Profile requests

[netblue30]

Issue to ask for and discuss about new profiles.

Progress is tracked in: https://github.com/users/netblue30/projects/7

• command line document converter (e.g. latex2*, pdf*, rst2*, pod2, pcp2pdf, wkhtmltopdf, ...)
• disable-sys.inc to restrict access to files in /sys/{block,bus,class,dev,devices,kernel}
• KVM
• jmemorize
• KTnef,
• KRDC
• discover
• KWalletManager,
• brl-cad (a millitary-veteran CAD..but common at civilian enviorments)
• https://sourceforge.net/projects/animationmaker/
• jdownloader2
• InSync
• variety
• KDE connect
• autotrace
• Y PPA Manager
• Adobe reader
• standalone flashplayer
• Adobe AIR
• cinepaint
• jahshakavr
• soulseekqt
• Tribler
• Leonflix
• upwork desktop
• Quake3
• UrbanTerror
• Citra
• makemkv
• Mellowplayer
• Stubby
• SpamAssassin
• Kile
• llpp
• zotero
• neovim
• Sia-UI
• Calculator (io.elementary.calculator)
• Calendar
  • io.elementary.calendar
  • io.elementary.calendar-daemon
• Camera (io.elementary.camera)
• Captive Portal Assistant (io.elementary.capnet-assist)
• Code (io.elementary.code)
• Files
  • io.elementary.files
  • io.elementary.files-daemon
  • io.elementary.files-pkexec
• Music (io.elementary.music)
• Photos (io.elementary.photos) - Based on the old Shotwell code
• Terminal (io.elementary.terminal)
• Videos (io.elementary.videos)
• GNOME Podcasts (gnome-podcasts)
• pass / gopass
  • pass
  • gopass
• Keybase
  • kbfsfuse (not sure if this one makes sense...)
  • keybase
  • keybase-gui
• Yubikey Manager
  • ykman
  • ykman-gui
• GZDoom (gzdoom)
• QuakeSpasm (quake)
• rRootage (rrootage)
• Renames TV Series
• deepin-screen-recorder
• Joplin
• mate-terminal
• asbru
• socat
• cordless
• Unity/Unity Hub
• pcloud
• lens
• Obsidian
• luarocks
• Stremio
• cointop
• irssi
• easytag
• mbsync
• Bitwig Studio
• radicale
• solvespace
• screen
• khard
• vdirsyncer
• cryptomator
• SRBMiner
• NBMiner
• Hypnotix
• Fwknop
• Sublime Text 4
• Hamsket
• webex
• Veloren and Airshipper
• openstego
• etcher and Ventoy
• waifu2x-converter-cpp
• MEGAsync
• seafile-client
• retroshare
• Aether
• rust-analyzer
• FireDM
• xournal-thumbnailer
• blender-thumbnailer.py
• rustup
• scour
• gnome-extensions-app
• gnome-extensions
• gnome-games
• gnome-do
• gnome-epub-thumbnailer
• gnome-kra-ora-thumbnailer
• gnome-dictionary
• gnome-translate
• x2goserver

Resolved

strikethrough means won't fix

• kwrite
• Jerry chess
• Riot.im (desktop)
• freemind
• tshark
• tcpdump
• freecad
• geary
• imagej
• macrofusion
• discord
• rambox
• gnome-online-miners
• gnome-sound-recorder
• Natron
• Cinelerra
• amule
• Calligra
• Ghetto-skype
• Blender
• Google Earth
• shotcut
• Tbb PPA
• Gnome-boxes
• Tor Messenger
• amuled
• shortwave
• WPS-Office
• Temaviewer Profile requests #825 (comment)
• Ricochet
• tvbrowser
• foliate
• RTV
• homebank
• dooble browser
• Otter browser
• mattermost desktop client
• FreeTube
• Spectacle
• Lyx
• Fractal
• Quaternion
• Youtube-Viewer
• balsa
• Minecraft Server
• Minitube
• lutris
• tutanota-desktop
• Coyim
• Avidemux
• librewolf
• pipe-viewer
• gtk-pipe-viewer
• sway
• tmux
• librecad
• Notable
• qemu-system-*
• qemu-kvm
• virt-manager
• Microsoft Edge for linux
• gh

Comments which are marked as resolved contain request/question to new profiles or a hint to a PR/a commit which adds a new profile

[nyancat18]

1 brl-cad (a millitary-veteran CAD..but common at civilian enviorments)

2 freecad (a civil-use CAD)

3 dia (from gnome)

4 fontforge

[Micha-Btz]

would be nice to have profiles for tvbrowser and jdownloader2 :-)

[breznak]

InSync
https://www.insynchq.com/

variety
http://peterlevi.com/variety/

KDE connect
https://community.kde.org/KDEConnect

RedShift
https://wiki.archlinux.org/index.php/redshift

and
Y PPA Manager
https://launchpad.net/y-ppa-manager

Would be nice to have too.

[glitsj16]

@tmarplatt

I've looked into 'DaVinci Resolve for Linux'. Don't have the hardware to actually use it, but there are a few things you might try.

First of all, its not the program itself that's distributed as AppImage, but its installer. That ties in to your remark that it requires elevated privileges. Anything that wants to install files to the system-wide directories (e.g. /opt/DaVinciResolve) will need sudo, nothing new or unexpected there. The foo.run file (the AppImage) also supports installing into your ${HOME} via the -C switch (see ./foo.run -h for details). TL;DR Install the program first and after doing so you can start testing/creating a firejail profile for it.

Other observations. This is not your 'common' application, and there seem to be loads of potential roadblocks (not very surprising with proprietary software). I consulted the Arch Wiki page while investigating, might be helpful on your Linux Mint too: https://wiki.archlinux.org/title/DaVinci_Resolve. There are several AUR packages available that you can look at for guidance on how to get it properly installed (if you're familiar with Arch Linux's PKGBUILD format).

To save some time and hair-pulling you can check upfront if Firejail is actually able to sandbox DaVinci Resolve properly by running it via the noprofile.profile. Depending on where you've installed that could look like firejail --profile=noprofile /opt/resolve/bin/resolve. If the program doesn't work with that profile it will not be possible to use Firejail for sandboxing it.

Far from ideal and very likely a lot of moving parts. The PDF that came with the download actually mentions 'Installing DaVinci Resolve’s Rocky Linux ISO' in a VM. IMO that's going to be the easier route.

HTH

[vinoff]

vesktop: https://github.com/Vencord/Vesktop

Vesktop is a custom Discord App aiming to give you better performance and improve linux support

[glitsj16]

@vinoff

We'll look into vesktop. In the mean time it would be very helpful if you could provide some details on this program. Especially, as it is a Discord clone, my first thoughts are to try to integrate a vesktop.profile into our existing discord-common.profile. Can you tell us where vesktop stores its data? E.g. does it also use ${HOME}/.config/discord or does it have its own dedicated location? Also interesting to know would be the path under which vesktop's executable is installed (/opt/vesktop or somewhere else)?

HTH

[ilikenwf]

I'd like a profile for Armcord, as it seems hamsket is not developed anymore. As an aside, what's the difference between including the hardened electron profile and the normal one?

Either way, something like the following (it uses gio for opening links).

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-programs.inc
#include electron-common.profile # to use this we'd need to ignore the no private-lib directive?

mkdir ${HOME}/.config/ArmCord
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/ArmCord
include whitelist-common.inc

dbus-user.talk org.freedesktop.Notifications
ignore dbus-user none

dbus-user.talk org.mozilla.librewolf.*
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*

private-lib gio

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink

This works but netfilter needs removed otherwise.

[glitsj16]

@ilikenwf

As an aside, what's the difference between including the hardened electron profile and the normal one?

The following options can be added to the sandbox when your kernel supports unprivileged namespaces (which the tradional,larger distro's have for a while now):

caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp !chroot

This results in a significant hardening of the sandbox. So if you can, it's advised to enable it.
We shuffled around a few includes in the git version as compared to 0.9.72. The actual hardening needs to be enabled now via blink-common.local that has the one-liner include blink-common-hardened.inc.profile.

Based on the ArmCord packages available in the AUR I've created the below (untested) armcord.profile. It would be awesome if you could test it, but as hinted above, you'll need the firejail-git version to do so.

$ cat ~/.config/firejail/armcord.profile
# Firejail profile for armcord
# Description: Standalone Discord client
# This file is overwritten after every install/update
# Persistent local customizations
include armcord.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/ArmCord

# sh is needed to allow Firefox to open links
#include allow-bin-sh.inc

ignore noexec ${HOME}

mkdir ${HOME}/.config/ArmCord
whitelist ${HOME}/.config/ArmCord
#whitelist /opt/Armcord
whitelist /opt/armcord
whitelist /usr/share/armcord

# The lines below are needed to find the default Firefox profile name, to allow
# opening links in an existing instance of Firefox (note that it still fails if
# there isn't a Firefox instance running with the default profile; see #5352)
noblacklist ${HOME}/.mozilla
whitelist ${HOME}/.mozilla/firefox/profiles.ini

ignore novideo
private-bin armcord

dbus-user filter
dbus-user.talk io.gitlab.librewolf.*
dbus-user.talk org.cachyos.cachy_browser.*
dbus-user.talk org.freedesktop.Notifications
# Allow D-Bus communication with Firefox for opening links
dbus-user.talk org.mozilla.*
ignore dbus-user none

join-or-start armcord

# Redirect
include electron-common.profile

[neurodiverseEsoteric]

Floorp?

[glitsj16]

@neurodiverseEsoteric

We have floorp.profile now. You can either use firejail-git or wait until it comes down whenever your OS receives the upcoming 0.9.74 release.

[neurodiverseEsoteric]

oh ok thanks

[imgurbot12]

vesktop: https://github.com/Vencord/Vesktop

Vesktop is a custom Discord App aiming to give you better performance and improve linux support

@glitsj16

I came up with the following profile which could be used to start with:

# Custom FireJail Profile for Vesktop
include globals.local

# allow discord access to config directory
noblacklist ${HOME}/.config/discord
mkdir       ${HOME}/.config/discord
whitelist   ${HOME}/.config/discord

# allow Vencord access to config directory
noblacklist ${HOME}/.config/Vencord
mkdir       ${HOME}/.config/Vencord
whitelist   ${HOME}/.config/Vencord

# allow vesktop access to config directory
noblacklist ${HOME}/.config/vesktop
mkdir       ${HOME}/.config/vesktop
whitelist   ${HOME}/.config/vesktop

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc

# disable temp
private-tmp
noexec /tmp

# additional restrictions
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink

# Below is modified `discord-common.profile`
# ==========================================
include discord-common.local

ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore apparmor
ignore disable-mnt
ignore private-cache
ignore dbus-user none
ignore dbus-system none

ignore noexec ${HOME}
ignore novideo

private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh,discord,vesktop
private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl

include electron.profile

It does require vesktop to be run with --no-sandbox because otherwise you get:

The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/Vesktop/chrome-sandbox is owned by root and has mode 4755.

which I'm not sure how to fix.

[glitsj16]

@vinoff @imgurbot12

Here's a vesktop.profile you can test with Firejail 0.9.72. See https://gist.github.com/glitsj16/174ba5da566f3948d1716676e353daf3 for details.

HTH

[imgurbot12]

@vinoff @imgurbot12

Here's a vesktop.profile you can test with Firejail 0.9.72. See https://gist.github.com/glitsj16/174ba5da566f3948d1716676e353daf3 for details.

HTH

Major thanks @glitsj16, testing now but I'm having some issues. Will post in the gist to avoid bloating the convo here.

[neurodiverseEsoteric]

@neurodiverseEsoteric

We have floorp.profile now. You can either use firejail-git or wait until it comes down whenever your OS receives the upcoming 0.9.74 release.

I'm running archlinux, the bleeding-edgiest of the bleeding-edges, and it's not up to version 0.9.74 yet?

Also requesting a profile for /usr/bin/webapp-manager, please...

[glitsj16]

@neurodiverseEsoteric

I'm running archlinux, the bleeding-edgiest of the bleeding-edges, and it's not up to version 0.9.74 yet?

On Arch Linux myself. There simply isn't a 0.9.74 release yet. Best you can do is install firejail-git from AUR and keep that in sync with the git commits.

[glitsj16]

@neurodiverseEsoteric

Also requesting a profile for /usr/bin/webapp-manager, please...

I've looked into webapp-manager. Although creating a dedicated Firejail profile for it is possible, it would have to create a very weak sandbox due to the upstream use of hardcoded absolute paths (see below). Also, its support for flatpaks and snaps is problematic in this context: Firejail simply can't sandbox those.

Personally I wouldn't feel comfortable using this app to run web browsers in such a weak sandbox. Other collaborators may of course see this differently and create a webapp-manager.profile in the future. So I'm not saying it won't happen. In any case, stay vigilant when using this app...

https://github.com/linuxmint/webapp-manager/blob/a061d9a4b0b1b0c3707472b93daf7f732cfc939f/usr/lib/webapp-manager/common.py#L174-L230

[neurodiverseEsoteric]

@glitsj16 Oh

[Utini2000]

OnlyOffice-Desktopeditors bases on libreoffice.profile:

ignore blacklist ${HOME}/.config/onlyoffice
ignore blacklist ${HOME}/.local/share/onlyoffice
ignore join-or-start libreoffice

whitelist ${HOME}/.config/onlyoffice
whitelist ${HOME}/.config/kdedefaults
whitelist ${HOME}/.local/share/onlyoffice/

include libreoffice.profile

join-or-start onlyoffice-desktopeditors

This works for me just fine.

[emerajid]

https://pulsar-edit.dev/
https://pulsar-edit.dev/about.html
https://github.com/pulsar-edit

Not much different from atom.profile, yet a few changes creeped in.

# Firejail profile for uplsar
# Description: A Community-led Hyper-Hackable Text Editor
# This file is overwritten after every install/update
# Persistent local customizations
include pulsar.local
# Persistent global definitions
include globals.local

# Disabled until someone reported positive feedback
ignore include disable-exec.inc
ignore include disable-devel.inc
ignore include disable-interpreters.inc
ignore include disable-xdg.inc
ignore whitelist ${DOWNLOADS}
ignore whitelist ${HOME}/.config/Electron
ignore whitelist ${HOME}/.config/electron*-flag*.conf
ignore include whitelist-common.inc
ignore include whitelist-runuser-common.inc
ignore include whitelist-usr-share-common.inc
ignore include whitelist-var-common.inc
ignore apparmor

disable-mnt
noblacklist ${HOME}/.pulsar
noblacklist ${HOME}/.config/Pulsar

# Allows files commonly used by IDEs
include allow-common-devel.inc

# net none
nosound

# Redirect
include electron.profile

[rusty-snake]

16xPrompt by @leodip in #6470

[kmk3]

x2goserver by @mabra in #5837

[kmk3]

prismlauncher by @ipaqmaster in #6381

[rusty-snake]

gifsicle and gifski by @salisbury-espinosa in #6481