Tight Firejail profiles
This is a collection of tighter firejail (https://github.com/netblue30/firejail) profiles for certain applications. These may or may not work on your computer since some of them use seccomp filters, which may depend on architecture and OS. These were designed on Debian sid/experimental x86_64.
I am slowly switching the profiles to use a common.inc file so that maintenance becomes easier and I cut down on duplicate stuff.
Just a note: I would highly recommend using systemd to sandbox system processes. I personally do not use firejail to sandbox system processes since I'm using systemd to start the process anyway (so it's easier to use the sandboxing capabilities of systemd itself).
Currently there is one utility file in this repository: gen_libraries. gen_libraries is a collection of bash functions which helps dynamically resolve the libraries needed by a program in a more powerful way than the built-in one shipped with firejail. Most pertinently, it allows passing a folder as the first argument, in which case it will use find to locate all files within the folder and run ldd on each of them. This makes it easier, say, to compile a list for firefox.
An example script, private-profile.sh, which makes use of gen_libraries is provided in this repository as well. private-profile.sh makes it easy to generate a temporary profile for an application (usually a browser) and run the application with that profile. There are five possible arguments to the script. Positional arguments come at the end. The arguments are as follows:
- The only positional argument is the path to a
.privatefile..privatefiles define several application-specific variables which are used later in the script. More on this below. -pis the path to an existing profile. This will be used in certain circumstances.-ttoggles whether the script should create a temporary profile.-ctoggles whether the script should copy certain files or folders from the existing profile to the temporary profile.-nenables a network namespace on the given interface.
A .private file defines several application-specific variables. The following variables are recognized:
$privlibenables the dynamic generation of aprivate-libfilter. If enabled, the following variables should be defined:$genlibis the path to thegen_librariespath.$libdiris the path to the application's lib folder.$extralibs[optional] is the list of hard-coded libraries which are not automatically detected. Can be left unset if no hard-coded libraries are required.
$use_systemdenablessystemdintegration.$use_firejailenablesfirejailintegration.$profilediris the path to the directory where profiles are stored.$tocopyis the list of files to copy to the temporary profile.$destdir[optional] is the directory to generate inside the temporary profile directory. If set to""or unset, then the temporary directory itself is treated as the profile.$prognameis the command to run.$progargsis the array of arguments to pass when the program is not already running.$rprogargsis the array of arguments to pass when the program is already running.$envvars[optional] is a bash array used for setting any environment variables (now usesfirejail's environment handling!). If set to an empty array (()) or unset, no extra environment variables are passed along.
There are two example .private files in this repo, private-profiles/firefox.private and private-profiles/chromium.private.
Another example script, dropbox, is also provided which uses gen_libraries to dynamically generate the library dependencies needed to get dropbox working with a private-lib filter.
Yet another example script, google-earth-pro, is provided which uses gen_libraries to dynamically generate the library dependencies needed to get google-earth-pro working with a private-lib filter. Also note that due to some issues with google-earth-pro, the script manually removes the lock file generated by Google Earth after quitting.
List of currently-supported programs:
- Ardour 5
- Akregator
- aMule
- Blender
- Brackets
- BRL-CAD (experimental) - use the generator script
brlcad-gen.shto generate aliased profiles and setup theprivate-binpredicate. - calcurse
- Calligra
- Darktable
- Dia
- Discord
- Dropbox
- ELinks
- Feh
- Fetchmail
- Firefox (regular and ESR)
- Flameshot
- Flowblade
- Fontforge
- FreeCAD
- Geany
- Gerbera
- GIMP
- Git
- Google Chrome
- Google Earth Pro
- Gradio
- Hugin
- ImageJ
- Inkscape
- Kdenlive
- Libreoffice
- Linphone
- LMMS
- Luminance HDR
- Macrofusion
- Matlab
- Messenger For Desktop
- MPD
- mps-youtube (mpsyt)
- MPV
- MuPDF
- Mutt
- Natron (thanks @triceratops1!)
- Newsboat
- OpenShot
- Opera
- Pidgin
- ping
- Qemu (VMs should be stored in
${HOME}/qemu-vmsor editqemu-system-common.profileto whitelist the folder you store your VMs in) - profiles included forqemu-system-{i386,x86_64}, but you can create your own by building off ofqemu-system-common.profile - QPDFView
- Ricochet
- rtv
- Scribus
- Scrot
- Shotcut
- Signal Desktop
- Skype
- Slack Desktop
- SSH
- Synfig Studio
- Telegram Desktop
- Tor Browser Bundle (through the torbrowser-launcher package on Debian)
- Tor Browser profile for Arch (thanks @robotanarchy!)
- Viber
- Viewnior
- Virtualbox
- Generic terminal emulator (the profile is called x-terminal-emulator because of the /etc/alternatives system in Debian)
- Xfburn
- Youtube-dl
- Zart (thanks @triceratops1!)
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent