Tight Firejail profiles
This is a collection of tighter firejail (https://github.com/netblue30/firejail) profiles for certain applications. These may or may not work on your computer since some of them use seccomp filters, which may depend on architecture and OS. These were designed on Debian sid/experimental x86_64.
I have tentatively started enabling X11 jailing on some of these profiles. Because xpra servers take so long to start up, I end up starting the xpra servers separately (at login) and assign different ones for different things. For example, :470 is for all of the jailed terminal emulators and :480 is for mutt (and anything it spawns). I also created a jail script that simply tells xpra to initialize the given display number and run the given command — it's simple but handy for xpra servers I only need for a given program. If you use different xpra display numbers or don't use X11 jailing at all, simply modify or comment the env command in x-terminal-emulator.profile and mutt.profile.
List of currently-supported programs:
- Ardour 5
- Akregator
- aMule
- Blender
- Brackets
- Calligra
- Cinelerra
- Darktable
- Dia
- Fetchmail
- Firefox
- Flowblade
- FreeCAD
- GIMP
- Google Chrome
- Google Earth
- Hugin
- ImageJ
- Inkscape
- Kdenlive
- Libreoffice
- Linphone
- LMMS
- Luminance HDR
- Macrofusion
- MPD
- MuPDF
- Mutt
- Natron (thanks @triceratops1!)
- OpenShot
- Pidgin
- QPDFView
- Ricochet
- Scribus
- Shotcut
- Skype
- Synfig Studio
- Tor (experimental!)
- Tor Browser Bundle (through the torbrowser-launcher package on Debian)
- Tor Browser profile for Arch (thanks @robotanarchy!)
- Viber
- Viewnior
- Virtualbox
- Generic terminal emulator (the profile is called x-terminal-emulator because of the /etc/alternatives system in Debian)
- Youtube-dl
- Zart (thanks @triceratops1!)