Profile requests #1139

Open
netblue30 opened this issue Mar 10, 2017 · 263 comments
Labels
enhancement New feature request help wanted Extra attention is needed

Comments

@netblue30
Owner

netblue30 commented Mar 10, 2017

Issue to ask for and discuss new profiles.

Progress is tracked in: https://github.com/netblue30/firejail/projects/3?fullscreen=true

Resolved

strikethrough means won't fix

Comments which are marked as resolved contain a request/question about new profiles or a hint to a PR/commit which adds a new profile.

@nyancat18
Contributor

nyancat18 commented Mar 30, 2017

1. brl-cad (a military-veteran CAD, but common in civilian environments)
2. freecad (a civil-use CAD)
3. dia (from gnome)
4. fontforge

@Micha-Btz

Micha-Btz commented May 1, 2017

would be nice to have profiles for tvbrowser and jdownloader2 :-)

@breznak

breznak commented May 25, 2017

@vinoff

vinoff commented Sep 13, 2023

A profile for BEEPER would be great. https://www.beeper.com/

@glitsj16
Collaborator

@vinoff I had a look at beeper and put together a minimally/crudely tested profile. Didn't feel like signing up (just a personal thing with sharing a phone number etcetera). You can find it here. I've based the profile on what I could determine via the beeper-latest-bin from the AUR.

Apparently the beeper.desktop file disables chrome-sandbox by using the below Exec line:

Exec=beeper --no-sandbox %U

IMO this isn't the most secure thing to do, so I'd advise to try this app while removing that --no-sandbox flag and see if things break. Just my $ 0.02 :-)

If you could test Beeper when actually using it, that would be great. We could consider adding the profile (adjusted where needed) later. Don't feel comfortable doing so when I haven't done that properly. HTH
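
The check suggested in the comment above, as an added example that is not part of the thread, firejail or Beeper: it lists launchers whose `Exec` line passes `--no-sandbox` and writes a copy with the flag removed. The function names and the sample launcher are constructed for illustration; only the `Exec` line is taken from the comment.

```shell
#!/bin/sh
# Added example, not firejail or Beeper code.

# Print "file:Exec line" for every launcher in the given directories whose
# Exec line passes --no-sandbox to the application.
find_no_sandbox() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        grep -H -E '^Exec=.*[[:space:]]--no-sandbox([[:space:]]|$)' \
            "$dir"/*.desktop 2>/dev/null || true
    done
}

# Copy launcher $1 into directory $2 with --no-sandbox removed from every
# Exec line (main entry and desktop actions); print the path of the copy.
strip_no_sandbox() {
    src=$1
    dest_dir=$2
    mkdir -p "$dest_dir"
    dest="$dest_dir/$(basename "$src")"
    sed -E '/^Exec=/ s/[[:space:]]+--no-sandbox([[:space:]]|$)/\1/' "$src" > "$dest"
    printf '%s\n' "$dest"
}

# Constructed sample launcher using the Exec line quoted above.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/system"
    cat > "$root/system/beeper.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Beeper
Exec=beeper --no-sandbox %U
EOF
    printf '%s\n' "$root"
}

# Demo: detect the flag, write a cleaned copy, show the resulting Exec line.
sample=$(make_sample)
find_no_sandbox "$sample/system"
grep '^Exec=' "$(strip_no_sandbox "$sample/system/beeper.desktop" "$sample/user")"
rm -rf "$sample"
```

Passing `~/.local/share/applications` as the second argument makes the desktop environment prefer the cleaned launcher over the packaged one, since user-level desktop entries take precedence over system-wide ones with the same file name.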

@jtrv

jtrv commented Sep 15, 2023

a profile for tidal-hifi would be great.

So far I have this, I'll try to open a PR later:

# Firejail profile for tidal-hifi

include globals.local

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

whitelist ${HOME}/.config/tidal-hifi
whitelist /opt/tidal-hifi

apparmor
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6,netlink

disable-mnt
private-cache
private-dev
private-tmp

seccomp !chroot
tracelog

private-bin chrome-sandbox,electron,electron[0-9],electron[0-9][0-9],tidal-hifi,xdg-open
private-opt tidal-hifi

dbus-system none

join-or-start tidal-hifi

@marek22k
Contributor

marek22k commented Sep 22, 2023

I would be happy about a profile for Eclipse.

@Lonniebiz

Lonniebiz commented Nov 3, 2023

Pinokio allows you to play around with all the awesome new open source AI models that are rapidly coming out these days. It allows you to install, run, and automate any AI applications and models automatically and effortlessly.

I'm very eager to try it out via AppImage, but I need a firejail profile for it. This video claims it is already self-contained, but I'd feel more comfortable if firejail ensured that containment. I don't want the AI to break out and take over my computer!

Anyway, I'm really looking forward to there being a profile for this AppImage. Thank you in advance.

@Lonniebiz

Lonniebiz commented Nov 26, 2023

Pulsar:
https://pulsar-edit.dev/

AppImage is available here:
https://pulsar-edit.dev/download.html#regular-releases

This is a live fork of the (discontinued) Atom text editor. Atom was made by GitHub's original owners. Microsoft purchased GitHub and "sunset" the project on December 15, 2022. It is a fantastic text editor for web development. I'm so happy to see it forked.

The profile will likely be very similar to the one already created for Atom:
/etc/firejail/atom.profile

However, from running it in a virtual machine, I see at least two changes that are needed; its config file folder location:
~/.config/Pulsar --> I wish everything was kept here, but there's also:
~/.pulsar -----------> I noticed that addon packages are kept in this location.

I'd love to see a Pulsar profile located here:
/etc/firejail/pulsar.profile

I achieved a custom profile that launches Pulsar, but it can likely be improved to be less permissive. I'm still learning.

@marek22k
Contributor

I would be happy about a profile for Nyxt.

@glitsj16
Collaborator

@marek22k Can you try nyxt with --noprofile and --profile=noprofile please? I'm afraid it might be bubblewrapped as mentioned in #6103 and #3647. If not we can start designing a profile for it.

@marek22k
Contributor

$ firejail --noprofile --profile=noprofile.profile /usr/bin/nyxt
Error: --noprofile and --profile options are mutually exclusive
$ firejail --noprofile /usr/bin/nyxt
Parent pid 5479, child pid 5480
Child process initialized in 5.96 ms
Nyxt version 3.9.2
<INFO> [13:43:59] Source location: #P"/usr/share/nyxt/"
<INFO> [13:43:59] Listening to socket: #P"/run/user/1000/nyxt/nyxt.socket"

(nyxt:2): libenchant-WARNING **: 13:43:59.860: Error loading plugin: libhspell.so.0: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 13:43:59.861: Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 13:43:59.861: Error loading plugin: libvoikko.so.1: cannot open shared object file: No such file or directory

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (nyxt:2): ERROR **: 13:44:00.252: Failed to fully launch dbus-proxy: Child process exited with code 1
<WARN> [13:44:00] Warning: Error in FFI method: The value
  :INVALID-CODE-OBJECT-AT-PC
is not of type
  (SIMPLE-ARRAY (SIGNED-BYTE 32) (*))
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [13:44:00] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
bwrap: Can't mount proc on /newroot/proc: Operation not permitted

(process:2): Gtk-CRITICAL (recursed) **: gtk_box_pack: assertion 'GTK_IS_WIDGET (child)' failed
fatal error encountered in SBCL pid 2 tid 24:
SIGABRT received.

   0: fp=0x699f3dac76c0 pc=0x699f5107d83c Foreign function (null)

Parent is shutting down, bye...

What does it mean that it is in bwrap? Why can't Firejail build a sandbox around bwrap?

@Lonniebiz

Lonniebiz commented Nov 30, 2023

Sielo: https://sielo.app/

This web browser has some innovative features. I'm especially interested in what they call tabs spaces, which essentially allows you to tile multiple webpages within a single window. They provide a portable AppImage for download, and that's what I'd like a Firejail profile for.

@glitsj16
Collaborator

@marek22k
So the --noprofile test confirms that bubblewrap refuses to play along with firejail. Two options left though.

(1) Behind the scenes --noprofile uses /etc/default.profile, which includes disable-common.inc. The latter file blacklists ${PATH}/bwrap. Try $ firejail --noprofile --noblacklist=/usr/bin/bwrap /usr/bin/nyxt.
(2) Also run $ firejail --profile=noprofile /usr/bin/nyxt. This is the weakest possible firejail profile. It does not block access to ${PATH}/bwrap like --noprofile does. If it still fails, we can't sandbox nyxt with firejail due to incompatibilities between the two.

@marek22k
Contributor

$ firejail --noprofile --noblacklist=/usr/bin/bwrap /usr/bin/nyxt
Parent pid 440743, child pid 440744
Child process initialized in 5.28 ms
Nyxt version 3.9.2
<INFO> [15:11:29] Source location: #P"/usr/share/nyxt/"
<INFO> [15:11:29] Listening to socket: #P"/run/user/1000/nyxt/nyxt.socket"

(nyxt:2): libenchant-WARNING **: 15:11:29.703: Error loading plugin: libhspell.so.0: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:29.704: Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:29.704: Error loading plugin: libvoikko.so.1: cannot open shared object file: No such file or directory

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (nyxt:2): ERROR **: 15:11:29.999: Failed to fully launch dbus-proxy: Child process exited with code 1
<WARN> [15:11:29] Warning: Error in FFI method: The value
  :INVALID-CODE-OBJECT-AT-PC
is not of type
  (SIMPLE-ARRAY (SIGNED-BYTE 32) (*))
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:30] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:30] Warning: Web process terminated for buffer 6528 (opening ) because it crashed

(process:2): Gtk-CRITICAL (recursed) **: gtk_box_pack: assertion 'GTK_IS_WIDGET (child)' failed
fatal error encountered in SBCL pid 2 tid 12:
SIGABRT received.

   0: fp=0x7f55bbbcf6c0 pc=0x7f55cc2bd83c Foreign function (null)

Parent is shutting down, bye...
$ firejail --profile=noprofile /usr/bin/nyxt
Reading profile /etc/firejail/noprofile.profile
Parent pid 440852, child pid 440853
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 6.67 ms
Nyxt version 3.9.2
<INFO> [15:11:55] Source location: #P"/usr/share/nyxt/"
<INFO> [15:11:56] Listening to socket: #P"/run/user/1000/nyxt/nyxt.socket"

(nyxt:2): libenchant-WARNING **: 15:11:56.172: Error loading plugin: libhspell.so.0: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:56.173: Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:56.173: Error loading plugin: libvoikko.so.1: cannot open shared object file: No such file or directory

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (nyxt:2): ERROR **: 15:11:56.477: Failed to fully launch dbus-proxy: Child process exited with code 1
<WARN> [15:11:56] Warning: Error in FFI method: The value
  :INVALID-CODE-OBJECT-AT-PC
is not of type
  (SIMPLE-ARRAY (SIGNED-BYTE 32) (*))
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:56] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:56] Warning: Web process terminated for buffer 6528 (opening ) because it crashed

(process:2): Gtk-CRITICAL (recursed) **: gtk_box_pack: assertion 'GTK_IS_WIDGET (child)' failed
fatal error encountered in SBCL pid 2 tid 12:
SIGABRT received.

   0: fp=0x7f36c6dcf6c0 pc=0x7f36d74fe83c Foreign function (null)

Parent is shutting down, bye...

Too bad firejail and bwrap don't work together. firejail blocks file access for browsers by default except for the download folder, bwrap doesn't do that. I'll see if I can find some bwrap documentation somewhere where I can set this.

@glitsj16
Collaborator

@marek22k Yup, those incompatibilities are indeed a pain. Maybe you can try containing nyxt with bubblejail, which is bubblewrap-based.
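
The triage rule from the exchange above (test without a profile; if bwrap is still refused, the program cannot be sandboxed with firejail), as an added example that is not part of the thread or of firejail. The first three sample logs are excerpts of the output posted above; `clean.log`, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage captured firejail launch logs for the nested-bwrap failure.

# Number of lines where the application's own bubblewrap helper was refused.
bwrap_failures() {
    grep -c '^bwrap: .*Operation not permitted' "$1" || true
}

# Classify a single captured log.
classify_log() {
    if grep -q '^Error: --noprofile and --profile options are mutually exclusive' "$1"; then
        echo bad-invocation        # firejail never started the program
    elif [ "$(bwrap_failures "$1")" -gt 0 ]; then
        echo bwrap-refused
    else
        echo no-bwrap-error
    fi
}

# Combine the logs of the no-profile test runs into one verdict.
verdict() {
    refused=0
    clean=0
    for log in "$@"; do
        case $(classify_log "$log") in
            bad-invocation) echo rerun; return 0 ;;
            bwrap-refused)  refused=$((refused + 1)) ;;
            *)              clean=$((clean + 1)) ;;
        esac
    done
    if [ "$refused" -gt 0 ] && [ "$clean" -eq 0 ]; then echo incompatible
    elif [ "$refused" -eq 0 ]; then echo profile-possible
    else echo mixed
    fi
}

# Sample logs: the first three are excerpts of the output posted above,
# clean.log is constructed.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/both-flags.log" <<'EOF'
Error: --noprofile and --profile options are mutually exclusive
EOF
    cat > "$d/noprofile.log" <<'EOF'
Parent pid 440743, child pid 440744
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
** (nyxt:2): ERROR **: 15:11:29.999: Failed to fully launch dbus-proxy: Child process exited with code 1
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
SIGABRT received.
EOF
    cat > "$d/profile-noprofile.log" <<'EOF'
Reading profile /etc/firejail/noprofile.profile
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:56] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
EOF
    cat > "$d/clean.log" <<'EOF'
Parent pid 1000, child pid 1001
Child process initialized in 5.00 ms
EOF
    printf '%s\n' "$d"
}

# Demo on the two no-profile runs from the thread.
logs=$(write_samples)
verdict "$logs/noprofile.log" "$logs/profile-noprofile.log"
rm -rf "$logs"
```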

@rusty-snake
Collaborator

rusty-snake commented Nov 30, 2023

> (1) Behind the scenes --noprofile uses /etc/default.profile

No. It is more like --profile=/dev/null (I.e. empty.profile).

Longer firejail+bwrap discussions should happen in a new Discussion.

@marek22k
Contributor

marek22k commented Dec 6, 2023

I would be happy about a profile for Apache NetBeans IDE.

Maybe something like the following:

include netbeans.local
include globals.local

noblacklist ${HOME}/.netbeans

ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc


include allow-common-devel.inc
include disable-common.inc
include disable-programs.inc

caps.drop all
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp

private-cache
private-dev
private-tmp

restrict-namespaces

@ilikenwf
Contributor

ilikenwf commented Feb 15, 2024

I'd like a profile for Armcord, as it seems hamsket is not developed anymore. As an aside, what's the difference between including the hardened electron profile and the normal one?

Either way, something like the following (it uses gio for opening links).

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
#include electron-common.profile # to use this we'd need to ignore the no private-lib directive?

mkdir ${HOME}/.config/ArmCord
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ArmCord
include whitelist-common.inc

dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none

dbus-user.talk org.mozilla.librewolf.*
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*

private-lib gio

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink

@dev-uhuru

dev-uhuru commented Feb 21, 2024

I have tweaked some electron profile for Joplin (distributed as appimage). Happy to share my file with the notes of what I tried and didn't. A cleaned up version below (I removed all comments):

#   NOBLACKLISTS
noblacklist ${HOME}/.config/Electron
noblacklist ${HOME}/.config/electron*-flag*.conf

#   ALLOW INCLUDES
#   BLACKLISTS
blacklist /usr/libexec

#   DISABLE INCLUDES
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
include disable-shell.inc

# content of disable-exec.inc - removed noexec /tmp, prevented joplin from starting
noexec ${HOME}
noexec ${RUNUSER}
noexec /dev/mqueue
noexec /dev/shm
noexec /run/shm
noexec /var

include chromium-common-hardened.inc.profile

#   NOWHITELISTS

#   MKDIRS
mkdir ${HOME}/.config/Joplin
mkdir ${HOME}/.config/joplin-desktop

#   WHITELISTS
whitelist ${HOME}/.config/Joplin
whitelist ${HOME}/.config/joplin-desktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Electron
whitelist ${HOME}/.config/electron*-flag*.conf

#   WHITELIST INCLUDES
include whitelist-runuser-common.inc
include whitelist-var-common.inc

#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
notv
nou2f
novideo

#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
disable-mnt
private-cache
private-tmp

#   DBUS FILTER
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-system none

Then launching with: firejail --appimage --profile=joplin --nosound /path/to/Joplin.AppImage

@glitsj16
Collaborator

@dev-uhuru Nice! Feel free to open a PR for joplin.profile. We can help work out any specifics for the non-appimage version (if there are any). Thanks for sharing.

@RundownRhino
Contributor

RundownRhino commented Mar 22, 2024

I recently set up KDE connect and plasma-browser-integration for firefox (Linux Mint 21.2) and it seems that the comments in the profile are slightly outdated.
In addition to these lines in firefox.local:

# Add the next lines to your firefox.local for plasma browser integration.
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver

(and to ignore dbus-user none and include firefox-common-addons.profile in firefox-common.local), after investigating via firejail --profile=firefox.profile --dbus-user.log firefox I found out I also needed to enable this dbus route:

dbus-user.talk org.kde.kdeconnect

This should probably be added to the comment in firefox.local, if someone can replicate this issue.

@glitsj16
Collaborator

@RundownRhino Thanks for reporting. Comments are prone to gather dust as software moves on. Can you open a PR for it?

@RundownRhino
Contributor

@glitsj16 Opened a PR. As a side note, it seems include firefox-common-addons.profile is not necessary for this extension to work, but rather breaks all firefox sound when enabled. Not sure why, maybe from the ignore whitelists that it does.

@konstantin1722

konstantin1722 commented Apr 16, 2024

Hi, I have sketched out a profile for Obsidian, I needed it urgently. I've been looking into it for a couple of hours, so I think more knowledgeable people will suggest improvements. But it already works for appimage and binary.

# Save this file as "obsidian.profile" in ~/.config/firejail directory. Firejail will find it
# automatically every time you sandbox your application.

### Basic Blacklisting ###
include disable-common.inc          # dangerous directories like ~/.ssh and ~/.gnupg
include disable-devel.inc           # development tools such as gcc and gdb
include disable-exec.inc            # non-executable directories such as /var, /tmp, and /home
include disable-interpreters.inc    # perl, python, lua etc.
include disable-programs.inc        # user configuration for programs such as firefox, vlc etc.
include disable-xdg.inc             # standard user directories: Documents, Pictures, Videos, Music

#include disable-shell.inc           # sh, bash, zsh etc.

### Home Directory Whitelisting ###
whitelist ${HOME}/.gitconfig
whitelist ${HOME}/.config/git

whitelist ${HOME}/.pki/nssdb
whitelist ${HOME}/.cache/AMD
whitelist ${HOME}/.cache/nvidia
whitelist ${HOME}/.local/share/vulkan
whitelist ${HOME}/.local/share/vulkan/implicit_layer.d
whitelist ${HOME}/.config/vulkan
whitelist ${HOME}/.local/share/vulkan/loader_settings.d
whitelist ${HOME}/.config/kdedefaults
whitelist ${HOME}/.Xdefaults-desktop-pc
whitelist ${HOME}/.config/kdedefaults/gtk-3.0
whitelist ${HOME}/.cache/mesa_shader_cache
whitelist ${HOME}/.local/share/applnk
whitelist ${HOME}/.config/obsidian

include whitelist-common.inc

### Filesystem Whitelisting ###
whitelist /run/systemd/machines/api.obsidian.md
whitelist /run/systemd/resolve/io.systemd.Resolve
whitelist /run/systemd/machines/raw.githubusercontent.com
whitelist /run/udev/control

include whitelist-run-common.inc
include whitelist-runuser-common.inc

whitelist /usr/share/applnk

include whitelist-usr-share-common.inc
include whitelist-var-common.inc

#apparmor       # if you have AppArmor running, try this one!

caps.drop all
ipc-namespace

#no3d           # disable 3D acceleration
#nodvd          # disable DVD and CD devices
#nogroups       # disable supplementary user groups
#noinput        # disable input devices
#novideo        # disable video capture devices

nonewprivs
noroot
?HAS_APPIMAGE: notv            # disable DVB TV devices
?HAS_APPIMAGE: nou2f           # disable U2F devices

protocol unix,inet,inet6,netlink

# If you need networking, enable the firewall and disable "net none"
#net none        # disable network
netfilter       # enable default firewall in sandbox

seccomp !chroot # allowing chroot, just in case this is an Electron app
shell none

#tracelog       # send blacklist violations to syslog

disable-mnt     # no access to /mnt, /media, /run/mount and /run/media

private-bin git,cat,gawk,tr,realpath,cut,grep,basename,bash,obsidian,electron28
private-dev
private-etc gitattributes,gitconfig,ca-certificates,libva.conf,vulkan,ati,nsswitch.conf,hosts,xdg,gtk-3.0,drirc,fonts,gnutls

?HAS_APPIMAGE: private-lib
?HAS_APPIMAGE: private-tmp

#dbus-user none
#dbus-system none
dbus-user filter

There's a resolution for git, as I'm using the Obsidian plugin for git.

whitelist ${HOME}/.gitconfig
whitelist ${HOME}/.config/git

...

private-bin ...git,...

Launch commands:

firejail --appimage --profile=/home/$USER/.config/firejail/obsidian.profile ./Obsidian-1.5.12.AppImage
# or
firejail --profile=/home/$USER/.config/firejail/obsidian.profile /usr/bin/obsidian

I left some things commented out as I didn't fully understand them. I'm interested in a discussion on this profile, anyone have any tips for improvement?

UPD: #6314

@kmk3
Collaborator

kmk3 commented Apr 16, 2024

> Hi, I have sketched out a profile for Obsidian

> I left some things commented out as I didn't fully understand them. I'm
> interested in a discussion on this profile, anyone have any tips for
> improvement?

Please open a pull request for it; this issue is not a good place for reviews.

@tmarplatt

I humbly request profile support for DaVinci Resolve for Linux, a non-linear video editor application. It requires input and gpu dev access. It is released as a self-contained AppImage executable.

The file is free to download but the website may hide the download link and ask you to register before download.

I've not managed to get it working on Linux Mint 21.3. It seems to require elevated privileges and it looks like that conflicts with --appimage.

@glitsj16
Collaborator

glitsj16 commented May 9, 2024

@tmarplatt

I've looked into 'DaVinci Resolve for Linux'. Don't have the hardware to actually use it, but there are a few things you might try.

First of all, it's not the program itself that's distributed as AppImage, but its installer. That ties in to your remark that it requires elevated privileges. Anything that wants to install files to the system-wide directories (e.g. /opt/DaVinciResolve) will need sudo, nothing new or unexpected there. The foo.run file (the AppImage) also supports installing into your ${HOME} via the -C switch (see ./foo.run -h for details). TL;DR Install the program first and after doing so you can start testing/creating a firejail profile for it.

Other observations. This is not your 'common' application, and there seem to be loads of potential roadblocks (not very surprising with proprietary software). I consulted the Arch Wiki page while investigating, might be helpful on your Linux Mint too: https://wiki.archlinux.org/title/DaVinci_Resolve. There are several AUR packages available that you can look at for guidance on how to get it properly installed (if you're familiar with Arch Linux's PKGBUILD format).

To save some time and hair-pulling you can check upfront if Firejail is actually able to sandbox DaVinci Resolve properly by running it via the noprofile.profile. Depending on where you've installed that could look like firejail --profile=noprofile /opt/resolve/bin/resolve. If the program doesn't work with that profile it will not be possible to use Firejail for sandboxing it.

Far from ideal and very likely a lot of moving parts. The PDF that came with the download actually mentions 'Installing DaVinci Resolve’s Rocky Linux ISO' in a VM. IMO that's going to be the easier route.

HTH
