[GH-ISSUE #1323] Digikam profile #901

Closed
opened 2026-05-05 07:05:51 -06:00 by gitea-mirror · 3 comments

Originally created by @curiosity-seeker on GitHub (May 31, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1323

This is the profile that works for me using Digikam 5.5.0 on Fedora 25. I haven't created a pull request as I'm not sure if the list of allowed syscalls works for other distros or versions. So I ask other users to test that profile before it can possibly be officially added. Note that the 2 noblacklist options are actually not necessary - I just added them to make sure that they won't conflict with possible future additions/changes to disable-common.inc.

# Persistent global definitions go here
include /etc/firejail/globals.local

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/digikam.local

noblacklist ${HOME}/.kde/share/apps/digikam
noblacklist ${HOME}/.config/digikamrc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-devel.inc

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp.keep access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
nogroups
shell none
# private-bin program
# private-etc none
private-dev
private-tmp

@netblue30 commented on GitHub (Jun 1, 2017):

I merged you on mainline: https://github.com/netblue30/firejail/blob/master/etc/digikam.profile

Thanks, it is working fine on Kubuntu 17.04. For Debian jessie I had to add 3 more syscalls. Also, I disabled private-dev in order to be able to connect to a camera - I'll have to look more into it.

The whitelisted seccomp line is commented out for now, until we get more information from people using other distributions. What you can do is to copy that line uncommented in /etc/firejail/digikam.local - it will have precedence over the regular seccomp line in the profile.


@curiosity-seeker commented on GitHub (Jun 1, 2017):

Thanks, but the profile contains

seccomp

and that prevents digikam from starting. Probably a mistake ...

EDIT: Sorry - correction. Using both seccomp.keep and seccomp works for me. I didn't know that both can be used together. Very interesting!

EDIT2: Nevertheless, seccomp alone doesn't work for me.


@curiosity-seeker commented on GitHub (Jun 25, 2017):

Sorry for coming back to this old issue but I'm still a bit confused. The seccomp.keep line works for Fedora, Kubuntu and Debian Jessie. There might be other distros for which it doesn't. But shouldn't one expect that seccomp doesn't work for them even less? So why did you add it?

In my understanding

seccomp.keep whatever
seccomp

do not provide better security compared to

seccomp.keep whatever

alone. Or am I wrong?

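The composition question raised in the last comment, worked through as an added example that is not part of this issue or of the firejail project: a small parser for a profile's seccomp directives that computes which syscalls survive when a whitelist (seccomp.keep) and a blacklist (seccomp) are both installed. It assumes the kernel's filter-stacking rule (a call must pass every installed filter), and ASSUMED_DEFAULT_BLACKLIST is a constructed stand-in, not firejail's real default list.

```python
# Added example (not from this issue or the firejail project): model how
# seccomp.keep and seccomp compose. Assumption: the kernel evaluates every
# installed filter and a call must pass all of them, so stacking a blacklist on
# a whitelist can only shrink the allowed set. ASSUMED_DEFAULT_BLACKLIST is a
# constructed stand-in, not firejail's real default list.
import re

ASSUMED_DEFAULT_BLACKLIST = frozenset({
    "mount", "umount2", "ptrace", "kexec_load", "init_module",
    "delete_module", "mbind", "chroot", "pivot_root", "reboot",
})

def parse_seccomp_directives(profile_text):
    """Return (keep, drop, default_on); 'seccomp a,b' turns the default
    blacklist on and also drops a,b. Comments and other lines are ignored."""
    keep, drop, default_on = set(), set(), False
    for raw in profile_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"seccomp(?:\.(keep|drop))?(?:\s+(\S+))?", line)
        if line.startswith("#") or not m:
            continue
        calls = set(m.group(2).split(",")) if m.group(2) else set()
        if m.group(1) == "keep":
            keep |= calls
        elif m.group(1) == "drop":
            drop |= calls
        else:
            default_on = True
            drop |= calls
    return keep, drop, default_on

def effective_allowed(profile_text, blacklist=ASSUMED_DEFAULT_BLACKLIST):
    """Syscalls every installed filter permits; None when there is no
    whitelist (then anything not dropped is allowed)."""
    keep, drop, default_on = parse_seccomp_directives(profile_text)
    blocked = drop | (set(blacklist) if default_on else set())
    return keep - blocked if keep else None

def kept_but_blocked(profile_text, blacklist=ASSUMED_DEFAULT_BLACKLIST):
    """Whitelisted syscalls a stacked blacklist still denies: empty means the
    extra 'seccomp' line is a no-op, non-empty means it breaks the keep list."""
    keep, drop, default_on = parse_seccomp_directives(profile_text)
    return keep & (drop | (set(blacklist) if default_on else set()))

# Constructed sample profiles for the two variants discussed above.
KEEP_ONLY = "seccomp.keep open,read,write,mbind,exit_group\n"
KEEP_AND_DEFAULT = KEEP_ONLY + "seccomp\n"
```

To check a real profile, replace the constructed blacklist with the default list from the firejail version in use; the stacked variant can never allow more than seccomp.keep alone, only the same set or less.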