Firejail: Wiki: Frequently Asked Questions

Created on 22 Jun 2019 · 44 comments · Source: netblue30/firejail

The text on support/FAQ is an ideal candidate for the wiki.

Edit:

New FAQ page here: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions

wiki


All 44 comments

content to add for FAQ: #1385, #2046, #2387
[TODO:review]

(keyword "help" and "tip", searching for open issues)
Tips to add for FAQ: #404, #1652
GUI stuff: #2707

[mark as outdated]

done

I started translating the FAQ to Markdown: https://gist.github.com/rusty-snake/3b62c4c433320415dee6f1f836887d5f

EDIT: I also added some comments (`<!--TODO:`) about the content.

~Note: Update the FAQ link in the README when this is finished.~ done

I'll move it in the wiki today!

New wiki page, thanks @rusty-snake, start editing! I'm not sure what I'll do with the one on the web page, probably I'll redirect it to wiki.

done

  • [x] TODOs I noted in https://gist.githubusercontent.com/rusty-snake/3b62c4c433320415dee6f1f836887d5f/raw/6b3f8cada23e8fa839f239d774c3329e441a7d3c/FAQ.md

    1. > Firefox crashing on Netflix, AMDGPU PRO, Nvidia closed source drivers
       > Example:
       > `$ firejail --allow-debuggers --ignore=seccomp --ignore=protocol firefox --no-remote`

       :ballot_box_with_check: Should we add --ignore=noroot --ignore=nonewprivs … ?
    2. > How do I run two instances of Firefox?
       > Then, start the second sandbox:
       > `$ firejail --private firefox --no-remote`

       :ballot_box_with_check: TODO: --private will lose everything, consider another solution:

       • ~--private=~/second-ff~
       • firejail firefox -P "SecondFFprofile" --no-remote

         SecondFFprofile must first be created on about:profiles
    3. > The best way to handle the command line switch is to place it in a
       > custom profile in ~/.config/firejail file in your home directory.
       > Create a vlc.profile text file in this directory, with the following content:
       > `$ cat ~/.config/firejail/vlc.profile`
       > `include /etc/firejail/vlc.profile`
       > `net none`

       :ballot_box_with_check: Consider using vlc.local
  • [x] > Patched security profiles for are available for Firejail versions 0.9.38.x (LST) and 0.9.52. You can find them in our profile fixes section. Another option is to install Firejail 0.9.54.

    Add a link, maybe we should also add/move the instruction.

  • [x] "s/–/--/g"

@rusty-snake - go for it!

For the PulseAudio FAQ https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#pulseaudio-7080-issue it says

> It affects among others Arch, Ubuntu 16.04 and Mint users. This problem was fixed in PulseAudio version 9.0.

Since this issue is only present for pulseaudio 7 or 8, and currently on Arch pulseaudio is at version 12.2, any reason to leave Arch in the list?

Arch removed from PulseAudio issue!

#404 defines an improved strace hint, which belongs to the guide and does not make sense to separate.

1652 is a GNOME guide for Xephyr; does anybody use that frequently, or is that not already discussed in a guide?

2707 used a reference to overlayfs, which is described in another guide.

@rusty-snake https://github.com/netblue30/firejail/projects/1 explains several things. Do you want me to write some tests on that for explanation?
I do not get exactly what the use cases are and would likely write maybe one sentence on each functionality.
Regarding https://github.com/netblue30/firejail/issues?&q=is%3Aissue+label%3Aquestion and https://github.com/netblue30/firejail/issues?&q=is%3Aissue+label%3Ainformation: would it maybe not be easier to tag them as FAQ or hint at proper searching for the user on GitHub?
Copy-pasting loads of text for uncertain gain does not look super interesting to me.

> https://github.com/netblue30/firejail/projects/1 explains several things

I think only the Usage section is good for the FAQ, the others are better for their own page.

> https://github.com/netblue30/firejail/issues?&q=is%3Aissue+label%3Aquestion, https://github.com/netblue30/firejail/issues?&q=is%3Aissue+label%3Ainformation

That was rather meant that if you have time / energy you can go through it to see which of them are suitable.


404 Found. :rofl:

> > https://github.com/netblue30/firejail/projects/1 explains several things
>
> I think only the Usage section is good for the FAQ, the others are better for their own page.

Will look into that.

> > https://github.com/netblue30/firejail/issues?&q=is%3Aissue+label%3Aquestion, https://github.com/netblue30/firejail/issues?&q=is%3Aissue+label%3Ainformation
>
> That was rather meant that if you have time / energy you can go through it to see which of them are suitable.

I did request a search option for duplicates in GitHub and will do it by that means. Aside from that, hopefully soon the related options are searchable/usable to group issues.

> 404 Found. :rofl:

xD

@netblue30
What do you want to do with all the questions/comments on the support page?
Are there tools for extracting the comments and importing them into another GitHub repo?
Or do you think it is even worth the effort?

@rusty-snake I was thinking of explaining one profile, but after a while I realized
that it is more useful to integrate that into the profile creation (for the part Usage).

So the overall idea is to change name of "Wiki: creating profile" to "Wiki: Usage and Profiles".
I have several duplicate stuff already and generally the shell parameters are quite the same as the profile options.
dirty idea thingy to be integrated:
https://gist.github.com/matu3ba/2fe10dc599d1f0671a23cce8aeb0a975
What do you think?

I think that creating profiles should contain all information that makes writing your own profiles easier, so what about splitting a small usage out of your idea and adding it to FAQ and the rest to Creating profiles?

> What do you want to do with all the questions/comments on the support page?

Maybe we can extract some of the questions/solutions they come up with, but other than that it is not worth the trouble importing them.

https://github.com/netblue30/firejail/issues/2812

Quite a common question, I'll add it to the FAQ.


more to add:

* https://github.com/netblue30/firejail/projects/1 (some points are better for a new page or for creating a profile)

I did write the usage to the Wiki:Create profile in #2748.
Could you elaborate which points are useful to explicitly mention besides the README.md regarding the command line?

* (not all)

TODO-list

FAQ questions
* Symlink fixing (installation path in /usr/local, i.e. #1995, #2629)
* Apparmor activation/deactivation/integration testing #1987
* Allowing specific profiles #2097
* Whitelist and Blacklist bugs? #2419

maybe (user could easily search for that in FAQ)/other place might be better
* Running inside Docker not supported #1956

404 defines an improved strace hint, which belongs to the guide and does not make sense to separate.

1652 is a GNOME guide for Xephyr; does anybody use that frequently, or is that not already discussed in a guide?


[Mark as outdated]

* (not all) https://github.com/netblue30/firejail/issues?&q=is%3Aissue+label%3Ainformation

* #2795

TODO:

2812 tor browser fix, should be already done, but I do not see that (yet)

2795 firefox mailto, #1718 mailto for chromium,

2579 #692 adding information about the incompatibility of running firejail inside docker (no virtualization as goal of firejail)

2291 apparmor local customizations (fixing apparmor)

1521 root permission crash/using firejail on root users server (separate guideline?)

833 read-only well known inconsistency, #402 #158

maybe (elsewhere)

2480 is related to read-only (missing tests and documentation)

1569 whitelist blacklist discussion

593 cgroup guideline

1600 wlan interfaces with firejail guideline?


[Mark as outdated]

> `$ firejail --allow-debuggers --ignore=seccomp --ignore=protocol --ignore=noroot --ignore=nogroups --ignore=nonewprivs firefox --no-remote`

I don't like recommending this, nor have I seen it necessary. Where is it from?

@SkewedZeppelin from the wordpress FAQ.

line 135: https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions/_compare/edf31690da5d6fe123482a3b7d21aef013f53b54

I add only --ignore=noroot --ignore=nogroups --ignore=nonewprivs.

FAQ killing process
ip tables filter (better guideline, no FAQ)
Did you identify any further useful FAQs?

[Mark as Outdated]

Netflix (Widevine CDM) should only need `browser-allow-drm yes`.
The only time ptrace is used is with Widevine CDM under Chromium in certain edge cases, iirc.

and I thought ignore noroot was all that was needed for NVIDIA proprietary drivers?

I haven't tested AMDGPU PRO in a while but I don't think it uses any SUID binaries like the NVIDIA ones, so it can be removed from there.

Last update of tasks 2019-07-02
Last update of work 2019-07-08

FAQ
information
* #2812 tor browser fix
* #2795 firefox mailto, #1718 mailto for chromium
* #2579 #692 adding information about the incompatibility of running firejail inside docker (no virtualization as goal of firejail)
* #2291 apparmor local customizations (fixing apparmor)
* #833 read-only well known inconsistency, #402 #158
* #1521 root permission crash/using firejail on root users server ((new) server guideline, hint)

question
* Apparmor activation/deactivation/integration testing #1987
* Symlink fixing (installation path in /usr/local, i.e. #1995, #2629) [common problem]
* Allowing specific profiles #2097
* Whitelist and Blacklist bugs? #2419

elsewhere
information
* #2480 is related to read-only
* 1569 whitelist blacklist discussion [add infos to profiles]
* 593 cgroup guideline [new guideline]
* 1600 wlan interfaces with firejail [new guideline]

questions
* Running inside Docker not supported #1956
* 404 defines improved strace hint [add infos to guideline or/and move guideline from website]
* 1652 is a gnome guide for xephyr [??? lately no bug requests on xephyr]
* FAQ killing process [addition of example to FAQ?]
* [ip tables filter (better guideline, no FAQ)](https://firejail.wordpress.com/support/comment-page-1/#comment-293) [new/better guideline]

Outdated and apparmor should be sufficiently explained in man page.

Last update of tasks 2019-07-02
Last update of work 2019-07-09

Common problem

  1. Symlink fixing (installation path in /usr/local) #1995 #2629
  2. whitelist and blacklist #2419, whitelist-blacklist discussion #1569
  3. allowing specific profiles #2097

Guidelines

  1. server #1521
  2. cgroup #593
  3. wlan interfaces #1600, ip tables filter
  4. strace #404
  5. Xephyr ??? #1652

Can we please not use the hide/resolve comment feature?
I know it can be handy, but evil GitHub prevents non-logged in users from reading hidden comments (even ones that aren't spam and are simply outdated/resolved) for whatever crazy reason.

Commenting here since this issue has the most hidden comments.

@SkewedZeppelin


Summary

const x = 1

explained in here could be used, or can you think of a better way?
I don't like the need to write the annoying tags, so I requested a GitHub functionality for this.

@matu3ba

> I don't like the need to write the annoying tags, so I requested a GitHub functionality for this.

Easier: GH allows all users to show the comments.

@SkewedZeppelin OK, that's real evil from GH. I will not use it for now, but one question: do you mean that also for the profile request issue or just for the wiki issues?

TODO

  1. allowing specific profiles #2097
  2. LD_PRELOAD, once finished

@matu3ba I don't really understand what your new "A program does not start with firejail" point is about. starts the program fine, but not in firejail or firejail breaks the program from starting.

@rusty-snake It is the description of the problem.
Do you have a better idea how to reformulate?
Or shall I leave it out?

firejail --list does not show the running program to be inside a firejail sandbox.

  1. There is no firejail profile

@matu3ba that makes no sense, because `firejail PROGRAM_WITHOUT_PROFILE` will load the default profile.

~#2953~

2880

3173

3185

3224 zombies

3100 common signalling problems in applications

@NetSysFire

- First make sure you have run `sudo firecfg`.
+ First make sure you have run `firecfg` as root.
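Review bot: the `+` line loses a distinction that matters for the step it describes: as the reply below notes, firecfg performs the desktop-file fix-up only when it is started through sudo, so "run `firecfg` as root" (for example from a root shell) is not equivalent to `sudo firecfg`. Keep `sudo firecfg`, or state explicitly that it must be invoked via sudo rather than from a root login.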

There is a huge difference between running firecfg as root and `sudo firecfg`:
firecfg only performs a desktop-file fix-up if it is started with sudo.

IMHO: the explicit note for `firejail /opt/foo/bar` was easier for unskilled users.

I made some relatively small changes to the page.

One thing that is still missing imo is a section or even a page on how to debug errors.

@NetSysFire You can find this here. Probably the name should be Debugging Tips instead of Developing Firejail, since there was no activity on that wiki page for a long time.

This will not help the average user to debug common issues, like a broken profile. I would like to add something like this:

  • run it in your terminal if you have not done that already, the output may contain relevant errors
    • also try to increase the verbosity of the affected application because it may report that it can not access a specific file or directory
    • if it segfaults, check your syslog for audit messages which indicate a blocked syscall
  • try using the default profile (--profile=default)
  • use the --debug* arguments
  • ...

I will probably add this to the debugging page later but the list is not complete yet.

Hints on how to debug a specific error message would also be very useful. `Error: proc 30891 cannot sync with peer: unexpected EOF` for example is not that easy to understand.
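For the "check your syslog for audit messages" step in the list above, here is an added example (not code from the Firejail project, the wiki, or this thread): a POSIX shell helper that picks the seccomp audit records out of a kernel log extract and reports which process hit which syscall number, with the log lines constructed for the demo. It assumes that `firejail --debug-syscalls` prints one "NR - name" line per syscall, which is how the resolver maps numbers to names.

```shell
#!/bin/sh
# Added example, not code from the Firejail project or the wiki.
# Kernel audit record type 1326 (AUDIT_SECCOMP) is what the kernel logs when a
# seccomp filter kills a process with SIGSYS (sig=31). Firejail's default
# seccomp list produces exactly these records when a sandboxed program calls a
# blocked syscall, which the user sees as a "segfault"/crash.

# Constructed sample log extract (what "journalctl -k" or /var/log/audit/audit.log
# might contain). Only the two type=1326 lines are seccomp kills; the type=1400
# line is an AppArmor denial and must not be reported by seccomp_hits.
SAMPLE_LOG='Jun 22 10:00:01 host kernel: audit: type=1326 audit(1561197601.123:45): auid=1000 uid=1000 gid=1000 ses=2 pid=30891 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=165 compat=0 ip=0x7f3b2c1d0a07 code=0x0
Jun 22 10:00:02 host kernel: audit: type=1400 audit(1561197602.456:46): apparmor="DENIED" operation="open" profile="firejail-default" name="/etc/shadow" pid=30891 comm="firefox"
Jun 22 10:00:03 host kernel: audit: type=1326 audit(1561197603.789:47): auid=1000 uid=1000 gid=1000 ses=2 pid=30900 comm="vlc" exe="/usr/bin/vlc" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f0a1b2c3d4e code=0x0'

# seccomp_hits: read log lines on stdin, print "PID COMM SYSCALL_NR SIGNAL"
# for every seccomp record, ignoring AppArmor and other audit types.
seccomp_hits() {
    grep 'type=1326 ' |
        sed -E 's/.*pid=([0-9]+) comm="([^"]*)".* sig=([0-9]+) .* syscall=([0-9]+).*/\1 \2 \4 \3/'
}

# seccomp_syscalls_for: distinct blocked syscall numbers for one program name
# (by comm), ready to feed to resolve_syscall.
seccomp_syscalls_for() {
    prog="$1"
    seccomp_hits | awk -v p="$prog" '$2 == p { print $3 }' | sort -un
}

# resolve_syscall: map a number to a name using the sandbox's own table.
# Assumption: "firejail --debug-syscalls" prints "NR - name" lines for the
# build's architecture, so the name is the third whitespace-separated field.
resolve_syscall() {
    firejail --debug-syscalls 2>/dev/null | awk -v n="$1" '$1 == n { print $3; exit }'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | seccomp_hits
    printf '%s\n' "$SAMPLE_LOG" | seccomp_syscalls_for firefox
fi
```

Once a number is known, the matching syscall can be allowed in the program's `.local` profile or tested with `--ignore=seccomp` to confirm the diagnosis before loosening anything permanently.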

We need to change all the dbus stuff.
