Profile requests #1139
1 brl-cad (a military-veteran CAD, but common in civilian environments)
|
would be nice to have profiles for |
InSync variety KDE connect
and Would be nice to have too. |
Too bad firejail and bwrap don't work together. firejail blocks file access for browsers by default except for the download folder, bwrap doesn't do that. I'll see if I can find some bwrap documentation somewhere where I can set this. |
@marek22k Yup, those incompatibilities are indeed a pain. Maybe you can try containing nyxt with bubblejail, which is bubblewrap-based. |
No. It is more like --profile=/dev/null (I.e. empty.profile). Longer firejail+bwrap discussions should happen in a new Discussion. |
I would be happy about a profile for Apache NetBeans IDE. Maybe something like the following:
|
I'd like a profile for Armcord, as it seems hamsket is not developed anymore. As an aside, what's the difference between including the hardened electron profile and the normal one? Either way, something like the following (it uses gio for opening links).
|
I have tweaked some electron profile for Joplin (distributed as appimage). Happy to share my file with the notes of what I tried and didn't. A cleaned up version below (I removed all comments):
Then launching with: |
@dev-uhuru Nice! Feel free to open a PR for joplin.profile. We can help work out any specifics for the non-appimage version (if there are any). Thanks for sharing. |
I recently set up KDE connect and plasma-browser-integration for firefox (Linux Mint 21.2) and it seems that the comments in the profile are slightly outdated.
(and to
This should probably be added to the comment in |
@RundownRhino Thanks for reporting. Comments are prone to gather dust as software moves on. Can you open a PR for it? |
@glitsj16 Opened a PR. As a side note, it seems |
Hi, I have sketched out a profile for Obsidian, I needed it urgently. I've been looking into it for a couple of hours, so I think more knowledgeable people will suggest improvements. But it already works for appimage and binary.
There's a resolution for git, as I'm using the Obsidian plugin for git.
Launch commands:
firejail --appimage --profile=/home/$USER/.config/firejail/obsidian.profile ./Obsidian-1.5.12.AppImage
# or
firejail --profile=/home/$USER/.config/firejail/obsidian.profile /usr/bin/obsidian
I left some things commented out as I didn't fully understand them. I'm interested in a discussion on this profile, anyone have any tips for improvement? UPD: #6314 |
Please open a pull request for it; this issue is not a good place for reviews. |
I humbly request profile support for DaVinci Resolve for Linux, a non-linear video editor application. It requires input and gpu dev access. It is released as a self-contained AppImage executable. The file is free to download but the website may hide the download link and ask you to register before download. I've not managed to get it working on Linux Mint 21.3. It seems to require elevated privileges and it looks like that conflicts with |
I've looked into 'DaVinci Resolve for Linux'. Don't have the hardware to actually use it, but there are a few things you might try. First of all, its Other observations. This is not your 'common' application, and there seem to be loads of potential roadblocks (not very surprising with proprietary software). I consulted the Arch Wiki page while investigating, might be helpful on your Linux Mint too: https://wiki.archlinux.org/title/DaVinci_Resolve. There are several AUR packages available that you can look at for guidance on how to get it properly installed (if you're familiar with Arch Linux's PKGBUILD format). To save some time and hair-pulling you can Far from ideal and very likely a lot of moving parts. The PDF that came with the download actually mentions 'Installing DaVinci Resolve’s Rocky Linux ISO' in a VM. IMO that's going to be the easier route. HTH |
vesktop: https://github.com/Vencord/Vesktop Vesktop is a custom Discord App aiming to give you better performance and improve linux support |
We'll look into HTH |
This works but netfilter needs removed otherwise. |
The following options can be added to the sandbox when your kernel supports caps.drop all This results in a significant hardening of the sandbox. So if you can, it's advised to enable it. Based on the ArmCord packages available in the AUR I've created the below (untested) armcord.profile. It would be awesome if you could test it, but as hinted above, you'll need the firejail-git version to do so.
$ cat ~/.config/firejail/armcord.profile
# Firejail profile for armcord
# Description: Standalone Discord client
# This file is overwritten after every install/update
# Persistent local customizations
include armcord.local
# Persistent global definitions
include globals.local
noblacklist ${HOME}/.config/ArmCord
# sh is needed to allow Firefox to open links
#include allow-bin-sh.inc
ignore noexec ${HOME}
mkdir ${HOME}/.config/ArmCord
whitelist ${HOME}/.config/ArmCord
#whitelist /opt/Armcord
whitelist /opt/armcord
whitelist /usr/share/armcord
# The lines below are needed to find the default Firefox profile name, to allow
# opening links in an existing instance of Firefox (note that it still fails if
# there isn't a Firefox instance running with the default profile; see #5352)
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini
ignore novideo
private-bin armcord
dbus-user filter
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*
dbus-user.talk org.freedesktop.Notifications
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*
ignore dbus-user none
join-or-start armcord
# Redirect
include electron-common.profile
|
We have floorp.profile now. You can either use firejail-git or wait until it comes down whenever your OS receives the upcoming |
oh ok thanks |
Description: Standalone Discord client. https://armcord.app/ https://github.com/NextWork123/ArmCord Requested in netblue30#1139 (comment).
Description: Standalone Discord client. https://armcord.app/ https://github.com/NextWork123/ArmCord Requested in #1139 (comment).
I came up with the following profile which could be used to start with:
It does require vesktop to be run with
which I'm not sure how to fix. |
Here's a HTH |
Major thanks @glitsj16, testing now but I'm having some issues. Will post in the gist to avoid bloating the convo here. |
Issue to ask for and discuss about new profiles.
Progress is tracked in: https://github.com/netblue30/firejail/projects/3?fullscreen=true
latex2*, pdf*, rst2*, pod2, pcp2pdf, wkhtmltopdf, ...
disable-sys.inc to restrict access to files in /sys/{block,bus,class,dev,devices,kernel}
io.elementary.calculator
io.elementary.calendar
io.elementary.calendar-daemon
io.elementary.camera
io.elementary.capnet-assist
io.elementary.code
io.elementary.files
io.elementary.files-daemon
io.elementary.files-pkexec
io.elementary.music
io.elementary.photos - Based on the old Shotwell code
io.elementary.terminal
io.elementary.videos
gnome-podcasts
pass
gopass
kbfsfuse (not sure if this one makes sense...)
keybase
keybase-gui
ykman
ykman-gui
gzdoom
quake
rrootage
Resolved
gnome-online-miners
Ghetto-skype
Tbb PPA
Gnome-boxes
Tor Messenger
Temaviewer
Profile requests #825 (comment)