #573] Using Firejail by Default #408
Originally created by @ghost on GitHub (Jun 15, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/573
@reinerh commented on GitHub (Jun 15, 2016):
Try firecfg which is available since 0.9.40.
It creates symlinks for your profiles in /usr/local/bin, which causes them to get started with firejail automatically.
@reinerh commented on GitHub (Jun 15, 2016):
Yes, it's installed by default.
It works when the tools are started by name (via menu/desktop files, etc.), not by absolute path.
When the absolute path is in the desktop file, firejail will not be called.
@reinerh commented on GitHub (Jun 15, 2016):
You put your config like "net eth0" into your profile.
Calling firejail over a symlink is like starting firejail with the profile.
But I just see that x11 is not supported for profiles.
@reinerh commented on GitHub (Jun 15, 2016):
The command line is not affected at all.
If you edit profile files (the default behavior of sandboxed applications in /etc/firejail), you can put "net eth0" in, but X11 sandboxing is currently not possible via profiles.
@reinerh commented on GitHub (Jun 16, 2016):
When launching it with additional parameters you can still see "Reading profile /etc/firejail/firefox.profile", so your profile will still be honored.
@reinerh commented on GitHub (Jun 16, 2016):
It means that you cannot configure X11 sandboxing in profiles, see also:
https://firejail.wordpress.com/features-3/man-firejail-profile/
@reinerh commented on GitHub (Jun 16, 2016):
Yes, that works too.
But I find the symlink solution more elegant (if X11 sandboxing is not important).
@reinerh commented on GitHub (Jun 16, 2016):
It probably depends on the file manager and/or the .desktop files, but in general opening files sandboxed in Evince is possible with the symlink approach (assuming Evince is not started by absolute path).
@netblue30 commented on GitHub (Jun 17, 2016):
We don't have support for file managers at the moment. They use full paths to start executables.
@netblue30 commented on GitHub (Jun 18, 2016):
It depends on the file manager. Some of them allow you to handle a specific file type with a specific executable. For example, for .pdf files, it opens a window where you can choose the executable. In this window you would go and choose /usr/local/bin/evince instead of the regular /usr/bin/evince.
@ghost commented on GitHub (Jun 20, 2016):
I only skimmed this thread, but you can also put a bash alias with your firejail and options prepended to the program name, but that obviously only works for programs started from the shell. Just as another tip.
Or I have some symlinks to firejail in ~/.bin/. (Easier to set symlinks because no root perms are required and I use ~/.bin/ anyway.)
@netblue30 commented on GitHub (Jun 23, 2016):
There is no clean solution at the moment, you will have to do it for each file type. What distro and desktop environment are you using?
@netblue30 commented on GitHub (Jun 26, 2016):
Yes, do "sudo apt-get install firejail"
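Added example, not part of the original thread or of the firejail project: a small audit of .desktop files that reports which Exec= entries reach a firejail symlink and which skip it by using an absolute path, as described in the comments above. The function names are hypothetical; it assumes the symlink directory comes before /usr/bin in PATH and that the first word of Exec= is the program.

```shell
#!/bin/sh
# Hypothetical helper: true if $1 is a symlink whose target is firejail
# (the kind of link the thread says firecfg creates in /usr/local/bin).
is_firejail_link() {
    [ -L "$1" ] || return 1
    case $(readlink "$1") in
        firejail|*/firejail) return 0 ;;
    esac
    return 1
}

# audit_desktop_exec APPS_DIR WRAPPER_DIR
# Prints "<status> <file> <command>" per .desktop file, where status is:
#   SANDBOXED  bare name (or wrapper path) that resolves to a firejail symlink
#   BYPASS     absolute path outside WRAPPER_DIR, so firejail is not called
#   NOLINK     bare name with no firejail symlink in WRAPPER_DIR
audit_desktop_exec() {
    apps_dir=$1
    wrapper_dir=$2
    for f in "$apps_dir"/*.desktop; do
        [ -f "$f" ] || continue
        # Assumption: first Exec= line, first word is the program.
        cmd=$(sed -n 's/^Exec=\([^ ]*\).*/\1/p' "$f" | head -n 1)
        [ -n "$cmd" ] || continue
        case $cmd in
            /*) # absolute path: only fine if it names the wrapper symlink itself
                if [ "$(dirname "$cmd")" = "$wrapper_dir" ] && is_firejail_link "$cmd"
                then status=SANDBOXED; else status=BYPASS; fi ;;
            *)  if is_firejail_link "$wrapper_dir/$cmd"
                then status=SANDBOXED; else status=NOLINK; fi ;;
        esac
        printf '%s %s %s\n' "$status" "$(basename "$f")" "$cmd"
    done
}

# Constructed fixture: throwaway tree with one by-name and one by-path entry.
demo() {
    t=$(mktemp -d); mkdir "$t/apps" "$t/bin"
    ln -s /usr/bin/firejail "$t/bin/evince"
    printf '[Desktop Entry]\nExec=evince %%U\n' > "$t/apps/by-name.desktop"
    printf '[Desktop Entry]\nExec=/usr/bin/evince %%U\n' > "$t/apps/by-path.desktop"
    audit_desktop_exec "$t/apps" "$t/bin"; rm -rf "$t"
}
# Real use: audit_desktop_exec /usr/share/applications /usr/local/bin
```

Entries reported as BYPASS are the ones to repoint at the symlink or handle per file type.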