Profile requests #1139

Open
netblue30 opened this issue Mar 10, 2017 · 290 comments
Labels: enhancement (New feature request), help wanted (Extra attention is needed)


@netblue30
Owner

netblue30 commented Mar 10, 2017

Issue to ask for and discuss new profiles.

Progress is tracked in: https://github.com/users/netblue30/projects/7

Resolved

strikethrough means won't fix

Comments which are marked as resolved contain a request/question about new profiles or a hint to a PR/commit which adds a new profile.


@nyancat18
Contributor

nyancat18 commented Mar 30, 2017

1 brl-cad (a military-veteran CAD... but common in civilian environments)

2 freecad (a civil-use CAD)

3 dia (from gnome)

4 fontforge


@Micha-Btz

Micha-Btz commented May 1, 2017

would be nice to have profiles for tvbrowser and jdownloader2 :-)


@breznak

breznak commented May 25, 2017

@neurodiverseEsoteric

oh ok thanks

kmk3 pushed a commit to glitsj16/firejail that referenced this issue Jun 6, 2024
kmk3 pushed a commit that referenced this issue Jun 6, 2024
@imgurbot12

vesktop: https://github.com/Vencord/Vesktop

Vesktop is a custom Discord App aiming to give you better performance and improve linux support

@glitsj16

I came up with the following profile which could be used to start with:

# Custom FireJail Profile for Vesktop
include globals.local

# allow discord access to config directory
noblacklist ${HOME}/.config/discord
mkdir       ${HOME}/.config/discord
whitelist   ${HOME}/.config/discord

# allow Vencord access to config directory
noblacklist ${HOME}/.config/Vencord
mkdir       ${HOME}/.config/Vencord
whitelist   ${HOME}/.config/Vencord

# allow vesktop access to config directory
noblacklist ${HOME}/.config/vesktop
mkdir       ${HOME}/.config/vesktop
whitelist   ${HOME}/.config/vesktop

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

# disable temp
private-tmp
noexec /tmp

# additional restrictions
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink

# Below is modified `discord-common.profile`
# ==========================================
include discord-common.local

ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore apparmor
ignore disable-mnt
ignore private-cache
ignore dbus-user none
ignore dbus-system none

ignore noexec ${HOME}
ignore novideo

private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh,discord,vesktop
private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl

include electron.profile

It does require vesktop to be run with --no-sandbox because otherwise you get:

The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Vesktop/chrome-sandbox is owned by root and has mode 4755.

which I'm not sure how to fix.

@glitsj16
Collaborator

glitsj16 commented Jun 16, 2024

@vinoff @imgurbot12

Here's a vesktop.profile you can test with Firejail 0.9.72. See https://gist.github.com/glitsj16/174ba5da566f3948d1716676e353daf3 for details.

HTH

@imgurbot12

> @vinoff @imgurbot12
>
> Here's a vesktop.profile you can test with Firejail 0.9.72. See https://gist.github.com/glitsj16/174ba5da566f3948d1716676e353daf3 for details.
>
> HTH

Major thanks @glitsj16, testing now but I'm having some issues. Will post in the gist to avoid bloating the convo here.

@neurodiverseEsoteric

> @neurodiverseEsoteric
>
> We have floorp.profile now. You can either use firejail-git or wait until it comes down whenever your OS receives the upcoming 0.9.74 release.

I'm running archlinux, the bleeding-edgiest of the bleeding-edges, and it's not up to version 0.9.74 yet?

Also requesting a profile for /usr/bin/webapp-manager, please...

@glitsj16
Collaborator

@neurodiverseEsoteric

> I'm running archlinux, the bleeding-edgiest of the bleeding-edges, and it's not up to version 0.9.74 yet?

On Arch Linux myself. There simply isn't a 0.9.74 release yet. Best you can do is install firejail-git from AUR and keep that in sync with the git commits.

@glitsj16
Collaborator

@neurodiverseEsoteric

> Also requesting a profile for /usr/bin/webapp-manager, please...

I've looked into webapp-manager. Although creating a dedicated Firejail profile for it is possible, it would have to create a very weak sandbox due to the upstream use of hardcoded absolute paths (see below). Also, its support for flatpaks and snaps is problematic in this context: Firejail simply can't sandbox those.

Personally I wouldn't feel comfortable using this app to run web browsers in such a weak sandbox. Other collaborators may of course see this differently and create a webapp-manager.profile in the future. So I'm not saying it won't happen. In any case, stay vigilant when using this app...

https://github.com/linuxmint/webapp-manager/blob/a061d9a4b0b1b0c3707472b93daf7f732cfc939f/usr/lib/webapp-manager/common.py#L174-L230

@neurodiverseEsoteric

@glitsj16 Oh

@Utini2000

Utini2000 commented Aug 19, 2024

OnlyOffice-Desktopeditors based on libreoffice.profile:

ignore blacklist ${HOME}/.config/onlyoffice
ignore blacklist ${HOME}/.local/share/onlyoffice
ignore join-or-start libreoffice

whitelist ${HOME}/.config/onlyoffice
whitelist ${HOME}/.config/kdedefaults
whitelist ${HOME}/.local/share/onlyoffice/

include libreoffice.profile

join-or-start onlyoffice-desktopeditors

This works for me just fine.

@rusty-snake

This comment was marked as resolved.

@emerajid

emerajid commented Sep 4, 2024

https://pulsar-edit.dev/
https://pulsar-edit.dev/about.html
https://github.com/pulsar-edit

Not much different from atom.profile, yet a few changes crept in.

# Firejail profile for pulsar
# Description: A Community-led Hyper-Hackable Text Editor
# This file is overwritten after every install/update
# Persistent local customizations
include pulsar.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-exec.inc
ignore include disable-devel.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor

disable-mnt
noblacklist ${HOME}/.pulsar
noblacklist ${HOME}/.config/Pulsar

# Allows files commonly used by IDEs
include allow-common-devel.inc

# net none
nosound

# Redirect
include electron.profile

@rusty-snake
Collaborator

16xPrompt by @leodip in #6470

@kmk3
Collaborator

kmk3 commented Sep 10, 2024

x2goserver by @mabra in #5837

@kmk3
Collaborator

kmk3 commented Sep 14, 2024

prismlauncher by @ipaqmaster in #6381

@rusty-snake
Collaborator

gifsicle and gifski by @salisbury-espinosa in #6481

@neurodiverseEsoteric

I'd like a betterbird.profile, please...

@ilikenwf
Contributor

> @ilikenwf
>
> > As an aside, what's the difference between including the hardened electron profile and the normal one?
>
> The following options can be added to the sandbox when your kernel supports unprivileged namespaces (which the traditional, larger distros have for a while now):
>
> caps.drop all
> nonewprivs
> noroot
> protocol unix,inet,inet6,netlink
> seccomp !chroot
>
> This results in a significant hardening of the sandbox. So if you can, it's advised to enable it. We shuffled around a few includes in the git version as compared to 0.9.72. The actual hardening needs to be enabled now via blink-common.local that has the one-liner include blink-common-hardened.inc.profile.
>
> Based on the ArmCord packages available in the AUR I've created the below (untested) armcord.profile. It would be awesome if you could test it, but as hinted above, you'll need the firejail-git version to do so.
>
> $ cat ~/.config/firejail/armcord.profile
> # Firejail profile for armcord
> # Description: Standalone Discord client
> # This file is overwritten after every install/update
> # Persistent local customizations
> include armcord.local
> # Persistent global definitions
> include globals.local
>
> noblacklist ${HOME}/.config/ArmCord
>
> # sh is needed to allow Firefox to open links
> #include allow-bin-sh.inc
>
> ignore noexec ${HOME}
>
> mkdir ${HOME}/.config/ArmCord
> whitelist ${HOME}/.config/ArmCord
> #whitelist /opt/Armcord
> whitelist /opt/armcord
> whitelist /usr/share/armcord
>
> # The lines below are needed to find the default Firefox profile name, to allow
> # opening links in an existing instance of Firefox (note that it still fails if
> # there isn't a Firefox instance running with the default profile; see #5352)
> noblacklist ${HOME}/.mozilla
> whitelist ${HOME}/.mozilla/firefox/profiles.ini
>
> ignore novideo
> private-bin armcord
>
> dbus-user filter
> dbus-user.talk io.gitlab.librewolf.*
> dbus-user.talk org.cachyos.cachy_browser.*
> dbus-user.talk org.freedesktop.Notifications
> # Allow D-Bus communication with Firefox for opening links
> dbus-user.talk org.mozilla.*
> ignore dbus-user none
>
> join-or-start armcord
>
> # Redirect
> include electron-common.profile

private-bin armcord breaks it under Archlinux here.
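
An added example (not part of the original thread and not Firejail's own code): a small Python check that reports which of the five hardening options listed in the comment above a profile does not set at its top level. It assumes a simplified model of `ignore` (an ignored command suppresses later lines that equal it or start with it plus a space) and does not follow `include` lines; `SAMPLE_PROFILE` is constructed from lines of the vesktop profile posted earlier in this thread.

```python
# Hardening options as listed in the comment above.
HARDENING = [
    "caps.drop all",
    "nonewprivs",
    "noroot",
    "protocol unix,inet,inet6,netlink",
    "seccomp !chroot",
]

# Constructed sample: top-level lines from the vesktop profile in this thread.
SAMPLE_PROFILE = """\
# additional restrictions
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
ignore apparmor
ignore noexec ${HOME}
include electron.profile
"""


def effective_commands(text):
    """Return the commands of one profile file that survive its own `ignore` lines.

    Assumption (simplified model): `ignore X` suppresses every later line that
    equals X or starts with "X ". Included files are not resolved.
    """
    ignores, commands = [], []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("#"):  # skip blanks and comment lines
            continue
        if line.startswith("ignore "):
            ignores.append(line[len("ignore "):])
        elif not any(line == i or line.startswith(i + " ") for i in ignores):
            commands.append(line)
    return commands


def missing_hardening(text):
    """List the hardening options the profile does not set verbatim at top level."""
    present = set(effective_commands(text))
    return [opt for opt in HARDENING if opt not in present]


if __name__ == "__main__":
    for opt in missing_hardening(SAMPLE_PROFILE):
        print("not set at top level:", opt)
```

An option reported here may still be set by an included profile, so the authoritative check is the profile as Firejail resolves it.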

@gcb
Contributor

gcb commented Nov 8, 2024

syncthing at #6536

update: I've been using this for a month on several machines and working perfectly. I think it is ready for review.

@Lonniebiz

I'd like a profile for Dbeaver:
https://dbeaver.io/

AppImage of Dbeaver:
https://github.com/valicm/dbeaver-ce-appimage/releases/tag/latest

@dmitryvakulenko

I tried to make a profile for the Zed editor but got some issues.

@ilikenwf
Contributor

ilikenwf commented Jan 2, 2025

Armcord has apparently either been renamed or migrated to "Legcord." - to support both, copy, paste, and renaming is required as everywhere we'd see "armcord," "legcord" needs to be used instead.
