Profile requests #1139

$ firejail --noprofile --noblacklist=/usr/bin/bwrap /usr/bin/nyxt
Parent pid 440743, child pid 440744
Child process initialized in 5.28 ms
Nyxt version 3.9.2
<INFO> [15:11:29] Source location: #P"/usr/share/nyxt/"
<INFO> [15:11:29] Listening to socket: #P"/run/user/1000/nyxt/nyxt.socket"

(nyxt:2): libenchant-WARNING **: 15:11:29.703: Error loading plugin: libhspell.so.0: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:29.704: Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:29.704: Error loading plugin: libvoikko.so.1: cannot open shared object file: No such file or directory

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (nyxt:2): ERROR **: 15:11:29.999: Failed to fully launch dbus-proxy: Child process exited with code 1
<WARN> [15:11:29] Warning: Error in FFI method: The value
  :INVALID-CODE-OBJECT-AT-PC
is not of type
  (SIMPLE-ARRAY (SIGNED-BYTE 32) (*))
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:30] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:30] Warning: Web process terminated for buffer 6528 (opening ) because it crashed

(process:2): Gtk-CRITICAL (recursed) **: gtk_box_pack: assertion 'GTK_IS_WIDGET (child)' failed
fatal error encountered in SBCL pid 2 tid 12:
SIGABRT received.

   0: fp=0x7f55bbbcf6c0 pc=0x7f55cc2bd83c Foreign function (null)

Parent is shutting down, bye...

$ firejail --profile=noprofile /usr/bin/nyxt
Reading profile /etc/firejail/noprofile.profile
Parent pid 440852, child pid 440853
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 6.67 ms
Nyxt version 3.9.2
<INFO> [15:11:55] Source location: #P"/usr/share/nyxt/"
<INFO> [15:11:56] Listening to socket: #P"/run/user/1000/nyxt/nyxt.socket"

(nyxt:2): libenchant-WARNING **: 15:11:56.172: Error loading plugin: libhspell.so.0: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:56.173: Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory


(nyxt:2): libenchant-WARNING **: 15:11:56.173: Error loading plugin: libvoikko.so.1: cannot open shared object file: No such file or directory

bwrap: Can't mount proc on /newroot/proc: Operation not permitted

** (nyxt:2): ERROR **: 15:11:56.477: Failed to fully launch dbus-proxy: Child process exited with code 1
<WARN> [15:11:56] Warning: Error in FFI method: The value
  :INVALID-CODE-OBJECT-AT-PC
is not of type
  (SIMPLE-ARRAY (SIGNED-BYTE 32) (*))
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:56] Warning: Web process terminated for buffer 6579 (opening nyxt:new) because it crashed
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
<WARN> [15:11:56] Warning: Web process terminated for buffer 6528 (opening ) because it crashed

(process:2): Gtk-CRITICAL (recursed) **: gtk_box_pack: assertion 'GTK_IS_WIDGET (child)' failed
fatal error encountered in SBCL pid 2 tid 12:
SIGABRT received.

   0: fp=0x7f36c6dcf6c0 pc=0x7f36d74fe83c Foreign function (null)

Parent is shutting down, bye...

Too bad firejail and bwrap don't work together. firejail blocks file access for browsers by default except for the download folder, bwrap doesn't do that. I'll see if I can find some bwrap documentation somewhere where I can set this.

glitsj16 · 2023-11-30T15:35:42Z

@marek22k Yup, those incompatibilities are indeed a pain. Maybe you can try containing nyxt with bubblejail, which is bubblewrap-based.

rusty-snake · 2023-11-30T19:00:44Z

(1) Behind the scenes --noprofile uses /etc/default.profile

No. It is more like --profile=/dev/null (I.e. empty.profile).

Longer firejail+bwrap discussions should happen in a new Discussion.

marek22k · 2023-12-06T20:41:31Z

I would be happy about a profile for Apache NetBeans IDE.

Maybe something like the following:

include netbeans.local
include globals.local

noblacklist ${HOME}/.netbeans

ignore include disable-devel.inc
ignore include disable-exec.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc


include allow-common-devel.inc
include disable-common.inc
include disable-programs.inc

caps.drop all
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp

private-cache
private-dev
private-tmp

restrict-namespaces

ilikenwf · 2024-02-15T04:54:45Z

I'd like a profile for Armcord, as it seems hamsket is not developed anymore. As an aside, what's the difference between including the hardened electron profile and the normal one?

Either way, something like the following (it uses gio for opening links).

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
#include electron-common.profile # to use this we'd need to ignore the no private-lib directive?

mkdir ${HOME}/.config/ArmCord
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ArmCord
include whitelist-common.inc

dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none

dbus-user.talk org.mozilla.librewolf.*
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*

private-lib gio

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink

dev-uhuru · 2024-02-21T11:41:00Z

I have tweaked some electron profile for Joplin (distributed as appimage). Happy to share my file with the notes of what I tried and didn't. A cleaned up version below (i removed all comments):

#   NOBLACKLISTS
noblacklist ${HOME}/.config/Electron
noblacklist ${HOME}/.config/electron*-flag*.conf

#   ALLOW INCLUDES
#   BLACKLISTS
blacklist /usr/libexec

#   DISABLE INCLUDES
include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc
include disable-shell.inc

# content of disable-exec.inc - removed noexec /tmp, prevented joplin from starting
noexec ${HOME}
noexec ${RUNUSER}
noexec /dev/mqueue
noexec /dev/shm
noexec /run/shm
noexec /var

include chromium-common-hardened.inc.profile

#   NOWHITELISTS

#   MKDIRS
mkdir ${HOME}/.config/Joplin
mkdir ${HOME}/.config/joplin-desktop

#   WHITELISTS
whitelist ${HOME}/.config/Joplin
whitelist ${HOME}/.config/joplin-desktop
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Electron
whitelist ${HOME}/.config/electron*-flag*.conf

#   WHITELIST INCLUDES
include whitelist-runuser-common.inc
include whitelist-var-common.inc

#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
notv
nou2f
novideo

#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
disable-mnt
private-cache
private-tmp

#   DBUS FILTER
dbus-user filter
dbus-user.talk org.freedesktop.Notifications
dbus-system none

Then launching with: firejail --appimage --profile=joplin --nosound /path/to/Joplin.AppImage

glitsj16 · 2024-02-21T20:50:58Z

@dev-uhuru Nice! Feel free to open a PR for joplin.profile. We can help work out any specifics for the non-appimage version (if there are any). Thanks for sharing.

RundownRhino · 2024-03-22T00:59:56Z

I recently set up KDE connect and plasma-browser-integration for firefox (Linux Mint 21.2) and it seems that the comments in the profile are slightly outdated.
In addition to these lines in firefox.local:

# Add the next lines to your firefox.local for plasma browser integration.
dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
dbus-user.talk org.kde.JobViewServer
dbus-user.talk org.kde.kuiserver

(and to ignore dbus-user none and include firefox-common-addons.profile in firefox-common.local), after investigating via firejail --profile=firefox.profile --dbus-user.log firefox I found out I also needed to enable this dbus route:

dbus-user.talk org.kde.kdeconnect

This should probably be added to the comment in firefox.local, if someone can replicate this issue.

glitsj16 · 2024-03-22T11:49:39Z

@RundownRhino Thanks for reporting. Comments are prone to gather dust as software moves on. Can you open a PR for it?

RundownRhino · 2024-03-23T04:38:24Z

@glitsj16 Opened a PR. As a side note, it seems include firefox-common-addons.profile is not necessary for this extension to work, but rather breaks all firefox sound when enabled. Not sure why, maybe from the ignore whitelists that it does.

konstantin1722 · 2024-04-16T14:35:53Z

Hi, I have sketched out a profile for Obsidian, I needed it urgently. I've been looking into it for a couple of hours, so I think more knowledgeable people will suggest improvements. But it already works for appimage and binary.

# Save this file as "obsidian.profile" in ~/.config/firejail directory. Firejail will find it
# automatically every time you sandbox your application.

### Basic Blacklisting ###
include disable-common.inc          # dangerous directories like ~/.ssh and ~/.gnupg
include disable-devel.inc           # development tools such as gcc and gdb
include disable-exec.inc            # non-executable directories such as /var, /tmp, and /home
include disable-interpreters.inc    # perl, python, lua etc.
include disable-programs.inc        # user configuration for programs such as firefox, vlc etc.
include disable-xdg.inc             # standard user directories: Documents, Pictures, Videos, Music

#include disable-shell.inc           # sh, bash, zsh etc.

### Home Directory Whitelisting ###
whitelist ${HOME}/.gitconfig
whitelist ${HOME}/.config/git

whitelist ${HOME}/.pki/nssdb
whitelist ${HOME}/.cache/AMD
whitelist ${HOME}/.cache/nvidia
whitelist ${HOME}/.local/share/vulkan
whitelist ${HOME}/.local/share/vulkan/implicit_layer.d
whitelist ${HOME}/.config/vulkan
whitelist ${HOME}/.local/share/vulkan/loader_settings.d
whitelist ${HOME}/.config/kdedefaults
whitelist ${HOME}/.Xdefaults-desktop-pc
whitelist ${HOME}/.config/kdedefaults/gtk-3.0
whitelist ${HOME}/.cache/mesa_shader_cache
whitelist ${HOME}/.local/share/applnk
whitelist ${HOME}/.config/obsidian

include whitelist-common.inc

### Filesystem Whitelisting ###
whitelist /run/systemd/machines/api.obsidian.md
whitelist /run/systemd/resolve/io.systemd.Resolve
whitelist /run/systemd/machines/raw.githubusercontent.com
whitelist /run/udev/control

include whitelist-run-common.inc
include whitelist-runuser-common.inc

whitelist /usr/share/applnk

include whitelist-usr-share-common.inc
include whitelist-var-common.inc

#apparmor       # if you have AppArmor running, try this one!

caps.drop all
ipc-namespace

#no3d           # disable 3D acceleration
#nodvd          # disable DVD and CD devices
#nogroups       # disable supplementary user groups
#noinput        # disable input devices
#novideo        # disable video capture devices

nonewprivs
noroot
?HAS_APPIMAGE: notv            # disable DVB TV devices
?HAS_APPIMAGE: nou2f           # disable U2F devices

protocol unix,inet,inet6,netlink,

# If you need networking, enable the firewall and disable "net none"
#net none        # disable network
netfilter       # enable default firewall in sandbox

seccomp !chroot # allowing chroot, just in case this is an Electron app
shell none

#tracelog       # send blacklist violations to syslog

disable-mnt     # no access to /mnt, /media, /run/mount and /run/media

private-bin git,cat,gawk,tr,realpath,cut,grep,basename,bash,obsidian,electron28
private-dev
private-etc gitattributes,gitconfig,ca-certificates,libva.conf,vulkan,ati,nsswitch.conf,hosts,xdg,gtk-3.0,drirc,fonts,gnutls,

?HAS_APPIMAGE: private-lib
?HAS_APPIMAGE: private-tmp

#dbus-user none
#dbus-system none
dbus-user filter

There's a resolution for git, as I'm using the Obsidian plugin for git.

whitelist ${HOME}/.gitconfig
whitelist ${HOME}/.config/git

...

private-bin ...git,...

Launch commands:

firejail --appimage --profile=/home/$USER/.config/firejail/obsidian.profile ./Obsidian-1.5.12.AppImage
# or
firejail --profile=/home/$USER/.config/firejail/obsidian.profile /usr/bin/obsidian

I left some things commented out as I didn't fully understand them. I'm interested in a discussion on this profile, anyone have any tips for improvement?

UPD: #6314

kmk3 · 2024-04-16T14:41:45Z

Hi, I have sketched out a profile for Obsidian

I left some things commented out as I didn't fully understand them. I'm
interested in a discussion on this profile, anyone have any tips for
improvement?

Please open a pull request for it; this issue is not a good place for reviews.

tmarplatt · 2024-05-09T05:18:00Z

I humbly request profile support for DaVinci Resolve for Linux, a non-linear video editor application. It requires input and gpu dev access. It is released as a self-contained AppImage executable.

The file is free to download but the website may hide the download link and ask you to register before download.

I've not managed to get it working on Linux Mint 21.3. It seems to require elevated privileges and it looks like that conflicts with --appimage.

glitsj16 · 2024-05-09T08:20:05Z

@tmarplatt

I've looked into 'DaVinci Resolve for Linux'. Don't have the hardware to actually use it, but there are a few things you might try.

First of all, its not the program itself that's distributed as AppImage, but its installer. That ties in to your remark that it requires elevated privileges. Anything that wants to install files to the system-wide directories (e.g. /opt/DaVinciResolve) will need sudo, nothing new or unexpected there. The foo.run file (the AppImage) also supports installing into your ${HOME} via the -C switch (see ./foo.run -h for details). TL;DR Install the program first and after doing so you can start testing/creating a firejail profile for it.

Other observations. This is not your 'common' application, and there seem to be loads of potential roadblocks (not very surprising with proprietary software). I consulted the Arch Wiki page while investigating, might be helpful on your Linux Mint too: https://wiki.archlinux.org/title/DaVinci_Resolve. There are several AUR packages available that you can look at for guidance on how to get it properly installed (if you're familiar with Arch Linux's PKGBUILD format).

To save some time and hair-pulling you can check upfront if Firejail is actually able to sandbox DaVinci Resolve properly by running it via the noprofile.profile. Depending on where you've installed that could look like firejail --profile=noprofile /opt/resolve/bin/resolve. If the program doesn't work with that profile it will not be possible to use Firejail for sandboxing it.

Far from ideal and very likely a lot of moving parts. The PDF that came with the download actually mentions 'Installing DaVinci Resolve’s Rocky Linux ISO' in a VM. IMO that's going to be the easier route.

HTH

vinoff · 2024-05-25T12:15:54Z

vesktop: https://github.com/Vencord/Vesktop

Vesktop is a custom Discord App aiming to give you better performance and improve linux support

glitsj16 · 2024-05-25T14:14:20Z

@vinoff

We'll look into vesktop. In the mean time it would be very helpful if you could provide some details on this program. Especially, as it is a Discord clone, my first thoughts are to try to integrate a vesktop.profile into our existing discord-common.profile. Can you tell us where vesktop stores its data? E.g. does it also use ${HOME}/.config/discord or does it have its own dedicated location? Also interesting to know would be the path under which vesktop's executable is installed (/opt/vesktop or somewhere else)?

HTH

ilikenwf · 2024-05-30T16:30:48Z

I'd like a profile for Armcord, as it seems hamsket is not developed anymore. As an aside, what's the difference between including the hardened electron profile and the normal one?

Either way, something like the following (it uses gio for opening links).

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
#include electron-common.profile # to use this we'd need to ignore the no private-lib directive?

mkdir ${HOME}/.config/ArmCord
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ArmCord
include whitelist-common.inc

dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none

dbus-user.talk org.mozilla.librewolf.*
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*

private-lib gio

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink

This works but netfilter needs removed otherwise.

glitsj16 · 2024-05-30T18:17:41Z

@ilikenwf

As an aside, what's the difference between including the hardened electron profile and the normal one?

The following options can be added to the sandbox when your kernel supports unprivileged namespaces (which the tradional,larger distro's have for a while now):

caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp !chroot

This results in a significant hardening of the sandbox. So if you can, it's advised to enable it.
We shuffled around a few includes in the git version as compared to 0.9.72. The actual hardening needs to be enabled now via blink-common.local that has the one-liner include blink-common-hardened.inc.profile.

Based on the ArmCord packages available in the AUR I've created the below (untested) armcord.profile. It would be awesome if you could test it, but as hinted above, you'll need the firejail-git version to do so.

$ cat ~/.config/firejail/armcord.profile
# Firejail profile for armcord
# Description: Standalone Discord client
# This file is overwritten after every install/update
# Persistent local customizations
include armcord.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/ArmCord

# sh is needed to allow Firefox to open links
#include allow-bin-sh.inc

ignore noexec ${HOME}

mkdir ${HOME}/.config/ArmCord
whitelist ${HOME}/.config/ArmCord
#whitelist /opt/Armcord
whitelist /opt/armcord
whitelist /usr/share/armcord

# The lines below are needed to find the default Firefox profile name, to allow
# opening links in an existing instance of Firefox (note that it still fails if
# there isn't a Firefox instance running with the default profile; see #5352)
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini

ignore novideo
private-bin armcord

dbus-user filter
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*
dbus-user.talk org.freedesktop.Notifications
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*
ignore dbus-user none

join-or-start armcord

# Redirect
include electron-common.profile

neurodiverseEsoteric · 2024-05-31T20:26:18Z

Floorp?

glitsj16 · 2024-05-31T20:50:46Z

@neurodiverseEsoteric

We have floorp.profile now. You can either use firejail-git or wait until it comes down whenever your OS receives the upcoming 0.9.74 release.

neurodiverseEsoteric · 2024-05-31T20:54:10Z

oh ok thanks

Description: Standalone Discord client. https://armcord.app/ https://github.com/NextWork123/ArmCord Requested in netblue30#1139 (comment).

Description: Standalone Discord client. https://armcord.app/ https://github.com/NextWork123/ArmCord Requested in #1139 (comment).

imgurbot12 · 2024-06-16T00:22:34Z

vesktop: https://github.com/Vencord/Vesktop

Vesktop is a custom Discord App aiming to give you better performance and improve linux support

@glitsj16

I came up with the following profile which could be used to start with:

# Custom FireJail Profile for Vesktop
include globals.local

# allow discord access to config directory
noblacklist ${HOME}/.config/discord
mkdir       ${HOME}/.config/discord
whitelist   ${HOME}/.config/discord

# allow Vencord access to config directory
noblacklist ${HOME}/.config/Vencord
mkdir       ${HOME}/.config/Vencord
whitelist   ${HOME}/.config/Vencord

# allow vesktop access to config directory
noblacklist ${HOME}/.config/vesktop
mkdir       ${HOME}/.config/vesktop
whitelist   ${HOME}/.config/vesktop

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

# disable temp
private-tmp
noexec /tmp

# additional restrictions
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink

# Below is modified `discord-common.profile`
# ==========================================
include discord-common.local

ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore apparmor
ignore disable-mnt
ignore private-cache
ignore dbus-user none
ignore dbus-system none

ignore noexec ${HOME}
ignore novideo

private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh,discord,vesktop
private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl

include electron.profile

It does require vesktop to be run with --no-sandbox because otherwise you get:

The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Vesktop/chrome-sandbox is owned by root and has mode 4755.

which I'm not sure how to fix.

glitsj16 · 2024-06-16T02:22:48Z

@vinoff @imgurbot12

Here's a vesktop.profile you can test with Firejail 0.9.72. See https://gist.github.com/glitsj16/174ba5da566f3948d1716676e353daf3 for details.

HTH

imgurbot12 · 2024-06-16T03:21:18Z

@vinoff @imgurbot12

Here's a vesktop.profile you can test with Firejail 0.9.72. See https://gist.github.com/glitsj16/174ba5da566f3948d1716676e353daf3 for details.

HTH

Major thanks @glitsj16, testing now but I'm having some issues. Will post in the gist to avoid bloating the convo here.

This was referenced Mar 10, 2017

Why not a profile for Tor Messenger #973

Closed

New profiles #1003

Closed

request: a profile for amule #1092

Closed

netblue30 added the enhancement New feature request label Mar 10, 2017

netblue30 mentioned this issue Mar 10, 2017

Profile requests #825

Closed