Profile requests

[netblue30]

Issue to ask for and discuss about new profiles.

Progress is tracked in: https://github.com/users/netblue30/projects/7

• command line document converter (e.g. latex2*, pdf*, rst2*, pod2, pcp2pdf, wkhtmltopdf, ...)
• [ ] disable-sys.inc to restrict access to files in /sys/{block,bus,class,dev,devices,kernel}
• [ ] KVM
• [ ] jmemorize
• [ ] KTnef,
• [ ] KRDC
• [ ] discover
• [ ] KWalletManager,
• [ ] brl-cad (a millitary-veteran CAD..but common at civilian enviorments)
• [ ] https://sourceforge.net/projects/animationmaker/
• [ ] jdownloader2
• [ ] InSync
• [ ] variety
• [ ] KDE connect
• [ ] autotrace
• [ ] Y PPA Manager
• [ ] Adobe reader
• [ ] standalone flashplayer
• [ ] Adobe AIR
• [ ] cinepaint
• [ ] jahshakavr
• [ ] soulseekqt
• [ ] Tribler
• [ ] Leonflix
• [ ] upwork desktop
• [ ] Quake3
• [ ] UrbanTerror
• [ ] Citra
• [ ] makemkv
• [ ] Mellowplayer
• [ ] Stubby
• [ ] SpamAssassin
• [ ] Kile
• [ ] llpp
• [ ] zotero
• [ ] neovim
• [ ] Sia-UI
• [ ] Calculator (io.elementary.calculator)
• [ ] Calendar
  • [ ] io.elementary.calendar
  • [ ] io.elementary.calendar-daemon
• [ ] Camera (io.elementary.camera)
• [ ] Captive Portal Assistant (io.elementary.capnet-assist)
• [ ] Code (io.elementary.code)
• [ ] Files
  • [ ] io.elementary.files
  • [ ] io.elementary.files-daemon
  • [ ] io.elementary.files-pkexec
• [ ] Music (io.elementary.music)
• [ ] Photos (io.elementary.photos) - Based on the old Shotwell code
• [ ] Terminal (io.elementary.terminal)
• [ ] Videos (io.elementary.videos)
• [ ] GNOME Podcasts (gnome-podcasts)
• [ ] pass / gopass
  • [ ] pass
  • [ ] gopass
• [ ] Keybase
  • [ ] kbfsfuse (not sure if this one makes sense...)
  • [ ] keybase
  • [ ] keybase-gui
• [ ] Yubikey Manager
  • [ ] ykman
  • [ ] ykman-gui
• [ ] GZDoom (gzdoom)
• [ ] QuakeSpasm (quake)
• [ ] rRootage (rrootage)
  • [ ] Renames TV Series
• [ ] deepin-screen-recorder
• [ ] Joplin
• [ ] mate-terminal
• [ ] asbru
• [ ] socat
• [ ] cordless
• [ ] Unity/Unity Hub
• [ ] pcloud
• [ ] lens
• [ ] Obsidian
• [ ] luarocks
• [ ] Stremio
• [ ] cointop
• [ ] irssi
• [ ] easytag
• [ ] mbsync
• [ ] Bitwig Studio
• [ ] radicale
• [ ] solvespace
• [ ] screen
• [ ] khard
• [ ] vdirsyncer
• [ ] cryptomator
• [ ] SRBMiner
• [ ] NBMiner
• [ ] Hypnotix
• [ ] Fwknop
• [ ] Sublime Text 4
• [ ] Hamsket
• [ ] webex
• [ ] Veloren and Airshipper
• [ ] openstego
• [ ] etcher and Ventoy
• [ ] waifu2x-converter-cpp
• [ ] MEGAsync
• [ ] seafile-client
• [ ] retroshare
• [ ] Aether
• [ ] rust-analyzer
• [ ] FireDM
• [ ] xournal-thumbnailer
• [ ] blender-thumbnailer.py
• [ ] rustup
• [ ] scour
• [ ] gnome-extensions-app
• [ ] gnome-extensions
• [ ] gnome-games
• [ ] gnome-do
• [ ] gnome-epub-thumbnailer
• [ ] gnome-kra-ora-thumbnailer
• [ ] gnome-dictionary
• [ ] gnome-translate
• [ ] x2goserver

Resolved

> strikethrough means won't fix - [x] kwrite - [x] [Jerry chess](https://github.com/asdfjkl/jerry) - [x] Riot.im (desktop) - [x] freemind - [x] tshark - [x] tcpdump - [x] freecad - [x] geary - [x] [imagej](https://imagej.nih.gov/ij/) - [x] [macrofusion](https://sourceforge.net/projects/macrofusion/) - [x] discord - [x] [rambox](https://github.com/saenzramiro/rambox) - [x] ~gnome-online-miners~ - [x] gnome-sound-recorder - [x] Natron - [x] Cinelerra - [x] amule - [x] Calligra - [x] ~Ghetto-skype~ - [x] Blender - [x] Google Earth - [x] shotcut - [x] ~[Tbb PPA](http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html)~ - [x] ~Gnome-boxes~ - [x] ~Tor Messenger~ - [x] amuled - [x] shortwave - [x] [WPS-Office](http://www.wps.com/) - [x] ~[Temaviewer](https://www.teamviewer.com/en/download/linux/)~ https://github.com/netblue30/firejail/issues/825#issuecomment-250977527 - [x] [Ricochet](https://ricochet.im/) - [x] tvbrowser - [x] foliate - [x] [RTV](https://github.com/michael-lazar/rtv) - [x] homebank - [x] dooble browser - [x] Otter browser - [x] [mattermost desktop client](https://github.com/mattermost/desktop) - [x] [FreeTube](https://github.com/FreeTubeApp/FreeTube/) - [x] Spectacle - [x] Lyx - [x] [Fractal](https://gitlab.gnome.org/GNOME/fractal) - [x] [Quaternion](https://github.com/QMatrixClient/Quaternion/) - [x] [Youtube-Viewer](https://github.com/trizen/youtube-viewer) - [x] [balsa](https://github.com/GNOME/balsa) - [x] Minecraft Server - [x] [Minitube](https://flavio.tordini.org/minitube) - [x] lutris - [x] tutanota-desktop - [x] Coyim - [x] Avidemux - [x] librewolf - [x] pipe-viewer - [x] gtk-pipe-viewer - [x] sway - [x] tmux - [x] [librecad](https://librecad.org/) - [x] Notable - [x] `qemu-system-*` - [x] ~qemu-kvm~ - [x] virt-manager - [x] Microsoft Edge for linux - [x] [gh](https://cli.github.com/)

Comments which are marked as resolved contain request/question to new profiles or a hint to a PR/a commit which adds a new profile

[nyancat18]

macrofusion hugin imagej geary

[nyancat18]

https://sourceforge.net/projects/macrofusion/ http://hugin.sourceforge.net/ https://imagej.nih.gov/ij/

[Fred-Barclay]

@rekixex does #1154 work for you?

[magistryo]

Hey donosaurus - where is you GUI ?? Wery needed firewall like that - app goes to internet -> wirewall asks - > allow/deny/create rule.

[Fred-Barclay]

@rekixex gpicview has been added: b51d44a29a07772cf4b38b6133aad343e76185d8 :smile:

[nyancat18]

1 brl-cad (a millitary-veteran CAD..but common at civilian enviorments)

~2 freecad (a civil-use CAD)~

~3 dia (from gnome)~

~4 fontforge~

[mustaqimM]

Nylas Email client Wire Chat client @Fred-Barclay

[Fred-Barclay]

@mustaqimM We actually already have a Wire profile. :smile:

[mustaqimM]

@Fred-Barclay Thanks for that, for some reason it wasn't in the AUR package, so now I'm using the git one. I'm having trouble creating a profile for Nylas Mail, I get

Streaming log data to /tmp/Nylas-Mail-3.log
[3:0413/071541:FATAL:udev_linux.cc(20)] Check failed: monitor_.
#0 0x000001e5855e <unknown>
#1 0x000001e6e25b <unknown>
#2 0x000000cbe6a6 <unknown>
#3 0x000001248602 <unknown>
#4 0x000001e59226 <unknown>
#5 0x000001e74755 <unknown>
#6 0x000001e74a48 <unknown>
#7 0x000001e74e9b <unknown>
#8 0x000001e4e669 <unknown>
#9 0x000001e8d41e <unknown>
#10 0x000001eac40a <unknown>
#11 0x000002707e36 <unknown>
#12 0x00000270803e <unknown>
#13 0x000001eac4ce <unknown>
#14 0x000001ea8a53 <unknown>
#15 0x7f332d63e2e7 start_thread
#16 0x7f332707f54f __GI___clone

Failed to generate minidump.
Parent is shutting down, bye...

By the way, it's an electron app.

[Fred-Barclay]

Sure, I'll take a look at it. Can you open a new issue, post the profile you're currently using, and @Fred-Barclay me so I'll get a notification?

[Micha-Btz]

would be nice to have profiles for ~tvbrowser~ and jdownloader2 :-)

[ghost]

Hi, I would like to make a restrictive version of the "transmission-gtk.profile". As of now, it has access to all folders within my home folder, and I would like to restrict it to a "Torrents" folder only in the home folder. How would I go about doing that? My current transmission-gtk profile is the following:

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/transmission-gtk.local

# transmission-gtk bittorrent profile
noblacklist ${HOME}/.config/transmission
noblacklist ${HOME}/.cache/transmission

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog

private-bin transmission-gtk
private-dev
private-tmp

[netblue30]

The easiest way would be to start the sandbox with a different user home directory - /home/username/Torrents in your case. Create an empty ~/Torrents directory (mkdir ~/Torrents) and in your profile file add "private ~/Torrents" at the end of the file.

[qazip]

Profile requests:

• Riot.im
• Wire.com

[nyancat18]

cherrytree (a onenote-like app for linux)

vym/freemind

[netblue30]

@qazip - Wire is already in, grab he profile from here: https://github.com/netblue30/firejail/blob/master/etc/wire.profile

@nyancat18 - cherytree is in: https://github.com/netblue30/firejail/blob/master/etc/cherrytree.profile\

@hThoreau - If you just use the default profile, is that one working?

$ firejail --profile=/etc/firejail/transmission-gtk.profile transmision-gtk

Blacklist violations are logged in system log - /var/log/syslog or /var/log/messages depending on your distribution

[nyancat18]

thanks @netblue30

but freemind/vym :D

[qazip]

@netblue30 oh, that's weird. I don't have that file for some reason. Shouldn't I have (I've firejail 0.9.44.10).

[qazip]

Another profile request:

• Jerry chess (https://github.com/asdfjkl/jerry)

[breznak]

InSync https://www.insynchq.com/

variety http://peterlevi.com/variety/

KDE connect https://community.kde.org/KDEConnect

~RedShift https://wiki.archlinux.org/index.php/redshift~

and Y PPA Manager https://launchpad.net/y-ppa-manager

Would be nice to have too.

[nyancat18]

cinepaint

[nyancat18]

jahshakavr

[qazip]

• Youtube-Viewer (https://github.com/trizen/youtube-viewer)

[nyancat18]

@razip youtube-dl

[ghanan]

Would be great if we had a profile which allow us to simulate the installation of programs, as "Arkose" used to do. Look: https://stgraber.org/category/arkose/ Maybe it could be implemented using some overlayfs.

[Fred-Barclay]

@rekixex Catfish has been added: 67a6d8712f1ec3a43dc5bcf7ffa471c19b0e218e I'll try to work on Cheese as well.

[netblue30]

@ghanan - it is quite easy, this is an example using OpenShot video editor:

In a terminal start a overlayfs sandbox (you would need a kernel 3.18 or better):

$ firejail --name=test --overlay --private --noblacklist=/sbin --noblacklist=/usr/sbin

In a different terminal, join the sandbox as root and install the program - I am using apt-get on Debian:

$ sudo firejail --join=test
Switching to pid 2464, the first child process inside the sandbox
changing root to /proc/2464/root
Child process initialized in 6.05 ms
# apt-get install openshot
# exit

Back in the first terminal run the program

$ openshot

Once you close both sandboxes, overlayfs is disabled and openshot disappears.

[pemartins1]

I saw it's already on the list but nevertheless I'd like to request a profile for Geary Email Client (https://github.com/GNOME/geary).

Thank you very much and keep up with the good work.

[ghost]

I'm using the nautilus profile provided here in the etc folder. It blocks the extensions clamtk-gnome (5.24-1) and nautilus-compare (0.0.4+po1-1), though other extensions that I also have installed, nautilus-wipe (0.3-1) and onionshare (0.9.2-1), work fine. Therefore, I ask for an amendment to nautilus' profile that could allow it to use these extensions as well. Thank you.

[startx2017]

@rekixex - KWrite: https://github.com/netblue30/firejail/blob/master/etc/kwrite.profile

@pemartins1 - Geary: https://github.com/netblue30/firejail/blob/master/etc/geary.profile

[ghost]

Requesting a profile for soulseekqt ( a few links because the download page hasn't been updated yet, and the last two are direct links )

http://www.soulseekqt.net/news/ https://groups.google.com/d/msg/soulseek-discussion/lOvh7PoOKR0/uIZKRFZmCQAJ https://www.dropbox.com/s/b8st8jznojbus0b/SoulseekQt-2017-2-20-Ubuntu17-64bit.tgz (x86_64) https://www.dropbox.com/s/m12bxp0bjl6iqo9/SoulseekQt-2017-2-20-Ubuntu17-32bit.tgz (i686)

[ghost]

Tribler, a onion routing torrent client: https://github.com/Tribler/tribler

[nyancat18]

utox (a light tox client)

[wiredrunner]

Enpass password manager, enpass.io

[KernelFreeze]

Minecraft Server (Java), only allow java and server files

[barrosfelipe]

Discord.

[Fred-Barclay]

@wiredrunner Enpass added in 78b6a1d4b0815770c09fe4db3a37ca6ce3149261 😄

[pemartins1]

I'd like to make another request, this time for Leonflix (http://leonflix.net/). It's not open source so this one's better be Firejailed.

Thanks for everything once again!

[SkewedZeppelin]

@pemartins1 see https://github.com/netblue30/firejail/pull/1613#issuecomment-340260231

[viq]

Lightly tested discord profile in #1715

[idnovic]

add vs code

[Fred-Barclay]

@idnovic VS Code added in f6502ebf237a54a9914c80f386f321772f0e8063 :grin:

[punksta]

Would like to have upwork desktop profile and base profile for other time tracking systems. Nice to have:

• disabled/random system hardware information
• window sandbox by default

[chiraag-nataraj]

Copying from #1878: Coyim (suggested by @bn0785ac)

[pemartins1]

Minitube https://flavio.tordini.org/minitube

[pemartins1]

Cantata https://github.com/CDrummond/cantata

[iskunk]

I have put together a profile for Citra (Nintendo 3DS game system emulator), and would like to contribute it.

(Note that the private-dev line might be uncommented once #2203 is resolved.)

[qazip]

qownnotes: https://github.com/pbek/QOwnNotes

[Fred-Barclay]

@qazip Can you try this profile for qownnotes?

# Firejail profile for QOwnNotes
# Description: Plain-text file notepad with markdown support and ownCloud integration
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/QOwnNotes.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/Nextcloud/Notes
noblacklist ${HOME}/.config/PBE
noblacklist ${HOME}/.local/share/PBE

mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}.config/PBE
mkdir ${HOME}/.local/share/PBE
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

caps.drop all
machine-id
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog

disable-mnt
private-bin QOwnNotes,gio
private-dev
private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
private-tmp

noexec ${HOME}
noexec /tmp

[Vincent43]

@Fred-Barclay I tested Qownotes profile and it works good. I wonder if we should add:

noblacklist ${DOCUMENTS}
whitelist ${DOCUMENTS}