Question: ‘program.local’ ‘global.local’ and ‘program.profile’? #1510
Comments
There are better, more reliable, and more well documented methods of achieving what you want on the networking side. Take a look at the iptables documentation, you can achieve similar things with at least the 'owner' match or the 'cgroup' match, and possibly other ways too. Alternatively, don't configure the network in the main network namespace, then configure it explicitly in dedicated namespaces. As far as whether or not any of this is possible with Firejail, I'd be willing to bet the answer is probably no, as making this possible would provide a trivial method of escaping the isolation firejail provides.
You can disable apparmor by adding
Thank you for a very complete answer. The order of precedence combined with the 'ignore' flag is exactly what I have been trying to figure out. When I read the manual, I noted the 'ignore' flag's existence, but then lost the reference. Similarly, WRT the 'net' flag, the manual (which in retrospect was obviously referring to the .desktop launcher) suggested 'net=none'. When I tried to put that into a profile, it crashed!
I would like to enable ‘apparmor’ and disable the internet, (protocol unix’[?],) globally, yet selectively disable ‘apparmor’ and/or enable the internet on a per program basis.
Can this be done by using an appropriate combination of ‘global.local’ and ‘program.local’ profiles?
For example, a neat/tidy solution would be something like:
global.local: {enable apparmor, disable internet connectivity}
program.local: {selectively enable internet connectivity}
Further, if the above did in fact work!!!, would it be possible to selectively disable apparmor in the ‘program.local’ profile?
A less neat solution (if the ‘program.local’ setting overrides the profile setting) would be to run the following bash and edit the created '.local' files as needed:
I would be grateful to hear your thoughts
Irvine
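A profile layout for the "global default, per-program override" arrangement sketched in the question, added here as an example; it is not from the issue thread or from Firejail's own profile files. It assumes the per-user override files live under ~/.config/firejail/, that Firejail's global file is named globals.local (not global.local), that the program profile reads program.local near its top and globals.local at its end, and that an `ignore` line suppresses matching commands read after it, so an `ignore net` in the program's .local file cancels the later `net none` from globals.local for that program only.

```conf
# ~/.config/firejail/globals.local  (assumed path; picked up by every profile
# that ends with "include globals.local")
# Default for every sandbox: AppArmor confinement and no network at all.
apparmor
net none

# ~/.config/firejail/needs-network.local  (assumed name of a per-program
# override, read at the top of needs-network.profile)
# "ignore net" makes Firejail skip the "net none" that globals.local
# supplies afterwards, so only this program keeps network access while
# every other profile stays offline. apparmor is deliberately left in
# force here so confinement is not weakened along with the network rule.
ignore net
```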