According to the man page, it is specified that desktop integration covers, among other things, the execution of files using the icon.
But also all common file managers are isolated by default. That should mean that everything that is executed via file manager should be isolated (via dolphin.profile for example), and therefore also unknown programs without profile? Or is this a thinking error?
Nope, you can see which programs are firejailed by default: when you run `firecfg` there are `PROGRAMM created` lines. If you want to look at it again later you can run `ls -l /usr/local/bin`; every symlink to firejail is a program that will be executed by default with firejail.
firecfg also fixes .desktop files that have `Exec=/bin/PROGRAMM` or `DBusActivatable=true` (but it has a bug, #2624).
Besides, most file managers aren't firejailed by default (but have a profile). You can manually firejail every program by default by running `sudo ln -s /usr/bin/firejail /usr/local/bin/PROGRAMM`
See #1261 for reasoning as to why file managers are not sandboxed by default.
Applications are also often unsandboxed if they are referenced in an application as helper applications by using their full path, which means that their symlinks in /usr/local/bin are bypassed. Example: krusader
Seems like the question was answered, so lemme close this. @FOSSONLY, please feel free to re-open if you have further questions.
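An added example, not part of the original thread or of firejail itself: a shell audit of the two points made above, listing which programs have a firejail symlink and which .desktop launchers skip that symlink by using an absolute `Exec=` path. The function names and the directory arguments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Audit firejail symlink coverage (illustrative helper, not shipped with firejail).

# Print the name of every entry in a bin dir that is a symlink to firejail.
list_firejailed() {
    bindir=${1:-/usr/local/bin}
    for link in "$bindir"/*; do
        [ -L "$link" ] || continue
        case "$(readlink "$link")" in
            firejail|*/firejail) basename "$link" ;;
        esac
    done
}

# Print "file: command" for each .desktop entry whose Exec= starts a
# firejailed program through an absolute path outside bindir, so the
# symlink in bindir is never consulted.
find_bypassing_desktop() {
    bindir=$1
    appdir=$2
    jailed=$(list_firejailed "$bindir")
    for f in "$appdir"/*.desktop; do
        [ -f "$f" ] || continue
        # The first token after Exec= is the command to run.
        sed -n 's/^Exec=\([^ ]*\).*/\1/p' "$f" | while read -r cmd; do
            case "$cmd" in
                "$bindir"/*) continue ;;  # goes through the symlink
                /*) ;;                     # absolute path elsewhere: check it
                *) continue ;;             # bare name: resolved via PATH
            esac
            prog=$(basename "$cmd")
            if printf '%s\n' "$jailed" | grep -qxF -- "$prog"; then
                echo "$(basename "$f"): $cmd"
            fi
        done
    done
}

# Usage: sh audit.sh /usr/local/bin /usr/share/applications
if [ "$#" -eq 2 ]; then
    find_bypassing_desktop "$1" "$2"
fi
```

A bare command name in `Exec=` is only sandboxed when the symlink directory comes before the real binary's directory in `PATH`, which the script does not verify.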