Firejail: Profile requests

Created on 10 Mar 2017  ·  137 Comments  ·  Source: netblue30/firejail

Issue to ask for and discuss about new profiles.

Progress is tracked in: https://github.com/netblue30/firejail/projects/3?fullscreen=true

  • command line document converter (e.g. latex2*, pdf*, rst2*, pod2, pcp2pdf, wkhtmltopdf, ...)
  • [ ] KVM
  • [ ] qemu-system-*
  • [ ] qemu-kvm
  • [ ] virt-manager
  • [x] dooble browser
  • [x] Otter browser
  • [ ] jmemorize
  • [ ] KTnef
  • [ ] KRDC
  • [ ] discover
  • [ ] KWalletManager
  • [ ] brl-cad (a military-veteran CAD, but common in civilian environments)
  • [ ] https://sourceforge.net/projects/animationmaker/
  • [x] [balsa](https://github.com/GNOME/balsa)
  • [ ] jdownloader2
  • [ ] [InSync](https://www.insynchq.com/)
  • [ ] [variety](http://peterlevi.com/variety/)
  • [ ] [KDE connect](https://community.kde.org/KDEConnect)
  • [ ] autotrace
  • [ ] [Y PPA Manager](https://launchpad.net/y-ppa-manager)
  • [ ] Adobe reader
  • [ ] standalone flashplayer
  • [ ] Adobe AIR
  • [ ] cinepaint
  • [ ] jahshakavr
  • [ ] [Youtube-Viewer](https://github.com/trizen/youtube-viewer)
  • [ ] soulseekqt
  • [ ] [Tribler](https://github.com/Tribler/tribler)
  • [x] Minecraft Server
  • [ ] [Leonflix](http://leonflix.net/)
  • [ ] upwork desktop
  • [ ] Coyim
  • [x] [Minitube](https://flavio.tordini.org/minitube)
  • [ ] Quake3
  • [ ] UrbanTerror
  • [ ] Citra
  • [ ] [makemkv](https://www.makemkv.com/)
  • [ ] Mellowplayer
  • [x] [Fractal](https://gitlab.gnome.org/GNOME/fractal)
  • [x] [Quaternion](https://github.com/QMatrixClient/Quaternion/)
  • [ ] [Stubby](https://github.com/getdnsapi/stubby)
  • [ ] SpamAssassin
  • [x] Lyx
  • [ ] Kile
  • [ ] Spectacle
  • [ ] Avidemux
  • [ ] [llpp](https://github.com/moosotc/llpp)
  • [x] [FreeTube](https://github.com/FreeTubeApp/FreeTube/)
  • [ ] [zotero](https://www.zotero.org/download/)
  • [ ] neovim
  • [ ] [Sia-UI](https://gitlab.com/NebulousLabs/Sia-UI/-/releases)
  • [x] [mattermost desktop client](https://github.com/mattermost/desktop)
  • [ ] [Calculator](https://github.com/elementary/calculator) (io.elementary.calculator)
  • [ ] [Calendar](https://github.com/elementary/calendar)
    • [ ] io.elementary.calendar
    • [ ] io.elementary.calendar-daemon
  • [ ] [Camera](https://github.com/elementary/camera) (io.elementary.camera)
  • [ ] [Captive Portal Assistant](https://github.com/elementary/capnet-assist) (io.elementary.capnet-assist)
  • [ ] [Code](https://github.com/elementary/code) (io.elementary.code)
  • [ ] [Files](https://github.com/elementary/files)
    • [ ] io.elementary.files
    • [ ] io.elementary.files-daemon
    • [ ] io.elementary.files-pkexec
  • [ ] [Music](https://github.com/elementary/music) (io.elementary.music)
  • [ ] [Photos](https://github.com/elementary/photos) (io.elementary.photos) - Based on the old Shotwell code
  • [ ] [Terminal](https://github.com/elementary/terminal) (io.elementary.terminal)
  • [ ] [Videos](https://github.com/elementary/videos) (io.elementary.videos)
  • [ ] [GNOME Podcasts](https://gitlab.gnome.org/World/podcasts) (gnome-podcasts)
  • [ ] [pass](https://git.zx2c4.com/password-store/) / gopass
    • [ ] pass
    • [ ] gopass
  • [ ] [Keybase](https://github.com/keybase/client)
    • [ ] kbfsfuse (not sure if this one makes sense...)
    • [ ] keybase
    • [ ] keybase-gui
  • [ ] [Yubikey Manager](https://github.com/Yubico/yubikey-manager-qt)
    • [ ] ykman
    • [ ] ykman-gui
  • [ ] [GZDoom](https://github.com/coelckers/gzdoom) (gzdoom)
  • [ ] [QuakeSpasm](https://sourceforge.net/projects/quakespasm/) (quake)
  • [ ] [rRootage](https://sourceforge.net/projects/rrootage/) (rrootage)
  • [ ] [Renames TV Series](https://www.tweaking4all.com/home-theatre/rename-my-tv-series-v2/)
  • [ ] [deepin-screen-recorder](https://github.com/linuxdeepin/deepin-screen-recorder)
  • [ ] [Joplin](https://joplinapp.org/)
  • [ ] mate-terminal
  • [ ] asbru

Resolved

strikethrough means won't fix

  • [x] kwrite
  • [x] [Jerry chess](https://github.com/asdfjkl/jerry)
  • [x] Riot.im (desktop)
  • [x] freemind
  • [x] tshark
  • [x] tcpdump
  • [x] freecad
  • [x] geary
  • [x] [imagej](https://imagej.nih.gov/ij/)
  • [x] [macrofusion](https://sourceforge.net/projects/macrofusion/)
  • [x] discord
  • [x] [rambox](https://github.com/saenzramiro/rambox)
  • [x] ~gnome-online-miners~
  • [x] gnome-sound-recorder
  • [x] Natron
  • [x] Cinelerra
  • [x] amule
  • [x] Calligra
  • [x] ~Ghetto-skype~
  • [x] Blender
  • [x] Google Earth
  • [x] shotcut
  • [x] ~Tbb PPA~
  • [x] ~Gnome-boxes~
  • [x] ~Tor Messenger~
  • [x] amuled
  • [x] shortwave
  • [x] [WPS-Office](http://www.wps.com/)
  • [x] ~Temaviewer~ https://github.com/netblue30/firejail/issues/825#issuecomment-250977527
  • [x] [Ricochet](https://ricochet.im/)
  • [x] tvbrowser
  • [x] foliate
  • [x] [RTV](https://github.com/michael-lazar/rtv)
  • [x] homebank

Comments which are marked as resolved contain a request/question for new profiles or a hint to a PR/commit which adds a new profile.


All 137 comments

macrofusion
hugin
imagej
geary

@rekixex does #1154 work for you?

Hey donosaurus - where is your GUI?? A firewall like that is very much needed - app goes to internet -> firewall asks -> allow/deny/create rule.

@rekixex gpicview has been added: b51d44a29a07772cf4b38b6133aad343e76185d8 :smile:

1 brl-cad (a military-veteran CAD, but common in civilian environments)

~2 freecad (a civil-use CAD)~

~3 dia (from gnome)~

~4 fontforge~

Nylas Email client
Wire Chat client
@Fred-Barclay

@mustaqimM We actually already have a Wire profile. :smile:

@Fred-Barclay Thanks for that, for some reason it wasn't in the AUR package, so now I'm using the git one. I'm having trouble creating a profile for Nylas Mail, I get

```
Streaming log data to /tmp/Nylas-Mail-3.log
[3:0413/071541:FATAL:udev_linux.cc(20)] Check failed: monitor_.
#0 0x000001e5855e <unknown>
#1 0x000001e6e25b <unknown>
#2 0x000000cbe6a6 <unknown>
#3 0x000001248602 <unknown>
#4 0x000001e59226 <unknown>
#5 0x000001e74755 <unknown>
#6 0x000001e74a48 <unknown>
#7 0x000001e74e9b <unknown>
#8 0x000001e4e669 <unknown>
#9 0x000001e8d41e <unknown>
#10 0x000001eac40a <unknown>
#11 0x000002707e36 <unknown>
#12 0x00000270803e <unknown>
#13 0x000001eac4ce <unknown>
#14 0x000001ea8a53 <unknown>
#15 0x7f332d63e2e7 start_thread
#16 0x7f332707f54f __GI___clone

Failed to generate minidump.
Parent is shutting down, bye...
```

By the way, it's an electron app.

Sure, I'll take a look at it. Can you open a new issue, post the profile you're currently using, and @Fred-Barclay me so I'll get a notification?

would be nice to have profiles for ~tvbrowser~ and jdownloader2 :-)

Hi, I would like to make a restrictive version of the "transmission-gtk.profile". As of now, it has access to all folders within my home folder, and I would like to restrict it to a "Torrents" folder only in the home folder. How would I go about doing that? My current transmission-gtk profile is the following:

```
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/transmission-gtk.local

# transmission-gtk bittorrent profile
noblacklist ${HOME}/.config/transmission
noblacklist ${HOME}/.cache/transmission

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog

private-bin transmission-gtk
private-dev
private-tmp
```

The easiest way would be to start the sandbox with a different user home directory - /home/username/Torrents in your case. Create an empty ~/Torrents directory (mkdir ~/Torrents) and in your profile file add "private ~/Torrents" at the end of the file.
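A whitelist-based variant of the same idea, added here as an example (it is not from the thread). It assumes a ~/Torrents directory already exists and that the installed firejail ships whitelist-common.inc; unlike `private`, it keeps the real home as the sandbox home, so the app's own state directories stay visible next to the single download directory:

```conf
# /etc/firejail/transmission-gtk.local  (constructed example, not the project's own file)
# The profile above includes this file; with whitelisting active, everything
# under ${HOME} that is not listed here is hidden from the sandbox.
whitelist ${HOME}/Torrents
whitelist ${HOME}/.config/transmission
whitelist ${HOME}/.cache/transmission
include /etc/firejail/whitelist-common.inc
```

Start it with the normal profile (firejail --profile=/etc/firejail/transmission-gtk.profile transmission-gtk) and confirm from a file dialog inside the sandbox that only the whitelisted directories are visible.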

Profile requests:

  • Riot.im
  • Wire.com

cherrytree (a onenote-like app for linux)

vym/freemind

@qazip - Wire is already in, grab the profile from here: https://github.com/netblue30/firejail/blob/master/etc/wire.profile

@nyancat18 - cherrytree is in: https://github.com/netblue30/firejail/blob/master/etc/cherrytree.profile

@hThoreau - If you just use the default profile, is that one working?
```
$ firejail --profile=/etc/firejail/transmission-gtk.profile transmission-gtk
```
Blacklist violations are logged in the system log - /var/log/syslog or /var/log/messages depending on your distribution.

thanks @netblue30

but freemind/vym :D

@netblue30 oh, that's weird. I don't have that file for some reason. Shouldn't I have it (I've got firejail 0.9.44.10)?

Another profile request:

  • Jerry chess (https://github.com/asdfjkl/jerry)

cinepaint

jahshakavr

  • Youtube-Viewer (https://github.com/trizen/youtube-viewer)

@razip youtube-dl

Would be great if we had a profile which allows us to simulate the installation of programs, as "Arkose" used to do. Look: https://stgraber.org/category/arkose/
Maybe it could be implemented using some overlayfs.

@rekixex Catfish has been added: 67a6d8712f1ec3a43dc5bcf7ffa471c19b0e218e
I'll try to work on Cheese as well.

@ghanan - it is quite easy, this is an example using OpenShot video editor:

In a terminal start an overlayfs sandbox (you need kernel 3.18 or newer):
```
$ firejail --name=test --overlay --private --noblacklist=/sbin --noblacklist=/usr/sbin
```
In a different terminal, join the sandbox as root and install the program - I am using apt-get on Debian:
```
$ sudo firejail --join=test
Switching to pid 2464, the first child process inside the sandbox
changing root to /proc/2464/root
Child process initialized in 6.05 ms

apt-get install openshot

exit
```
Back in the first terminal run the program:
```
$ openshot
```
Once you close both sandboxes, overlayfs is disabled and openshot disappears.

I saw it's already on the list but nevertheless I'd like to request a profile for Geary Email Client (https://github.com/GNOME/geary).

Thank you very much and keep up with the good work.

I'm using the nautilus profile provided here in the etc folder. It blocks the extensions clamtk-gnome (5.24-1) and nautilus-compare (0.0.4+po1-1), though other extensions that I also have installed, nautilus-wipe (0.3-1) and onionshare (0.9.2-1), work fine. Therefore, I ask for an amendment to nautilus' profile that could allow it to use these extensions as well. Thank you.

Tribler, a onion routing torrent client: https://github.com/Tribler/tribler

utox (a light tox client)

Enpass password manager, enpass.io

Minecraft Server (Java), only allow java and server files

@wiredrunner Enpass added in 78b6a1d4b0815770c09fe4db3a37ca6ce3149261 😄

I'd like to make another request, this time for Leonflix (http://leonflix.net/). It's not open source so this one's better be Firejailed.

Thanks for everything once again!

Lightly tested discord profile in #1715

add vs code

@idnovic VS Code added in f6502ebf237a54a9914c80f386f321772f0e8063 :grin:

Would like to have upwork desktop profile and base profile for other time tracking systems.
Nice to have:

  • disabled/random system hardware information
  • window sandbox by default

Copying from #1878: Coyim (suggested by @bn0785ac)

I have put together a profile for Citra (Nintendo 3DS game system emulator), and would like to contribute it.

(Note that the private-dev line might be uncommented once #2203 is resolved.)

@qazip Can you try this profile for qownnotes?

```
# Firejail profile for QOwnNotes
# Description: Plain-text file notepad with markdown support and ownCloud integration
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/QOwnNotes.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/Nextcloud/Notes
noblacklist ${HOME}/.config/PBE
noblacklist ${HOME}/.local/share/PBE

mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}/.config/PBE
mkdir ${HOME}/.local/share/PBE
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

caps.drop all
machine-id
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog

disable-mnt
private-bin QOwnNotes,gio
private-dev
private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
private-tmp

noexec ${HOME}
noexec /tmp
```

@Fred-Barclay I tested Qownotes profile and it works good. I wonder if we should add:

```
noblacklist ${DOCUMENTS}
whitelist ${DOCUMENTS}
```

feedreader (https://github.com/jangernert/FeedReader)

@qazip feedreader was added a few days ago in cc898c19023a9aea92bc7e863f8fd46600d27598

In #2273 profiles for Quake3 and UrbanTerror have been requested.

Anki (https://apps.ankiweb.net/index.html)

Hello, a profile for makemkv (https://www.makemkv.com/) would be nice since it's one of the only GNU/Linux proprietary softwares without alternative.

@q3cpma there is handbrake which seems to do the same and already has an existing profile

On Mon, Jan 14, 2019 at 06:48:26PM -0800, SkewedZeppelin wrote:

> @q3cpma there is handbrake which seems to do the same and already has an existing profile


Hello, it's absolutely not the same, MakeMKV is used to decrypt BDs.

Maybe mpv can do this if libdvdcss is installed.

EDIT: or other libs.
See: https://wiki.archlinux.org/index.php/Blu-ray

On Tue, Jan 15, 2019 at 07:37:54AM -0800, rusty-snake wrote:

> Maybe mpv can do this if libdvdcss is installed.


Well, no, since libdvdcss is for DVDs (like its name implies). libaacs and
libbdplus exist for this purpose, but I don't know any tool that uses them for
backup, sadly.

The default konversation profile does not contain the netlink protocol, so the logs are spammed with errors. I'm not sure about the consequences for the app or if it's intended by the profile author.


netfilter in the warzone2100 profile is breaking the game hosting function for me, not sure if it's because I'm using --net eth0 --ip ... to bypass my VPN

@Lockdis konversation profile is fixed in master now, thx.

https://github.com/netblue30/firejail/blob/master/etc/flameshot.profile

flameshot is not working for me with the default profile (the application hangs and refuses to take a screenshot, I can't find errors in the log); by removing memory-deny-write-execute it works.

Mellowplayer please. :-) It depends on flashplayer.

MellowPlayer is a free, open source and cross-platform desktop app with cloud music integration.

Fractal (It's a matrix client: https://gitlab.gnome.org/GNOME/fractal)

Quaternion (It's a matrix client: https://github.com/QMatrixClient/Quaternion/)

Stubby https://github.com/getdnsapi/stubby, a dns resolver, think a profile like unbound maybe?

webui-aria2, the popular web UI for the aria2 download manager, has now also a profile. (Could be included via PR.)

@schtobia Please open the PR! It'd be great to have this. :wink:

Postfix

Specifically the smtp executable. Seems non-trivial; this script fails with a useless error message:

```sh
#!/bin/sh

keys=$(postconf -h smtp_tls_CAfile)
dir_keys=${keys%/*}
dir_cfg=${dir_keys%/*}

alias_maps_param=$(postconf -h alias_maps)
alias_maps=${alias_maps_param##*:}

firejail --whitelist="$alias_maps"\
         --whitelist="$dir_cfg"\
         --whitelist="$(postconf -h daemon_directory)"\
         --whitelist="$(postconf -h data_directory)"\
         --whitelist="$(postconf -h smtp_tls_CApath)"\
         --whitelist="$(postconf -h myorigin)"\
         /usr/lib/postfix/sbin/smtp "$@"
```

(edit)

If I run that script directly from the CLI, firejail gives: "invalid whitelist path: /etc/aliases". If I remove that whitelist entry, firejail complains about the next one... and so on. The only path firejail allows me to whitelist from the above list is /var/lib/postfix (the data_directory).

SpamAssassin

There are data leaks, so sandboxing S/A is important for security. I've not tried the default config so I'm not sure if a profile is needed but there are essential config files so I guess it's likely.

@libBletchley Did you try the server profile yet for PostFix/smtp? The default profile is a generic GUI one (like it says inside the file). On another note, IMHO it would be more appropriate for a daemon like smtp to use native systemd hardening techniques.

@glitsj16 I didn't know about server.profile. Maybe I'll try that and add port 25 loosening in the netfilter. I plan to use firejail to force it through a Tor middlebox so systemd changes wouldn't be sufficient.

I have a working smtp.profile. Note that it was tested in a firejail that is isolated on a Tor middlebox. I've removed anything Tor-specific but did not test it that way. Anyway, this is the profile if someone wants to integrate it. Note that postfix_smtp.profile may be a better name.

```
# Firejail profile for postfix/smtp

# This was derived from the generic server.profile, which allows /sbin
# and /usr/sbin directories.  This is where servers are installed
# depending on your usage.  This configuration was then customized for
# postfix/smtp.

# Recommended script to use for this profile (which you may want to
# save as "$(postconf -h daemon_directory)/smtp_firejail"):
#
# #!/bin/bash
# typeset -r cmd_dir=$(/usr/sbin/postconf -h command_directory); # literal path used here for security reasons
# typeset -r exec_smtp=$("$cmd_dir"/postconf -h daemon_directory)/smtp
# firejail --profile=smtp.profile\
#          --noblacklist="$cmd_dir"\
#          --whitelist="$("$cmd_dir"/postconf -h queue_directory)"\
#          --whitelist="$("$cmd_dir"/postconf -h data_directory)"\
#          "$exec_smtp" "$@"

## Postfix/smtp custom rules ##

# Needed for the two whitelist specifications that follow:
writable-var

# Directory needed for writing lockfiles is generally
# /var/spool/postfix/pid.  The common literal parent directory is
# hard-coded here.  It's recommended to include this in your script to
# enforce configuration consistency:
#   --whitelist="$(postconf -h queue_directory)"
whitelist /var/spool/postfix

# It has not been confirmed whether write access to /var/lib/postfix
# is needed.  It's hard-coded here for good measure.  It's recommended
# to include this in your script to enforce configuration consistency:
#   --whitelist="$(postconf -h data_directory)"
whitelist /var/lib/postfix

# Directory needed for executables: /usr/sbin.  The common literal
# directory is hard-coded here.  It's recommended to include this in
# your script to enforce configuration consistency:
#   --noblacklist="$(postconf -h command_directory)"
noblacklist /usr/sbin

## Defaults inherited from server.profile ##

blacklist /tmp/.X11-unix

noblacklist /sbin

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

caps
no3d
nosound
private
private-dev
private-tmp
seccomp
shell none

# too new for author's firejail version to test
# (so you may want to remove these comments):
#
# nodvd
# notv
# nou2f
# novideo
```

Postfix/smtp seems to write to /var/log without any issues, even though it's not whitelisted. I'm not sure how that's possible.

bitwarden

RTV

  • Adobe reader
  • standalone flashplayer
  • Adobe AIR

    Requested in #2731 by @jose1711

please add autotrace - it has a high number of CVEs assigned (https://www.cvedetails.com/vulnerability-list/vendor_id-12987/product_id-26551/year-2017/opov-1/Autotrace-Project-Autotrace.html)

@jose1711 this autotrace? https://github.com/autotrace/autotrace

@Fred-Barclay that seems to be an unofficial fork of the original
http://autotrace.sourceforge.net/

fedora ships a patched version of the original
arch aur has the unofficial
debian used to ship the original
gentoo doesn't ship either

https://blogs.gentoo.org/ago/2017/05/20/autotrace-multiple-vulnerabilities-the-autotrace-nightmare/

@qazip can you try this profile for jerry-chess?

```
# Firejail profile for jerry
# Description: Chess GUI
# This file is overwritten after every install/update
# Persistent local customizations
include jerry.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/dkl

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

caps.drop all
machine-id
net none
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
shell none
tracelog

private-bin jerry,stockfish,sh,bash
private-dev
private-etc fonts,gtk-2.0,gtk-3.0
private-tmp

memory-deny-write-execute
```

@Fred-Barclay, I no longer use jerry-chess. But I'll see if I can test it sometime this week!

Tbb (http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html)

Last Update: 2017-03-08 (tor-browser 6.x.x)
No Support for Ubuntu 17.10, 18.04, 18.10, 19.04

Tor Messenger: https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily (No future development https://blog.torproject.org/sunsetting-tor-messenger)

Gnome-boxes (a nice gui for kvm system)

firejail --noprofile gnome-boxes doesn't work.

gnome-online-miners

cannot be jailed by firejail because it has only binaries in libexec that are started via dbus.

I suggest to close these requests.

Closed everything except gnome-boxes (firejail --noprofile --writable-var gnome-boxes works). I will write a profile this week.


@qazip Have you found the time?

No, sorry. I tried to install jerry from AUR but it's giving an error. I don't want to compile it myself..

But if it works for you, it probably works for me too!

Gave up writing a profile for gnome-boxes, powering off a VM always ends in a coredump.

FreeTube requested in #2918 by @MystesofEternity

I would appreciate a profile for zotero (Reference management software)

neovim, setup script (or adding to firecfg) for desktop files for AppImage in $HOME/.local/bin

Please can you make a profile for the Sia-UI .appimage https://gitlab.com/NebulousLabs/Sia-UI/-/releases
Thank you so much.


Draft for RTV

```
# Firejail profile for rtv
# Description: Browse Reddit from your terminal
# This file is overwritten after every install/update
# Persistent local customizations
include rtv.local
# Persistent global definitions
include globals.local

blacklist /tmp/.X11-unix

noblacklist ${HOME}/.config/rtv
noblacklist ${HOME}/.local/share/rtv

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.config/rtv
mkdir ${HOME}/.local/share/rtv
whitelist ${HOME}/.config/rtv
whitelist ${HOME}/.local/share/rtv
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
netfilter
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

disable-mnt
private-bin python*,rtv
private-cache
private-dev
private-etc ca-certificates,alternatives,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
```

@rusty-snake Looks good! One thing, on Arch I need to add sh,xdg-settings to private-bin for the rtv.profile to work. :wink:

amuled is the daemon version of amule.

I run it like this:
```
firejail --private-bin=amuled --profile=/etc/firejail/amule.profile /usr/bin/amuled
```

Profile request: mattermost desktop client

WPS-Office (http://www.wps.com/)
[Moved from #3040]

Some profile requests... This looks like the right place to post them, but if I should open a separate ticket(s), just let me know.


The Elementary OS's Pantheon desktop is really nice. While the project is planning to move towards using Flatpaks for their major apps, the change doesn't seem imminent and having pre-defined jails would be awesome for those of us running Pantheon on non Elementary OS systems.

  • [ ] [Calculator](https://github.com/elementary/calculator) (io.elementary.calculator)
  • [ ] [Calendar](https://github.com/elementary/calendar)

    • [ ] io.elementary.calendar

    • [ ] io.elementary.calendar-daemon

  • [ ] [Camera](https://github.com/elementary/camera) (io.elementary.camera)
  • [ ] [Captive Portal Assistant](https://github.com/elementary/capnet-assist) (io.elementary.capnet-assist)
  • [ ] [Code](https://github.com/elementary/code) (io.elementary.code)
  • [ ] [Files](https://github.com/elementary/files)

    • [ ] io.elementary.files

    • [ ] io.elementary.files-daemon

    • [ ] io.elementary.files-pkexec

  • [ ] [Music](https://github.com/elementary/music) (io.elementary.music)
  • [ ] [Photos](https://github.com/elementary/photos) (io.elementary.photos) - Based on the old Shotwell code
  • [ ] [Terminal](https://github.com/elementary/terminal) (io.elementary.terminal)
  • [ ] [Videos](https://github.com/elementary/videos) (io.elementary.videos)

Some other profiles that would be awesome to have:

  • [ ] [GNOME Podcasts](https://gitlab.gnome.org/World/podcasts) (gnome-podcasts)
  • [ ] [pass](https://git.zx2c4.com/password-store/) / gopass

    • [ ] pass

    • [ ] gopass

  • [ ] [Keybase](https://github.com/keybase/client)

    • [ ] kbfsfuse (not sure if this one makes sense...)

    • [ ] keybase

    • [ ] keybase-gui

  • [ ] [Yubikey Manager](https://github.com/Yubico/yubikey-manager-qt)

    • [ ] ykman

    • [ ] ykman-gui

  • [ ] [GZDoom](https://github.com/coelckers/gzdoom) (gzdoom)
  • [ ] [QuakeSpasm](https://sourceforge.net/projects/quakespasm/) (quake)
  • [ ] [rRootage](https://sourceforge.net/projects/rrootage/) (rrootage)

Please can you make a profile for the Sia-UI .appimage https://gitlab.com/NebulousLabs/Sia-UI/-/releases
Thank you so much.

@rusty-snake any update on supporting this profile?

Also:
https://www.tweaking4all.com/home-theatre/rename-my-tv-series-v2/
Renames TV Series, code is not open source, so ideally a profile would be needed to block everything but internet and the main folder where all the TV series lie.

I tried running the default profile but I get these errors:

```
Parent pid 17333, child pid 17334
Warning: cleaning all supplementary groups
Child process initialized in 84.83 ms
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.
Exception at 00000000004570FE: EAccessViolation:
Access violation.
Exception at 000000000067F072: EInOutError:
Can not load SQLite client library "libsqlite3.so". Check your installation.

Parent is shutting down, bye...
```

Can not load SQLite client library "libsqlite3.so". Check your installation.

@svc88 That sounds like you're missing sqlite. Do you have it installed?

@johnp can you test this profile for foliate? (firejail 0.9.62+)

foliate.profile

```
# Firejail profile for foliate
# Description: Simple and modern GTK eBook reader
# This file is overwritten after every install/update
# Persistent local customizations
include foliate.local
# Persistent global definitions
include globals.local

noblacklist ${DOCUMENTS}
noblacklist ${HOME}/.cache/com.github.johnfactotum.Foliate
noblacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/com.github.johnfactotum.Foliate
mkdir ${HOME}/.local/share/com.github.johnfactotum.Foliate
whitelist ${HOME}/.cache/com.github.johnfactotum.Foliate
whitelist ${HOME}/.local/share/com.github.johnfactotum.Foliate
whitelist ${DOCUMENTS}
whitelist ${DOWNLOADS}
whitelist /usr/share/com.github.johnfactotum.Foliate
whitelist /usr/share/hyphen
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
net none
no3d
#nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none
tracelog

disable-mnt
private-bin com.github.johnfactotum.Foliate,gjs
private-cache
private-dev
private-etc dconf,fonts,gconf,gtk-3.0
private-tmp

read-only ${HOME}
read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
```

Update: Added in df1c73a0

@youknow10 can you test these profiles for WPS Office? (firejail 0.9.62+)

wps.profile

```
# Firejail profile for wps
# Description: WPS Office
# This file is overwritten after every install/update
# Persistent local customizations
include wps.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.kingsoft
noblacklist ${HOME}/.config/Kingsoft
noblacklist ${HOME}/.local/share/Kingsoft

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc

include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
machine-id
netfilter
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

private-cache
private-dev
#private-opt kingsoft
private-tmp

#join-or-start wps
```

wpp.profile

```
# Firejail profile for wpp
# Description: WPS Office - Presentation
# This file is overwritten after every install/update
# Persistent local customizations
include wpp.local
# Persistent global definitions
# added by included profile
#include globals.local

ignore machine-id
ignore nosound

# Redirect
include wps.profile
```

@rusty-snake , they seem to work fine. Thanks.
Isn't it better to block the network with "net none"?
Also, there are two more programs there (wpspdf and et)

> Isn't it better to block the network with "net none"?

As a user opt-in, sure. However, it has some networking features (cloud :sneezing_face: backup, help/manual, internal browser (based on chrome _68_ :face_with_thermometer: :nauseated_face: :dizzy_face: :skull: )).

@youknow10 cc57e0c

I would like to request a profile for the deepin-screen-recorder and Joplin.

mate-terminal requested in #3289 by @trancemind65.

@trancemind65 Sandboxing a terminal emulator without making it unusable would be difficult. Due to their nature they require access to a wide and rather unpredictable set of commands (other applications) and restricting filesystem access would cause all kinds of impracticalities. That's why firejail blacklists them in /etc/firejail/disable-common.inc, mate-terminal included. Have a look inside that file to get the idea. Unless you have a very limited and predictable use-case it wouldn't be worth the effort IMHO.

please a FireJail profile for Mate-Terminal, thanks!

thanks for the info @glitsj16.

If I want to push a fix to a profile should I just make a PR or do I need to post it in this issue?

make a PR -- in general, if you have a finished patch a PR is easier to review, while issues are better to discuss before coding.

I would like to request a profile for shortwave the replacement of Gradio application.

@chrpinedo can you test this profile.

shortwave.profile

# Firejail profile for shortwave
# Description: Listen to internet radio
# This file is overwritten after every install/update
# Persistent local customizations
include shortwave.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/Shortwave
noblacklist ${HOME}/.local/share/Shortwave

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/Shortwave
mkdir ${HOME}/.local/share/Shortwave
whitelist ${HOME}/.cache/Shortwave
whitelist ${HOME}/.local/share/Shortwave
whitelist /usr/share/shortwave
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

apparmor
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
shell none
tracelog

disable-mnt
private-bin shortwave
private-cache
private-dev
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gconf,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,ssl,X11,xdg
private-tmp

@rusty-snake it seems to work right. I had to comment the line #include whitelist-runuser-common.inc because that file doesn't exist in my version 0.9.62-1 ArchLinux. I don't know if I can provide you with some kind of debugging information. Thanks!

You can check if there are no missing whitelist paths.
Terminal1: firejail --profile=path/to/shortwave.profile --name=shortwave --private shortwave
Terminal2: firejail --join=shortwave ls -Ra

For whitelist-runuser-common.inc you can use these lines (just add to the profile if you want).

whitelist ${RUNUSER}/bus
whitelist ${RUNUSER}/dconf
whitelist ${RUNUSER}/gdm/Xauthority
#whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
whitelist ${RUNUSER}/pulse/native
whitelist ${RUNUSER}/wayland-0

Hi @rusty-snake ! To check your two commands I had to disable shell none and private-bin shortwave because I was unable to get a shell inside the firejail or to run a ls -Ra command.

Regarding your whitelist-runuser-common.inc file, I guess I should activate it, but I don't understand quite well whether it would be useful and for what. For integration with GNOME?

Second, I propose one change to your profile:

  • whitelist ~/.cache/gstreamer-1.0 directory (it appears with ls -Ra in a private firejail running shortwave).

shortwave.profile.txt

Thanks for your answer. wruc restricts the files available under /run/user/UID (= it is for hardening). You can copy it or wait for the next firejail release.

Regarding .cache/gstreamer-1.0, IDT that it breaks something if it is not whitelisted. There are more programs also using/creating it and didn't have it whitelisted. Anyway private-cache makes ~/.cache a tmpfs.

I can't open your attachment (trouble after the FFX 75 update I guess), if there is anything important.

@rusty-snake don't worry about my attachment it only adds the noblacklist/mkdir/whitelist for the .cache/gstreamer-1.0 directory that it is no useful because of private-cache, as you said. Thanks for your comments!

Asbru requested by @NRGLine4Sec in #3512.

Homebank - [new profile request]

Homebank is a personal finance manager. I've looked at a lot of them around and none of them come close to what this offers (includes crypto support), so it's worth the firejail setup.
It's a simple installation via apt-get.
Homebank also updates the currencies online, so is it possible to allow incoming connections to update the currencies but at the same time block all outgoing connections with netfilters for protection?

As with many apps, I don't trust this much without firejail, so I'll really appreciate it if you can help push this to the front of the queue.

http://homebank.free.fr/en/downloads.php
https://code.launchpad.net/homebank

@svc88 Can you try this? homebank.txt Couldn't check the conversion rates online; even without Firejail it says "not found". I don't have any experience using this software, so you might want to tinker with it. Under Firejail 0.9.62 the profile for firefox hasn't whitelisted /usr/share/doc, so you won't be able to open contents.

@kortewegdevries thank you so much. It works on my side. You have to add a few currencies in the Currency preferences and then choose a base currency (default USD), after that close and re-open homebank and go back into the currency dialog box you will see the currencies are being updated.
Here is my log file, not sure if these dconf errors are normal though?

Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/homebank.profile
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-common.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-devel.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-exec.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-interpreters.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-programs.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/whitelist-common.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/whitelist-usr-share-common.inc
Jul 19 11:43:32 Reading profile /usr/local/etc/firejail/whitelist-var-common.inc
Jul 19 11:43:32 Parent pid 20380, child pid 20383
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/orbd, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/servertool.1.gz, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/servertool, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/tnameserv.1.gz, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/tnameserv, cannot find inode
Jul 19 11:43:32 Warning fcopy: skipping /etc/alternatives/orbd.1.gz, cannot find inode
Jul 19 11:43:32 Warning: skipping asound.conf for private /etc
Jul 19 11:43:32 Warning: skipping crypto-policies for private /etc
Jul 19 11:43:32 Warning: skipping dconf for private /etc
Jul 19 11:43:32 Warning: skipping pki for private /etc
Jul 19 11:43:32 Warning: skipping locale.conf for private /etc
Jul 19 11:43:32 Private /etc installed in 24.71 ms
Jul 19 11:43:32 6 programs installed in 4.64 ms
Jul 19 11:43:32 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Jul 19 11:43:32 Warning: cleaning all supplementary groups
Jul 19 11:43:32 Warning: cleaning all supplementary groups
Jul 19 11:43:32 Blacklist violations are logged to syslog
Jul 19 11:43:32  ]0;firejail homebank  Child process initialized in 104.32 ms
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): GLib-WARNING **: 11:44:37.792: getpwuid_r(): failed due to unknown user id (1000)
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): Gtk-WARNING **: 11:44:37.821: Unable to open server bookmarks: Failed to open file “/home/test/.config/gtk-3.0/servers”: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): Gtk-WARNING **: 11:44:37.825: Unable to open server bookmarks: Failed to open file “/home/test/.config/gtk-3.0/servers”: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.894: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.927: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.951: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.974: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:37 
Jul 19 11:44:37 (homebank:31): dconf-WARNING **: 11:44:37.997: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.019: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.042: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.065: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.088: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.107: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.118: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.130: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:38 
Jul 19 11:44:38 (homebank:31): dconf-WARNING **: 11:44:38.147: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.046: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.063: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.078: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.095: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.112: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.129: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.146: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.162: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.178: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:39 
Jul 19 11:44:39 (homebank:31): dconf-WARNING **: 11:44:39.195: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:40 
Jul 19 11:44:40 (homebank:31): dconf-WARNING **: 11:44:40.152: failed to commit changes to dconf: Could not connect: Permission denied
Jul 19 11:44:40 
Jul 19 11:44:40 (homebank:31): dconf-WARNING **: 11:44:40.153: failed to commit changes to dconf: Could not connect: Permission denied

My other question is, if incoming connections are denied by default with 'netfilters' and outgoing connections are allowed, does that mean that if the program for example had a backdoor, wouldn't it still be able to upload content back to their servers with an "outgoing connection"?

Notes on the homebank profile:

  • does it really need to have a browser? if so we need to drop private-bin
  • dbus-system none can likely be enabled
  • ~ipc-namespace can cause issues~
  • include whitelist-runuser-common.inc can likely be enabled
  • include disable-xdg.inc can likely be enabled. needs to be moved at the end of the block
  • whitelist needs to be moved down
  • ${HOME}/.config/homebank needs a mkdir, noblacklist, blacklist
  • blacklist /tmp/.X11-unix: is this a gui or a cli program??!

not sure if these dconf errors are normal though?

If they come from a file-open dialog they can be ignored.

incoming connections are denied by default with 'netfilters'

Only if you use net foobar0, and only if they are not a response (i.e. a new connection).
And only IPv4.

outgoing connections are allowed does that mean that if the program for example had a backdoor wouldnt it still be able to upload content back to their servers with an "outgoing connection"

yes

so is it possible to allow incoming connections to update the currencies but at the same time block all outgoing connections with netfilters for protection?

You need to allow outgoing connections to request the new currencies. netfilter can not be used to only allow connections for currencies, since it does not know anything about the data being sent.
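As an added example (not firejail's own tooling and not code posted by anyone in this thread), a small POSIX sh/awk linter that checks a profile against the review conventions discussed above: a `whitelist ${HOME}/...` line needs a matching `noblacklist` and `mkdir`, a whitelist under `~/.cache` is moot once `private-cache` is set, and `include disable-*.inc` lines belong before the whitelist block. The sample profile is constructed to trip each check; the function name and checks are this example's own.

```shell
#!/bin/sh
# Constructed sample profile: deliberately violates the review notes.
sample_profile() {
  cat <<'EOF'
# constructed sample profile (not a real firejail profile)
noblacklist ${HOME}/.config/homebank
include disable-common.inc
include disable-programs.inc
whitelist ${HOME}/.config/homebank
whitelist ${HOME}/.cache/gstreamer-1.0
include whitelist-common.inc
include disable-xdg.inc
private-cache
EOF
}

# lint_profile: reads a profile on stdin, prints one finding per line,
# and returns the number of findings (0 = clean).
lint_profile() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    $1 == "noblacklist"   { nb[$2] = 1 }
    $1 == "mkdir"         { mk[$2] = 1 }
    $1 == "whitelist"     { order[++n] = $2; seen_wl = 1 }
    $1 == "private-cache" { pc = 1 }
    # a disable-*.inc include after the first whitelist is out of place
    $1 == "include" && $2 ~ /^disable-/ { if (seen_wl) late = $2 }
    END {
      f = 0
      for (i = 1; i <= n; i++) {
        p = order[i]
        if (index(p, "${HOME}") != 1) continue   # only home paths need the pair
        if (!(p in nb)) { print "whitelist " p ": missing noblacklist"; f++ }
        if (!(p in mk)) { print "whitelist " p ": missing mkdir"; f++ }
        if (pc && index(p, "${HOME}/.cache/") == 1) {
          print "whitelist " p ": pointless, private-cache makes ~/.cache a tmpfs"; f++
        }
      }
      if (late != "") {
        print "include " late ": appears after whitelist lines, move it into the disable block"; f++
      }
      exit f
    }'
}

# Stand-alone run: prints the findings and the count.
sample_profile | lint_profile || echo "findings: $?"
```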

does it really need to have a browser? if so we need to drop private-bin

It has a manual or contents and online resources. I don't know if they're needed.

dbus-system none can likely be enabled include whitelist-runuser-common.inc can likely be enabled

0.9.62 doesn't have those profiles/controls. I kept them uncommented to suit owns version, and I didn't run it under latest.

include disable-xdg.inc can likely be enabled. needs to be moved at the end of the block ${HOME}/.config/homebank needs a mkdir, noblacklist,blacklist blacklist /tmp/.X11-unix: is this a gui or a cli program??!

Fixed...? What should I blacklist under /.config?

I would suggest that you open a PR with it, so we can bring it upstream. A PR is easier when reviewing.

No, the browser is not needed at all (unless you want to click on the help/about page). So no, none of that is important, so you can remove private-bin.
This is a gui program so you disable blacklist /tmp/.X11-unix (right?)

outgoing connections are allowed does that mean that if the program for example had a backdoor wouldnt it still be able to upload content back to their servers with an "outgoing connection"

yes

so is it possible to allow incoming connections to update the currencies but at the same time block all outgoing connections with netfilters for protection?

You need to allow outgoing connections to request the new currencies. netfilter can not be used to only allow connections for currencies, since it does not know anything about the data being sent.

Thanks for confirming, I think it's best if you kill the whole network altogether with net none (for now at least). There will be a popup saying "Cannot resolve frankfurter.app" when opening Homebank as it will try to get the currency updates, but I can deal with that until I ask the dev to make the currency updates optional.

I'm really not sure how to open a PR, would appreciate it if one of you can open it so that we can continue there? I think the profile @kortewegdevries posted just needs small changes, as we said.

I tried to create a profile for the pcloud client (www.pcloud.com). It looks like that at the moment:

protocol unix,inet,inet6,netlink,packet
noblacklist ${PATH}/fusermount
whitelist ${HOME}/.config/pcloud
whitelist ${HOME}/.pcloud
whitelist ${HOME}/.local/share/applications/appimagekit-pcloud.desktop
whitelist ${HOME}/.config/pulse
noblacklist ${HOME}/pCloudDrive
include default.profile

It is partly working - the syncing works for me so far.
The client additionally mounts the cloud data in a separate local folder - this is not working.

If you want to try to create a pcloud profile, you can use that as a starting ground.

Background: even --noprofile and --profile=noprofile.profile did not help (https://github.com/netblue30/firejail/issues/2748#issuecomment-660551208 and the following).

@MrFrank17 Can you check if this profile works?
pcloud.txt

Downloads~$ firejail --profile=pcloud.profile --appimage pcloud (both should be in the same Downloads folder)

The client additionally mounts the cloud data in a separate local folder - this is not working.

I don't understand how this works. There's a pclouddrive in Home, I select any folder to upload to the cloud, then select a folder within pclouddrive, then sync seems to work. But I don't see where this is downloaded/mounted.

There's currently a buffer overflow while running the program.

Also why is a terminal on the list, do we make profiles for them?

I had to comment include whitelist-runuser-common.inc (not found) and dbus-system none

That is the output:
output.txt

Yes, the pclouddrive in HOME shall show the cloud files. This is what I meant with "mounted folder" - sorry, if that was confusing. However, it still does not work.
Yes, syncing works for me as well.

Sorry, not sure what you mean with that:

Also why is a terminal on the list, do we make profiles for them?

Oh okay, now I understand, it's probably an encrypted vdisk image that gets mounted through the application only.

I would like to request a profile for Unity Hub (and Unity, by extension).

A profile for Lutris would be great. It's a very useful and popular software (a GNU/Linux flagship like GIMP) and firejailing it would make a lot of sense (running untrusted roms / games etc).

Might not be simple to get everything running fine due to its expansive support for many emulators (some of which may already have a firejail profile) and Wine but a profile to make changes to would be useful too. The profile could be very permissive at first. It would be best if it was a very stringent profile but made sure that everything it launches, launches with firejail and has a working firejail-profile.

3483

A profile for the discord TUI Cordless would be nice.

https://github.com/Bios-Marcel/cordless

A profile for socat would be useful as a starting point for allowing customizations.
