[GH-ISSUE #1139] Profile requests #789

Open
opened 2026-05-05 06:40:09 -06:00 by gitea-mirror · 308 comments

Originally created by @netblue30 on GitHub (Mar 10, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1139

Issue to ask for and discuss new profiles.

Progress is tracked in: https://github.com/users/netblue30/projects/7

- command line document converters (e.g. `latex2*`, `pdf*`, `rst2*`, `pod2`, `pcp2pdf`, `wkhtmltopdf`, ...)
- [ ] **`disable-sys.inc`** to restrict access to files in `/sys/{block,bus,class,dev,devices,kernel}`
- [ ] KVM
- [ ] jmemorize
- [ ] KTnef
- [ ] KRDC
- [ ] discover
- [ ] KWalletManager
- [ ] brl-cad (a military-veteran CAD, but common in civilian environments)
- [ ] https://sourceforge.net/projects/animationmaker/
- [ ] jdownloader2
- [ ] [InSync](https://www.insynchq.com/)
- [ ] [variety](http://peterlevi.com/variety/)
- [ ] [KDE connect](https://community.kde.org/KDEConnect)
- [ ] autotrace
- [ ] [Y PPA Manager](https://launchpad.net/y-ppa-manager)
- [ ] Adobe reader
- [ ] standalone flashplayer
- [ ] Adobe AIR
- [ ] cinepaint
- [ ] jahshakavr
- [ ] soulseekqt
- [ ] [Tribler](https://github.com/Tribler/tribler)
- [ ] [Leonflix](http://leonflix.net/)
- [ ] upwork desktop
- [ ] Quake3
- [ ] UrbanTerror
- [ ] Citra
- [ ] [makemkv](https://www.makemkv.com/)
- [ ] Mellowplayer
- [ ] [Stubby](https://github.com/getdnsapi/stubby)
- [ ] SpamAssassin
- [ ] Kile
- [ ] [llpp](https://github.com/moosotc/llpp)
- [ ] [zotero](https://www.zotero.org/download/)
- [ ] neovim
- [ ] [Sia-UI](https://gitlab.com/NebulousLabs/Sia-UI/-/releases)
- [ ] [Calculator](https://github.com/elementary/calculator) (`io.elementary.calculator`)
- [ ] [Calendar](https://github.com/elementary/calendar)
  - [ ] `io.elementary.calendar`
  - [ ] `io.elementary.calendar-daemon`
- [ ] [Camera](https://github.com/elementary/camera) (`io.elementary.camera`)
- [ ] [Captive Portal Assistant](https://github.com/elementary/capnet-assist) (`io.elementary.capnet-assist`)
- [ ] [Code](https://github.com/elementary/code) (`io.elementary.code`)
- [ ] [Files](https://github.com/elementary/files)
  - [ ] `io.elementary.files`
  - [ ] `io.elementary.files-daemon`
  - [ ] `io.elementary.files-pkexec`
- [ ] [Music](https://github.com/elementary/music) (`io.elementary.music`)
- [ ] [Photos](https://github.com/elementary/photos) (`io.elementary.photos`) - based on the old Shotwell code
- [ ] [Terminal](https://github.com/elementary/terminal) (`io.elementary.terminal`)
- [ ] [Videos](https://github.com/elementary/videos) (`io.elementary.videos`)
- [ ] [GNOME Podcasts](https://gitlab.gnome.org/World/podcasts) (`gnome-podcasts`)
- [ ] [pass](https://git.zx2c4.com/password-store/) / [gopass](https://github.com/gopasspw/gopass)
  - [ ] `pass`
  - [ ] `gopass`
- [ ] [Keybase](https://github.com/keybase/client)
  - [ ] `kbfsfuse` (not sure if this one makes sense...)
  - [ ] `keybase`
  - [ ] `keybase-gui`
- [ ] [Yubikey Manager](https://github.com/Yubico/yubikey-manager-qt)
  - [ ] `ykman`
  - [ ] `ykman-gui`
- [ ] [GZDoom](https://github.com/coelckers/gzdoom) (`gzdoom`)
- [ ] [QuakeSpasm](https://sourceforge.net/projects/quakespasm/) (`quake`)
- [ ] [rRootage](https://sourceforge.net/projects/rrootage/) (`rrootage`)
- [ ] [Renames TV Series](https://www.tweaking4all.com/home-theatre/rename-my-tv-series-v2/)
- [ ] [deepin-screen-recorder](https://github.com/linuxdeepin/deepin-screen-recorder)
- [ ] [Joplin](https://joplinapp.org/)
- [ ] mate-terminal
- [ ] asbru
- [ ] socat
- [ ] [cordless](https://github.com/Bios-Marcel/cordless)
- [ ] Unity/Unity Hub
- [ ] pcloud
- [ ] [lens](https://github.com/lensapp/lens)
- [ ] Obsidian
- [ ] luarocks
- [ ] Stremio
- [ ] [cointop](https://github.com/miguelmota/cointop)
- [ ] [irssi](https://irssi.org/)
- [ ] [easytag](https://sourceforge.net/projects/easytag/)
- [ ] [mbsync](https://isync.sourceforge.io/mbsync.html)
- [ ] [Bitwig Studio](https://www.bitwig.com/download/)
- [ ] [radicale](https://radicale.org)
- [ ] [solvespace](https://solvespace.com/)
- [ ] screen
- [ ] [khard](https://github.com/scheibler/khard)
- [ ] [vdirsyncer](https://github.com/pimutils/vdirsyncer)
- [ ] cryptomator
- [ ] SRBMiner
- [ ] NBMiner
- [ ] [Hypnotix](https://github.com/linuxmint/hypnotix)
- [ ] Fwknop
- [ ] Sublime Text 4
- [ ] Hamsket
- [ ] webex
- [ ] Veloren and Airshipper
- [ ] openstego
- [ ] etcher and Ventoy
- [ ] waifu2x-converter-cpp
- [ ] MEGAsync
- [ ] seafile-client
- [ ] retroshare
- [ ] Aether
- [ ] rust-analyzer
- [ ] FireDM
- [ ] xournal-thumbnailer
- [ ] blender-thumbnailer.py
- [ ] rustup
- [ ] scour
- [ ] gnome-extensions-app
- [ ] gnome-extensions
- [ ] gnome-games
- [ ] gnome-do
- [ ] gnome-epub-thumbnailer
- [ ] gnome-kra-ora-thumbnailer
- [ ] gnome-dictionary
- [ ] gnome-translate
- [ ] x2goserver

<details><summary>Resolved</summary>

> strikethrough means won't fix

- [x] kwrite
- [x] [Jerry chess](https://github.com/asdfjkl/jerry)
- [x] Riot.im (desktop)
- [x] freemind
- [x] tshark
- [x] tcpdump
- [x] freecad
- [x] geary
- [x] [imagej](https://imagej.nih.gov/ij/)
- [x] [macrofusion](https://sourceforge.net/projects/macrofusion/)
- [x] discord
- [x] [rambox](https://github.com/saenzramiro/rambox)
- [x] ~gnome-online-miners~
- [x] gnome-sound-recorder
- [x] Natron
- [x] Cinelerra
- [x] amule
- [x] Calligra
- [x] ~Ghetto-skype~
- [x] Blender
- [x] Google Earth
- [x] shotcut
- [x] ~[Tbb PPA](http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html)~
- [x] ~Gnome-boxes~
- [x] ~Tor Messenger~
- [x] amuled
- [x] shortwave
- [x] [WPS-Office](http://www.wps.com/)
- [x] ~[TeamViewer](https://www.teamviewer.com/en/download/linux/)~ https://github.com/netblue30/firejail/issues/825#issuecomment-250977527
- [x] [Ricochet](https://ricochet.im/)
- [x] tvbrowser
- [x] foliate
- [x] [RTV](https://github.com/michael-lazar/rtv)
- [x] homebank
- [x] dooble browser
- [x] Otter browser
- [x] [mattermost desktop client](https://github.com/mattermost/desktop)
- [x] [FreeTube](https://github.com/FreeTubeApp/FreeTube/)
- [x] Spectacle
- [x] Lyx
- [x] [Fractal](https://gitlab.gnome.org/GNOME/fractal)
- [x] [Quaternion](https://github.com/QMatrixClient/Quaternion/)
- [x] [Youtube-Viewer](https://github.com/trizen/youtube-viewer)
- [x] [balsa](https://github.com/GNOME/balsa)
- [x] Minecraft Server
- [x] [Minitube](https://flavio.tordini.org/minitube)
- [x] lutris
- [x] tutanota-desktop
- [x] Coyim
- [x] Avidemux
- [x] librewolf
- [x] pipe-viewer
- [x] gtk-pipe-viewer
- [x] sway
- [x] tmux
- [x] [librecad](https://librecad.org/)
- [x] Notable
- [x] `qemu-system-*`
- [x] ~qemu-kvm~
- [x] virt-manager
- [x] Microsoft Edge for linux
- [x] [gh](https://cli.github.com/)

</details>

> Comments marked as resolved contain a request/question for a new profile, or a hint to a PR/commit which adds a new profile.
Labels: enhancement, help wanted (added 2026-05-05 06:40:09 -06:00 by gitea-mirror)
@nyancat18 commented on GitHub (Mar 22, 2017):

macrofusion
hugin
imagej
geary

@nyancat18 commented on GitHub (Mar 22, 2017):

https://sourceforge.net/projects/macrofusion/
http://hugin.sourceforge.net/
https://imagej.nih.gov/ij/

@Fred-Barclay commented on GitHub (Mar 22, 2017):

@rekixex does #1154 work for you?

@magistryo commented on GitHub (Mar 24, 2017):

Hey donosaurus - where is your GUI?? Very much needed: a firewall like that - app goes to internet -> firewall asks -> allow/deny/create rule.

@Fred-Barclay commented on GitHub (Mar 26, 2017):

@rekixex gpicview has been added: b51d44a29a07772cf4b38b6133aad343e76185d8 😄

@nyancat18 commented on GitHub (Mar 30, 2017):

1. brl-cad (a military-veteran CAD, but common in civilian environments)
2. ~freecad (a civil-use CAD)~
3. ~dia (from gnome)~
4. ~fontforge~

@mustaqimM commented on GitHub (Apr 10, 2017):

Nylas [Email client](https://github.com/nylas/nylas-mail)
Wire [Chat client](https://github.com/wireapp/wire-desktop/)
@Fred-Barclay

@Fred-Barclay commented on GitHub (Apr 12, 2017):

@mustaqimM We actually already have a Wire profile. 😄

@mustaqimM commented on GitHub (Apr 13, 2017):

@Fred-Barclay Thanks for that, for some reason it wasn't in the AUR package, so now I'm using the git one. I'm having trouble creating a profile for `Nylas Mail`, I get

```
Streaming log data to /tmp/Nylas-Mail-3.log
[3:0413/071541:FATAL:udev_linux.cc(20)] Check failed: monitor_.
#0 0x000001e5855e <unknown>
#1 0x000001e6e25b <unknown>
#2 0x000000cbe6a6 <unknown>
#3 0x000001248602 <unknown>
#4 0x000001e59226 <unknown>
#5 0x000001e74755 <unknown>
#6 0x000001e74a48 <unknown>
#7 0x000001e74e9b <unknown>
#8 0x000001e4e669 <unknown>
#9 0x000001e8d41e <unknown>
#10 0x000001eac40a <unknown>
#11 0x000002707e36 <unknown>
#12 0x00000270803e <unknown>
#13 0x000001eac4ce <unknown>
#14 0x000001ea8a53 <unknown>
#15 0x7f332d63e2e7 start_thread
#16 0x7f332707f54f __GI___clone

Failed to generate minidump.
Parent is shutting down, bye...
```

By the way, it's an electron app.

@Fred-Barclay commented on GitHub (Apr 13, 2017):

Sure, I'll take a look at it. Can you open a new issue, post the profile you're currently using, and @Fred-Barclay me so I'll get a notification?

@Micha-Btz commented on GitHub (May 1, 2017):

would be nice to have profiles for ~tvbrowser~ and jdownloader2 :-)

@ghost commented on GitHub (May 10, 2017):

Hi, I would like to make a restrictive version of the "transmission-gtk.profile". As of now, it has access to all folders within my home folder, and I would like to restrict it to a "Torrents" folder only in the home folder. How would I go about doing that? My current transmission-gtk profile is the following:

```
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/transmission-gtk.local

# transmission-gtk bittorrent profile
noblacklist ${HOME}/.config/transmission
noblacklist ${HOME}/.cache/transmission

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog

private-bin transmission-gtk
private-dev
private-tmp
```

@netblue30 commented on GitHub (May 10, 2017):

The easiest way would be to start the sandbox with a different user home directory - /home/username/Torrents in your case. Create an empty ~/Torrents directory (mkdir ~/Torrents) and in your profile file add "private ~/Torrents" at the end of the file.

@qazip commented on GitHub (May 11, 2017):

Profile requests:

- Riot.im
- Wire.com

@nyancat18 commented on GitHub (May 13, 2017):

cherrytree (a onenote-like app for linux)

vym/freemind

@netblue30 commented on GitHub (May 13, 2017):

@qazip - Wire is already in, grab the profile from here: https://github.com/netblue30/firejail/blob/master/etc/wire.profile

@nyancat18 - cherrytree is in: https://github.com/netblue30/firejail/blob/master/etc/cherrytree.profile

@hThoreau - If you just use the default profile, is that one working?

```
$ firejail --profile=/etc/firejail/transmission-gtk.profile transmission-gtk
```

Blacklist violations are logged in the system log - /var/log/syslog or /var/log/messages depending on your distribution.

@nyancat18 commented on GitHub (May 14, 2017):

thanks @netblue30

but freemind/vym :D

@qazip commented on GitHub (May 14, 2017):

@netblue30 oh, that's weird. I don't have that file for some reason. Shouldn't I have it? (I have firejail 0.9.44.10.)

@qazip commented on GitHub (May 21, 2017):

Another profile request:

- Jerry chess (https://github.com/asdfjkl/jerry)

@breznak commented on GitHub (May 25, 2017):

InSync
https://www.insynchq.com/

variety
http://peterlevi.com/variety/

KDE connect
https://community.kde.org/KDEConnect

~RedShift
https://wiki.archlinux.org/index.php/redshift~

and
Y PPA Manager
https://launchpad.net/y-ppa-manager

Would be nice to have too.

@nyancat18 commented on GitHub (May 25, 2017):

cinepaint

@nyancat18 commented on GitHub (May 25, 2017):

jahshakavr

@qazip commented on GitHub (May 27, 2017):

- Youtube-Viewer (https://github.com/trizen/youtube-viewer)

@nyancat18 commented on GitHub (May 28, 2017):

@razip youtube-dl

@ghanan commented on GitHub (Jun 2, 2017):

Would be great if we had a profile which allow us to simulate the installation of programs, as "Arkose" used to do. Look: https://stgraber.org/category/arkose/
Maybe it could be implemented using some overlayfs.

@Fred-Barclay commented on GitHub (Jun 2, 2017):

@rekixex Catfish has been added: 67a6d8712f1ec3a43dc5bcf7ffa471c19b0e218e
I'll try to work on Cheese as well.

@netblue30 commented on GitHub (Jun 4, 2017):

@ghanan - it is quite easy, this is an example using OpenShot video editor:

In a terminal start an overlayfs sandbox (you would need a kernel 3.18 or better):

```
$ firejail --name=test --overlay --private --noblacklist=/sbin --noblacklist=/usr/sbin
```

In a different terminal, join the sandbox as root and install the program - I am using apt-get on Debian:

```
$ sudo firejail --join=test
Switching to pid 2464, the first child process inside the sandbox
changing root to /proc/2464/root
Child process initialized in 6.05 ms
# apt-get install openshot
# exit
```

Back in the first terminal run the program

```
$ openshot
```

Once you close both sandboxes, overlayfs is disabled and openshot disappears.

@pemartins1 commented on GitHub (Jun 28, 2017):

I saw it's already on the list but nevertheless I'd like to request a profile for **Geary Email Client** (https://github.com/GNOME/geary).

Thank you very much and keep up with the good work.

@ghost commented on GitHub (Jun 29, 2017):

I'm using the nautilus profile [provided here in the etc folder](https://github.com/netblue30/firejail/blob/master/etc/nautilus.profile). It blocks the extensions [clamtk-gnome (5.24-1)](https://packages.debian.org/stretch/clamtk-gnome) and [nautilus-compare (0.0.4+po1-1)](https://packages.debian.org/stretch/nautilus-compare), though other extensions that I also have installed, [nautilus-wipe (0.3-1)](https://packages.debian.org/stretch/nautilus-wipe) and [onionshare (0.9.2-1)](https://packages.debian.org/buster/onionshare), work fine. Therefore, I ask for an amendment to nautilus' profile that could allow it to use these extensions as well. Thank you.

@startx2017 commented on GitHub (Jun 29, 2017):

@rekixex - KWrite: https://github.com/netblue30/firejail/blob/master/etc/kwrite.profile

@pemartins1 - Geary: https://github.com/netblue30/firejail/blob/master/etc/geary.profile

@ghost commented on GitHub (Jul 10, 2017):

Requesting a profile for soulseekqt (a few links because the download page hasn't been updated yet, and the last two are direct links)

http://www.soulseekqt.net/news/
https://groups.google.com/d/msg/soulseek-discussion/lOvh7PoOKR0/uIZKRFZmCQAJ
https://www.dropbox.com/s/b8st8jznojbus0b/SoulseekQt-2017-2-20-Ubuntu17-64bit.tgz (x86_64)
https://www.dropbox.com/s/m12bxp0bjl6iqo9/SoulseekQt-2017-2-20-Ubuntu17-32bit.tgz (i686)

@ghost commented on GitHub (Jul 10, 2017):

**Tribler**, an onion-routing torrent client: https://github.com/Tribler/tribler

@nyancat18 commented on GitHub (Jul 11, 2017):

utox (a light tox client)

@wiredrunner commented on GitHub (Jul 15, 2017):

Enpass password manager, enpass.io

@KernelFreeze commented on GitHub (Jul 28, 2017):

Minecraft Server (Java), only allow java and server files

@loopified commented on GitHub (Aug 13, 2017):

[Discord](https://discordapp.com/).

@Fred-Barclay commented on GitHub (Nov 8, 2017):

@wiredrunner Enpass added in 78b6a1d4b0815770c09fe4db3a37ca6ce3149261 😄

@pemartins1 commented on GitHub (Dec 7, 2017):

I'd like to make another request, this time for Leonflix (http://leonflix.net/). It's not open source, so this one had better be Firejailed.

Thanks for everything once again!

@SkewedZeppelin commented on GitHub (Dec 7, 2017):

@pemartins1 see https://github.com/netblue30/firejail/pull/1613#issuecomment-340260231

@viq commented on GitHub (Jan 5, 2018):

Lightly tested discord profile in #1715

@idnovic commented on GitHub (Mar 3, 2018):

add [vs code](https://code.visualstudio.com/)

@Fred-Barclay commented on GitHub (Mar 4, 2018):

@idnovic VS Code added in f6502ebf237a54a9914c80f386f321772f0e8063 😁

@punksta commented on GitHub (Mar 21, 2018):

Would like to have an [upwork desktop](https://www.upwork.com/downloads) profile and a base profile for other time tracking systems.
Nice to have:

- disabled/random system hardware information
- window sandbox by default

@chiraag-nataraj commented on GitHub (May 4, 2018):

Copying from #1878: Coyim (suggested by @bn0785ac)

@pemartins1 commented on GitHub (Jun 4, 2018):

**Minitube**
https://flavio.tordini.org/minitube

@pemartins1 commented on GitHub (Jun 26, 2018):

**Cantata**
https://github.com/CDrummond/cantata

@iskunk commented on GitHub (Oct 18, 2018):

I have put together a profile for [Citra](https://citra-emu.org/) (Nintendo 3DS game system emulator), and would like to [contribute it](https://github.com/netblue30/firejail/files/2490332/citra-qt.profile.txt).

(Note that the `private-dev` line might be uncommented once #2203 is resolved.)

@qazip commented on GitHub (Oct 19, 2018):

qownnotes: https://github.com/pbek/QOwnNotes

@Fred-Barclay commented on GitHub (Oct 19, 2018):

@qazip Can you try this profile for qownnotes?

```
# Firejail profile for QOwnNotes
# Description: Plain-text file notepad with markdown support and ownCloud integration
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/QOwnNotes.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/Nextcloud/Notes
noblacklist ${HOME}/.config/PBE
noblacklist ${HOME}/.local/share/PBE

mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}/.config/PBE
mkdir ${HOME}/.local/share/PBE
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

caps.drop all
machine-id
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog

disable-mnt
private-bin QOwnNotes,gio
private-dev
private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
private-tmp

noexec ${HOME}
noexec /tmp
```

Author
Owner

@Vincent43 commented on GitHub (Oct 19, 2018):

@Fred-Barclay I tested the QOwnNotes profile and it works well. I wonder if we should add:

```
noblacklist ${DOCUMENTS}
whitelist ${DOCUMENTS}
```

@qazip commented on GitHub (Nov 28, 2018):

feedreader (https://github.com/jangernert/FeedReader)

@SkewedZeppelin commented on GitHub (Nov 28, 2018):

@qazip feedreader was added a few days ago in cc898c19023a9aea92bc7e863f8fd46600d27598

@reinerh commented on GitHub (Dec 1, 2018):

In #2273 profiles for Quake3 and UrbanTerror have been requested.

@qazip commented on GitHub (Jan 2, 2019):

Anki (https://apps.ankiweb.net/index.html)

@q3cpma commented on GitHub (Jan 14, 2019):

Hello, a profile for makemkv (https://www.makemkv.com/) would be nice since it's one of the only proprietary GNU/Linux programs without an alternative.

@SkewedZeppelin commented on GitHub (Jan 15, 2019):

@q3cpma there is [handbrake](https://handbrake.fr/) which seems to do the same and already has an existing profile

@q3cpma commented on GitHub (Jan 15, 2019):

On Mon, Jan 14, 2019 at 06:48:26PM -0800, SkewedZeppelin wrote:

> @q3cpma there is [handbrake](https://handbrake.fr/) which seems to do the same and already has an existing profile

Hello, it's absolutely not the same, MakeMKV is used to decrypt BDs.

@rusty-snake commented on GitHub (Jan 15, 2019):

Maybe mpv can do this if libdvdcss is installed.

EDIT: or other libs.
See: https://wiki.archlinux.org/index.php/Blu-ray

@q3cpma commented on GitHub (Jan 15, 2019):

On Tue, Jan 15, 2019 at 07:37:54AM -0800, rusty-snake wrote:

> Maybe mpv can do this if libdvdcss is installed.

Well, no, since libdvdcss is for DVDs (like its name implies). libaacs and libbdplus exist for this purpose, but I don't know any tool that uses them for backup, sadly.

@ghost commented on GitHub (Jan 16, 2019):

the default **konversation** profile does not contain the `netlink` protocol so the logs are spammed with errors, I'm not sure about the consequences for the app or if it's intended by the profile author.

![2019-01-16_14-24](https://user-images.githubusercontent.com/45907176/51252114-403ee600-199b-11e9-857c-34f62245dd6f.png)

`netfilter` in the **warzone2100** profile is breaking the game hosting function for me, not sure if it's because I'm using --net eth0 --ip.. to bypass my vpn

@Vincent43 commented on GitHub (Jan 16, 2019):

@Lockdis konversation profile is fixed in master now, thx.

@ghost commented on GitHub (Jan 18, 2019):

https://github.com/netblue30/firejail/blob/master/etc/flameshot.profile

**flameshot** is not working for me with the default profile (the application hangs and refuses to take a screenshot, I can't find errors in the log); by removing `memory-deny-write-execute` it works

@Vincent43 commented on GitHub (Jan 18, 2019):

@Lockdis fixed in master, thx. https://github.com/netblue30/firejail/commit/6e8ced5fbd4ac199f2cf48fc01fe43c81c211fb5

@brakenow commented on GitHub (Jan 18, 2019):

Mellowplayer please. :-) It depends on flashplayer.

> MellowPlayer is a free, open source and cross-platform desktop app with cloud music integration.

@qazip commented on GitHub (Jan 24, 2019):

Fractal (It's a matrix client: https://gitlab.gnome.org/GNOME/fractal)

@qazip commented on GitHub (Feb 3, 2019):

Quaternion (It's a matrix client: https://github.com/QMatrixClient/Quaternion/)

@cyrinux commented on GitHub (Feb 12, 2019):

Stubby https://github.com/getdnsapi/stubby, a dns resolver, think a profile like unbound maybe?

@schtobia commented on GitHub (Feb 16, 2019):

[webui-aria2](https://github.com/ziahamza/webui-aria2/), the popular web UI for the [aria2 download manager](https://github.com/aria2/aria2), now [also has a profile](https://github.com/schtobia/firejail/blob/master/etc/webui-aria2.profile). ([Could be](https://github.com/schtobia/firejail/compare) included via PR.)

@Fred-Barclay commented on GitHub (Feb 16, 2019):

@schtobia Please open the PR! It'd be great to have this. 😉

@ghost commented on GitHub (Mar 13, 2019):

## [Postfix](http://www.postfix.org/)

Specifically the *smtp* executable. Seems non-trivial; this script fails with a useless error message:

```
#!/bin/sh

# Derive the Postfix config directory from the CA file location
keys=$(postconf -h smtp_tls_CAfile)
dir_keys=${keys%/*}
dir_cfg=${dir_keys%/*}

# alias_maps looks like "hash:/etc/aliases"; keep only the path
alias_maps_param=$(postconf -h alias_maps)
alias_maps=${alias_maps_param##*:}

firejail --whitelist="$alias_maps"\
         --whitelist="$dir_cfg"\
         --whitelist="$(postconf -h daemon_directory)"\
         --whitelist="$(postconf -h data_directory)"\
         --whitelist="$(postconf -h smtp_tls_CApath)"\
         --whitelist="$(postconf -h myorigin)"\
         /usr/lib/postfix/sbin/smtp "$@"
```

(edit)

If I run that script directly from the CLI, `firejail` gives: "invalid whitelist path: /etc/aliases". If I remove that whitelist entry, `firejail` complains about the next one.. and so on. The only path `firejail` allows me to whitelist from the above list is `/var/lib/postfix` (the `data_directory`).

## [SpamAssassin](https://spamassassin.apache.org/)

There are data leaks, so sandboxing S/A is important for security. I've not tried the default config so I'm not sure if a profile is needed but there are essential config files so I guess it's likely.

@ghost commented on GitHub (Mar 13, 2019):

@libBletchley Did you try the `server` profile yet for PostFix/smtp? The default profile is a generic GUI one (like it says inside the file). On another note, IMHO it would be more appropriate for a daemon like smtp to use native systemd hardening techniques.

@ghost commented on GitHub (Mar 13, 2019):

@glitsj16 I didn't know about `server.profile`. Maybe I'll try that and add port 25 loosening in the netfilter. I plan to use firejail to force it through a Tor middlebox so systemd changes wouldn't be sufficient.

@ghost commented on GitHub (Mar 18, 2019):

I have a working `smtp.profile`. Note that it was tested in a firejail that is isolated on a Tor middlebox. I've removed anything Tor-specific but did not test it that way. Anyway, this is the profile if someone wants to integrate it. Note that `postfix_smtp.profile` may be a better name.

```
# Firejail profile for postfix/smtp

# This was derived from the generic server.profile, which allows /sbin
# and /usr/sbin directories.  This is where servers are installed
# depending on your usage.  This configuration was then customized for
# postfix/smtp.

# Recommended script to use for this profile (which you may want to
# save as "$(postconf -h daemon_directory)/smtp_firejail"):
#
# #!/bin/bash
# typeset -r cmd_dir=$(/usr/sbin/postconf -h command_directory); # literal path used here for security reasons
# typeset -r exec_smtp=$("$cmd_dir"/postconf -h daemon_directory)/smtp
# firejail --profile=smtp.profile\
#          --noblacklist="$cmd_dir"\
#          --whitelist="$("$cmd_dir"/postconf -h queue_directory)"\
#          --whitelist="$("$cmd_dir"/postconf -h data_directory)"\
#          "$exec_smtp" "$@"

## Postfix/smtp custom rules ##

# Needed for the two whitelist specifications that follow:
writable-var

# Directory needed for writing lockfiles is generally
# /var/spool/postfix/pid.  The common literal parent directory is
# hard-coded here.  It's recommended to include this in your script to
# enforce configuration consistency:
#   --whitelist="$(postconf -h queue_directory)"
whitelist /var/spool/postfix

# It has not been confirmed whether write access to /var/lib/postfix
# is needed.  It's hard-coded here for good measure.  It's recommended
# to include this in your script to enforce configuration consistency:
#   --whitelist="$(postconf -h data_directory)"
whitelist /var/lib/postfix

# Directory needed for executables: /usr/sbin.  The common literal
# directory is hard-coded here.  It's recommended to include this in
# your script to enforce configuration consistency:
#   --noblacklist="$(postconf -h command_directory)"
noblacklist /usr/sbin


## Defaults inherited from server.profile ##

blacklist /tmp/.X11-unix

noblacklist /sbin

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

caps
no3d
nosound
private
private-dev
private-tmp
seccomp
shell none

# too new for author's firejail version to test
# (so you may want to remove these comments):
#
# nodvd
# notv
# nou2f
# novideo
```

Postfix/smtp seems to write to `/var/log` without any issues, even though it's not whitelisted. I'm not sure how that's possible.
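
The two Postfix posts above (the wrapper script that died with "invalid whitelist path: /etc/aliases", and the `smtp.profile` with its recommended launcher) both build firejail arguments from `postconf` output. The following POSIX sh script is an added example, not code from this thread or from the firejail project: it derives the same directories and emits `--whitelist=` only for paths whose top-level directory is in an assumed allow-list (`WHITELIST_ROOTS`), and falls back to `--noblacklist=` for everything else. That allow-list is an assumption modelled on the behaviour reported above, where `/var/lib/postfix` was accepted and `/etc/aliases` was rejected; check it against the `whitelist` section of your firejail version's man page. The `sample_postconf` function is constructed sample data standing in for `postconf -h`, so the script runs without a Postfix installation.

```shell
#!/bin/sh
# Added example: build firejail --whitelist/--noblacklist arguments for a
# postfix/smtp sandbox from the directories Postfix reports, and sort each
# path by whether firejail's whitelist option is expected to accept it.
#
# ASSUMPTION: --whitelist is only accepted for paths under these top-level
# directories; anything else (e.g. /etc/aliases) is rejected with
# "invalid whitelist path", so it is granted with --noblacklist instead.
WHITELIST_ROOTS="/home /tmp /var /dev /opt /srv /media /mnt"

# Constructed sample of `postconf -h <param>` output (not a real system),
# so the script can run offline.
sample_postconf() {
    case "$1" in
        alias_maps)        echo "hash:/etc/aliases" ;;
        queue_directory)   echo "/var/spool/postfix" ;;
        data_directory)    echo "/var/lib/postfix" ;;
        daemon_directory)  echo "/usr/lib/postfix/sbin" ;;
        command_directory) echo "/usr/sbin" ;;
        smtp_tls_CApath)   echo "/etc/ssl/certs" ;;
        *) return 1 ;;
    esac
}

# strip_map_type "hash:/etc/aliases" -> "/etc/aliases"
# (Postfix map parameters carry a "type:" prefix; plain paths pass through)
strip_map_type() {
    printf '%s\n' "${1##*:}"
}

# whitelistable PATH -> exit 0 if PATH is (under) one of WHITELIST_ROOTS
whitelistable() {
    p=$1
    for root in $WHITELIST_ROOTS; do
        case "$p" in
            "$root"|"$root"/*) return 0 ;;
        esac
    done
    return 1
}

# firejail_arg_for PATH -> the firejail option that grants access to PATH
firejail_arg_for() {
    if whitelistable "$1"; then
        printf '%s%s\n' '--whitelist=' "$1"
    else
        printf '%s%s\n' '--noblacklist=' "$1"
    fi
}

# build_args POSTCONF_FN -> one firejail option per line for the smtp daemon.
# POSTCONF_FN is called as "POSTCONF_FN <parameter>" and must print its value.
build_args() {
    pc=$1
    for param in alias_maps queue_directory data_directory \
                 daemon_directory command_directory smtp_tls_CApath; do
        val=$("$pc" "$param") || continue
        firejail_arg_for "$(strip_map_type "$val")"
    done
}

# Dry run against the constructed sample: prints the argument list that
# would be handed to firejail together with --profile=smtp.profile.
build_args sample_postconf
```

On a real host, replace the sample with a thin wrapper such as `real_postconf() { postconf -h "$1"; }` and pass `build_args real_postconf` through `xargs` (or collect it into a variable) in front of `firejail --profile=smtp.profile`. Keeping the classification in one place means a path that moves from `/var` to `/etc` in a later Postfix configuration gets a `--noblacklist=` instead of silently breaking the launcher.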

@alien2003 commented on GitHub (Mar 22, 2019):

bitwarden

@CodeArtisan00 commented on GitHub (Mar 26, 2019):

- ~~[Lyx](https://www.lyx.org)~~
- [Kile](https://kile.sourceforge.io)
- ~~[Spectacle](https://kde.org/applications/graphics/spectacle/)~~
- ~~[Avidemux](http://avidemux.sourceforge.net)~~
- ~~[Vmware-Workstation](https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html)~~

@ghost commented on GitHub (Mar 28, 2019):

[RTV](https://github.com/michael-lazar/rtv)

@johnp commented on GitHub (May 8, 2019):

- [llpp](https://github.com/moosotc/llpp)
- ~~[foliate](https://github.com/johnfactotum/foliate)~~

@TheDarkTrumpet commented on GitHub (May 20, 2019):

Added pull request https://github.com/netblue30/firejail/pull/2710

@rusty-snake commented on GitHub (May 30, 2019):

- Adobe reader
- standalone flashplayer
- Adobe AIR

Requested in #2731 by @jose1711

@jose1711 commented on GitHub (May 30, 2019):

please add `autotrace` - it has a high number of CVEs assigned (https://www.cvedetails.com/vulnerability-list/vendor_id-12987/product_id-26551/year-2017/opov-1/Autotrace-Project-Autotrace.html)

@Fred-Barclay commented on GitHub (May 31, 2019):

@jose1711 this autotrace? https://github.com/autotrace/autotrace

@SkewedZeppelin commented on GitHub (May 31, 2019):

@Fred-Barclay that seems to be an unofficial fork of the original
http://autotrace.sourceforge.net/

- fedora ships a patched version of the original
- arch aur has the unofficial
- debian used to ship the original
- gentoo doesn't ship either

https://blogs.gentoo.org/ago/2017/05/20/autotrace-multiple-vulnerabilities-the-autotrace-nightmare/

@Fred-Barclay commented on GitHub (Jun 3, 2019):

@qazip can you try this profile for jerry-chess?

```
# Firejail profile for jerry
# Description: Chess GUI
# This file is overwritten after every install/update
# Persistent local customizations
include jerry.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/dkl

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

caps.drop all
machine-id
net none
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog

private-bin jerry,stockfish,sh,bash
private-dev
private-etc fonts,gtk-2.0,gtk-3.0
private-tmp

memory-deny-write-execute
```

@qazip commented on GitHub (Jun 4, 2019):

@Fred-Barclay, I no longer use jerry-chess. But I'll see if I can test it sometime this week!

@rusty-snake commented on GitHub (Jun 18, 2019):

> Tbb (http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html)

Last Update: 2017-03-08 (tor-browser 6.x.x)
No Support for Ubuntu 17.10, **18.04**, 18.10, 19.04

> Tor Messenger: https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily (No future development https://blog.torproject.org/sunsetting-tor-messenger)

> Gnome-boxes (a nice gui for kvm system)

`firejail --noprofile gnome-boxes` doesn't work.

UPDATE: `firejail --noprofile --writable-var gnome-boxes` can start VMs but if you shut them down, gnome-boxes coredumps.

> gnome-online-miners

cannot be jailed by firejail because it has only binaries in libexec that are started via dbus.

***

I suggest closing these requests.

@rusty-snake commented on GitHub (Jun 25, 2019):

closed everything except gnome-boxes (`firejail --noprofile --writable-var gnome-boxes` works). I will write a profile this week.

***

@qazip Have you found the time?

@qazip commented on GitHub (Jun 25, 2019):

No, sorry. I tried to install jerry from AUR but it's giving an error. I don't want to compile it myself..

But if it works for you, it probably works for me too!

@rusty-snake commented on GitHub (Jun 30, 2019):

Gave up writing a profile for gnome-boxes; powering off a VM always ends in a coredump.

@rusty-snake commented on GitHub (Aug 20, 2019):

[FreeTube](https://github.com/FreeTubeApp/FreeTube/) requested in #2918 by @MystesofEternity

@Niklas974 commented on GitHub (Aug 29, 2019):

I would appreciate a profile for [zotero](https://www.zotero.org/download/) (Reference management software)

@matu3ba commented on GitHub (Sep 27, 2019):

neovim, setup script (or adding to firecfg) for desktop files for AppImage in `$HOME/.local/bin`

@svc88 commented on GitHub (Sep 30, 2019):

Please, can you make a profile for the Sia-UI .appimage? https://gitlab.com/NebulousLabs/Sia-UI/-/releases
Thank you so much

@rusty-snake commented on GitHub (Oct 5, 2019):

Draft for RTV:

```
# Firejail profile for rtv
# Description: Browse Reddit from your terminal
# This file is overwritten after every install/update
# Persistent local customizations
include rtv.local
# Persistent global definitions
include globals.local

blacklist /tmp/.X11-unix

noblacklist ${HOME}/.config/rtv
noblacklist ${HOME}/.local/share/rtv

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.config/rtv
mkdir ${HOME}/.local/share/rtv
whitelist ${HOME}/.config/rtv
whitelist ${HOME}/.local/share/rtv
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
netfilter
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

disable-mnt
private-bin python*,rtv
private-cache
private-dev
private-etc ca-certificates,alternatives,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
```

@Fred-Barclay commented on GitHub (Oct 5, 2019):

@rusty-snake Looks good! One thing, on Arch I need to add `sh,xdg-settings` to private-bin for the rtv.profile to work. 😉

@ghost commented on GitHub (Oct 27, 2019):

amuled is the daemon version of amule.

I run it like this:
`firejail --private-bin=amuled --profile=/etc/firejail/amule.profile /usr/bin/amuled`

@dandelionred commented on GitHub (Nov 3, 2019):

Profile request: [mattermost desktop client](https://github.com/mattermost/desktop)

@rusty-snake commented on GitHub (Dec 14, 2019):

WPS-Office (http://www.wps.com/)
[Moved from #3040]

@necopinus commented on GitHub (Jan 6, 2020):

Some profile requests... This looks like the right place to post them, but if I should open a separate ticket(s), just let me know.


The [Elementary OS](https://elementary.io/)'s Pantheon desktop is really nice. While [the project is planning to move towards using Flatpaks for their major apps](https://github.com/elementary/appcenter/issues/1088), the change doesn't seem imminent and having pre-defined jails would be awesome for those of us running Pantheon on non Elementary OS systems.

  • [Calculator](https://github.com/elementary/calculator) (`io.elementary.calculator`)
  • [Calendar](https://github.com/elementary/calendar)
    • `io.elementary.calendar`
    • `io.elementary.calendar-daemon`
  • [Camera](https://github.com/elementary/camera) (`io.elementary.camera`)
  • [Captive Portal Assistant](https://github.com/elementary/capnet-assist) (`io.elementary.capnet-assist`)
  • [Code](https://github.com/elementary/code) (`io.elementary.code`)
  • [Files](https://github.com/elementary/files)
    • `io.elementary.files`
    • `io.elementary.files-daemon`
    • `io.elementary.files-pkexec`
  • [Music](https://github.com/elementary/music) (`io.elementary.music`)
  • [Photos](https://github.com/elementary/photos) (`io.elementary.photos`) - Based on the old Shotwell code
  • [Terminal](https://github.com/elementary/terminal) (`io.elementary.terminal`)
  • [Videos](https://github.com/elementary/videos) (`io.elementary.videos`)

Some other profiles that would be awesome to have:

  • [GNOME Podcasts](https://gitlab.gnome.org/World/podcasts) (`gnome-podcasts`)
  • [pass](https://git.zx2c4.com/password-store/) / [gopass](https://github.com/gopasspw/gopass)
    • `pass`
    • `gopass`
  • [Keybase](https://github.com/keybase/client)
    • `kbfsfuse` (not sure if this one makes sense...)
    • `keybase`
    • `keybase-gui`
  • [Yubikey Manager](https://github.com/Yubico/yubikey-manager-qt)
    • `ykman`
    • `ykman-gui`
  • [GZDoom](https://github.com/coelckers/gzdoom) (`gzdoom`)
  • [QuakeSpasm](https://sourceforge.net/projects/quakespasm/) (`quake`)
  • [rRootage](https://sourceforge.net/projects/rrootage/) (`rrootage`)

@svc88 commented on GitHub (Jan 6, 2020):

> Please can make profile for Sia-UI .appimage https://gitlab.com/NebulousLabs/Sia-UI/-/releases
> thank you so much

@rusty-snake any update on supporting this profile?

@svc88 commented on GitHub (Jan 6, 2020):

Also:
https://www.tweaking4all.com/home-theatre/rename-my-tv-series-v2/
Renames TV Series, code is not open source, so ideally a profile would be needed to block everything but internet and main folder where all TV Series lies.

I tried running the default profile but I get these errors:

```
Parent pid 17333, child pid 17334
Warning: cleaning all supplementary groups
Child process initialized in 84.83 ms
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.
Exception at 00000000004570FE: EAccessViolation:
Access violation.
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.

Parent is shutting down, bye...
```

@ghost commented on GitHub (Jan 6, 2020):

> Can not load SQLite client library "libsqlite3.so". Check your installation.

@svc88 That sounds like you're missing sqlite. Do you have it installed?

@rusty-snake commented on GitHub (Jan 19, 2020):

@johnp can you test this profile for foliate. (firejail 0.9.62+)

foliate.profile

```
# Firejail profile for foliate
# Description: Simple and modern GTK eBook reader
# This file is overwritten after every install/update
# Persistent local customizations
include foliate.local
# Persistent global definitions
include globals.local

noblacklist ${DOCUMENTS}
noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
whitelist ${DOCUMENTS}
whitelist ${DOWNLOADS}
whitelist /usr/share/com.github.johnfactotum.Foliate
whitelist /usr/share/hyphen
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
net none
no3d
#nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none
tracelog

disable-mnt
private-bin com.github.johnfactotum.Foliate,gjs
private-cache
private-dev
private-etc dconf,fonts,gconf,gtk-3.0
private-tmp

read-only ${HOME}
read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
```

**Update:** Added in df1c73a0

@rusty-snake commented on GitHub (Jan 21, 2020):

@youknow10 can you test this profile for WPS Office. (firejail 0.9.62+)

wps.profile

```
# Firejail profile for wps
# Description: WPS Office
# This file is overwritten after every install/update
# Persistent local customizations
include wps.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.kingsoft
noblacklist ${HOME}/.config/Kingsoft
noblacklist ${HOME}/.local/share/Kingsoft

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
netfilter
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

private-cache
private-dev
#private-opt kingsoft
private-tmp

#join-or-start wps
```

wpp.profile

```
# Firejail profile for wpp
# Description: WPS Office - Presentation
# This file is overwritten after every install/update
# Persistent local customizations
include wpp.local
# Persistent global definitions
# added by included profile
#include globals.local

ignore machine-id
ignore nosound

# Redirect
include wps.profile
```

@youknow16 commented on GitHub (Jan 23, 2020):

@rusty-snake , they seem to work fine. Thanks.
Isn't it better to block the network with "net none"?
Also, there are two more programs there (wpspdf and et)


@rusty-snake commented on GitHub (Jan 23, 2020):

> Isn't it better to block the network with "net none"?

As a user opt-in, sure. However, it has some networking features (cloud 🤧 backup, help/manual, internal browser (based on chrome 68 🤒 🤢 😵 💀 )).
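The wpp.profile draft above works as a redirect: it sets `ignore machine-id` / `ignore nosound` and then `include wps.profile`, and the "user opt-in" for `net none` means putting that line into wps.local, which wps.profile includes first. The following is an added example, not code from the thread or from Firejail itself: a small Python resolver that walks `include` and `ignore` lines the way this redirect relies on and then reports the effective network posture. The sample files are constructed, trimmed copies of the wps/wpp drafts plus a hypothetical wps.local holding `net none`; the word-boundary rule used for `ignore`, and skipping a missing include the way an absent .local file is skipped, are this example's assumptions about Firejail's parser, not statements from the page.

```python
"""Resolve a Firejail profile's `include` and `ignore` lines and report the
effective network posture.  Added example for this thread, not Firejail's own
parser.  The sample files are constructed: trimmed copies of the wps.profile /
wpp.profile drafts plus a hypothetical wps.local carrying the `net none`
opt-in that was discussed."""
import os
import tempfile

# Constructed sample profiles, trimmed to the lines that matter here.
SAMPLE_FILES = {
    "wps.profile": (
        "include wps.local\n"
        "include globals.local\n"
        "include disable-common.inc\n"
        "machine-id\n"
        "netfilter\n"
        "nodbus\n"
        "nosound\n"
        "protocol unix,inet,inet6\n"
        "seccomp\n"
        "private-tmp\n"
    ),
    "wpp.profile": (
        "include wpp.local\n"
        "ignore machine-id\n"
        "ignore nosound\n"
        "# Redirect\n"
        "include wps.profile\n"
    ),
    # Hypothetical user opt-in: wps.local is pulled in by wps.profile, so the
    # redirect profile wpp inherits it as well.
    "wps.local": "net none\n",
}


def resolve(name, search_dir, ignores=None, seen=None):
    """Return the effective command lines of profile `name`.

    `ignore X` drops every later command equal to X or starting with "X "
    (that boundary rule is this example's choice; check Firejail's own
    matching before relying on it).  A missing include is skipped, the way
    an absent .local file is (assumption).
    """
    ignores = set() if ignores is None else ignores
    seen = set() if seen is None else seen
    path = os.path.join(search_dir, name)
    if path in seen or not os.path.isfile(path):
        return []
    seen.add(path)  # guards against include loops
    commands = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            word, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            if word == "ignore":
                ignores.add(rest)
                continue
            if any(line == ign or line.startswith(ign + " ") for ign in ignores):
                continue
            if word == "include":
                commands.extend(resolve(rest, search_dir, ignores, seen))
                continue
            commands.append(line)
    return commands


def network_posture(commands):
    """Summarise what the resolved profile does with the network."""
    posture = {"net": "shared", "netfilter": False, "protocol": None}
    for cmd in commands:
        parts = cmd.split(None, 1)
        word, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if word == "net":
            # `net none` wins over any other net line: an empty namespace.
            posture["net"] = "none" if (rest == "none" or posture["net"] == "none") else rest
        elif word == "netfilter":
            posture["netfilter"] = True
        elif word == "protocol":
            posture["protocol"] = set(rest.split(","))
    return posture


def posture_of(profile):
    """Write the constructed samples to a temp dir and resolve `profile`."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, fname), "w") as fh:
                fh.write(body)
        cmds = resolve(profile, tmp)
    return cmds, network_posture(cmds)


if __name__ == "__main__":
    for prof in ("wps.profile", "wpp.profile"):
        cmds, posture = posture_of(prof)
        print(prof, posture)
        for c in cmds:
            print("   ", c)
```

Running it shows two things worth knowing before editing a .local: wpp ends up without `machine-id` and `nosound` because the `ignore` lines are read before the `include wps.profile` line, and the `net none` placed in wps.local also lands in wpp, since the redirect pulls in wps.profile and therefore wps.local. Anyone who wants WPS writer offline but the presentation tool online would have to put the opt-in into a per-program .local instead.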

@rusty-snake commented on GitHub (Jan 29, 2020):

@youknow10 cc57e0c


@ericschdt commented on GitHub (Feb 9, 2020):

I would like to request a profile for the [deepin-screen-recorder](https://github.com/linuxdeepin/deepin-screen-recorder) and [Joplin](https://joplinapp.org/).

@rusty-snake commented on GitHub (Mar 21, 2020):

mate-terminal requested in #3289 by @trancemind65.


@ghost commented on GitHub (Mar 21, 2020):

@trancemind65 Sandboxing a terminal emulator without making it unusable would be difficult. Due to their nature they require access to a wide and rather unpredictable set of commands (other applications) and restricting filesystem access would cause all kinds of impracticalities. That's why firejail blacklists them in /etc/firejail/disable-common.inc, mate-terminal included. Have a look inside that file to get the idea. Unless you have a very limited and predictable use-case it wouldn't be worth the effort IMHO.


@ghost commented on GitHub (Mar 21, 2020):

please a FireJail profile for Mate-Terminal, thanks!


@ghost commented on GitHub (Mar 23, 2020):

thanks for the info @ glitsj16.


@Atrate commented on GitHub (Mar 26, 2020):

If I want to push a fix to a profile should I just make a PR or do I need to post it in this issue?


@rusty-snake commented on GitHub (Mar 26, 2020):

Make a PR -- in general, if you have a finished patch a PR is easier to review, while issues are better to discuss before coding.

@ghost commented on GitHub (Apr 4, 2020):

I would like to request a profile for [shortwave](https://gitlab.gnome.org/World/Shortwave), the replacement of the [Gradio](https://github.com/haecker-felix/gradio) application.

@rusty-snake commented on GitHub (Apr 4, 2020):

@chrpinedo can you test this profile.

shortwave.profile

```
# Firejail profile for shortwave
# Description: Listen to internet radio
# This file is overwritten after every install/update
# Persistent local customizations
include shortwave.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/Shortwave
noblacklist ${HOME}/.local/share/Shortwave

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/Shortwave
mkdir ${HOME}/.local/share/Shortwave
whitelist ${HOME}/.cache/Shortwave
whitelist ${HOME}/.local/share/Shortwave
whitelist /usr/share/shortwave
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

disable-mnt
private-bin shortwave
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
private-tmp
```

@ghost commented on GitHub (Apr 5, 2020):

@rusty-snake it seems to work right. I had to comment the line `#include whitelist-runuser-common.inc` because that file doesn't exist in my version 0.9.62-1 ArchLinux. I don't know if I can provide you with some kind of debugging information. Thanks!

@rusty-snake commented on GitHub (Apr 5, 2020):

You can check if there are no missing whitelist paths.
Terminal1: `firejail --profile=path/to/shortwave.profile --name=shortwave --private shortwave`
Terminal2: `firejail --join=shortwave ls -Ra`

For whitelist-runuser-common.inc you can use these lines (just add to the profile if you want).

```
whitelist ${RUNUSER}/bus
whitelist ${RUNUSER}/dconf
whitelist ${RUNUSER}/gdm/Xauthority
#whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
whitelist ${RUNUSER}/pulse/native
whitelist ${RUNUSER}/wayland-0
```

@ghost commented on GitHub (Apr 10, 2020):

Hi @rusty-snake ! To check your two commands I had to disable `shell none` and `private-bin shortwave` because I was unable to get a shell inside the firejail or to run a `ls -Ra` command.

Regarding your `whitelist-runuser-common.inc` file, I guess if I should activate it, I don't understand quite well if it would be useful and for which. For integration with GNOME?

Second, I propose one change to your profile:

  • whitelist the `~/.cache/gstreamer-1.0` directory (it appears with `ls -Ra` in a private firejail running shortwave).

[shortwave.profile.txt](https://github.com/netblue30/firejail/files/4461010/shortwave.profile.txt)

@rusty-snake commented on GitHub (Apr 10, 2020):

Thanks for your answer. wruc restricts the files available under `/run/user/UID` (= it is for hardening). You can copy it or wait for the next firejail release.

Regarding `.cache/gstreamer-1.0`, IDT that it breaks something if it is not whitelisted. There are more programs also using/creating it and didn't have it whitelisted. Anyway `private-cache` makes `~/.cache` a tmpfs.

I can't open your attachment (trouble after the FFX 75 update I guess), if there is anything important.

@ghost commented on GitHub (Apr 10, 2020):

@rusty-snake don't worry about my attachment, it only adds the noblacklist/mkdir/whitelist for the `.cache/gstreamer-1.0` directory, which is not useful because of `private-cache`, as you said. Thanks for your comments!

@rusty-snake commented on GitHub (Jul 16, 2020):

[Asbru](https://github.com/asbru-cm/asbru-cm) requested by @NRGLine4Sec in #3512.

@svc88 commented on GitHub (Jul 18, 2020):

**Homebank - [new profile request]**

Homebank is a personal finance manager. I've looked at a lot of them around and none of them come close to what this offers (includes crypto support), so it's worth the firejail setup.
It's a simple installation via apt-get.
Homebank also updates the currencies online, so is it possible to allow incoming connections to update the currencies but at the same time block all outgoing connections with netfilters for protection?

As with many apps, I don't trust this much without firejail, so I'll really appreciate it if you can help push this to the front of the queue.

http://homebank.free.fr/en/downloads.php
https://code.launchpad.net/homebank

@bbhtt commented on GitHub (Jul 18, 2020):

@svc88 Can you try this? [homebank.txt](https://github.com/netblue30/firejail/files/4943615/homebank.txt) Couldn't check the conversion rates online, even without Firejail it says "not found". I don't have any experience using this software, so you might want to tinker with it. Under Firejail 0.9.62 the profile for firefox hasn't whitelisted `/usr/share/doc`, so you won't be able to open contents.

@svc88 commented on GitHub (Jul 19, 2020):

@kortewegdevries thank you so much. It works on my side. You have to add a few currencies in the Currency preferences and then choose a base currency (default USD), after that close and re-open homebank and go back into the currency dialog box you will see the currencies are being updated.
Here is my log file, not sure if these dconf errors are normal though?

Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/homebank.profile
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-common.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-devel.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-exec.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-programs.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/whitelist-common.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Jul 19 11:43:32 Parent pid 20380, child pid 20383
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode
Jul 19 11:43:32 Warning: skipping asound.conf for private /etc
Jul 19 11:43:32 Warning: skipping crypto-policies for private /etc
Jul 19 11:43:32 Warning: skipping dconf for private /etc
Jul 19 11:43:32 Warning: skipping pki for private /etc
Jul 19 11:43:32 Warning: skipping locale.conf for private /etc
Jul 19 11:43:32 Private /etc installed in 24.71 ms
Jul 19 11:43:32 6 programs installed in 4.64 ms
Jul 19 11:43:32 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Jul 19 11:43:32 Warning: cleaning all supplementary groups
Jul 19 11:43:32 Warning: cleaning all supplementary groups
Jul 19 11:43:32 Blacklist violations are logged to syslog
Jul 19 11:43:32  ]0;firejail homebank  Child process initialized in 104.32 ms
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): GLib-WARNING **: 11:44:37.792: getpwuid_r(): failed due to unknown user id (1000)
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): Gtk-WARNING **: 11:44:37.821: Unable to open server bookmarks: Failed to open file “/home/test/.config/gtk-3.0/servers”: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): Gtk-WARNING **: 11:44:37.825: Unable to open server bookmarks: Failed to open file “/home/test/.config/gtk-3.0/servers”: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.894: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.927: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.951: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.974: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.997: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.019: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.042: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.065: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.088: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.107: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.118: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.130: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.147: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.046: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.063: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.078: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.095: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.112: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.129: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.146: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.162: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.178: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.195: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:40 
Jul 19 11:44:40 (homebank:31): dconf-WARNING **: 11:44:40.152: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:40 
Jul 19 11:44:40 (homebank:31): dconf-WARNING **: 11:44:40.153: failed to commit changes to dconf: Could not connect: Permission denied

My other question is, if incoming connections are denied by default with 'netfilters' and outgoing connections are allowed, does that mean that if the program for example had a backdoor, wouldn't it still be able to upload content back to their servers with an "outgoing connection"?

@rusty-snake commented on GitHub (Jul 19, 2020):

Notes on the homebank profile:

  • does it really need to have a browser? if so we need to drop private-bin
  • `dbus-system none` can likely be enabled
  • ~~`ipc-namespace` can cause issues~~
  • `include whitelist-runuser-common.inc` can likely be enabled
  • `include disable-xdg.inc` can likely be enabled. needs to be moved at the end of the block
  • whitelist needs to be moved down
  • `${HOME}/.config/homebank` needs a mkdir, noblacklist, blacklist
  • `blacklist /tmp/.X11-unix`: is this a gui or a cli program??!

> not sure if these dconf errors are normal though?

If they come from a file-open dialog they can be ignored

> incoming connections are denied by default with 'netfilters'

Only if you use `net foobar0` and only if they are not a response (i.e. a new connection).
And only IPv4.

> outgoing connections are allowed does that mean that if the program for example had a backdoor wouldn't it still be able to upload content back to their servers with an "outgoing connection"

yes

> so is it possible to allow incoming connections to update the currencies but at the same time block all outgoing connections with netfilters for protection?

You need to allow outgoing connections to request the new currencies. netfilter can not be used to only allow connections for currencies, since it does not know anything about the data being sent.
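
To make concrete what `netfilter` can and cannot decide, here is an added example written for this page (it is not from the thread and not one of the rule files the firejail project ships): an iptables-restore ruleset of the kind the `--netfilter=FILE` option consumes. The file path `~/.config/firejail/homebank.net` and the interface name `eth0` are assumptions.

```text
# Constructed example ruleset for firejail's --netfilter option (iptables-restore format).
# Assumed usage, together with a network namespace (the rules are never applied
# without a --net interface, which is the point made above):
#     firejail --net=eth0 --netfilter=$HOME/.config/firejail/homebank.net homebank
# This file is IPv4 only; IPv6 needs a separate --netfilter6 file.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays open
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets that belong to a connection the program opened itself are replies,
# not "incoming connections": this is the rule that lets a download complete
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# new outgoing connections: DNS and HTTPS only, everything else is dropped
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# any new inbound connection attempt falls through to the INPUT DROP policy
COMMIT
```

The ruleset can pin the program to a port or a destination address, but every new connection to port 443 looks the same to it: it cannot tell a currency-rate download from any other upload over that port, which is exactly the limitation described above. Where that is not acceptable, `net none` (the option discussed further down) removes the network entirely.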

@bbhtt commented on GitHub (Jul 19, 2020):

> does it really need to have a browser? if so we need to drop private-bin

It has a manual or contents and online resources. I don't know if they're needed.

> `dbus-system none` can likely be enabled
> `include whitelist-runuser-common.inc` can likely be enabled

0.9.62 doesn't have those profiles/controls. I kept them uncommented to suit my own version, and I didn't run it under latest.

> `include disable-xdg.inc` can likely be enabled. needs to be moved at the end of the block
> `${HOME}/.config/homebank` needs a mkdir, noblacklist, blacklist
> `blacklist /tmp/.X11-unix`: is this a gui or a cli program??!

Fixed...? What should I blacklist under `/.config`?


@rusty-snake commented on GitHub (Jul 19, 2020):

I would suggest that you open a PR with it, so we can bring it upstream. A PR is easier when reviewing.


@svc88 commented on GitHub (Jul 19, 2020):

No, browser is not needed at all (unless you want to click on the help/about page), so no, none of that is important. So you can remove private-bin.
This is a GUI program, so you disable `blacklist /tmp/.X11-unix` (right?)

> > outgoing connections are allowed does that mean that if the program for example had a backdoor wouldn't it still be able to upload content back to their servers with an "outgoing connection"
>
> yes
>
> > so is it possible to allow incoming connections to update the currencies but at the same time block all outgoing connections with netfilters for protection?
>
> You need to allow outgoing connections to request the new currencies. netfilter can not be used to only allow connections for currencies, since it does not know anything about the data being sent.

Thanks for confirming, I think it's best if you kill the whole network altogether with `net none` (for now at least). There will be a popup saying "Cannot resolve frankfurter.app" when opening Homebank as it will try to get the currency updates, but I can deal with that until I ask the dev to make the currency updates optional.

I'm really not sure how to open a PR, would appreciate it if one of you can open it so that we can continue there? I think the profile @kortewegdevries posted just needs small changes as we said

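
Collecting the review notes from the comments above into one file, here is a draft homebank.profile added as an example for this page; it is not the profile @kortewegdevries posted and not a profile shipped by the firejail project. The include files are the ones the log earlier in this thread shows being read; the `private-etc` list and the decision to whitelist `${DOCUMENTS}` for the account files are assumptions.

```text
# Constructed draft homebank.profile, assembled from the review notes in this thread
# (example for this page, not the posted profile and not upstream's).
# Description: Free, easy, personal accounting
# This file is overwritten after every install/update
# Persistent local customizations
include homebank.local
# Persistent global definitions
include globals.local

# noblacklist first, so the disable-*.inc files below cannot hide the directory
noblacklist ${HOME}/.config/homebank

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
# disable-xdg.inc goes at the end of the disable block
include disable-xdg.inc

# whitelist block after the disable block; mkdir so the target exists on first start
mkdir ${HOME}/.config/homebank
whitelist ${HOME}/.config/homebank
# assumption: account files live under ${DOCUMENTS}
whitelist ${DOCUMENTS}
include whitelist-common.inc
# not available in 0.9.62 (see above); needs a newer firejail
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
# GUI program, so there is no "blacklist /tmp/.X11-unix" here
# no network at all for now: the only user is the currency update, which
# produces the "Cannot resolve frankfurter.app" popup mentioned above
net none
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none
tracelog

disable-mnt
# the browser is not needed, so private-bin can stay
private-bin homebank
private-cache
private-dev
# assumption: minimal list for a GTK application; extend if fonts or themes break
private-etc alternatives,dconf,fonts,gtk-3.0,locale.conf
private-tmp

# not available in 0.9.62 (see above); the dconf "Could not connect" warnings
# in the log come from the session bus being cut off and are harmless here
dbus-user none
dbus-system none
```

Test it the way the thread suggests for other profiles: save it as `~/.config/firejail/homebank.profile`, start `firejail homebank` in a terminal and watch for blacklist violations in syslog; only then move it to `/etc/firejail`.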

@MrFrank17 commented on GitHub (Jul 23, 2020):

I tried to create a profile for the pcloud client (www.pcloud.com). It looks like that at the moment:

```
protocol unix,inet,inet6,netlink,packet
noblacklist ${PATH}/fusermount
whitelist ${HOME}/.config/pcloud
whitelist ${HOME}/.pcloud
whitelist ${HOME}/.local/share/applications/appimagekit-pcloud.desktop
whitelist ${HOME}/.config/pulse
noblacklist ${HOME}/pCloudDrive
include default.profile
```

It is partly working - the syncing works for me so far.
The client additionally mounts the cloud data in a separate local folder - this is not working.

If you want to try to create a pcloud profile, you can use that as a starting ground.


@rusty-snake commented on GitHub (Jul 23, 2020):

Background: even --noprofile and --profile=noprofile.profile did not help (https://github.com/netblue30/firejail/issues/2748#issuecomment-660551208 and the following).


@bbhtt commented on GitHub (Jul 28, 2020):

@MrFrank17 Can you check if this profile works?
[pcloud.txt](https://github.com/netblue30/firejail/files/4987501/pcloud.txt)

`Downloads~$ firejail --profile=pcloud.profile --appimage pcloud` (both should be in the same Downloads folder)

> The client additionally mounts the cloud data in a separate local folder - this is not working.

I don't understand how this works. There's a pclouddrive in Home, I select any folder to upload to the cloud, then select a folder within `pclouddrive`, then sync seems to work. But I don't see where this is downloaded/mounted.

There's currently a buffer overflow while running the program.

Also why is a terminal on the list, do we make profiles for them?


@MrFrank17 commented on GitHub (Jul 28, 2020):

I had to comment `include whitelist-runuser-common.inc` (not found) and `dbus-system none`

That is the output:
[output.txt](https://github.com/netblue30/firejail/files/4990353/output.txt)

Yes, the `pclouddrive` in HOME shall show the cloud files. This is what I meant with "mounted folder" - sorry, if that was confusing. However, it still does not work.
Yes, syncing works for me as well.

Sorry, not sure what you mean with that:

> Also why is a terminal on the list, do we make profiles for them?


@bbhtt commented on GitHub (Jul 29, 2020):

Oh okay, now I understand, it's probably an encrypted vdisk image that gets mounted through the application only.


@neirenoir commented on GitHub (Aug 23, 2020):

I would like to request a profile for Unity Hub (and Unity, by extension).


@mYnDstrEAm commented on GitHub (Oct 29, 2020):

A profile for [Lutris](https://github.com/lutris/lutris/) would be great. It's a very useful and popular software (a GNU/Linux flagship like GIMP) and firejailing it would make a lot of sense (running untrusted roms / games etc).

Might not be simple to get everything running fine due to its expansive support for many emulators (some of which may already have a firejail profile) and Wine, but a profile to make changes to would be useful too. The profile could be very permissive at first. It would be best if it was a very stringent profile but made sure that everything it launches, launches with firejail and has a working firejail profile.

#3483


@vargn commented on GitHub (Nov 10, 2020):

A profile for the discord TUI Cordless would be nice.

https://github.com/Bios-Marcel/cordless


@bbros-dev commented on GitHub (Dec 1, 2020):

A profile for socat would be useful as a starting point for allowing customizations.


@heli-aviator commented on GitHub (Jan 4, 2021):

I would love a profile for

  • Signal app
  • Tutanota mail

If possible, I would love to see that we could firejail/sandbox i.e. the downloads folder for opening downloaded content. I have no idea if this is possible.


@ghost commented on GitHub (Jan 5, 2021):

@heli-aviator I added tutanota-desktop.profile in git. It would be awesome if you could test it. To do so you'll need to replicate the commits from https://github.com/netblue30/firejail/pull/3870/files. Download the profile and save it as `${HOME}/.config/firejail/tutanota-desktop.profile`. Start it by running `firejail --ignore=quiet tutanota-desktop` in a terminal and check for errors etc. If it's working as expected you can add it to your firecfg.cfg or wait until a new firejail release does so. Feel free to open a new issue if you have more questions on tutanota-desktop.


@rusty-snake commented on GitHub (Jan 5, 2021):

> To do so you'll need to replicate the commits from https://github.com/netblue30/firejail/pull/3870/files

… and https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/electron.profile.

To not break other programs which include electron.profile, copy the content of electron.profile (here on master) at the _end_ of your tutanota-desktop.profile.

Is the "Signal app" something else than signal-desktop?


@rptaylor commented on GitHub (Jan 6, 2021):

Would be great to have a profile for https://github.com/lensapp/lens
It's an electron app distributed via AppImage; I tried a number of options including `firejail --appimage --private --net=none --x11 --profile=/etc/firejail/electron.profile ./Lens-4.0.6.AppImage` but it did not work.

```
Process 16512 (kontena-lens) of user 1027 dumped core.

Stack trace of thread 2:
#0  0x00007f5145f1c37d syscall (libc.so.6 + 0xfc37d)
#1  0x000055c5073b2e30 n/a (kontena-lens + 0x4fa1e30)
#2  0x00007f5145f21913 __clone (libc.so.6 + 0x101913)

Stack trace of thread 1:
#0  0x00007f5145f21905 __clone (libc.so.6 + 0x101905)
#1  0x000055c5073aad58 n/a (kontena-lens + 0x4f99d58)
#2  0x000055c5073aace9 n/a (kontena-lens + 0x4f99ce9)
#3  0x000055c5075dbcee n/a (kontena-lens + 0x51cacee)
#4  0x000055c5054d7dbc n/a (kontena-lens + 0x30c6dbc)
#5  0x000055c5054d9278 n/a (kontena-lens + 0x30c8278)
#6  0x000055c5075e086a n/a (kontena-lens + 0x51cf86a)
#7  0x000055c504850021 n/a (kontena-lens + 0x243f021)
#8  0x000055c503c40c3d n/a (kontena-lens + 0x182fc3d)
#9  0x00007f5145e47042 __libc_start_main (libc.so.6 + 0x27042)
#10 0x000055c503c4096a _start (kontena-lens + 0x182f96a)
```

https://github.com/lensapp/lens/issues/1905


@rusty-snake commented on GitHub (Jan 8, 2021):

`firejail --private --net=none --ignore='noexec /tmp' --appimage --profile=electron Lens-4.0.6.AppImage` allows me to start lens. I don't use kubernetes/lens so I can not write a full profile or tell if lens works with this command, but it starts with it.

Notes:

  • `--ignore='noexec /tmp'`: they seem to map(?) something from /tmp and then execute it.
  • The electron.profile in firejail 0.9.64 does not work with the electron sandbox.

(Fedora 32; firejail from git)


@hariceratops commented on GitHub (Jan 16, 2021):

Would like to have a profile for Obsidian
Link to the application's site: https://obsidian.md/
Currently, running the application with firejail yields the following log

`firejail --appimage obsidian.appimage`

```
Mounting appimage type 2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 6611, child pid 6614

** Warning: dropping all Linux capabilities **

Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 108.17 ms

Parent is shutting down, bye...
AppImage unmounted
```


@rusty-snake commented on GitHub (Jan 16, 2021):

obsidian.profile draft

```
# Firejail profile for obsidian
# Description: Markdown-based knowledge base
# This file is overwritten after every install/update
# Persistent local customizations
include obsidian.local
# Persistent global definitions
include globals.local

#noblacklist PATH

include disable-shell.inc

#mkdir PATH
##mkfile PATH
#whitelist PATH
whitelist ${DOCUMENTS}
whitelist ${PICTURES}

net none

private-bin obsidian

# Redirect
include electron.profile
```

@hariceratops commented on GitHub (Jan 16, 2021):

> obsidian.profile draft
>
> ```
> # Firejail profile for obsidian
> # Description: Markdown-based knowledge base
> # This file is overwritten after every install/update
> # Persistent local customizations
> # Yet to define local customizations
> # Persistent global definitions
> include globals.local
>
> #noblacklist PATH
>
> include disable-shell.inc
>
> #mkdir PATH
> ##mkfile PATH
> #whitelist PATH
> whitelist ${DOCUMENTS}
> whitelist ${PICTURES}
>
> net none
>
> private-bin obsidian
>
> # Redirect
> include electron.profile
> ```

Ran it with `firejail --profile=/etc/firejail/obsidian.profile --apparmor obsidian.apparmor`
The application doesn't launch though, the log looks like below:

```
Reading profile /etc/firejail/obsidian.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Mounting appimage type 2
Parent pid 10764, child pid 10767

** Warning: dropping all Linux capabilities **

Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Child process initialized in 116.48 ms

Parent is shutting down, bye...
AppImage unmounted
```


@rusty-snake commented on GitHub (Jan 16, 2021):

This draft (just based on the permission of the flatpak and the fact that it is an electron program) requires the electron.profile from master. If you use firejail 0.9.64 you can copy the electron.profile from master to ~/.config/firejail/electron.profile. (This will then likely break other electron based programs, so just for testing).


@ZachIndigo commented on GitHub (Jan 29, 2021):

I would request librewolf. I have written a rough one, but having an official one would be nice.

[librewolf.txt](https://github.com/netblue30/firejail/files/5891482/librewolf.txt)


@rusty-snake commented on GitHub (Jan 29, 2021):

Draft based on @BenEvolent333 profile.

librewolf.profile

```
# Firejail profile for librewolf
# Description: DESCRIPTION
# This file is overwritten after every install/update
# Persistent local customizations
include librewolf.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/librewolf
noblacklist ${HOME}/.librewolf

mkdir ${HOME}/.cache/librewolf
mkdir ${HOME}/.librewolf
whitelist ${HOME}/.cache/librewolf
whitelist ${HOME}/.librewolf
#include whitelist-usr-share-common.inc

dbus-user filter
dbus-user.own org.mpris.MediaPlayer2.librewolf.*
# Uncomment or put in your firefox.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none

# Redirect
include firefox-common.profile
```

@CodeArtisan00 commented on GitHub (Jan 30, 2021):

avidemux.profile

```
include avidemux.local
include globals.local

noblacklist ${HOME}/.avidemux6
noblacklist ${HOME}/.config/avidemux3_qt5rc
noblacklist ${VIDEOS}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

apparmor
caps.drop all
net none
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
protocol unix
seccomp
seccomp.block-secondary
shell none
tracelog

whitelist ${HOME}/.avidemux6
whitelist ${HOME}/.config/avidemux3_qt5rc
whitelist ${VIDEOS}
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

#disable-mnt
private-bin avidemux3_cli,avidemux3_jobs_qt5,avidemux3_qt5
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none
```

Should I add or omit something? It would be great if someone could test it.


@rusty-snake commented on GitHub (Jan 30, 2021):

@Neo00001 open a PR with it after applying the nitpicks below.

> Should I add or omit something?

If it works and nothing is broken, everything can stay.

- add profile headers
- add `mkdir`s for the dotfiles
- move the whitelist block below the disable block
- maybe add novideo?
- disable-programs.inc and firecfg.config
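The nitpick list above is mechanical enough to check automatically. The Python script below is an added example, not part of firejail's own tooling or of the draft under review: it parses a profile in firejail's one-command-per-line syntax and reports the three points from the list that can be verified inside a single file (the standard header block, a `mkdir`/`mkfile` for every whitelisted dotfile, and the whitelist block sitting directly below the `disable-*.inc` block rather than after the sandbox options). `DRAFT` is the avidemux draft above trimmed to a few lines; `FIXED` is a constructed corrected version whose `# Description:` text is assumed.

```python
"""Lint a firejail profile draft for the review points listed above.

Added example, not part of firejail's own tooling. Checks the three points
that can be verified inside a single profile file: the standard header,
a mkdir/mkfile for every whitelisted dotfile, and the whitelist block placed
directly below the disable-*.inc block (before options such as caps.drop).
"""
import re

# Header lines every profile carries (compare profile.template in the repo)
HEADER_PATTERNS = (
    r"^# Firejail profile for \S+$",
    r"^# Description: .+$",
    r"^# This file is overwritten after every install/update$",
    r"^include \S+\.local$",
    r"^include globals\.local$",
)

def parse(text):
    """Yield (lineno, command, argument) for every non-comment profile line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            cmd, _, arg = line.partition(" ")
            yield n, cmd, arg.strip()

def lint(text):
    """Return human-readable findings; an empty list means the draft passes."""
    findings = []
    # 1. header: every header line must appear within the first ten lines
    head = "\n".join(text.splitlines()[:10])
    for pat in HEADER_PATTERNS:
        if not re.search(pat, head, re.M):
            findings.append(f"header: no line matching {pat!r}")
    rules = list(parse(text))
    # 2. a whitelisted dotfile must be created first: without mkdir/mkfile a
    #    missing directory ends up on the tmpfs over $HOME and is lost on exit
    created = {arg for _, cmd, arg in rules if cmd in ("mkdir", "mkfile")}
    for n, cmd, arg in rules:
        if cmd == "whitelist" and arg.startswith("${HOME}/") and arg not in created:
            findings.append(f"line {n}: whitelist {arg} without mkdir/mkfile")
    # 3. ordering: only mkdir/mkfile/whitelist lines may sit between the last
    #    'include disable-*.inc' and the first 'whitelist'
    disables = [n for n, cmd, arg in rules if cmd == "include" and arg.startswith("disable-")]
    whitelists = [n for n, cmd, _ in rules if cmd == "whitelist"]
    if disables and whitelists:
        last_disable, first_wl = max(disables), min(whitelists)
        if first_wl < last_disable:
            findings.append(f"line {first_wl}: whitelist block sits above the disable block")
        for n, cmd, arg in rules:
            if last_disable < n < first_wl and cmd not in ("mkdir", "mkfile", "whitelist"):
                findings.append(f"line {n}: '{cmd}' separates the disable block from "
                                "the whitelist block; move the whitelist block up")
                break
    return findings

# Constructed sample: the avidemux draft from the comment above, trimmed
DRAFT = """\
include avidemux.local
include globals.local

noblacklist ${HOME}/.avidemux6
noblacklist ${HOME}/.config/avidemux3_qt5rc

include disable-common.inc
include disable-programs.inc

apparmor

whitelist ${HOME}/.avidemux6
whitelist ${HOME}/.config/avidemux3_qt5rc
whitelist ${VIDEOS}
"""

# Constructed corrected version (the Description text is assumed)
FIXED = """\
# Firejail profile for avidemux
# Description: Free video editor
# This file is overwritten after every install/update
# Persistent local customizations
include avidemux.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.avidemux6
noblacklist ${HOME}/.config/avidemux3_qt5rc

include disable-common.inc
include disable-programs.inc

mkdir ${HOME}/.avidemux6
mkfile ${HOME}/.config/avidemux3_qt5rc
whitelist ${HOME}/.avidemux6
whitelist ${HOME}/.config/avidemux3_qt5rc
whitelist ${VIDEOS}

apparmor
"""
```

Running `lint(DRAFT)` yields six findings (three missing header lines, two whitelisted dotfiles without `mkdir`/`mkfile`, and the `apparmor` line sitting between the disable and whitelist blocks); `lint(FIXED)` yields none. The last nitpick, registering the program in disable-programs.inc and firecfg.config, touches other files and is not something a single-file check can see.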

@CodeArtisan00 commented on GitHub (Jan 30, 2021):

> maybe add novideo?

yep

> open a PR

doing it


@matu3ba commented on GitHub (Feb 7, 2021):

luarocks would be great, as neovim and other programs will or do include it for packaging. See [here](https://github.com/wbthomason/packer.nvim/issues/175).


@ghost commented on GitHub (Feb 27, 2021):

add mpv in firefox-common-addons
there's an extension that allows launching a URL with mpv (with youtube-dl):
https://addons.mozilla.org/en-US/firefox/addon/play-with/

Just add:

```
noblacklist ~/.config/mpv
whitelist ~/.config/mpv
```

in firefox-common-addons.inc


@rusty-snake commented on GitHub (Feb 27, 2021):

@pirate486743186 for firefox-common-addons you can always open a PR 😉 . Anyway both are already in:

https://github.com/netblue30/firejail/blob/437be33f400e26858f398e021f1c896f132897eb/etc/inc/firefox-common-addons.inc#L76-L91


@ghost commented on GitHub (Feb 27, 2021):

it's all commented out...

playwith uses a clever little hack, it pretends to be downloading a playlist as a file, then you configure firefox to automatically launch mpv with it.

it only needs the mpv profile for convenience. No external client.
It doesn't need all that crap. (python3 is already allowed higher)


@rusty-snake commented on GitHub (Feb 27, 2021):

> it's all commented out...

IMHO we can (or should) move the `noblacklist`/`whitelist` stuff up and make it default.

> python3 is already allowed higher

👍 can be removed there


@ghost commented on GitHub (Mar 1, 2021):

add pipe-viewer/gtk-pipe-viewer
create a common profile for youtube-viewer, straw-viewer and pipe viewer
they are virtually identical

and add
whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
and
private-bin xterm
and remove
dbus-user none

it needs a terminal for some features, it tries to autodetect it from $TERM
the default is xterm, so that should cover most cases.

it complains about dbus in the terminal, but i don't see anything broken.


@ghost commented on GitHub (Mar 4, 2021):

https://github.com/netblue30/firejail/pull/4064

corrections for newsbeuter

it needs .local/share/newsbeuter
it should not create .newsbeuter
it should ignore configuration of newsboat specific folders

corrections for newsboat

needs .local and .config
needs access to newsbeuter folders, for migration
it shouldn't create .newsboat
probably add w3m in private-bin


@corngoblin commented on GitHub (Mar 30, 2021):

I'd like a Stremio profile


@ghost commented on GitHub (Apr 12, 2021):

Hi there, can we put the following to the list:

- `cointop` (https://github.com/miguelmota/cointop)
- `irssi` (https://irssi.org/)
- ~`sway` wm (https://github.com/swaywm/sway)~
- `easytag` (https://sourceforge.net/projects/easytag/)
- `mbsync` (https://isync.sourceforge.io/mbsync.html)
- `Bitwig Studio` (`/opt/bitwig-studio` is used on linux distributions, trial is available at https://www.bitwig.com/download/)

Last but not least for now:

- Update `VSCodium` (it needs dir from ~/.config as well, so just amend /etc/firejail/vscodium.profile)

@ghost commented on GitHub (Apr 12, 2021):

> Update VSCodium (it needs dir from ~/.config as well, so just amend /etc/firejail/vscodium.profile)

@vatonbero Can you provide the full path that is missing so we can fix this please? Just for the record, if that's a bug in the current vscodium.profile it would get more attention / get properly tagged as a bug etcetera if you open a separate issue for it. Thanks for informing us though!


@ghost commented on GitHub (Apr 12, 2021):

> @vatonbero Can you provide the full path that is missing so we can fix this please? Just for the record, if that's a bug in the current vscodium.profile it would get more attention / get properly tagged as a bug etcetera if you open a separate issue for it. Thanks for informing us though!

Thank you for the reply. I have opened one bug report, however I must say that I still cannot determine if this is a bug or not. Here is the report: https://github.com/netblue30/firejail/issues/4183


@ghost commented on GitHub (Apr 13, 2021):

A couple more:

- `radicale` cal/card dav server (https://radicale.org)
- `solvespace` used for parametric modeling (https://solvespace.com/)
- ~`librecad` 2d cad program (https://librecad.org/)~
- `screen` multiplexer (https://www.gnu.org/software/screen/). Add ~`tmux`~ as well?
- `easytag` media tagger (https://sourceforge.net/projects/easytag/)

@rusty-snake commented on GitHub (Apr 14, 2021):

sway is already in #4164


@ghost commented on GitHub (Apr 14, 2021):

A bit more:

- `khard` cli carddav client (https://github.com/scheibler/khard)
- `vdirsyncer` calendar and contact sync (https://github.com/pimutils/vdirsyncer)

@chomwitt commented on GitHub (Apr 25, 2021):

I'd like a profile on:

- **Obsidian** a mind organizer (https://obsidian.md/) (appimage)

@sak96 commented on GitHub (May 3, 2021):

for [joplin-appimage](https://aur.archlinux.org/packages/joplin-appimage/) the following profile seems to work.

```firejail
# ~/.config/firejail/joplin.profile

# does not work without this
ignore noexec /tmp

# inherit base profile
include electron.profile

# whitelist configs
whitelist ${HOME}/.config/@joplin
whitelist ${HOME}/.config/Joplin
whitelist ${HOME}/.config/joplin-desktop
```

and the following desktop file

```desktop
[Desktop Entry]
Name=Joplin
Exec=firejail --profile=joplin --appimage /opt/appimages/Joplin.AppImage
Terminal=false
Type=Application
Icon=joplin
StartupWMClass=Joplin
X-AppImage-Version=1.3.9.2863
Comment=Joplin for Desktop
Categories=Office;
```

@rusty-snake commented on GitHub (May 3, 2021):

joplin.profile based on @sak96's post above

```
# Firejail profile for joplin
# Description: DESCRIPTION OF THE PROGRAM
# This file is overwritten after every install/update
# Persistent local customizations
include joplin.local
# Persistent global definitions
include globals.local

include disable-shell.inc

# FIXME: mkdir or mkfile?
mkdir ${HOME}/.config/@joplin
mkdir ${HOME}/.config/Joplin
mkdir ${HOME}/.config/joplin-desktop
whitelist ${HOME}/.config/@joplin
whitelist ${HOME}/.config/Joplin
whitelist ${HOME}/.config/joplin-desktop

machine-id
nosound

private-bin joplin

# Redirect
include electron.profile
```

@sak96 commented on GitHub (May 4, 2021):

I think there are three variants (cli + desktop/ui + appimage) of joplin available. Will test the above profile against all of them.
Thanks @rusty-snake


@sak96 commented on GitHub (May 4, 2021):

## joplin cli

cli uses a bash script which runs main.js in `/usr/share/joplin/` using node.
Points for improvement: `can bash be restricted ?`.
Note: editor access required like vim; is there any generic profile for the same?

profile for cli

```firejail
# Firejail profile for joplin
# Description: A note taking and to-do application
# This file is overwritten after every install/update
# Persistent local customizations
include joplin.local
# Persistent global definitions
include globals.local

private-bin joplin,node,bash

machine-id
nosound

whitelist /usr/share/joplin/
read-only /usr/share/joplin/

mkdir ${HOME}/.config/joplin
whitelist ${HOME}/.config/joplin

# inherit base profile
include allow-nodejs.inc
include electron.profile
```

## joplin desktop

Desktop uses a bash script which runs `/usr/share/joplin-desktop/@joplinapp-desktop` using node.
Points for improvement: `can bash be restricted ? is the no exec restricted enough ? can we reuse joplin cli to use this ?`.

profile for desktop

```firejail
# Firejail profile for joplin-desktop
# Description: A note taking and to-do application
# This file is overwritten after every install/update
# Persistent local customizations
include joplin-desktop.local
# Persistent global definitions
include globals.local

ignore noexec /tmp

machine-id
nosound

private-bin joplin-desktop,bash

# allow execution of /usr/share/joplin-desktop/@joplinapp-desktop
# https://github.com/netblue30/firejail/issues/3794
whitelist /usr/share/joplin-desktop/
read-only /usr/share/joplin-desktop/
ignore apparmor
ignore noexec /usr/share/joplin-desktop/@joplinapp-desktop

# allow configs
mkdir ${HOME}/.config/joplin-desktop
whitelist ${HOME}/.config/joplin-desktop

# inherit base profile
include electron.profile
```

@rusty-snake commented on GitHub (May 4, 2021):

Feel free to open a PR with them.
Sorting, ordering, disable-programs and so on are explained in the [pull request template](https://github.com/netblue30/firejail/blob/master/.github/pull_request_template.md) and [CONTRIBUTING.md](https://github.com/netblue30/firejail/blob/master/CONTRIBUTING.md#opening-an-pull-request)

> whitelist /usr/share/joplin/
> read-only /usr/share/joplin/

I would be surprised if /usr/share/foo is writeable by regular users. Leave the `read-only` and the trailing slash.

> ignore noexec /usr/share/joplin-desktop/@joplinapp-desktop

Never `noexec`ed.

> inherit base profile

Use "Redirect"

> can we reuse joplin cli to use this

I would make joplin-cli redirect to joplin-desktop (and not desktop redirect to cli, because of the next)

> Points for improvement

joplin-cli needs no x11/wayland and no xdgruntimedir(?), right:

```
blacklist /tmp/.X11-unix
blacklist ${RUNUSER}
```

`private-etc` templates can be found in profile.template too.


@sak96 commented on GitHub (May 5, 2021):

Is there any profile to enable editors?
Like vim/emacs/gvim/code all at once?
The joplin cli requires you to use some editor.

---

> ignore noexec /usr/share/joplin-desktop/@joplinapp-desktop

> Never `noexec`ed.

Could you explain this comment as well?


@rusty-snake commented on GitHub (May 5, 2021):

> is there any profile to enable editors ?
> like vim/emac/gvim/code all at once ?

No. It's not possible to allow anything necessary to run editors by e.g. `include allow-editors.inc`. But have a look at [mutt.profile](https://github.com/netblue30/firejail/blob/master/etc/profile-m-z/mutt.profile)

> ignore noexec /usr/share/joplin-desktop/@joplinapp-desktop
> Never noexeced.
> could you explain this comment as well

There is no `noexec /usr/share/joplin-desktop/@joplinapp-desktop`.


@sak96 commented on GitHub (May 5, 2021):

This line was required: `noexec /usr/share/joplin-desktop/@joplinapp-desktop`.
This is the actual desktop app executable. Without this I get a `permission denied` error.

---

Also one more query I had was: what is the difference between `noblacklist` and `whitelist`?
If I use `noblacklist ${HOME}/.vim` followed by `whitelist ${HOME}/.config/joplin` then `~/.vim` doesn't show up in the sandbox.
If I use `noblacklist` in both places then all elements in the home directory are visible for the app (including `~/my_personal_folder`).
If I use `whitelist` in both places then only .vim and the required config show up.

The effects it has in /usr/share/joplin are more visible, as whitelist will erase all other directories in /usr/share, which had a negative effect on vim.

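The three observations in the comment above follow from how firejail layers these rules. The Python model below is an added example, not firejail's code: it implements the documented semantics (a `noblacklist` neutralises a later `blacklist` of the same path, the first `whitelist` under a top directory switches that directory to whitelist mode with a tmpfs hiding everything else, and a path that is still blacklisted stays hidden even when whitelisted) for `${HOME}` and `/usr/share` only, over a constructed home directory, a constructed one-line stand-in for disable-programs.inc, and the `/usr/share` case with vim. The home path `/home/user` and the sample filesystem are assumptions.

```python
"""Simplified model of firejail's blacklist / noblacklist / whitelist rules.

Added example, not firejail code. It reproduces the three observations in the
comment above from the documented semantics:
  * a blacklist line is dropped when an earlier noblacklist covers its path,
    which is why noblacklist lines precede the disable-*.inc includes;
  * the first whitelist under a top directory puts that directory into
    whitelist mode: a tmpfs covers it and only whitelisted paths (and their
    parent directories) remain visible;
  * a path that is still blacklisted stays hidden even if it is whitelisted.
Only ${HOME} and /usr/share are modelled as whitelist top directories; real
firejail supports more and has further special cases.
"""

HOME = "/home/user"               # assumed home directory for the model
TOP_DIRS = (HOME, "/usr/share")   # whitelist top directories modelled

def expand(path):
    return path.replace("${HOME}", HOME).rstrip("/")

def covers(parent, path):
    """True when `parent` is `path` itself or one of its ancestors."""
    return path == parent or path.startswith(parent + "/")

def visible_paths(profile, filesystem):
    """Return the subset of `filesystem` paths the sandboxed program can see."""
    noblacklist, blacklist, whitelist = [], [], []
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, arg = line.partition(" ")
        arg = expand(arg)
        if cmd == "noblacklist":
            noblacklist.append(arg)
        elif cmd == "blacklist":
            # only a noblacklist seen *earlier* neutralises this line
            if not any(covers(nb, arg) for nb in noblacklist):
                blacklist.append(arg)
        elif cmd == "whitelist":
            whitelist.append(arg)
    wl_mode = {top for top in TOP_DIRS if any(covers(top, w) for w in whitelist)}
    seen = set()
    for path in filesystem:
        path = expand(path)
        if any(covers(b, path) for b in blacklist):
            continue                      # blacklisted: hidden regardless
        top = next((t for t in TOP_DIRS if covers(t, path)), None)
        if top in wl_mode and not any(covers(w, path) or covers(path, w) for w in whitelist):
            continue                      # tmpfs over the top dir hides it
        seen.add(path)
    return seen

# Constructed sample filesystem and a one-line stand-in for disable-programs.inc
FILESYSTEM = ["${HOME}/.vim", "${HOME}/.config/joplin", "${HOME}/my_personal_folder",
              "/usr/share/joplin", "/usr/share/vim"]
DISABLE_PROGRAMS = "blacklist ${HOME}/.vim\n"

# 1. noblacklist .vim + whitelist joplin: whitelist mode hides .vim anyway
CASE_NOBL_THEN_WL = "noblacklist ${HOME}/.vim\n" + DISABLE_PROGRAMS + \
    "whitelist ${HOME}/.config/joplin\n"
# 2. noblacklist both: no whitelist mode, the whole home stays visible
CASE_NOBL_BOTH = "noblacklist ${HOME}/.vim\nnoblacklist ${HOME}/.config/joplin\n" + DISABLE_PROGRAMS
# 3. noblacklist + whitelist both: only the two directories are visible
CASE_WL_BOTH = "noblacklist ${HOME}/.vim\n" + DISABLE_PROGRAMS + \
    "whitelist ${HOME}/.vim\nwhitelist ${HOME}/.config/joplin\n"
# 4. whitelisting /usr/share/joplin hides /usr/share/vim until it is whitelisted too
CASE_USR_SHARE = CASE_WL_BOTH + "whitelist /usr/share/joplin\n"
CASE_USR_SHARE_FIXED = CASE_USR_SHARE + "whitelist /usr/share/vim\n"
# 5. whitelist without noblacklist: the disable-programs.inc blacklist still wins
CASE_WL_NO_NOBL = DISABLE_PROGRAMS + "whitelist ${HOME}/.vim\n"
```

Case 5 is the reason profiles pair every `whitelist` of a blacklisted dotfile with a `noblacklist` placed above the `disable-*.inc` includes, and case 4 is the reason the avidemux draft earlier in this thread carries `include whitelist-usr-share-common.inc`: once one `/usr/share` path is whitelisted, everything else under `/usr/share` that the program needs has to be whitelisted explicitly as well.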

@ghost commented on GitHub (May 5, 2021):

> This line was required `noexec /usr/share/joplin-desktop/@joplinapp-desktop`.
> This is the actual desktop app executable. without this i get permission denied error.

@sak96 Turning 'the actual desktop app executable' into noexec doesn't make any sense. Please follow @rusty-snake's advice and open a PR. That'll give everyone a much better view on all relevant files, and the whole view at that (which is important too). This thread is for profile requests only, not for actually creating one (or several). We're happy to help, it's just easier to follow on a PR view in the GitHub UI. On a side note, why not use vim with its own sandbox profile instead of mixing things in a joplin profile?


@samsaraswheel commented on GitHub (May 18, 2021):

Profile request:

Nice to have please.
`cryptomator`: This is a client-side encryption tool like Boxcryptor (https://cryptomator.org/ and https://community.cryptomator.org/)

The Linux version is in an AppImage Java-based package format.

The `firejail --appimage "cryptomator.appimage"` command works, you can create mounts, but you can't open any encrypted mounts in other file locations or USB. Comes up with a bunch of Java resource call denied errors and FUSE no access errors.

I think it shouldn't be too much to set up. Seccomp especially would be nice. Playing around with some whitelist settings but haven't got a working profile yet. If anyone has one please add.

Edit:
Referring to documentation section 3.6 EncFS and SSHFS from https://firejail.wordpress.com/documentation-2/basic-usage/?like_comment=579
I think this may have something to do with it.

> For various reasons, during sandbox setup Firejail handles EncFS filesystems as root user. FUSE will prevent the root access to user’s files and the sandbox will fail to start.
> This problem affects all filesystems based on FUSE library.


@rusty-snake commented on GitHub (May 18, 2021):

FTR: FUSE mounts must be mounted `allow_root` or `allow_other`. Otherwise firejail isn't allowed to access them.

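A quick way to verify the point above before blaming a profile is to look at the mount table. The following check is an added example, not part of this thread or of firejail: it reads lines in the format of `/proc/self/mounts` (device, mount point, fstype, options, dump, pass) and lists every FUSE mount whose options contain neither `allow_other` nor `allow_root`. The sample mount table is constructed. Keep in mind that libfuse may pass `allow_root` to the kernel as `allow_other` and enforce the root-only restriction in userspace, so a mount requested with `allow_root` can show up as `allow_other` here.

```python
# Added example (not firejail project code): report FUSE mounts that were
# mounted without allow_other / allow_root, i.e. the ones firejail cannot enter
# while it sets up the sandbox as root.

import codecs

# Constructed sample mount table in /proc/self/mounts format. The vault line is
# the problematic one; the sshfs line shows an escaped space in the mount point.
SAMPLE_MOUNTS = r"""/dev/sda2 / ext4 rw,relatime 0 0
cryptomator /home/user/vault fuse.fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
encfs /home/user/private fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_root 0 0
sshfs#box: /mnt/remote\040share fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other 0 0
"""


def unescape(field: str) -> str:
    """Decode the octal escapes (\\040 for space, \\011 for tab, ...) that the
    kernel uses in /proc/mounts so that a path compares correctly."""
    return codecs.decode(field.encode("latin-1"), "unicode_escape")


def fuse_mounts_without_allow(mount_table: str) -> list:
    """Mount points of FUSE filesystems lacking allow_other and allow_root."""
    missing = []
    for line in mount_table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        mountpoint = unescape(fields[1])
        fstype = fields[2]
        options = fields[3].split(",")
        # fuse, fuse.<name> and fuseblk all go through the FUSE permission check.
        if not fstype.startswith("fuse"):
            continue
        if "allow_other" in options or "allow_root" in options:
            continue
        missing.append(mountpoint)
    return missing


def check_live_system(path: str = "/proc/self/mounts") -> list:
    """Run the same check against the running system's mount table."""
    with open(path, encoding="latin-1") as fh:
        return fuse_mounts_without_allow(fh.read())


if __name__ == "__main__":
    for mp in fuse_mounts_without_allow(SAMPLE_MOUNTS):
        print(f"FUSE mount without allow_other/allow_root: {mp}")
```

On the sample table only `/home/user/vault` is reported; that is the mount that would produce the "no access" errors described in the request above, and the fix is on the FUSE side (mount with the option and, where required, enable `user_allow_other` in the FUSE configuration), not in the firejail profile.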

@Area51Kacz commented on GitHub (May 30, 2021):

Edge browser (Microsoft Browser)
https://www.microsoftedgeinsider.com/en-us/download?platform=linux-deb
https://aur.archlinux.org/packages/microsoft-edge-beta-bin/

@christianskou07 commented on GitHub (Jun 4, 2021):

SRBMiner https://www.srbminer.com/ or https://github.com/doktor83/SRBMiner-Multi
NBMiner https://nbminer.com/ or https://github.com/NebuTech/NBMiner

Would be extremely convenient to have as neither of them are open sourced, hence the need for firejail.


@ghost commented on GitHub (Jun 6, 2021):

I'm surprised that "gh" isn't here.
It's a CLI for GitHub, by GitHub.
https://cli.github.com


@reinerh commented on GitHub (Jun 16, 2021):

[Hypnotix](https://github.com/linuxmint/hypnotix), user-friendly streaming application.


@rusty-snake commented on GitHub (Jul 26, 2021):

Fwknop requested in #4423 by @osevan


@ilikenwf commented on GitHub (Aug 20, 2021):

A profile for Hamsket, a fork of Rambox would be nice.

It is another Electron application, and so far I'm unsure how to get around disabling its own sandbox to use it with firejail, though.


@rusty-snake commented on GitHub (Aug 20, 2021):

electron.profile works together with electron's sandbox (since 0.9.64 IIRC).
So a profile for it can be small, like

```
HEADER

ignore some stuff from electron.profile

noblacklist + whitelist hamsket paths

additional hardening

# Redirect
include electron.profile
```

`grep "^include electron.profile" /etc/firejail/*.profile` to see profiles for other electron programs.

EDIT: You can use all (usual) firejail commands except `caps.drop all`, `nonewprivs`, `noroot`, `protocol`, `seccomp*`, `memory-deny-write-execute` for electron programs.


@antidot0 commented on GitHub (Sep 2, 2021):

Unfortunately Webex is mandatory for students and teachers, at least in my country. It would be great if there was an option to use it with firejail.


@laplasa commented on GitHub (Sep 22, 2021):

Veloren and Airshipper

https://veloren.net/

https://github.com/veloren/veloren
https://github.com/veloren/Airshipper


@rusty-snake commented on GitHub (Sep 22, 2021):

@laplasa can you try

airshipper.profile:

```
# Firejail profile for airshipper
# Description: Airshipper is the official launcher for Veloren
# This file is overwritten after every install/update
# Persistent local customizations
include airshipper.local
# Persistent global definitions
include globals.local

ignore noexec ${HOME}

noblacklist ${HOME}/.local/share/airshipper

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

mkdir ${HOME}/.local/share/airshipper
whitelist ${HOME}/.local/share/airshipper
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
shell none
tracelog

disable-mnt
private-bin airshipper
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none
```

@rusty-snake commented on GitHub (Nov 12, 2021):

openstego by @Rult in #4677


@rusty-snake commented on GitHub (Nov 21, 2021):

etcher and Ventoy by @Lonniebiz in #4704


@Rult commented on GitHub (Nov 22, 2021):

[waifu2x-converter-cpp](https://aur.archlinux.org/packages/waifu2x-converter-cpp-cuda-git) doesn't see my GPU even with `--noprofile`.
After running the program without firejail it temporarily picks up the GPU and later runs with firejail as intended until system reboot.
Test GPU visibility: `waifu2x-converter-cpp --list-processor`
Test image processing: `waifu2x-converter-cpp -i some_small_picture.jpg -o output_pic.jpg`
As its only purpose is image processing, the `openstego` profile could be used as a base (but it doesn't need Java or any GUI).


@rusty-snake commented on GitHub (Nov 29, 2021):

MEGAsync by @firejailaddssecuirty in #4721


@rusty-snake commented on GitHub (Jan 2, 2022):

[Notable](https://notable.app/) in #4813 by @githlp


@CaseOf commented on GitHub (Jan 6, 2022):

I’m using [seafile-client](https://github.com/haiwen/seafile-client) on this [profile](https://gist.github.com/CaseOf/2f12ae0f19c35f6a5a048b49492d13f0), which seems to work.


@rusty-snake commented on GitHub (Jan 6, 2022):

Remove

  • `ipc-namespacE`
  • `include disable-passwdmgr.inc`
  • private-opt

Add

  • wruc, wrc, wvc, wusc
  • dpc, ds
  • DEscription
  • no3d?
  • noinput
  • noprinters
  • seccomp.block-secondary
  • tracelog
  • private-etc network template
  • `blacklist /usr/libexec` if you have

and open a PR.


@CaseOf commented on GitHub (Jan 6, 2022):

I did add lines 8 and 9 because I was blacklisting these in disable-programs, is it ok?


@rusty-snake commented on GitHub (Jan 6, 2022):

Yes, that's the way you do it, blacklist in dp.inc and noblacklist in the profile.

IDK what's in ${HOME}/Seafile but maybe it would be better to blacklist it (instead of only .seafile-data).


@CaseOf commented on GitHub (Jan 6, 2022):

It is supposed to sync libraries in that directory.


@CaseOf commented on GitHub (Jan 6, 2022):

Adding disable-shell.inc prevents seafile from running…


@rusty-snake commented on GitHub (Jan 6, 2022):

... `private-bin seafile-applet,seaf-daemon,seaf-cli` there's no shell

???


@CaseOf commented on GitHub (Jan 6, 2022):

seaf-cli is a python shell script


@CaseOf commented on GitHub (Jan 6, 2022):

https://github.com/CaseOf/firejail/commit/4b375fa0162484ed992c90c0730dc4e4d46bf2e6
what’s your opinion?


@rusty-snake commented on GitHub (Jan 6, 2022):

Remove

  • include disable-passwdmgr.inc
  • no3d? < syntax
  • seccomp,block-secondar < syntax

add it to firecfg.config and open the PR

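The two syntax slips called out in this review (`no3d?` and `seccomp,block-secondar`) and the earlier advice that a profile which does `include electron.profile` must not set `caps.drop all`, `nonewprivs`, `noroot`, `protocol`, `seccomp*` or `memory-deny-write-execute` can both be caught mechanically before a PR is opened. The linter below is an added example, not firejail's own tooling: its command list is a partial one assembled from the profiles quoted in this thread, the two snippets it checks are constructed, and the "did you mean" hints come from the standard library's `difflib`.

```python
# Added example (not firejail project code): a small lint pass over a firejail
# profile. It flags command names that are not in a known list (with a
# closest-match hint) and sandbox commands that electron.profile already
# manages, which an including profile must not repeat.

import difflib

# Partial list of firejail profile commands, taken from profiles in this thread.
KNOWN_COMMANDS = {
    "include", "ignore", "blacklist", "noblacklist", "whitelist", "mkdir",
    "noexec", "read-only", "apparmor", "caps.drop", "net", "netfilter",
    "no3d", "nodvd", "nogroups", "noinput", "nonewprivs", "noprinters",
    "noroot", "nosound", "notv", "nou2f", "novideo", "protocol", "seccomp",
    "seccomp.block-secondary", "shell", "tracelog", "disable-mnt",
    "private-bin", "private-cache", "private-dev", "private-etc",
    "private-opt", "private-tmp", "dbus-user", "dbus-system",
    "memory-deny-write-execute", "ipc-namespace", "machine-id",
}

# Handled by electron.profile itself; every seccomp* command is reserved too.
ELECTRON_RESERVED = {"caps.drop", "nonewprivs", "noroot", "protocol",
                     "memory-deny-write-execute"}

# Constructed snippets: the lines from the review above, and an electron
# profile that repeats commands it should leave to electron.profile.
REVIEWED_SNIPPET = """include disable-passwdmgr.inc
no3d?
seccomp,block-secondar
ipc-namespacE
seccomp.block-secondary
"""
ELECTRON_SNIPPET = """include electron.profile
caps.drop all
seccomp
noroot
private-tmp
"""


def command_of(line: str) -> str:
    """First token of a profile line, after stripping a ?CONDITION: prefix."""
    if line.startswith("?"):
        line = line.partition(":")[2].strip()
    return line.split(maxsplit=1)[0] if line else ""


def lint_profile(text: str) -> list:
    """Return human-readable findings, one per offending line."""
    lines = [l.strip() for l in text.splitlines()]
    electron = "include electron.profile" in lines
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        cmd = command_of(line)
        if cmd not in KNOWN_COMMANDS:
            hint = difflib.get_close_matches(cmd, KNOWN_COMMANDS, n=1)
            suggestion = f" (did you mean '{hint[0]}'?)" if hint else ""
            findings.append(f"L{lineno}: unknown command '{cmd}'{suggestion}")
            continue
        if electron and (cmd in ELECTRON_RESERVED or cmd.startswith("seccomp")):
            findings.append(
                f"L{lineno}: '{cmd}' is managed by electron.profile; drop it")
    return findings


if __name__ == "__main__":
    for snippet in (REVIEWED_SNIPPET, ELECTRON_SNIPPET):
        for finding in lint_profile(snippet):
            print(finding)
        print("--")
```

Run against the reviewed snippet it reports `no3d?`, `seccomp,block-secondar` and `ipc-namespacE` with the intended spellings as hints (the `include disable-passwdmgr.inc` line is valid syntax, so removing it stays a human review point); against the electron snippet it reports `caps.drop`, `seccomp` and `noroot` while letting `private-tmp` through.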

@CaseOf commented on GitHub (Jan 6, 2022):

Ah, no3d was a question; it can work when this is set, but when starting from a shell, it says it can't reach opengl stuff it would.
What to do in this case?
`libGL error: MESA-LOADER: failed to retrieve device information`

https://github.com/CaseOf/firejail/commit/6a1f6d60e31c630ee8ed171ae409e5069b7cb3d9


@kmk3 commented on GitHub (Jan 9, 2022):

retroshare by @osevan in #4842.


@Futureknows commented on GitHub (May 11, 2022):

Aether (non snap version from https://getaether.net/download/)


@KOLANICH commented on GitHub (May 30, 2022):

`rust-analyzer` (called from such apps as kate and qtcreator; it's an LSP server), access to ~/.cargo/registry is needed.


@rusty-snake commented on GitHub (May 30, 2022):

Starting point for rust-analyzer.profile: https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/cargo.profile


@KOLANICH commented on GitHub (May 30, 2022):

Yeah, I have tried to add `noblacklist ~/.cargo/registry` into `kate.local` without any success.


@ghost commented on GitHub (May 30, 2022):

@KOLANICH

> Yeah, I have tried to add noblacklist ~/.cargo/registry into kate.local without any success.

${HOME}/.cargo/registry is not blacklisted anywhere, but ${HOME}/.cargo is. As it happens there's been a [merge](https://github.com/netblue30/firejail/pull/5159/files) recently relating to the kate.profile that includes `allow-common-devel.inc`, which does `noblacklist ${HOME}/.cargo`. You might want to integrate those changes in your profile or build from git.


@KOLANICH commented on GitHub (May 30, 2022):

> As it happens there's been a merge recently relating to the kate.profile that includes allow-common-devel.inc, which does `noblacklist ${HOME}/.cargo`. You might want to integrate those changes in your profile or build from git.

In fact my first action if I have any profile issues is to rebuild from git, but it hasn't helped. But thanks, I'll try to add `noblacklist ${HOME}/.cargo`.


@kmk3 commented on GitHub (May 31, 2022):

(Offtopic)

@glitsj16 commented [on May 30](https://github.com/netblue30/firejail/issues/1139#issuecomment-1141402027):

> @KOLANICH
>
> > Yeah, I have tried to add noblacklist ~/.cargo/registry into kate.local
> > without any success.
>
> HOME/.cargo/registryisnotblacklistedanywhere,but{HOME}/.cargo is. As it
> happens there's been a
> [merge](https://github.com/netblue30/firejail/pull/5159/files) recently
> relating to the kate.profile that includes `allow-common-devel.inc`, which
> does `noblacklist ${HOME}/.cargo`. You might want to integrate those changes
> in your profile or build from git.

Looks like GitHub mangled part of the text; I opened an issue for this:

  • <https://github.com/github/feedback/discussions/17522>


@Lonniebiz commented on GitHub (May 31, 2022):

Please add FireDM to the list:

  • https://www.appimagehub.com/p/1502600
  • https://appimage.github.io/FireDM/


@Lonniebiz commented on GitHub (Jun 26, 2022):

Notepadqq:
https://www.appimagehub.com/p/1233488/


@Lonniebiz commented on GitHub (Jul 25, 2022):

OnlyOffice
Download the AppImage here:
https://www.onlyoffice.com/download-desktop.aspx?from=default#desktop


@korason7117 commented on GitHub (Aug 17, 2022):

Bottles:
https://usebottles.com/


@0x020B commented on GitHub (Aug 17, 2022):

"Legal computer viruses" in China

  • QQ <https://im.qq.com/linuxqq/download.html>
  • Wechat <https://www.ubuntukylin.com/applications/106-cn.html>
  • Tencent Meeting <https://source.meeting.qq.com/download/>
  • dingtalk <https://alidocs.dingtalk.com/i/p/nb9XJlJ7QbxN8GyA/docs/ROGpvEna5YQWmaPgQ156W4ykmK3zoB27>
  • feishu <https://www.feishu.cn/download>
  • Baidu NetDisk <https://pan.baidu.com/download>
  • 360 Secure Browser <https://browser.360.net/gc/index.html?src=se>

@jian-lin commented on GitHub (Aug 30, 2022):

[nyxt](https://github.com/atlas-engineer/nyxt): a keyboard-driven web browser designed for power users


@alkim0 commented on GitHub (Sep 1, 2022):

[viu](https://github.com/atanunq/viu): terminal image viewer

This is what I'm currently using, but it could probably be tightened:

```
# Firejail profile for viu
# Description: viu is an image viewer.
# This file is overwritten after every install/update
# Persistent local customizations
include viu.local
# Persistent global definitions
include globals.local

blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
include disable-write-mnt.inc
# Users may want to view images in ${HOME}
#include disable-xdg.inc

# Users may want to view images in ${HOME}
#include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
# Users may want to view images in /usr/share
#include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
net none
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
seccomp.block-secondary
tracelog

private-bin viu
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none

memory-deny-write-execute
```

@rusty-snake commented on GitHub (Sep 1, 2022):

Open a PR with it. There's nothing much which can be hardened beside your comments.

  • include disable-proc.inc
  • check for configurations files in $HOME (follow the instructions in the template)
  • add machine-id
  • consider read-only ${HOME}
  • maybe we should comment mdwe by default

@mYnDstrEAm commented on GitHub (Sep 3, 2022):

[muffon](https://github.com/staniel359/muffon): desktop music streaming browser

An alternative to the [nuclear music player](https://github.com/nukeop/nuclear/) which still is too bugged to use and already has a fj profile. It probably only needs a few tweaks to that profile.


@DNDEBUG commented on GitHub (Nov 18, 2022):

[Vscape/Runescape](https://vidyascape.org/)
very cool game
can't run with firejail


@bruceleerabbit commented on GitHub (Dec 14, 2022):

Kalium installer
Kalium app

Kalium is a Java—Gradle project distributed as a self-installing package. Gradle is the executable used for installation and after installation later invocations should cause the app to execute. So in principle there should be a profile for running for the purpose of installation & a separate profile for the purpose of running the (already installed) app.


@rusty-snake commented on GitHub (Dec 19, 2022):

olive by @anomalocaris452 in #5534


@anomalocaris452 commented on GitHub (Dec 19, 2022):

Could we add yed too?

It's very close to Visio + on Linux you only get dia (abandonware) + karbon + lodraw there


@anomalocaris452 commented on GitHub (Dec 23, 2022):

@rusty-snake new request

Enve-animator (a cute ktoon tier app) https://maurycyliebner.github.io/

Wick Editor (it's LITERALLY Hype/Animate but open source kek) https://www.wickeditor.com/#/download/

And Olive should be Olive 0.2 (0.1 is unsupported + no GitHub commits cz devs are only on 0.2)


@bruceleerabbit commented on GitHub (Dec 23, 2022):

hydroxide


@anomalocaris452 commented on GitHub (Dec 24, 2022):

opentoonz https://opentoonz.github.io/e/

tahoma2d https://tahoma2d.org/

tupi https://tupitube.com/


@anomalocaris452 commented on GitHub (Dec 30, 2022):

google web designer

firejail is important cz it literally relies on abandonware libraries >)


@vinoff commented on GitHub (Mar 24, 2023):

WhatsApp Desktop: https://aur.archlinux.org/packages/whatsapp-nativefier


@Dyras commented on GitHub (Apr 7, 2023):

Mullvad Browser:
https://mullvad.net/en/download/browser/linux
https://github.com/mullvad/mullvad-browser

It's based on Tor Browser.


@ghost commented on GitHub (Apr 7, 2023):

@Dyras I'm sure we'll be including a profile for Mullvad Browser soonish. At the moment it's not fully clear yet how distros will package it. In the meantime you can try [these](https://gist.github.com/glitsj16/cb0e325cd5e7269defc6843e6bb88532), which I tested for the AUR's [mullvad-browser-bin](https://aur.archlinux.org/packages/mullvad-browser-bin).


@kirasok commented on GitHub (Jun 4, 2023):

[bukubrow](https://github.com/SamHH/bukubrow-webext) support for firefox
bukubrow is a WebExtension for [Buku](https://github.com/jarun/Buku), a command-line bookmark manager

<!-- gh-comment-id:1575542029 --> @kirasok commented on GitHub (Jun 4, 2023): [bukubrow](https://github.com/SamHH/bukubrow-webext) support for firefox [buku](https://github.com/jarun/Buku)brow is a WebExtension for Buku, a command-line bookmark manager
Author
Owner

@ghost commented on GitHub (Jun 6, 2023):

@kirasok After installing the bukubrow WebExtension in your Firefox and placing files from its [native messaging host counterpart](https://github.com/SamHH/bukubrow-host) into ~/.mozilla/native-messaging-hosts, you should be good to go. You might need to add `whitelist ${HOME}/.local/share/buku` to your ~/.config/firejail/firefox.local to access buku's bookmarks.db. Not sure if an additional `read-only ${HOME}/.local/share/buku` is needed, but that's easily determined when using the WebExtension.

It's not clear to me if your request includes a Firejail profile for `buku` itself. Just out of curiosity I've played with it and created a preliminary profile for it. As buku heavily relies on the EDITOR and/or VISUAL environment variables to determine your preferred text editor, it's a bit tricky to cover all options in a Firejail profile. So I only added support for `nano` by default. If you decide to try it with another text editor, read the comments inside about supporting `gedit` and adapt accordingly. Here's the [buku.profile](https://gist.github.com/glitsj16/c8e66f5a903c18bc65931a424a2db65e). I have zero familiarity with buku, and I haven't tested it very thoroughly, but it's a start... Please communicate there for now if you need help. We can open a PR to bring it into Firejail later.

@FOSSProponent9436 commented on GitHub (Jun 10, 2023):

SVPManager / Installer https://www.svp-team.com/


@MikeNavy commented on GitHub (Jun 20, 2023):

Hi,

I request a profile to be added for VMware Workstation Player.

Product page: https://www.vmware.com/content/vmware/vmware-published-sites/us/products/workstation-player/workstation-player-evaluation.html.html

("VMware Player" and "VMware Workstation" were merged into "VMware Workstation Player" years ago, and "VMware Player" no longer exists; today the existing products are "VMware Workstation Player" and "VMware Workstation Pro")

See https://github.com/netblue30/firejail/issues/5861, `vmplayer` cannot use the existing "vmware-player.profile" or "vmware.profile".

Regards,

MN

@svc88 commented on GitHub (Jul 1, 2023):

Hi

Please can I request an RSSGuard profile, https://github.com/martinrotter/rssguard/releases
They use AppImage.

@ghost commented on GitHub (Jul 2, 2023):

@svc88 I've put together this `rssguard.profile`. Can you test if it works and offers the functionalities you expect? Personally I don't use any of these online feed services and didn't want to create any accounts so there might be some extra options needed in the profile. Basics and Adblock activation via node do seem to work okay, that I've tested. The app is quite verbose on CLI so you should be able to catch any errors while testing.

UPDATE: opened #5881 to bring this in.

```
# Firejail profile for rssguard
# Description: Simple (yet powerful) Qt feed reader
# This file is overwritten after every install/update
# Persistent local customizations
include rssguard.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/RSS Guard 4

include allow-nodejs.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

mkdir ${HOME}/.config/RSS Guard 4
whitelist ${HOME}/.config/RSS Guard 4
whitelist ${DOWNLOADS}
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
netfilter
# no3d
nodvd
nogroups
noinput
nonewprivs
noroot
# nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
tracelog

disable-mnt
private-bin node,rssguard
private-dev
private-etc @network,@sound,@tls-ca,@x11,mime.types
private-tmp

dbus-user none
dbus-system none

restrict-namespaces
```

@celenityy commented on GitHub (Aug 8, 2023):

I'd really appreciate profiles for [Heroic Games Launcher](https://heroicgameslauncher.com/) & [Prism Launcher](https://prismlauncher.org/)

@vinoff commented on GitHub (Sep 13, 2023):

A profile for **BEEPER** would be great. https://www.beeper.com/

@ghost commented on GitHub (Sep 13, 2023):

@vinoff I had a look at `beeper` and put together a minimally/crudely tested profile. Didn't feel like signing up (just a personal thing with sharing a phone number etcetera). You can [find it here](https://gist.github.com/glitsj16/3a34f00fe7e74716e1965c25afa714eb). I've based the profile on what I could determine via the [beeper-latest-bin](https://aur.archlinux.org/packages/beeper-latest-bin) from the AUR.

Apparently the `beeper.desktop` file disables chrome-sandbox by using the below Exec line:

```
Exec=beeper --no-sandbox %U
```

IMO this isn't the most secure thing to do, so I'd advise to try this app while removing that `--no-sandbox` flag and see if things break. Just my $ 0.02 :-)

If you could test Beeper when actually using it, that would be great. We could consider adding the profile (adjusted where needed) later. Don't feel comfortable doing so when I haven't done that properly. HTH
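
An added example for the `--no-sandbox` point above (it is not code from the thread, the Beeper package or the Firejail project): a small POSIX shell script that finds `Exec=` lines in a `.desktop` file which start the app with `--no-sandbox`, and writes a copy with the flag removed so a per-user override can be tried without editing the packaged file. The `beeper.desktop` content in the demo is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Beeper package, the thread or the Firejail
# project. It does what the comment above suggests by hand: find a .desktop
# file whose Exec= line starts an Electron app with --no-sandbox, and write a
# per-user copy with the flag removed so the override can be tested without
# touching the packaged file. The beeper.desktop content below is constructed.

# find_no_sandbox FILE: print Exec= lines carrying --no-sandbox; status 0 if any.
find_no_sandbox() {
    grep -E '^Exec=.*[[:space:]]--no-sandbox([[:space:]]|$)' "$1"
}

# strip_no_sandbox SRC DST: copy SRC to DST with --no-sandbox removed from
# every Exec= line; all other lines are copied unchanged.
strip_no_sandbox() {
    sed -E -e '/^Exec=/ s/[[:space:]]+--no-sandbox([[:space:]]+|$)/ /' \
           -e '/^Exec=/ s/[[:space:]]+$//' "$1" > "$2"
}

# Demo on a constructed desktop entry.
demo=$(mktemp -d)
cat > "$demo/beeper.desktop" <<'EOF'
[Desktop Entry]
Name=Beeper
Exec=beeper --no-sandbox %U
Type=Application
Categories=Network;InstantMessaging;
EOF
if find_no_sandbox "$demo/beeper.desktop" >/dev/null; then
    echo "chrome-sandbox is disabled by:"
    find_no_sandbox "$demo/beeper.desktop"
    strip_no_sandbox "$demo/beeper.desktop" "$demo/beeper-override.desktop"
    echo "override would launch with:"
    grep '^Exec=' "$demo/beeper-override.desktop"
fi
rm -rf "$demo"
```

A copy with the same filename placed in `~/.local/share/applications/` takes precedence over the system entry, so the override can be tested and removed without touching the package. As noted above, the app may not start without the flag; that outcome is the test result, not a reason to keep `--no-sandbox` silently.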

@jtrv commented on GitHub (Sep 15, 2023):

a profile for [tidal-hifi](https://github.com/Mastermindzh/tidal-hifi) would be great.

So far I have this, I'll try to open a PR later:

```
# Firejail profile for tidal-hifi

include globals.local

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

whitelist ${HOME}/.config/tidal-hifi
whitelist /opt/tidal-hifi

apparmor
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6,netlink

disable-mnt
private-cache
private-dev
private-tmp

seccomp !chroot
tracelog

private-bin chrome-sandbox,electron,electron[0-9],electron[0-9][0-9],tidal-hifi,xdg-open
private-opt tidal-hifi

dbus-system none

join-or-start tidal-hifi
```

@marek22k commented on GitHub (Sep 22, 2023):

I would be happy about a profile for [Eclipse](https://eclipseide.org/).

@Lonniebiz commented on GitHub (Nov 3, 2023):

[Pinokio](https://docs.pinokio.computer/) allows you to play around with all the awesome new open source AI models that are rapidly coming out these days. It allows you to install, run, and automate any AI applications and models automatically and effortlessly.

I'm very eager to try it out via [AppImage](https://github.com/pinokiocomputer/pinokio/releases), but I need a firejail profile for it. This [video](https://www.youtube.com/watch?v=Gunh6VoEJuU) claims it is already self-contained, but I'd feel more comfortable if firejail ensured that containment. I don't want the AI to break out and take over my computer!

Anyway, I'm really looking forward to there being a profile for this AppImage. Thank you in advance.

@Lonniebiz commented on GitHub (Nov 26, 2023):

**Pulsar:**
https://pulsar-edit.dev/

AppImage is available here:
https://pulsar-edit.dev/download.html#regular-releases

This is a live fork of the (discontinued) Atom text editor. Atom was made by GitHub's original owners. Microsoft purchased GitHub and "sunset" the project on December 15, 2022. It is a fantastic text editor for web development. I'm so happy to see it forked.

The profile will likely be very similar to the one already created for Atom:
/etc/firejail/atom.profile

However, from running it in a virtual machine, I see at least two changes that are needed; its config file folder location:
~/.config/Pulsar --> I wish everything was kept here, but there's also:
~/.pulsar -----------> I noticed that addon packages are kept in this location.

I'd love to see a Pulsar profile located here:
/etc/firejail/pulsar.profile

I achieved a [custom profile that launches Pulsar](https://github.com/netblue30/firejail/issues/6105), but it can likely be improved to be less permissive. I'm still learning.

@marek22k commented on GitHub (Nov 30, 2023):

I would be happy about a profile for [Nyxt](https://nyxt.atlas.engineer/).

@ghost commented on GitHub (Nov 30, 2023):

@marek22k Can you try nyxt with `--noprofile` and `--profile=noprofile` please? I'm afraid it might be bubblewrapped as mentioned in #6103 and #3647. If not we can start designing a profile for it.

@marek22k commented on GitHub (Nov 30, 2023):

```
$firejail --noprofile --profile=noprofile.profile /usr/bin/nyxt
Error: --noprofile and --profile options are mutually exclusive
```

```
$firejail --noprofile /usr/bin/nyxt
Parent pid 5479, child pid 5480
Child process initialized in 5.96 ms
Nyxt version 3.9.2
<INFO> [13:43:59] Source location: #P"/usr/share/nyxt/"
<INFO> [13:43:59] Listening to socket: #P"/run/user/1000/nyxt/nyxt.socket"

(nyxt:2): libenchant-WARNING **: 13:43:59.860: Error loading plugin: libhspell.so.0: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 13:43:59.861: Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 13:43:59.861: Error loading plugin: libvoikko.so.1: cannot open shared object file: No such file or directory

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (nyxt:2): ERROR **: 13:44:00.252: Failed to fully launch dbus-proxy: Child process exited with code 1
<WARN> [13:44:00] Warning: Error in FFI method: The value
  :INVALID-CODE-OBJECT-AT-PC
is not of type
  (SIMPLE-ARRAY (SIGNED-BYTE 32) (*))
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [13:44:00] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
bwrap: Can't mount proc on /newroot/proc: Operation not permitted

(process:2): Gtk-CRITICAL (recursed) **: gtk_box_pack: assertion 'GTK_IS_WIDGET (child)' failed
fatal error encountered in SBCL pid 2 tid 24:
SIGABRT received.

   0: fp=0x699f3dac76c0 pc=0x699f5107d83c Foreign function (null)

Parent is shutting down, bye...
```

What does it mean that it is in bwrap? Why can't Firejail build a sandbox around bwrap?

@Lonniebiz commented on GitHub (Nov 30, 2023):

Sielo: https://sielo.app/

This web browser has some innovative features. I'm especially interested in what they call **tabs spaces**, which essentially allows you to tile multiple webpages within a single window. They provide a portable [AppImage](https://sielo.app/download.php?for=linux) for download, and that's what I'd like a Firejail profile for.

@ghost commented on GitHub (Nov 30, 2023):

@marek22k
So the --noprofile test confirms that bubblewrap refuses to play along with firejail. Two options left though.

(1) Behind the scenes --noprofile uses /etc/default.profile, which includes disable-common.inc. The latter file blacklists ${PATH}/bwrap. Try `$ firejail --noprofile --noblacklist=/usr/bin/bwrap /usr/bin/nyxt`.

(2) Also run `$ firejail --profile=noprofile /usr/bin/nyxt`. This is the weakest possible firejail profile. It does not block access to ${PATH}/bwrap like --noprofile does. If it still fails, we can't sandbox nyxt with firejail due to incompatibilities between the two.

@marek22k commented on GitHub (Nov 30, 2023):

```
$ firejail --noprofile --noblacklist=/usr/bin/bwrap /usr/bin/nyxt
Parent pid 440743, child pid 440744
Child process initialized in 5.28 ms
Nyxt version 3.9.2
<INFO> [15:11:29] Source location: #P"/usr/share/nyxt/"
<INFO> [15:11:29] Listening to socket: #P"/run/user/1000/nyxt/nyxt.socket"

(nyxt:2): libenchant-WARNING **: 15:11:29.703: Error loading plugin: libhspell.so.0: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:29.704: Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:29.704: Error loading plugin: libvoikko.so.1: cannot open shared object file: No such file or directory

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (nyxt:2): ERROR **: 15:11:29.999: Failed to fully launch dbus-proxy: Child process exited with code 1
<WARN> [15:11:29] Warning: Error in FFI method: The value
  :INVALID-CODE-OBJECT-AT-PC
is not of type
  (SIMPLE-ARRAY (SIGNED-BYTE 32) (*))
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:30] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:30] Warning: Web process terminated for buffer 6528 (opening ) because it crashed

(process:2): Gtk-CRITICAL (recursed) **: gtk_box_pack: assertion 'GTK_IS_WIDGET (child)' failed
fatal error encountered in SBCL pid 2 tid 12:
SIGABRT received.

   0: fp=0x7f55bbbcf6c0 pc=0x7f55cc2bd83c Foreign function (null)

Parent is shutting down, bye...
```

```
$ firejail --profile=noprofile /usr/bin/nyxt
Reading profile /etc/firejail/noprofile.profile
Parent pid 440852, child pid 440853
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 6.67 ms
Nyxt version 3.9.2
<INFO> [15:11:55] Source location: #P"/usr/share/nyxt/"
<INFO> [15:11:56] Listening to socket: #P"/run/user/1000/nyxt/nyxt.socket"

(nyxt:2): libenchant-WARNING **: 15:11:56.172: Error loading plugin: libhspell.so.0: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:56.173: Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:56.173: Error loading plugin: libvoikko.so.1: cannot open shared object file: No such file or directory

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (nyxt:2): ERROR **: 15:11:56.477: Failed to fully launch dbus-proxy: Child process exited with code 1
<WARN> [15:11:56] Warning: Error in FFI method: The value
  :INVALID-CODE-OBJECT-AT-PC
is not of type
  (SIMPLE-ARRAY (SIGNED-BYTE 32) (*))
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:56] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:56] Warning: Web process terminated for buffer 6528 (opening ) because it crashed

(process:2): Gtk-CRITICAL (recursed) **: gtk_box_pack: assertion 'GTK_IS_WIDGET (child)' failed
fatal error encountered in SBCL pid 2 tid 12:
SIGABRT received.

   0: fp=0x7f36c6dcf6c0 pc=0x7f36d74fe83c Foreign function (null)

Parent is shutting down, bye...
```

Too bad firejail and bwrap don't work together. Firejail blocks file access for browsers by default except for the download folder, bwrap doesn't do that. I'll see if I can find some bwrap documentation somewhere where I can set this.

@ghost commented on GitHub (Nov 30, 2023):

@marek22k Yup, those incompatibilities are indeed a pain. Maybe you can try containing nyxt with [bubblejail](https://github.com/igo95862/bubblejail), which is bubblewrap-based.

@rusty-snake commented on GitHub (Nov 30, 2023):

> (1) Behind the scenes --noprofile uses /etc/default.profile

No. It is more like --profile=/dev/null (i.e. empty.profile).

Longer firejail+bwrap discussions should happen in a new Discussion.
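
An added example for the nyxt exchange above (it is not code from the thread or from the Firejail project): a POSIX shell function that classifies a captured firejail run log the way the participants did by hand. A program that starts its own bubblewrap sandbox fails inside firejail with `bwrap: Can't mount proc on /newroot/proc: Operation not permitted`, and that signature means the problem is nesting, not a missing profile line. The log excerpt in the demo is constructed from the lines posted above.

```shell
#!/bin/sh
# Added example, not code from the Firejail project or from anyone in this
# thread. It classifies a captured firejail run log by the signatures seen
# above: a program that spawns its own bubblewrap sandbox is refused its
# mounts inside the firejail namespace, so the fix is not a profile tweak.
# The log below is constructed from the lines posted in the thread.

# classify_firejail_log LOGFILE
# Prints one verdict word:
#   usage-error   firejail rejected the command line, nothing was sandboxed
#   nested-bwrap  the program ran bwrap itself and the kernel refused its
#                 proc mount inside the firejail sandbox (incompatible)
#   bwrap-other   bwrap complained about something else
#   clean         none of the known signatures present
classify_firejail_log() {
    if grep -q 'Error: --noprofile and --profile options are mutually exclusive' "$1"; then
        echo usage-error
    elif grep -q "^bwrap: Can't mount proc on /newroot/proc: Operation not permitted" "$1"; then
        echo nested-bwrap
    elif grep -q '^bwrap: ' "$1"; then
        echo bwrap-other
    else
        echo clean
    fi
}

# count_bwrap_failures LOGFILE: number of refused bwrap mounts, i.e. how many
# helper processes (dbus-proxy, web processes) the program tried to wrap.
count_bwrap_failures() {
    grep -c "^bwrap: Can't mount" "$1" || true
}

# suggest_next_step VERDICT: the follow-up the thread arrives at for each case.
suggest_next_step() {
    case $1 in
        usage-error)  echo 'Use either --noprofile or --profile=..., not both.' ;;
        nested-bwrap) echo 'The program sandboxes itself with bubblewrap; firejail cannot nest it. Try a bubblewrap-based tool such as bubblejail.' ;;
        bwrap-other)  echo 'bwrap ran but failed for another reason; inspect the bwrap: lines.' ;;
        *)            echo 'No bubblewrap conflict seen; keep tightening the profile.' ;;
    esac
}

# Demo on a constructed excerpt of the nyxt log posted above.
demo=$(mktemp -d)
cat > "$demo/nyxt.log" <<'EOF'
Parent pid 5479, child pid 5480
Child process initialized in 5.96 ms
Nyxt version 3.9.2
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
** (nyxt:2): ERROR **: 13:44:00.252: Failed to fully launch dbus-proxy: Child process exited with code 1
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
Parent is shutting down, bye...
EOF
verdict=$(classify_firejail_log "$demo/nyxt.log")
echo "verdict: $verdict ($(count_bwrap_failures "$demo/nyxt.log") refused bwrap mounts)"
suggest_next_step "$verdict"
rm -rf "$demo"
```

Run the candidate with `firejail --profile=noprofile <app> 2>&1 | tee run.log` first, since that is the weakest profile; if the verdict is already `nested-bwrap` there, no amount of `noblacklist` or `whitelist` lines will help, which is exactly what the two runs above showed.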

@marek22k commented on GitHub (Dec 6, 2023):

I would be happy about a profile for Apache NetBeans IDE.

Maybe something like the following:

include netbeans.local
include globals.local

noblacklist ${HOME}/.netbeans

ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc


include allow-common-devel.inc
include disable-common.inc
include disable-programs.inc

caps.drop all
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp

private-cache
private-dev
private-tmp

restrict-namespaces
<!-- gh-comment-id:1843657847 --> @marek22k commented on GitHub (Dec 6, 2023): I would be happy about a profile for [Apache NetBeans IDE](https://netbeans.apache.org/). Maybe something like the following: ``` include netbeans.local include globals.local noblacklist ${HOME}/.netbeans ignore include disable-devel.inc ignore include disable-exec.inc ignore include disable-interpreters.inc ignore include disable-xdg.inc ignore include whitelist-common.inc ignore include whitelist-runuser-common.inc ignore include whitelist-usr-share-common.inc ignore include whitelist-var-common.inc include allow-common-devel.inc include disable-common.inc include disable-programs.inc caps.drop all netfilter no3d nodvd nogroups noinput nonewprivs noroot nosound notv nou2f novideo protocol unix,inet,inet6 seccomp private-cache private-dev private-tmp restrict-namespaces ```

@ilikenwf commented on GitHub (Feb 15, 2024):

I'd like a profile for [Armcord](https://github.com/NextWork123/ArmCord), as it seems hamsket is not developed anymore. As an aside, what's the difference between including the hardened electron profile and the normal one?

Either way, something like the following (it uses gio for opening links).

```
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
#include electron-common.profile # to use this we'd need to ignore the no private-lib directive?

mkdir ${HOME}/.config/ArmCord
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ArmCord
include whitelist-common.inc

dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none

dbus-user.talk org.mozilla.librewolf.*
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*

private-lib gio

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
```

@0xn1h1Lo commented on GitHub (Feb 21, 2024):

I have tweaked some electron profile for Joplin (distributed as appimage). Happy to share my file with the notes of what I tried and didn't. A cleaned up version below (I removed all comments):

```
#   NOBLACKLISTS
noblacklist ${HOME}/.config/Electron
noblacklist ${HOME}/.config/electron*-flag*.conf

#   ALLOW INCLUDES
#   BLACKLISTS
blacklist /usr/libexec

#   DISABLE INCLUDES
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
include disable-shell.inc

# content of disable-exec.inc - removed noexec /tmp, prevented joplin from starting
noexec ${HOME}
noexec ${RUNUSER}
noexec /dev/mqueue
noexec /dev/shm
noexec /run/shm
noexec /var

include chromium-common-hardened.inc.profile

#   NOWHITELISTS

#   MKDIRS
mkdir ${HOME}/.config/Joplin
mkdir ${HOME}/.config/joplin-desktop

#   WHITELISTS
whitelist ${HOME}/.config/Joplin
whitelist ${HOME}/.config/joplin-desktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Electron
whitelist ${HOME}/.config/electron*-flag*.conf

#   WHITELIST INCLUDES
include whitelist-runuser-common.inc
include whitelist-var-common.inc

#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
notv
nou2f
novideo

#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
disable-mnt
private-cache
private-tmp

#   DBUS FILTER
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-system none
```

Then launching with: `firejail --appimage --profile=joplin --nosound /path/to/Joplin.AppImage`

@ghost commented on GitHub (Feb 21, 2024):

@dev-uhuru Nice! Feel free to open a PR for joplin.profile. We can help work out any specifics for the non-appimage version (if there are any). Thanks for sharing.

@RundownRhino commented on GitHub (Mar 22, 2024):

I recently set up KDE connect and plasma-browser-integration for firefox (Linux Mint 21.2) and it seems that the comments in the profile are slightly outdated.
In addition to these lines in firefox.local:

```
# Add the next lines to your firefox.local for plasma browser integration.
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver
```

(and to `ignore dbus-user none` and `include firefox-common-addons.profile` in firefox-common.local), after investigating via `firejail --profile=firefox.profile --dbus-user.log firefox` I found out I also needed to enable this dbus route:

```
dbus-user.talk org.kde.kdeconnect
```

This should probably be added to the comment in `firefox.local`, if someone can replicate this issue.

@ghost commented on GitHub (Mar 22, 2024):

@RundownRhino Thanks for reporting. Comments are prone to gather dust as software moves on. Can you open a PR for it?

@RundownRhino commented on GitHub (Mar 23, 2024):

@glitsj16 Opened a PR. As a side note, it seems `include firefox-common-addons.profile` is not necessary for this extension to work, but rather breaks all firefox sound when enabled. Not sure why, maybe from the `ignore whitelist`s that it does.

@konstantin1722 commented on GitHub (Apr 16, 2024):

Hi, I have sketched out a profile for Obsidian, I needed it urgently. I've been looking into it for a couple of hours, so I think more knowledgeable people will suggest improvements. But it already works for appimage and binary.

```
# Save this file as "obsidian.profile" in ~/.config/firejail directory. Firejail will find it
# automatically every time you sandbox your application.

### Basic Blacklisting ###
include disable-common.inc          # dangerous directories like ~/.ssh and ~/.gnupg
include disable-devel.inc           # development tools such as gcc and gdb
include disable-exec.inc            # non-executable directories such as /var, /tmp, and /home
include disable-interpreters.inc    # perl, python, lua etc.
include disable-programs.inc        # user configuration for programs such as firefox, vlc etc.
include disable-xdg.inc             # standard user directories: Documents, Pictures, Videos, Music

#include disable-shell.inc           # sh, bash, zsh etc.

### Home Directory Whitelisting ###
whitelist ${HOME}/.gitconfig
whitelist ${HOME}/.config/git

whitelist ${HOME}/.pki/nssdb
whitelist ${HOME}/.cache/AMD
whitelist ${HOME}/.cache/nvidia
whitelist ${HOME}/.local/share/vulkan
whitelist ${HOME}/.local/share/vulkan/implicit_layer.d
whitelist ${HOME}/.config/vulkan
whitelist ${HOME}/.local/share/vulkan/loader_settings.d
whitelist ${HOME}/.config/kdedefaults
whitelist ${HOME}/.Xdefaults-desktop-pc
whitelist ${HOME}/.config/kdedefaults/gtk-3.0
whitelist ${HOME}/.cache/mesa_shader_cache
whitelist ${HOME}/.local/share/applnk
whitelist ${HOME}/.config/obsidian

include whitelist-common.inc

### Filesystem Whitelisting ###
whitelist /run/systemd/machines/api.obsidian.md
whitelist /run/systemd/resolve/io.systemd.Resolve
whitelist /run/systemd/machines/raw.githubusercontent.com
whitelist /run/udev/control

include whitelist-run-common.inc
include whitelist-runuser-common.inc

whitelist /usr/share/applnk

include whitelist-usr-share-common.inc
include whitelist-var-common.inc

#apparmor       # if you have AppArmor running, try this one!

caps.drop all
ipc-namespace

#no3d           # disable 3D acceleration
#nodvd          # disable DVD and CD devices
#nogroups       # disable supplementary user groups
#noinput        # disable input devices
#novideo        # disable video capture devices

nonewprivs
noroot
?HAS_APPIMAGE: notv            # disable DVB TV devices
?HAS_APPIMAGE: nou2f           # disable U2F devices

protocol unix,inet,inet6,netlink,

# If you need networking, enable the firewall and disable "net none"
#net none        # disable network
netfilter       # enable default firewall in sandbox

seccomp !chroot # allowing chroot, just in case this is an Electron app
shell none

#tracelog       # send blacklist violations to syslog

disable-mnt     # no access to /mnt, /media, /run/mount and /run/media

private-bin git,cat,gawk,tr,realpath,cut,grep,basename,bash,obsidian,electron28
private-dev
private-etc gitattributes,gitconfig,ca-certificates,libva.conf,vulkan,ati,nsswitch.conf,hosts,xdg,gtk-3.0,drirc,fonts,gnutls,

?HAS_APPIMAGE: private-lib
?HAS_APPIMAGE: private-tmp

#dbus-user none
#dbus-system none
dbus-user filter
```

There's a resolution for git, as I'm using the Obsidian plugin for git.

```
whitelist ${HOME}/.gitconfig
whitelist ${HOME}/.config/git

...

private-bin ...git,...
```

Launch commands:

```bash
firejail --appimage --profile=/home/$USER/.config/firejail/obsidian.profile ./Obsidian-1.5.12.AppImage
# or
firejail --profile=/home/$USER/.config/firejail/obsidian.profile /usr/bin/obsidian
```

I left some things commented out as I didn't fully understand them. I'm interested in a discussion on this profile, anyone have any tips for improvement?

**UPD:** #6314

@kmk3 commented on GitHub (Apr 16, 2024):

> Hi, I have sketched out a profile for Obsidian

> I left some things commented out as I didn't fully understand them. I'm
> interested in a discussion on this profile, anyone have any tips for
> improvement?

Please open a pull request for it; this issue is not a good place for reviews.

@tmarplatt commented on GitHub (May 9, 2024):

I humbly request profile support for [DaVinci Resolve](https://www.blackmagicdesign.com/es/products/davinciresolve/) for Linux, a non-linear video editor application. It requires input and gpu dev access. It is released as a self-contained AppImage executable.

The file is free to download but the website may hide the download link and ask you to register before download.

I've not managed to get it working on Linux Mint 21.3. It seems to require elevated privileges and it looks like that conflicts with `--appimage`.

@ghost commented on GitHub (May 9, 2024):

@tmarplatt

I've looked into 'DaVinci Resolve for Linux'. Don't have the hardware to actually use it, but there are a few things you might try.

First of all, it's not the program itself that's distributed as AppImage, but its installer. That ties in to your remark that it requires elevated privileges. Anything that wants to install files to the system-wide directories (e.g. /opt/DaVinciResolve) will need sudo, nothing new or unexpected there. The foo.run file (the AppImage) also supports installing into your ${HOME} via the -C switch (see `./foo.run -h` for details). TL;DR Install the program first and after doing so you can start testing/creating a firejail profile for it.

Other observations. This is not your 'common' application, and there seem to be loads of potential roadblocks (not very surprising with proprietary software). I consulted the Arch Wiki page while investigating, might be helpful on your Linux Mint too: https://wiki.archlinux.org/title/DaVinci_Resolve. There are [several AUR packages](https://aur.archlinux.org/packages?K=davinci-resolve) available that you can look at for guidance on how to get it properly installed (if you're familiar with Arch Linux's PKGBUILD format).

To save some time and hair-pulling you can check upfront if Firejail is actually able to sandbox DaVinci Resolve properly by running it via the `noprofile.profile`. Depending on where you've installed that could look like `firejail --profile=noprofile /opt/resolve/bin/resolve`. If the program doesn't work with that profile it will not be possible to use Firejail for sandboxing it.

Far from ideal and very likely a lot of moving parts. The PDF that came with the download actually mentions 'Installing DaVinci Resolve’s Rocky Linux ISO' in a VM. IMO that's going to be the easier route.

HTH

@vinoff commented on GitHub (May 25, 2024):

vesktop: https://github.com/Vencord/Vesktop

Vesktop is a custom Discord App aiming to give you better performance and improve linux support

@ghost commented on GitHub (May 25, 2024):

@vinoff

We'll look into `vesktop`. In the meantime it would be very helpful if you could provide some details on this program. Especially, as it is a Discord clone, my first thoughts are to try to integrate a vesktop.profile into our existing `discord-common.profile`. Can you tell us where vesktop stores its data? E.g. does it also use ${HOME}/.config/discord or does it have its own dedicated location? Also interesting to know would be the path under which vesktop's executable is installed (/opt/vesktop or somewhere else)?

HTH

@ilikenwf commented on GitHub (May 30, 2024):

> I'd like a profile for [Armcord](https://github.com/NextWork123/ArmCord), as it seems hamsket is not developed anymore. As an aside, what's the difference between including the hardened electron profile and the normal one?
>
> Either way, something like the following (it uses gio for opening links).
>
> ```
> include disable-common.inc
> include disable-devel.inc
> include disable-interpreters.inc
> include disable-programs.inc
> #include electron-common.profile # to use this we'd need to ignore the no private-lib directive?
>
> mkdir ${HOME}/.config/ArmCord
> whitelist ${DOWNLOADS}
> whitelist ${HOME}/.config/ArmCord
> include whitelist-common.inc
>
> dbus-user.talk org.freedesktop.Notifications
> ignore dbus-user none
>
> dbus-user.talk org.mozilla.librewolf.*
> dbus-user.talk io.gitlab.librewolf.*
> dbus-user.talk org.cachyos.cachy_browser.*
>
> private-lib gio
>
> caps.drop all
> netfilter
> nodvd
> nogroups
> nonewprivs
> noroot
> notv
> protocol unix,inet,inet6,netlink
> ```

This works, but netfilter needs to be removed otherwise.

@ghost commented on GitHub (May 30, 2024):

@ilikenwf

> As an aside, what's the difference between including the hardened electron profile and the normal one?

The following options can be added to the sandbox when your kernel supports `unprivileged namespaces` (which the traditional, larger distros have had for a while now):

```
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp !chroot
```

This results in a significant hardening of the sandbox. So if you can, it's advised to enable it.
We shuffled around a few includes in the git version as compared to 0.9.72. The actual hardening needs to be enabled now via `blink-common.local` that has the one-liner `include blink-common-hardened.inc.profile`.

Based on the [ArmCord packages available in the AUR](https://aur.archlinux.org/packages?K=armcord&O=0&submit=Go) I've created the below (untested) armcord.profile. It would be awesome if you could test it, but as hinted above, you'll need the [firejail-git](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git) version to do so.

```sh
$ cat ~/.config/firejail/armcord.profile
# Firejail profile for armcord
# Description: Standalone Discord client
# This file is overwritten after every install/update
# Persistent local customizations
include armcord.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/ArmCord

# sh is needed to allow Firefox to open links
#include allow-bin-sh.inc

ignore noexec ${HOME}

mkdir ${HOME}/.config/ArmCord
whitelist ${HOME}/.config/ArmCord
#whitelist /opt/Armcord
whitelist /opt/armcord
whitelist /usr/share/armcord

# The lines below are needed to find the default Firefox profile name, to allow
# opening links in an existing instance of Firefox (note that it still fails if
# there isn't a Firefox instance running with the default profile; see #5352)
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini

ignore novideo
private-bin armcord

dbus-user filter
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*
dbus-user.talk org.freedesktop.Notifications
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*
ignore dbus-user none

join-or-start armcord

# Redirect
include electron-common.profile
```
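A small static review of a profile text, added here as an example (this is not firejail's own code and not from any of the thread's authors). It parses the profile syntax used in the drafts in this thread (one directive per line, `#` comments, `ignore <prefix>`, `?COND:` conditionals), reports which of the hardening options listed in the previous comment are missing, and lists the `dbus-user.talk` names the filter lets through, which is the kind of route RundownRhino had to discover with `--dbus-user.log` earlier. Assumptions: the profile text is handed in as a string, `include` files are recorded but not followed, and `ignore` is modelled as a prefix match against later lines (the reason `.local` files are included at the top of a profile). The sample input is constructed from the first ArmCord draft above, with a `dbus-user none` line and a conditional added so both mechanisms are exercised.

```python
"""Static review of a firejail profile for the hardening options discussed above.

Added example, not part of firejail. Handles the profile syntax seen in this
thread: one directive per line, '#' comments, 'ignore <prefix>' (drops later
lines that start with <prefix>) and '?COND: <directive>' conditionals.
'include' lines are recorded, not followed, so the verdict covers only the text
you hand it.
"""
import re
from dataclasses import dataclass, field

# Hardening options listed in the comment above; value is the required argument,
# None means any argument counts as present.
HARDENING = {"caps.drop": "all", "nonewprivs": None, "noroot": None,
             "protocol": None, "seccomp": None}


@dataclass
class Profile:
    directives: list[tuple[str, str]] = field(default_factory=list)  # effective (name, arg)
    dropped: list[str] = field(default_factory=list)                 # lines removed by 'ignore'
    skipped: dict[str, list[str]] = field(default_factory=dict)      # cond -> lines not enabled
    includes: list[str] = field(default_factory=list)


def parse_profile(text: str, conditions: frozenset[str] = frozenset()) -> Profile:
    """Parse profile text; a '?COND:' line is kept only if COND is in `conditions`."""
    prof = Profile()
    ignores: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\?(\w+):\s*(.*)", line)
        if m:
            cond, line = m.group(1), m.group(2).strip()
            if cond not in conditions:
                prof.skipped.setdefault(cond, []).append(line)
                continue
        name, _, arg = line.partition(" ")
        arg = arg.strip()
        if name == "ignore":
            ignores.append(arg)                  # affects lines that come later
            continue
        if any(line.startswith(prefix) for prefix in ignores):
            prof.dropped.append(line)
            continue
        if name == "include":
            prof.includes.append(arg)
        prof.directives.append((name, arg))
    return prof


def missing_hardening(prof: Profile) -> list[str]:
    """Names of hardening options absent from the effective directives."""
    return [name for name, want in HARDENING.items()
            if not any(n == name and (want is None or a == want)
                       for n, a in prof.directives)]


def dbus_user_talk(prof: Profile) -> list[str]:
    """Session-bus names the sandboxed program is allowed to talk to."""
    return [a for n, a in prof.directives if n == "dbus-user.talk"]


def review(text: str, conditions: frozenset[str] = frozenset()) -> dict:
    """Summarise a profile: missing hardening, reachable D-Bus names, what was filtered."""
    prof = parse_profile(text, conditions)
    return {"missing": missing_hardening(prof), "dbus_user_talk": dbus_user_talk(prof),
            "dropped": prof.dropped, "skipped": prof.skipped, "includes": prof.includes}


# Constructed sample: the first ArmCord draft from this thread, trimmed, plus a
# 'dbus-user none' line and a conditional to exercise 'ignore' and '?COND:'.
SAMPLE = """\
include disable-common.inc
include disable-programs.inc
#include electron-common.profile # not enabled here

mkdir ${HOME}/.config/ArmCord
whitelist ${HOME}/.config/ArmCord
include whitelist-common.inc

ignore dbus-user none
dbus-user none
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.mozilla.librewolf.*

?HAS_APPIMAGE: private-tmp

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
"""

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, `missing` comes back as `['seccomp']`, which is exactly the gap between that draft and the hardened list above; pass `frozenset({"HAS_APPIMAGE"})` as `conditions` to see the `?HAS_APPIMAGE:` line take effect.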

@neurodiverseEsoteric commented on GitHub (May 31, 2024):

[Floorp?](https://floorp.app/en)

@ghost commented on GitHub (May 31, 2024):

@neurodiverseEsoteric

We have [floorp.profile](https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/floorp.profile) now. You can either [use firejail-git](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git) or wait until it comes down whenever your OS receives the upcoming `0.9.74` release.

@neurodiverseEsoteric commented on GitHub (May 31, 2024):

oh ok thanks
Author
Owner

@imgurbot12 commented on GitHub (Jun 16, 2024):

> vesktop: https://github.com/Vencord/Vesktop
>
> Vesktop is a custom Discord App aiming to give you better performance and improve linux support

@glitsj16

I came up with the following profile which could be used to start with:

```firejail
# Custom FireJail Profile for Vesktop
include globals.local

# allow discord access to config directory
noblacklist ${HOME}/.config/discord
mkdir       ${HOME}/.config/discord
whitelist   ${HOME}/.config/discord

# allow Vencord access to config directory
noblacklist ${HOME}/.config/Vencord
mkdir       ${HOME}/.config/Vencord
whitelist   ${HOME}/.config/Vencord

# allow vesktop access to config directory
noblacklist ${HOME}/.config/vesktop
mkdir       ${HOME}/.config/vesktop
whitelist   ${HOME}/.config/vesktop

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

# disable temp
private-tmp
noexec /tmp

# additional restrictions
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink

# Below is modified `discord-common.profile`
# ==========================================
include discord-common.local

ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore apparmor
ignore disable-mnt
ignore private-cache
ignore dbus-user none
ignore dbus-system none

ignore noexec ${HOME}
ignore novideo

private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh,discord,vesktop
# the file is /etc/passwd (there is no /etc/password); private-etc silently skips entries that do not exist
private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,passwd,pki,pulse,resolv.conf,ssl

include electron.profile
```

It does require vesktop to be run with `--no-sandbox` because otherwise you get:

```
The SUID sandbox helper binary was found, but is not configured correctly.
Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Vesktop/chrome-sandbox is owned by root and has mode 4755.
```

which I'm not sure how to fix.
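The error quoted in the comment above names the two file properties Chromium's setuid sandbox helper must have: owned by root and mode 4755. The script below is an added example for this thread, not code from the Vesktop or Firejail projects; it checks exactly those two properties on a given path and prints the fix Chromium's own message prescribes instead of applying it. It assumes a Linux host with a stat(1) that accepts `-c` (GNU coreutils or busybox); the path `/opt/Vesktop/chrome-sandbox` in the usage line is the one from the error message. One caveat worth knowing before chasing the file permissions: the profile posted above sets `nonewprivs`, and with no_new_privs in effect the kernel ignores setuid bits on execve, so even a correctly installed helper cannot become root inside that sandbox, which is why `--no-sandbox` is what actually gets such profiles running.

```sh
#!/bin/sh
# Added example (not from the thread): verify the two properties Chromium's
# setuid sandbox helper requires, as its error message states them:
# owned by root (uid 0) and mode 4755 (setuid root, rwxr-xr-x).
# Assumes a Linux host and a stat(1) that accepts -c (GNU or busybox).

# Print a diagnostic for the helper at $1; return 0 only if it is usable,
# 1 if it exists but is mis-installed, 2 if it is missing or unreadable.
check_chrome_sandbox() {
    helper="$1"
    if [ ! -f "$helper" ]; then
        echo "missing: $helper"
        return 2
    fi
    uid=$(stat -c '%u' "$helper") || return 2
    mode=$(stat -c '%a' "$helper") || return 2
    # Either defect alone makes Chromium refuse to start unless --no-sandbox is passed.
    if [ "$uid" != 0 ]; then
        echo "not root-owned (uid $uid): $helper"
        return 1
    fi
    if [ "$mode" != 4755 ]; then
        echo "wrong mode $mode, need 4755: $helper"
        return 1
    fi
    echo "ok: $helper"
    return 0
}

# The remedy Chromium's own message prescribes, printed rather than executed
# so the reader decides whether a root-setuid binary belongs on the system.
suggest_fix() {
    printf 'sudo chown root:root %s && sudo chmod 4755 %s\n' "$1" "$1"
}

# Usage: sh check-chrome-sandbox.sh /opt/Vesktop/chrome-sandbox
if [ -n "$1" ]; then
    check_chrome_sandbox "$1" || suggest_fix "$1"
fi
```

Run it against the path from the error message; a non-zero exit with the printed chown/chmod line is the mis-installed case, and a 2 means the package did not ship the helper where the message expects it.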

@ghost commented on GitHub (Jun 16, 2024):

@vinoff @imgurbot12

Here's a vesktop.profile you can test with Firejail 0.9.72. See https://gist.github.com/glitsj16/174ba5da566f3948d1716676e353daf3 for details.

HTH


@imgurbot12 commented on GitHub (Jun 16, 2024):

> @vinoff @imgurbot12
>
> Here's a `vesktop.profile` you can test with Firejail `0.9.72`. See https://gist.github.com/glitsj16/174ba5da566f3948d1716676e353daf3 for details.
>
> HTH

Major thanks @glitsj16, testing now but I'm having some issues. Will post in the gist to avoid bloating the convo here.

@neurodiverseEsoteric commented on GitHub (Jul 12, 2024):

> @neurodiverseEsoteric
>
> We have [floorp.profile](https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/floorp.profile) now. You can either [use firejail-git](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git) or wait until it comes down whenever your OS receives the upcoming `0.9.74` release.

I'm running archlinux, the bleeding-edgiest of the bleeding-edges, and it's not up to version 0.9.74 yet?

Also requesting a profile for `/usr/bin/webapp-manager`, please...

@ghost commented on GitHub (Jul 12, 2024):

@neurodiverseEsoteric

> I'm running archlinux, the bleeding-edgiest of the bleeding-edges, and it's not up to version 0.9.74 yet?

On Arch Linux myself. There simply isn't a 0.9.74 release yet. Best you can do is install [firejail-git](https://aur.archlinux.org/packages/firejail-git) from AUR and keep that in sync with the git commits.

@ghost commented on GitHub (Jul 12, 2024):

@neurodiverseEsoteric

> Also requesting a profile for /usr/bin/webapp-manager, please...

I've looked into [webapp-manager](https://github.com/linuxmint/webapp-manager). Although creating a dedicated Firejail profile for it is possible, it would have to create a very weak sandbox due to the upstream use of `hardcoded absolute paths` (see below). Also, its support for `flatpaks` and `snaps` is problematic in this context: Firejail simply can't sandbox those.

Personally I wouldn't feel comfortable using this app to run web browsers in such a weak sandbox. Other collaborators may of course see this differently and create a webapp-manager.profile in the future. So I'm not saying it won't happen. In any case, stay vigilant when using this app...

https://github.com/linuxmint/webapp-manager/blob/a061d9a4b0b1b0c3707472b93daf7f732cfc939f/usr/lib/webapp-manager/common.py#L174-L230

@neurodiverseEsoteric commented on GitHub (Jul 15, 2024):

@glitsj16 Oh


@Utini2000 commented on GitHub (Aug 19, 2024):

OnlyOffice-Desktopeditors based on libreoffice.profile:

```
ignore blacklist ${HOME}/.config/onlyoffice
ignore blacklist ${HOME}/.local/share/onlyoffice
ignore join-or-start libreoffice

whitelist ${HOME}/.config/onlyoffice
whitelist ${HOME}/.config/kdedefaults
whitelist ${HOME}/.local/share/onlyoffice/

include libreoffice.profile

join-or-start onlyoffice-desktopeditors
```

This works for me just fine.

@rusty-snake commented on GitHub (Sep 4, 2024):

latest VSCodium on debian 11 requested in #6461 by @MiltiadisKoutsokeras.


@emerajid commented on GitHub (Sep 4, 2024):

https://pulsar-edit.dev/
https://pulsar-edit.dev/about.html
https://github.com/pulsar-edit

Not much different from atom.profile, yet a few changes crept in.

```
# Firejail profile for pulsar
# Description: A Community-led Hyper-Hackable Text Editor
# This file is overwritten after every install/update
# Persistent local customizations
include pulsar.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-exec.inc
ignore include disable-devel.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor

disable-mnt
noblacklist ${HOME}/.pulsar
noblacklist ${HOME}/.config/Pulsar

# Allows files commonly used by IDEs
include allow-common-devel.inc

# net none
nosound

# Redirect
include electron.profile
```

@rusty-snake commented on GitHub (Sep 9, 2024):

16xPrompt by @leodip in #6470


@kmk3 commented on GitHub (Sep 10, 2024):

x2goserver by @mabra in #5837


@kmk3 commented on GitHub (Sep 14, 2024):

prismlauncher by @ipaqmaster in #6381


@rusty-snake commented on GitHub (Sep 19, 2024):

gifsicle and gifski by @salisbury-espinosa in #6481


@neurodiverseEsoteric commented on GitHub (Sep 23, 2024):

I'd like a betterbird.profile, please...


@ilikenwf commented on GitHub (Oct 11, 2024):

> @ilikenwf
>
> > As an aside, what's the difference between including the hardened electron profile and the normal one?
>
> The following options can be added to the sandbox when your kernel supports `unprivileged namespaces` (which the traditional, larger distros have had for a while now):
>
> ```
> caps.drop all
> nonewprivs
> noroot
> protocol unix,inet,inet6,netlink
> seccomp !chroot
> ```
>
> This results in a significant hardening of the sandbox. So if you can, it's advised to enable it. We shuffled around a few includes in the git version as compared to 0.9.72. The actual hardening needs to be enabled now via `blink-common.local` that has the one-liner `include blink-common-hardened.inc.profile`.
>
> Based on the [ArmCord packages available in the AUR](https://aur.archlinux.org/packages?K=armcord&O=0&submit=Go) I've created the below (untested) armcord.profile. It would be awesome if you could test it, but as hinted above, you'll need the [firejail-git](https://github.com/netblue30/firejail/wiki/Using-firejail-from-git) version to do so.
>
> ```shell
> $ cat ~/.config/firejail/armcord.profile
> # Firejail profile for armcord
> # Description: Standalone Discord client
> # This file is overwritten after every install/update
> # Persistent local customizations
> include armcord.local
> # Persistent global definitions
> include globals.local
>
> noblacklist ${HOME}/.config/ArmCord
>
> # sh is needed to allow Firefox to open links
> #include allow-bin-sh.inc
>
> ignore noexec ${HOME}
>
> mkdir ${HOME}/.config/ArmCord
> whitelist ${HOME}/.config/ArmCord
> #whitelist /opt/Armcord
> whitelist /opt/armcord
> whitelist /usr/share/armcord
>
> # The lines below are needed to find the default Firefox profile name, to allow
> # opening links in an existing instance of Firefox (note that it still fails if
> # there isn't a Firefox instance running with the default profile; see #5352)
> noblacklist ${HOME}/.mozilla
> whitelist ${HOME}/.mozilla/firefox/profiles.ini
>
> ignore novideo
> private-bin armcord
>
> dbus-user filter
> dbus-user.talk io.gitlab.librewolf.*
> dbus-user.talk org.cachyos.cachy_browser.*
> dbus-user.talk org.freedesktop.Notifications
> # Allow D-Bus communication with Firefox for opening links
> dbus-user.talk org.mozilla.*
> ignore dbus-user none
>
> join-or-start armcord
>
> # Redirect
> include electron-common.profile
> ```

`private-bin armcord` breaks it under Archlinux here.
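The reply quoted above makes the hardened options (`caps.drop all`, `nonewprivs`, `noroot`, `protocol`, `seccomp !chroot`) conditional on the kernel allowing unprivileged user namespaces. The script below is an added example for this thread, not code from the Firejail project, for checking that precondition before putting `include blink-common-hardened.inc.profile` into `blink-common.local`. It reads the two sysctl knobs that can forbid user namespaces (`kernel.unprivileged_userns_clone`, which exists on Debian-derived kernels and some hardened patchsets, and the upstream `user.max_user_namespaces`) and then probes for real with `unshare(1)` from util-linux, because a seccomp filter or LSM policy can still block the clone even when the sysctls allow it. The decision logic lives in its own function that takes the values as arguments, so it can be exercised without a live host. It assumes a Linux `/proc` and that `unshare` is on `PATH` for the live probe.

```sh
#!/bin/sh
# Added example (not from the thread): can an unprivileged user create user
# namespaces on this kernel? Assumes Linux /proc; unshare(1) from util-linux
# is used for the functional probe when available.

# Pure decision on two sysctl values so it can be tested without the host:
#   $1 = kernel.unprivileged_userns_clone (Debian-style knob; empty if absent)
#   $2 = user.max_user_namespaces        (upstream limit;    empty if absent)
# Returns 0 when neither knob forbids unprivileged user namespaces.
userns_allowed_by_sysctl() {
    clone="$1"
    max="$2"
    # When the Debian knob exists it is a hard switch: anything but 1 disables
    # user namespaces for non-root.
    if [ -n "$clone" ] && [ "$clone" != 1 ]; then
        return 1
    fi
    # Upstream limit: 0 means no user namespace can be created at all.
    if [ -n "$max" ] && [ "$max" -le 0 ]; then
        return 1
    fi
    return 0
}

# Print the value of a /proc/sys knob, or nothing if the kernel lacks it.
read_sysctl() {
    if [ -r "$1" ]; then
        cat "$1"
    fi
}

# Live check: sysctl reading, then a real clone(CLONE_NEWUSER) via unshare -U.
userns_supported() {
    clone=$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)
    max=$(read_sysctl /proc/sys/user/max_user_namespaces)
    userns_allowed_by_sysctl "$clone" "$max" || return 1
    if command -v unshare >/dev/null 2>&1; then
        # Sysctls can say yes while seccomp or an LSM still denies the clone.
        unshare -U true 2>/dev/null
    fi
}

# Usage: sh check-userns.sh
if userns_supported; then
    echo "unprivileged user namespaces: available (hardened includes are usable)"
else
    echo "unprivileged user namespaces: not available"
fi
```

The live probe is the part that matters in practice: a kernel can expose permissive sysctls and still refuse the clone under a seccomp or LSM policy, and a hardened include that depends on a namespace the kernel will not create fails at sandbox start rather than silently weakening the profile.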

@gcb commented on GitHub (Nov 8, 2024):

syncthing at #6536

update: I've been using this for a month on several machines and working perfectly. I think it is ready for review.


@Lonniebiz commented on GitHub (Nov 8, 2024):

I'd like a profile for Dbeaver:
https://dbeaver.io/

AppImage of Dbeaver:
https://github.com/valicm/dbeaver-ce-appimage/releases/tag/latest


@dmitryvakulenko commented on GitHub (Nov 9, 2024):

I try to make profile for [Zed](https://zed.dev/) editor in #6541.

@ilikenwf commented on GitHub (Jan 2, 2025):

Armcord has apparently either been renamed or migrated to "Legcord." - to support both, copy, paste, and renaming is required as everywhere we'd see "armcord," "legcord" needs to be used instead.


@py-cyberuser commented on GitHub (Feb 17, 2025):

**Add Profile**

Add a profile for [hyprland](https://github.com/hyprwm/Hyprland)

Though at first I thought firejail can't deal with wayland compositor, surprisingly I find [sway profile](https://github.com/netblue30/firejail/blob/master/etc/profile-m-z/sway.profile) which means actually it's possible. I would appreciate if hyprland profile can be added.

Thanks for all your works!

@rusty-snake commented on GitHub (Feb 19, 2025):

betterbird by @PWungsten in #6651


@vinoff commented on GitHub (Feb 23, 2025):

Request:

- Zen Browser https://zen-browser.app/

@rusty-snake commented on GitHub (May 2, 2025):

LMStudio by @saltiniroberto in #6731


@gcb commented on GitHub (May 5, 2025):

Gradle in #6726


@neurodiverseEsoteric commented on GitHub (Jul 5, 2025):

I'd like a profile for Goofcord (the better Discord desktop), please, as `--noprofile` exposes the home filesystem despite `--private=` and using the discord profile breaks whitelisting of directories for some reason...

@cameronj86 commented on GitHub (Jul 8, 2025):

[TradingView](https://tvd-packages.tradingview.com/ubuntu/stable/latest/jammy/tradingview_amd64.deb) and/or any banking/financial application as a baseline that I can use as a template for my broker's app.

@ghost commented on GitHub (Jul 12, 2025):

A profile for llama-server from https://github.com/ggml-org/llama.cpp and firefox that could be used together inside a network namespace.

So I could run the `--name llama` flag with the profile when I launch llama-server and then use the `--join` flag when I run firefox, to be able to access the UI.

@BooniChan commented on GitHub (Jul 26, 2025):

A profile for KVIrc would be great!
Kvirc is an IRC client written in C++/Qt and with KDE support. It has a lot of features like: scripting, Python & Perl support, themes etc etc and I always found it better than the mainstream ones like Konversation.

Thank you!

@gcb commented on GitHub (Jul 28, 2025):

> KVIrc

i'm testing all kde-ish clients for the last decade, trying to move from my terminal old client, and had never heard of that one. will create a profile for it when i try it out soon-ish.

@mYnDstrEAm commented on GitHub (Oct 1, 2025):

Please make a profile for [manyverse](https://gitlab.com/staltz/manyverse), a crossplatform client for Scuttlebutt

> [Secure Scuttlebutt](https://en.wikipedia.org/wiki/Secure_Scuttlebutt) is a peer-to-peer communication protocol, mesh network, and self-hosted social media ecosystem. Each user hosts their own content and the content of the peers they follow, which provides fault tolerance and eventual consistency. Messages are digitally signed and added to an append-only list of messages published by an author. SSB is primarily used for implementing distributed social networks, and utilizes cryptography to assure that content remains unforged as it is propagated through the network. In contrast to the major corporate social media platforms, user data and content on Secure Scuttlebutt is not monetized, there are no software design decisions being made in order to maximize user engagement or boost marketing metrics, and there is no paid advertising.

@rusty-snake commented on GitHub (Oct 12, 2025):

gemini-cli by @aminvakil in #6935


@cameronj86 commented on GitHub (Jan 8, 2026):

^ On a related note, Claude Code

(and/or perhaps a `llm-cli-common.profile`)

@DoS007 commented on GitHub (Feb 1, 2026):

DaVinci Resolve 20, the best/most professional video editing software for linux available (the not-studio edition is for "free")

@Raneded commented on GitHub (Feb 21, 2026):

Can we have WebCord profile please?


@aminvakil commented on GitHub (Feb 26, 2026):

opencode (https://github.com/anomalyco/opencode)

That being said, I completely forgot https://github.com/netblue30/firejail/pull/6936 :)

@fpaty6820-ship-it commented on GitHub (Mar 11, 2026):

Zrythm https://www.zrythm.org/es/index.htm
Storyboarder https://wonderunit.com/storyboarder/
Friction https://github.com/friction2d/friction/
Envié https://maurycyliebner.github.io/
Olive https://www.olivevideoeditor.org/

@fpaty6820-ship-it commented on GitHub (Mar 11, 2026):

Gaffer: www.gafferhq.org
Glaxnimate: glaxnimate.mattbas.org
Stirling PDF https://www.stirling.com/
Appflowy https://joplinapp.org/

Reference: github-starred/firejail#789