github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #754] Firejail.service #512

New issue
Closed
opened 2026-05-05 06:01:20 -06:00 by gitea-mirror · 9 comments
gitea-mirror commented 2026-05-05 06:01:20 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Aug 30, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/754

Hello Netblue,

With intentions of making Linux more secure for everyone, I'd like to know if it's possible to create a firejail service that automatically firejails every executable opened, since your profiles have been proven to work very well for everyone, and because new users don't find it attractive to edit launchers. This way, distros could enable such service and make it automatic start/enable upon firejail installation.

Cheers,
Amarildo

Originally created by @ghost on GitHub (Aug 30, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/754 Hello Netblue, With intentions of making Linux more secure for everyone, I'd like to know if it's possible to create a firejail service that automatically firejails every executable opened, since your profiles have been proven to work very well for everyone, and because new users don't find it attractive to edit launchers. This way, distros could enable such service and make it automatic start/enable upon firejail installation. Cheers, Amarildo
gitea-mirror 2026-05-05 06:01:20 -06:00
gitea-mirror commented 2026-05-05 06:01:27 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Aug 30, 2016):

Would firecfg be what you're looking for?
It "allows the user to sandbox applications automatically, just by clicking on a regular desktop menus and icons."

See man firecfg for details on how to use it.

<!-- gh-comment-id:243540366 --> @Fred-Barclay commented on GitHub (Aug 30, 2016): Would `firecfg` be what you're looking for? It "allows the user to sandbox applications automatically, just by clicking on a regular desktop menus and icons." See `man firecfg` for details on how to use it.
gitea-mirror commented 2026-05-05 06:01:31 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Aug 30, 2016):

Thanks, but this suggestion is not for my use :) Most newcomers don't even want a Terminal to work on, much less understand how to work with Firejail or Firecfg. That's why I think that a trully automated "firejail.service" (similar in operation to firecfg) would be a good idea. This service wouldn't require any user intervention.

<!-- gh-comment-id:243583290 --> @ghost commented on GitHub (Aug 30, 2016): Thanks, but this suggestion is not for _my_ use :) Most newcomers don't even want a Terminal to work on, much less understand how to work with Firejail or Firecfg. That's why I think that a trully automated "firejail.service" (similar in operation to firecfg) would be a good idea. This service wouldn't require any user intervention.
gitea-mirror commented 2026-05-05 06:01:33 -06:00
Author
Owner
Copy link

@xahare commented on GitHub (Aug 31, 2016):

This wouldnt be a service, just some symlinks. you could make something for a settings panel like "auto firejail: on off" that runs the same command.

this is a bad idea, unless the user is aware that firejail is running. for example, if you save an image from the browser to your home folder, it will only exist in the context of the firejail. the browser will not tell the user otherwise. the profiles would need to change to explicit about what browsers can and can't do, but those changes could break cases where the browser should think it can write somewhere.

[edit] just tried this with a private home, and the file does persist, so its a bad example

you could borrow from qubes-os and bring the window manager into the picture, making different borders. for example, a fire themed window decorations, maybe of different colors if your separating contexts.

<!-- gh-comment-id:243632502 --> @xahare commented on GitHub (Aug 31, 2016): This wouldnt be a service, just some symlinks. you could make something for a settings panel like "auto firejail: on off" that runs the same command. this is a bad idea, unless the user is aware that firejail is running. for example, if you save an image from the browser to your home folder, it will only exist in the context of the firejail. the browser will not tell the user otherwise. the profiles would need to change to explicit about what browsers can and can't do, but those changes could break cases where the browser should think it can write somewhere. [edit] just tried this with a private home, and the file does persist, so its a bad example you could borrow from qubes-os and bring the window manager into the picture, making different borders. for example, a fire themed window decorations, maybe of different colors if your separating contexts.
gitea-mirror commented 2026-05-05 06:01:36 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Aug 31, 2016):

@amarildojr I see. Well, since firejail is a terminal program 😉 anyone who uses it is probably at least somewhat comfortable with the terminal.
I wonder if firecfg could be integrated with firetools so that you could have a graphical interface to initially launch firecfg? Of course, after the initial firecfg (or whatever the graphical equivalent would be when launched from firetools) the user will never have to do any intervention--all programs with a firejail profile will start automatically in firejail under most circumstances.

<!-- gh-comment-id:243641390 --> @Fred-Barclay commented on GitHub (Aug 31, 2016): @amarildojr I see. Well, since firejail _is_ a terminal program :wink: anyone who uses it is probably at least somewhat comfortable with the terminal. I wonder if `firecfg` could be integrated with [firetools](https://github.com/netblue30/firetools) so that you could have a graphical interface to initially launch firecfg? Of course, after the initial `firecfg` (or whatever the graphical equivalent would be when launched from firetools) the user will never have to do any intervention--all programs with a firejail profile will start automatically in firejail under most circumstances.
gitea-mirror commented 2026-05-05 06:01:38 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Sep 1, 2016):

The closest you can get to this, would be an x11 Xephyr setting, where you start in firejail a light window manager like openbox - https://firejail.wordpress.com/documentation-2/x11-guide/#configurexephyr

Then, all the applications started by Xephyr would be automatically sandboxed.

<!-- gh-comment-id:244101643 --> @netblue30 commented on GitHub (Sep 1, 2016): The closest you can get to this, would be an x11 Xephyr setting, where you start in firejail a light window manager like openbox - https://firejail.wordpress.com/documentation-2/x11-guide/#configurexephyr Then, all the applications started by Xephyr would be automatically sandboxed.
gitea-mirror commented 2026-05-05 06:01:40 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Sep 2, 2016):

@netblue30 So distros could already implement this if they wanted?

<!-- gh-comment-id:244298833 --> @ghost commented on GitHub (Sep 2, 2016): @netblue30 So distros could already implement this if they wanted?
gitea-mirror commented 2026-05-05 06:01:41 -06:00
Author
Owner
Copy link

@xahare commented on GitHub (Sep 2, 2016):

one distro, subgraphos https://subgraph.com/sgos/ already does this. they use their own sandbox, which is similar to firejail.

<!-- gh-comment-id:244299604 --> @xahare commented on GitHub (Sep 2, 2016): one distro, subgraphos https://subgraph.com/sgos/ already does this. they use their own sandbox, which is similar to firejail.
gitea-mirror commented 2026-05-05 06:01:43 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Sep 3, 2016):

So distros could already implement this if they wanted?

Yes.

<!-- gh-comment-id:244547386 --> @netblue30 commented on GitHub (Sep 3, 2016): > So distros could already implement this if they wanted? Yes.
gitea-mirror commented 2026-05-05 06:01:45 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Sep 3, 2016):

Thanks. I'm closing this issue then.

<!-- gh-comment-id:244557634 --> @ghost commented on GitHub (Sep 3, 2016): Thanks. I'm closing this issue then.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#512
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?