Tight Firejail profiles
.github/ISSUE_TEMPLATE Update issue templates Jul 14, 2018
.gitignore Add .gitignore (mainly useful for me!) Jul 14, 2018
CONTRIBUTING.md Add contributing guidelines Jul 14, 2018
LICENSE Changed license to GNU GPL v2.0 Sep 29, 2016
Natron.profile Rename profile, convert to common.inc Aug 14, 2018
README.md Add newsboat Aug 12, 2018
Viber.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
akregator.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
amule.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
ardour5.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
blender.profile Whitelist /usr/share/ Aug 17, 2018
brackets.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
brlcad-gen.sh Add brl-cad. Jul 15, 2018
brlcad.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
calligra.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
calligraauthor.profile Add newlines to calligra sub-profiles Jul 14, 2018
calligraconverter.profile Add newlines to calligra sub-profiles Jul 14, 2018
calligraflow.profile Add newlines to calligra sub-profiles Jul 14, 2018
calligraplan.profile Add newlines to calligra sub-profiles Jul 14, 2018
calligraplanwork.profile Add newlines to calligra sub-profiles Jul 14, 2018
calligrasheets.profile Add newlines to calligra sub-profiles Jul 14, 2018
calligrastage.profile Add newlines to calligra sub-profiles Jul 14, 2018
calligrawords.profile Add newlines to calligra sub-profiles Jul 14, 2018
chromium.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
common.inc Add private-srv Aug 17, 2018
darktable.profile Whitelist directories in /usr/share Aug 17, 2018
dia.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
dropbox Add example dropbox script for gen_libraries Jul 15, 2018
dropbox.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
electron-common.inc Add electron-common with libraries necessary for electron apps. Modif… Jul 14, 2018
emacs.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
fetchmail.profile Revert whitelisting of /usr/share for now - additional directories ne… Aug 17, 2018
firefox-esr.profile Add support for firefox-esr Jul 14, 2018
firefox.common Make script more flexible (can disable private-lib generation) and co… Jul 23, 2018
firefox.profile Add /usr/share/mime Aug 17, 2018
flameshot.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
flowblade.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
fontforge.profile Whitelist /usr/share, add private-etc Aug 17, 2018
freecad.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
freecadcmd.profile Rewrite all profiles Sep 15, 2017
geany.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
gen_libraries Add comments to gen_libraries Jul 14, 2018
gerbera.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
gimp.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
google-chrome.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
google-earth-pro Convert Google Earth (Pro) profile to common.inc, write wrapper scrip… Jul 28, 2018
google-earth-pro.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
gradio.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
hugin.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
imagej.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
inkscape.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
jail Update profiles, tentatively introduce X11 jailing Jul 30, 2017
kdenlive.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
libreoffice.profile Whitelist /usr/share Aug 17, 2018
linphone.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
lmms.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
luminance-hdr.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
macrofusion.profile I'm an idiot. Jan 11, 2018
messengerfordesktop.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
mpd.profile Blacklist /usr/share/ Aug 17, 2018
mpv-relaxed.inc Split mpv.profile into regular profile (only local files) and relaxed… Aug 14, 2018
mpv.profile Whitelist /usr/share Aug 17, 2018
mupdf.profile Whitelist /usr/share Aug 17, 2018
mutt.profile Whitelist /usr/share Aug 17, 2018
newsboat.profile Whitelist /usr/share/ Aug 17, 2018
openshot.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
pidgin.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
qemu-system-common.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
qemu-system-i386.profile Add qemu-system-i386, clarify which profiles are included Jul 28, 2018
qemu-system-x86_64.profile Add qemu Jul 28, 2018
qpdfview.profile Whitelist /usr/share Aug 17, 2018
ricochet.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
rocketchat.profile Add a bunch of profiles Jan 11, 2018
scribus.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
scrot.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
shotcut.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
signal-desktop.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
skype.profile Convert hardcoded Downloads folder to ${DOWNLOADS} Jul 25, 2018
slack.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
synfigstudio.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
telegram-desktop.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
tor-browser-en.profile Standardize contributor attribution Aug 14, 2018
torbrowser-launcher.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
viewnior.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
virtualbox.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
x-terminal-emulator.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
xfburn.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
youtube-dl.profile Put noexec back in common.inc - individual noexec statements apparent… Aug 12, 2018
zart.profile Standardize contributor attribution Aug 14, 2018

README.md

firejail-profiles

Tight Firejail profiles

This is a collection of tighter firejail (https://github.com/netblue30/firejail) profiles for certain applications. These may or may not work on your computer since some of them use seccomp filters, which may depend on architecture and OS. These were designed on Debian sid/experimental x86_64.

I am slowly switching the profiles to use a common.inc file so that maintenance becomes easier and I cut down on duplicate stuff.

Just a note: I would highly recommend using systemd to sandbox system processes. I personally do not use firejail to sandbox system processes since I'm using systemd to start the process anyway (so it's easier to use the sandboxing capabilities of systemd itself).

Utilities

Currently there is one utility file in this repository: gen_libraries. gen_libraries is a collection of bash functions that help dynamically resolve the libraries needed by a program in a more powerful way than the built-in one shipped with firejail. Most pertinently, it allows passing a folder as the first argument, in which case it will use find to locate all files within the folder and run ldd on each of them. This makes it easier, say, to compile a list for firefox.
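The find-plus-ldd approach described above, as an added sketch that is not the repository's gen_libraries: the function names are hypothetical and the sample ldd output is constructed. Because ldd can execute code from the file it inspects, run this only over directories of trusted, package-installed binaries.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not gen_libraries' own.

# Constructed sample of `ldd file1 file2` output (not captured from a real system).
sample_ldd_output() {
    cat <<'EOF'
/usr/lib/firefox/firefox:
    linux-vdso.so.1 (0x00007ffd0a5f2000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c000000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c400000)
/usr/lib/firefox/plugin-container:
    libxul.so => /usr/lib/firefox/libxul.so (0x00007f3b10000000)
    libmissing.so.0 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b0fc00000)
EOF
}

# Read ldd output on stdin and print each resolved library path once.
# Per-file headers, the vdso, and "not found" entries are skipped.
parse_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # name => /resolved/path
        $1 ~ /^\// && $2 ~ /^\(0x/ { print $1 }       # loader given by absolute path
    ' | LC_ALL=C sort -u
}

# Run ldd on one file, or on every regular file under a directory.
list_libs() {
    if [ -d "$1" ]; then
        find "$1" -type f -exec ldd {} + 2>/dev/null
    else
        ldd "$1" 2>/dev/null
    fi | parse_ldd
}

# Turn library paths on stdin into one comma-separated private-lib line.
# Assumption: basenames are enough for your distribution's library layout.
to_private_lib() {
    sed 's|.*/||' | LC_ALL=C sort -u |
        awk '{ list = list (NR > 1 ? "," : "") $0 }
             END { if (NR) print "private-lib " list }'
}

# Usage: sh this_file /usr/lib/firefox
if [ "$#" -gt 0 ]; then
    list_libs "$1" | to_private_lib
fi
```

Libraries reported as "not found" are dropped silently here; a profile built from the result would need them checked by hand.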

An example script, firefox.common, which makes use of gen_libraries is provided in this repository as well. You should edit $FXLIBDIR and $GENLIB to point to your firefox lib directory (defaults to /usr/lib/firefox) and the gen_libraries script (default ~/scripts/gen_libraries) or disable private-lib generation by setting $PRIVLIB to 0. The script has the following features:

  • It can simply load a profile (pass the path to the profile as the first argument and 0 as the second and third arguments).
  • It can create a temporary profile which is completely empty (pass the path to any profile as the first argument, 1 as the second argument, and 0 as the third argument).
  • It can create a temporary profile and copy over files from another profile (pass the path to the profile which you wish to copy files from as the first argument and 1 as the second and third arguments). You can edit the list of files and folders to be copied over by editing the $TOCOPY variable.

You can disable the systemd-specific parts of the script by setting $USE_SYSTEMD to 0. You may also need to edit the list of additional libraries (the second argument to compile_list), since that list is what works for me on my system but may not be enough on yours.

Another example script, dropbox, is also provided which uses gen_libraries to dynamically generate the library dependencies needed to get dropbox working with a private-lib filter.

Yet another example script, google-earth-pro, is provided which uses gen_libraries to dynamically generate the library dependencies needed to get google-earth-pro working with a private-lib filter. Also note that due to some issues with google-earth-pro, the script manually removes the lock file generated by Google Earth after quitting.

Profiles

List of currently-supported programs:

  • Ardour 5
  • Akregator
  • aMule
  • Blender
  • Brackets
  • BRL-CAD (experimental) - use the generator script brlcad-gen.sh to generate aliased profiles and set up the private-bin predicate.
  • Calligra
  • Darktable
  • Dia
  • Dropbox
  • Fetchmail
  • Firefox (regular and ESR)
  • Flameshot
  • Flowblade
  • Fontforge
  • FreeCAD
  • Geany
  • Gerbera
  • GIMP
  • Google Chrome
  • Google Earth Pro
  • Gradio
  • Hugin
  • ImageJ
  • Inkscape
  • Kdenlive
  • LibreOffice
  • Linphone
  • LMMS
  • Luminance HDR
  • Macrofusion
  • Messenger For Desktop
  • MPD
  • MPV
  • MuPDF
  • Mutt
  • Natron (thanks @triceratops1!)
  • Newsboat
  • OpenShot
  • Pidgin
  • Qemu (VMs should be stored in ${HOME}/qemu-vms or edit qemu-system-common.profile to whitelist the folder you store your VMs in) - profiles included for qemu-system-{i386,x86_64}, but you can create your own by building off of qemu-system-common.profile
  • QPDFView
  • Ricochet
  • Scribus
  • Scrot
  • Shotcut
  • Signal Desktop
  • Skype
  • Slack Desktop
  • Synfig Studio
  • Telegram Desktop
  • Tor Browser Bundle (through the torbrowser-launcher package on Debian)
  • Tor Browser profile for Arch (thanks @robotanarchy!)
  • Viber
  • Viewnior
  • Virtualbox
  • Generic terminal emulator (the profile is called x-terminal-emulator because of the /etc/alternatives system in Debian)
  • Xfburn
  • Youtube-dl
  • Zart (thanks @triceratops1!)