Open netblue30 opened 7 years ago
macrofusion hugin imagej geary
@rekixex does #1154 work for you?
Hey donosaurus - where is your GUI?? A firewall like that is very much needed - app goes to internet -> firewall asks -> allow/deny/create rule.
@rekixex gpicview has been added: b51d44a29a07772cf4b38b6133aad343e76185d8 :smile:
1. brl-cad (a military-veteran CAD, but common in civilian environments)
2. ~freecad (a civil-use CAD)~
3. ~dia (from gnome)~
4. ~fontforge~
Nylas Email client, Wire Chat client @Fred-Barclay
@mustaqimM We actually already have a Wire profile. :smile:
@Fred-Barclay Thanks for that, for some reason it wasn't in the AUR package, so now I'm using the git one. I'm having trouble creating a profile for Nylas Mail, I get
```
Streaming log data to /tmp/Nylas-Mail-3.log
[3:0413/071541:FATAL:udev_linux.cc(20)] Check failed: monitor_.
#0 0x000001e5855e <unknown>
#1 0x000001e6e25b <unknown>
#2 0x000000cbe6a6 <unknown>
#3 0x000001248602 <unknown>
#4 0x000001e59226 <unknown>
#5 0x000001e74755 <unknown>
#6 0x000001e74a48 <unknown>
#7 0x000001e74e9b <unknown>
#8 0x000001e4e669 <unknown>
#9 0x000001e8d41e <unknown>
#10 0x000001eac40a <unknown>
#11 0x000002707e36 <unknown>
#12 0x00000270803e <unknown>
#13 0x000001eac4ce <unknown>
#14 0x000001ea8a53 <unknown>
#15 0x7f332d63e2e7 start_thread
#16 0x7f332707f54f __GI___clone
Failed to generate minidump.
Parent is shutting down, bye...
```
By the way, it's an electron app.
Sure, I'll take a look at it. Can you open a new issue, post the profile you're currently using, and @Fred-Barclay me so I'll get a notification?
would be nice to have profiles for ~tvbrowser~ and jdownloader2 :-)
Hi, I would like to make a restrictive version of the "transmission-gtk.profile". As of now, it has access to all folders within my home folder, and I would like to restrict it to a "Torrents" folder only in the home folder. How would I go about doing that? My current transmission-gtk profile is the following:
```
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/transmission-gtk.local

# transmission-gtk bittorrent profile
noblacklist ${HOME}/.config/transmission
noblacklist ${HOME}/.cache/transmission

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog

private-bin transmission-gtk
private-dev
private-tmp
```
The easiest way would be to start the sandbox with a different user home directory - /home/username/Torrents in your case. Create an empty ~/Torrents directory (`mkdir ~/Torrents`) and in your profile file add `private ~/Torrents` at the end of the file.
Profile requests:
cherrytree (a onenote-like app for linux)
vym/freemind
@qazip - Wire is already in, grab the profile from here: https://github.com/netblue30/firejail/blob/master/etc/wire.profile
@nyancat18 - cherrytree is in: https://github.com/netblue30/firejail/blob/master/etc/cherrytree.profile
@hThoreau - If you just use the default profile, is that one working?
```
$ firejail --profile=/etc/firejail/transmission-gtk.profile transmission-gtk
```
Blacklist violations are logged in system log - /var/log/syslog or /var/log/messages depending on your distribution
thanks @netblue30
but freemind/vym :D
@netblue30 oh, that's weird. I don't have that file for some reason. Shouldn't I have it (I have firejail 0.9.44.10)?
Another profile request:
- InSync https://www.insynchq.com/
- variety http://peterlevi.com/variety/
- KDE connect https://community.kde.org/KDEConnect
- ~RedShift https://wiki.archlinux.org/index.php/redshift~
- Y PPA Manager https://launchpad.net/y-ppa-manager

Would be nice to have too.
cinepaint
jahshakavr
@razip youtube-dl
Would be great if we had a profile which allows us to simulate the installation of programs, as "Arkose" used to do. Look: https://stgraber.org/category/arkose/ Maybe it could be implemented using some overlayfs.
@rekixex Catfish has been added: 67a6d8712f1ec3a43dc5bcf7ffa471c19b0e218e I'll try to work on Cheese as well.
@ghanan - it is quite easy, this is an example using OpenShot video editor:
In a terminal start an overlayfs sandbox (you would need a kernel 3.18 or better):
```
$ firejail --name=test --overlay --private --noblacklist=/sbin --noblacklist=/usr/sbin
```
In a different terminal, join the sandbox as root and install the program - I am using apt-get on Debian:
```
$ sudo firejail --join=test
Switching to pid 2464, the first child process inside the sandbox
changing root to /proc/2464/root
Child process initialized in 6.05 ms
# apt-get install openshot
# exit
```
Back in the first terminal run the program:
```
$ openshot
```
Once you close both sandboxes, overlayfs is disabled and openshot disappears.
I saw it's already on the list but nevertheless I'd like to request a profile for Geary Email Client (https://github.com/GNOME/geary).
Thank you very much and keep up with the good work.
I'm using the nautilus profile provided here in the etc folder. It blocks the extensions clamtk-gnome (5.24-1) and nautilus-compare (0.0.4+po1-1), though other extensions that I also have installed, nautilus-wipe (0.3-1) and onionshare (0.9.2-1), work fine. Therefore, I ask for an amendment to nautilus' profile that could allow it to use these extensions as well. Thank you.
@rekixex - KWrite: https://github.com/netblue30/firejail/blob/master/etc/kwrite.profile
@pemartins1 - Geary: https://github.com/netblue30/firejail/blob/master/etc/geary.profile
Requesting a profile for soulseekqt ( a few links because the download page hasn't been updated yet, and the last two are direct links )
http://www.soulseekqt.net/news/ https://groups.google.com/d/msg/soulseek-discussion/lOvh7PoOKR0/uIZKRFZmCQAJ https://www.dropbox.com/s/b8st8jznojbus0b/SoulseekQt-2017-2-20-Ubuntu17-64bit.tgz (x86_64) https://www.dropbox.com/s/m12bxp0bjl6iqo9/SoulseekQt-2017-2-20-Ubuntu17-32bit.tgz (i686)
Tribler, an onion routing torrent client: https://github.com/Tribler/tribler
utox (a light tox client)
Enpass password manager, enpass.io
Minecraft Server (Java), only allow java and server files
@wiredrunner Enpass added in 78b6a1d4b0815770c09fe4db3a37ca6ce3149261 😄
I'd like to make another request, this time for Leonflix (http://leonflix.net/). It's not open source so this one had better be Firejailed.
Thanks for everything once again!
Lightly tested discord profile in #1715
@idnovic VS Code added in f6502ebf237a54a9914c80f386f321772f0e8063 :grin:
Would like to have upwork desktop profile and base profile for other time tracking systems. Nice to have:
Copying from #1878: Coyim (suggested by @bn0785ac)
Minitube https://flavio.tordini.org/minitube
I have put together a profile for Citra (Nintendo 3DS game system emulator), and would like to contribute it.
(Note that the `private-dev` line might be uncommented once #2203 is resolved.)
qownnotes: https://github.com/pbek/QOwnNotes
@qazip Can you try this profile for qownnotes?
```
# Firejail profile for QOwnNotes
# Description: Plain-text file notepad with markdown support and ownCloud integration
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/QOwnNotes.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/Nextcloud/Notes
noblacklist ${HOME}/.config/PBE
noblacklist ${HOME}/.local/share/PBE

mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}/.config/PBE
mkdir ${HOME}/.local/share/PBE
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

caps.drop all
machine-id
netfilter
no3d
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
shell none
tracelog

disable-mnt
private-bin QOwnNotes,gio
private-dev
private-etc fonts,ld.so.cache,pulse,resolv.conf,hosts,nsswitch.conf,host.conf,ca-certificates,ssl,pki,crypto-policies
private-tmp

noexec ${HOME}
noexec /tmp
```
@Fred-Barclay I tested the QOwnNotes profile and it works well. I wonder if we should add:
```
noblacklist ${DOCUMENTS}
whitelist ${DOCUMENTS}
```
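As an added example, not firejail's own tooling and not code posted in this thread, here is a small Python linter for the two profile conventions that come up above: a path argument that lost its leading slash after a variable (the `mkdir ${HOME}.config/PBE` typo in the QOwnNotes profile), and a `whitelist` under `${HOME}` without the matching `noblacklist` that the posted profiles pair it with, since an included `disable-*.inc` can still blacklist a whitelisted directory. It also reports what the sandboxed program will see as its home directory, which is the `private ~/Torrents` answer given for transmission-gtk. The sample profile is constructed from a trimmed copy of the QOwnNotes profile with one `noblacklist` line removed on purpose; the command set and the regular expression are the assumptions the linter rests on.

```python
import re
from typing import List, Tuple

# Assumption: these firejail commands take a single filesystem path as argument
# ("private" may also appear with no argument, which means a tmpfs home).
PATH_COMMANDS = {"whitelist", "noblacklist", "blacklist", "mkdir", "mkfile",
                 "read-only", "read-write", "noexec", "private"}

# Accept "/abs/path", "~/path" or "${VAR}" optionally followed by "/...".
ABSOLUTE_PATH = re.compile(r"^(/|~/|\$\{[A-Z_]+\}(/|$))")

# Constructed sample: trimmed copy of the QOwnNotes profile from the thread,
# keeping the "mkdir ${HOME}.config/PBE" typo and dropping the noblacklist for
# ${HOME}/.local/share/PBE so the linter has two things to report.
SAMPLE_PROFILE = """\
include /etc/firejail/QOwnNotes.local
noblacklist ${HOME}/Nextcloud/Notes
noblacklist ${HOME}/.config/PBE
mkdir ${HOME}/Nextcloud/Notes
mkdir ${HOME}.config/PBE
whitelist ${HOME}/Nextcloud/Notes
whitelist ${HOME}/.config/PBE
whitelist ${HOME}/.local/share/PBE
include /etc/firejail/disable-programs.inc
caps.drop all
private-bin QOwnNotes,gio
noexec ${HOME}
"""


def parse_profile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, command, argument) for every non-blank, non-comment line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, arg = line.partition(" ")
        entries.append((n, cmd, arg.strip()))
    return entries


def lint_profile(text: str) -> List[str]:
    """Report malformed paths and ${HOME} whitelists with no covering noblacklist."""
    entries = parse_profile(text)
    noblacklisted = [a for _, c, a in entries if c == "noblacklist"]
    findings = []
    for n, cmd, arg in entries:
        if cmd in PATH_COMMANDS and arg and not ABSOLUTE_PATH.match(arg):
            findings.append(f"line {n}: {cmd} {arg}: path is not absolute "
                            f"(missing '/' after a variable?)")
        if cmd == "whitelist" and arg.startswith("${HOME}"):
            # A noblacklist covers the whitelist if it names it or a parent of it.
            covered = any(arg == nb or arg.startswith(nb.rstrip("/") + "/")
                          for nb in noblacklisted)
            if not covered:
                findings.append(f"line {n}: whitelist {arg} has no matching "
                                f"noblacklist; an included disable-*.inc may still hide it")
    return findings


def sandbox_home(text: str) -> str:
    """Describe what the sandboxed program sees as its home directory."""
    entries = parse_profile(text)
    for _, cmd, arg in entries:
        if cmd == "private":
            # "private <dir>" uses <dir> as home; bare "private" mounts an empty tmpfs home.
            return arg if arg else "empty temporary home"
    whitelisted = [a for _, c, a in entries if c == "whitelist" and a.startswith("${HOME}")]
    if whitelisted:
        return "${HOME} restricted to: " + ", ".join(whitelisted)
    return "${HOME} minus blacklisted paths"


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
    print("home:", sandbox_home(SAMPLE_PROFILE))
    print("home:", sandbox_home("private ~/Torrents\n"))
```

Run against the sample it reports the broken `mkdir` line and the uncovered `${HOME}/.local/share/PBE` whitelist; feeding it the transmission-gtk profile with `private ~/Torrents` appended shows `~/Torrents` as the only home the program gets.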
Issue to ask for and discuss about new profiles.
Progress is tracked in: https://github.com/users/netblue30/projects/7
- latex2*, pdf*, rst2*, pod2, pcp2pdf, wkhtmltopdf, ...
- disable-sys.inc to restrict access to files in /sys/{block,bus,class,dev,devices,kernel}
- io.elementary.calculator
- io.elementary.calendar
- io.elementary.calendar-daemon
- io.elementary.camera
- io.elementary.capnet-assist
- io.elementary.code
- io.elementary.files
- io.elementary.files-daemon
- io.elementary.files-pkexec
- io.elementary.music
- io.elementary.photos - Based on the old Shotwell code
- io.elementary.terminal
- io.elementary.videos
- gnome-podcasts
- pass
- gopass
- kbfsfuse (not sure if this one makes sense...)
- keybase
- keybase-gui
- ykman
- ykman-gui
- gzdoom
- quake
- rrootage

Resolved

> strikethrough means won't fix

- [x] kwrite
- [x] [Jerry chess](https://github.com/asdfjkl/jerry)
- [x] Riot.im (desktop)
- [x] freemind
- [x] tshark
- [x] tcpdump
- [x] freecad
- [x] geary
- [x] [imagej](https://imagej.nih.gov/ij/)
- [x] [macrofusion](https://sourceforge.net/projects/macrofusion/)
- [x] discord
- [x] [rambox](https://github.com/saenzramiro/rambox)
- [x] ~gnome-online-miners~
- [x] gnome-sound-recorder
- [x] Natron
- [x] Cinelerra
- [x] amule
- [x] Calligra
- [x] ~Ghetto-skype~
- [x] Blender
- [x] Google Earth
- [x] shotcut
- [x] ~[Tbb PPA](http://www.webupd8.org/2013/12/tor-browser-bundle-ubuntu-ppa.html)~
- [x] ~Gnome-boxes~
- [x] ~Tor Messenger~
- [x] amuled
- [x] shortwave
- [x] [WPS-Office](http://www.wps.com/)
- [x] ~[Teamviewer](https://www.teamviewer.com/en/download/linux/)~ https://github.com/netblue30/firejail/issues/825#issuecomment-250977527
- [x] [Ricochet](https://ricochet.im/)
- [x] tvbrowser
- [x] foliate
- [x] [RTV](https://github.com/michael-lazar/rtv)
- [x] homebank
- [x] dooble browser
- [x] Otter browser
- [x] [mattermost desktop client](https://github.com/mattermost/desktop)
- [x] [FreeTube](https://github.com/FreeTubeApp/FreeTube/)
- [x] Spectacle
- [x] Lyx
- [x] [Fractal](https://gitlab.gnome.org/GNOME/fractal)
- [x] [Quaternion](https://github.com/QMatrixClient/Quaternion/)
- [x] [Youtube-Viewer](https://github.com/trizen/youtube-viewer)
- [x] [balsa](https://github.com/GNOME/balsa)
- [x] Minecraft Server
- [x] [Minitube](https://flavio.tordini.org/minitube)
- [x] lutris
- [x] tutanota-desktop
- [x] Coyim
- [x] Avidemux
- [x] librewolf
- [x] pipe-viewer
- [x] gtk-pipe-viewer
- [x] sway
- [x] tmux
- [x] [librecad](https://librecad.org/)
- [x] Notable
- [x] `qemu-system-*`
- [x] ~qemu-kvm~
- [x] virt-manager
- [x] Microsoft Edge for linux
- [x] [gh](https://cli.github.com/)