netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

How to configure applications to automatically go through firejail? #3191

Closed Joe23232 closed 4 years ago

Joe23232 commented 4 years ago

I wanted to know how I configure certain applications to go through firejail, even through the launcher. For example, on KDE, if I click on Firefox, I want it to open through firejail. How do I configure this?

smitsohu commented 4 years ago

Create a symbolic link: sudo ln -s /usr/bin/firejail /usr/local/bin/firefox

You may also want to take a look at man 1 firecfg

Joe23232 commented 4 years ago

Create a symbolic link: sudo ln -s /usr/bin/firejail /usr/local/bin/firefox

How does it get firefox to run through firejail if I launched it through KDE? I just want to understand this better.

smitsohu commented 4 years ago

It works because on your system /usr/local/bin precedes /usr/bin in the PATH environment variable. This way, if you type firefox in bash or click an icon in the desktop manager of your choice, what is executed is not /usr/bin/firefox but /usr/local/bin/firefox -> /usr/bin/firejail. Then Firejail learns about the original command by looking at the command line parameters, or argv[0] more specifically. That's the magic!

glitsj16 commented 4 years ago

Programs implement default application associations in different ways. While command-line programs traditionally use environment variables, graphical applications - or GUI apps - tend to use the XDG MIME Applications specification. This is a common Linux standard (a convention) using .desktop files in /usr/share/applications to deliver the 'magic'. It also offers a per-user location to override what is in that system-wide path: ~/.local/share/applications. These .desktop files contain instructions on how to execute a specific application.

If you take a look inside, you'll notice an 'Exec=blahblah' line, e.g. 'Exec=firefox %U', which in human-speak means "start Firefox by executing the command 'firefox', and append whatever text string follows" - a URL in this context. Easy peasy, let's hit it already - I hear you think. But wait, there's a problem to be solved first. What happens when there are several commands on the system called 'firefox'? Where exactly can we find all these, and decide which one to actually execute?

Machines can figure this all out and solve the problem by - you guessed it - relying on another (set of) standard convention(s). The relevant one in this context being PATH: a limited set of possible locations where executable files can be found. You can check what your OS has predefined by running the below in a terminal:

$ echo "$PATH"
/usr/local/sbin:/usr/local/bin:/usr/bin

Like hordes of hungry beasts, machines start scanning through this collection of predefined locations, eagerly looking for something to execute. No matter how fast (or slow) this happens, this process seems to follow the same 'internal logic': let's not waste too much resources here and always execute the command from whatever location we find first so we can move on and take a rest already.

Scanning stops, beasts happily tiptoe off to greener, shadier pastures and, whammo, a new thingie appears that looks like we can actually use it to surf that WWW everybody is on about! In the grand order of things, hopefully /usr/local/bin/firefox is found first, hence executed. By creating symbolic links under a location - /usr/local/bin - that precedes other usual suspects - /usr/bin - firejail is able to ensure that your application - firefox - will now be sandboxed. Ugh!
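The PATH-order mechanism described in the two replies above (symlink in /usr/local/bin, first hit wins, firejail reading argv[0]), as an added example that is not part of the original thread or the firejail project. It builds a throwaway directory tree standing in for /usr/bin and /usr/local/bin (constructed, never touching the real system), resolves `firefox` the way a shell or desktop launcher would, and shows the resolution flipping to the unsandboxed binary when /usr/bin comes first or when an absolute path is used. `program_from_argv0` is an assumed name for the argv[0] lookup, not firejail's own function.

```python
"""Added example: how a /usr/local/bin symlink wins (or loses) PATH resolution,
and how firejail recovers the program name from argv[0]."""
import os
import shutil
import tempfile
from typing import Optional


def program_from_argv0(argv0: str) -> Optional[str]:
    """Mimic the argv[0] trick: when firejail is started through a symlink named
    after the target program, the basename of argv[0] is that program's name.
    Returns None when firejail was invoked under its own name."""
    name = os.path.basename(argv0)
    return None if name == "firejail" else name


def resolve(name: str, path_dirs: list) -> dict:
    """Resolve `name` as a shell or launcher does (first hit in PATH order, or the
    file itself when an absolute path is given) and report whether that hit is a
    symlink that ends up at a binary called firejail."""
    found = shutil.which(name, path=os.pathsep.join(path_dirs))
    if found is None:
        return {"path": None, "target": None, "sandboxed": False}
    target = os.path.realpath(found)  # follows the symlink chain
    return {"path": found, "target": target,
            "sandboxed": os.path.basename(target) == "firejail"}


def build_demo_tree(root: str) -> dict:
    """Construct a fake filesystem (not a real system): a 'firefox' and a
    'firejail' executable under usr/bin, plus the symlink
    usr/local/bin/firefox -> usr/bin/firejail suggested in the thread."""
    usr_bin = os.path.join(root, "usr", "bin")
    local_bin = os.path.join(root, "usr", "local", "bin")
    os.makedirs(usr_bin)
    os.makedirs(local_bin)
    for prog in ("firefox", "firejail"):
        path = os.path.join(usr_bin, prog)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder executable
        os.chmod(path, 0o755)
    os.symlink(os.path.join(usr_bin, "firejail"), os.path.join(local_bin, "firefox"))
    return {"usr_bin": usr_bin, "local_bin": local_bin}


def demo() -> tuple:
    """Return (stock PATH order, reversed PATH order, absolute path) resolutions."""
    with tempfile.TemporaryDirectory() as root:
        dirs = build_demo_tree(root)
        stock = [dirs["local_bin"], dirs["usr_bin"]]   # /usr/local/bin first
        reversed_order = [dirs["usr_bin"], dirs["local_bin"]]
        good = resolve("firefox", stock)               # symlink wins -> sandboxed
        bad = resolve("firefox", reversed_order)       # real binary wins -> bypass
        absolute = resolve(os.path.join(dirs["usr_bin"], "firefox"), stock)
    return good, bad, absolute


if __name__ == "__main__":
    for label, result in zip(("stock PATH", "reversed PATH", "absolute path"), demo()):
        print(f"{label}: {result}")
    print("argv[0] lookup:", program_from_argv0("/usr/local/bin/firefox"))
```

The third case matters for .desktop files: an `Exec=/usr/bin/firefox` line never consults PATH, so the symlink trick cannot sandbox it.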

Joe23232 commented 4 years ago

It works because on your system /usr/local/bin precedes /usr/bin in the PATH environment variable. This way, if you type firefox in bash or click an icon in the desktop manager of your choice, what is executed is not /usr/bin/firefox but /usr/local/bin/firefox -> /usr/bin/firejail. Then Firejail learns about the original command by looking at the command line parameters, or argv[0] more specifically. That's the magic!

I see, so like since firejail knows that the link is named as firefox, therefore it will know to open up firefox, am I correct?

Through firetools I configured firefox to not have access to the Desktop's files and it does work fine when I launch firefox either by firejail or firetools. However, after adding the symlink in the specified directory, when I launch firefox through KDE's start menu, I can still access the Desktop's files. Is there a way to fix this?

glitsj16 commented 4 years ago

I see, so like since firejail knows that the link is named as firefox, therefore it will know to open up firefox, am I correct?

Correct.

Through firetools I configured firefox to not have access to the Desktop's files and it does work fine when I launch firefox either by firejail or firetools. However, after adding the symlink in the specified directory, when I launch firefox through KDE's start menu, I can still access the Desktop's files. Is there a way to fix this?

It might be a conflict between firetools and firecfg if you previously also tried that, not 100% sure. I'd recommend sticking to one of the GUI tools to avoid clashes. Just try using your favorite GUI tool to undo all changes you've made so far and start afresh. That can also be achieved thru a file manager or in a terminal (so CLI). Be careful not to remove something from ~/.local/share/applications that you put there yourself (and isn't related to firejail). Making a quick local backup of that path is always a good idea. It will enable you to experiment with firejail and related GUI tools without having to worry about making unrecoverable changes to your system. Please contact us here again if fixing this doesn't work as expected.

Joe23232 commented 4 years ago

@glitsj16

It might be a conflict between firetools and firecfg if you previously also tried that, not 100% sure.

I haven't used firecfg. I only used firetools to change firefox's permission.

I'd recommend sticking to one of the GUI tools to avoid clashes.

Is there something alternative to firetools?

Just try using your favorite GUI tool to undo all changes you've made so far and start afresh. That can also be achieved thru a file manager or in a terminal (so CLI). Be careful not to remove something from ~/.local/share/applications that you put there yourself (and isn't related to firejail).

What am I supposed to remove though to start fresh?

glitsj16 commented 4 years ago

I haven't used firecfg. I only used firetools to change firefox's permission.

In that case the problem with firefox must be something else. If you could post details here about your firejail and firetools version, files created by firetools in ~/.config/firejail/ to customize firefox and the content of ~/.local/share/applications/firefox.desktop we can determine what is going wrong. Let's not remove anything yet. We can tackle that later.

Joe23232 commented 4 years ago

Hmm strange, surprisingly when I typed cd ~/.config/firejail/ and then typed ls the firejail file does not even exist, but there is a firejail-uirc, do you want me to post contents in that file instead?

Also in ~/.local/share/ there is no applications directory. I am using Arch Linux (EndeavourOS) so is the directory structure different or something?

glitsj16 commented 4 years ago

Ah, yes, do post that firejail-uirc file, I've not used firetools before so that would be interesting to see. While you're at it, also post the output of

$ ls -lA /usr/local/bin

Also in ~/.local/share/ there is no applications directory. I am using Arch Linux (EndeavourOS) so is the directory structure different or something?

No, I think it simply means firetools isn't using that directory to locally override /usr/share/applications.

Joe23232 commented 4 years ago

@glitsj16 Under the firejail-uirc file.

[KFileDialog Settings]
detailViewIconSize=0

After executing ls -lA /usr/local/bin I get this.

lrwxrwxrwx 1 root root 17 Jan 29 13:25 firefox -> /usr/bin/firejail

No, I think it simply means firetools isn't using that directory to locally override /usr/share/applications.

Oh I see.

So is there something I can do to fix this problem that I am having?

glitsj16 commented 4 years ago

Did some more research on firetools. Apparently it uses ~/.config/firetools to store files. So you should have a firefox related file under that dir that you can post here.

Joe23232 commented 4 years ago

Ok so under ~/.config/firetools I have this file fstats.config and when I output the file's content I get this.

x 650
y 650

So what does this mean?

glitsj16 commented 4 years ago

Looks like window size dimensions. Nothing profile related at least. Is that the only file in that dir?

Joe23232 commented 4 years ago

Ok so I typed ls -la and here is the output.

total 12
drwxr-xr-x  2 test test 4096 Jan 29 16:03 .
drwx------ 16 test test 4096 Jan 30 22:29 ..
-rw-r--r--  1 test test   12 Jan 30 16:38 fstats.config

Why does it say total 12? What does that mean?

glitsj16 commented 4 years ago

That's directory information. In the manual page of the 'ls' command (man ls) you can find detailed explanations. But again, nothing helpful to fix your issue. Let me suggest something. For now, close the firetools GUI and disable it from autostarting. We will temporarily use the firecfg command to create the necessary files and I'll explain how you can get the same settings for firefox to not show specific files you want to keep out of the sandbox in a minute. Using firecfg will ensure your applications are getting sandboxed, no matter how/which desktop environment you decide to use. It's the firejail native tool to do so. Up for it?

Joe23232 commented 4 years ago

Let me suggest something. For now, close the firetools GUI and disable it from autostarting.

How do I disable it from autostarting?

We will temporarily use the firecfg command to create the necessary files and I'll explain how you can get the same settings for firefox to not show specific files you want to keep out of the sandbox in a minute. Using firecfg will ensure your applications are getting sandboxed, no matter how/which desktop environment you decide to use. It's the firejail native tool to do so. Up for it?

Thanks mate I am up for it. I will just run firecfg, is that what you want me to do right now?

Should I remove firefox from /usr/local/bin?

glitsj16 commented 4 years ago

To disable firetools from autostarting when you boot your machine you should have 2 options. Either find a setting in the GUI itself to do so. Or open ~/.config/autostart/firetools.desktop and show the content here.

Joe23232 commented 4 years ago

This file doesn't appear to exist ~/.config/autostart/firetools.desktop

Should I remove firefox from /usr/local/bin?

glitsj16 commented 4 years ago

OK. Proceed with running the commands below. Start by cleaning firejail symlinks first; that will take care of the firefox symlink as well as any others you might have.

$ sudo firecfg --clean

Next, set up symlinks and desktop files

$ sudo firecfg

Joe23232 commented 4 years ago

Ok, done that. What do I do now?

glitsj16 commented 4 years ago

$ firecfg --list

Joe23232 commented 4 years ago

Removing all firejail symlinks:

Configuring symlinks in /usr/local/bin based on firecfg.config
   ark created
   baloo_file created
   baloo_filemetadata_temp_extractor created
   brave created
   conplay created
   display created
   dnsmasq created
   dolphin created
   enchant-2 created
   enchant-lsmod-2 created
   ffmpeg created
   ffmpegthumbnailer created
   ffplay created
   ffprobe created
   firefox created
   gwenview created
   img2txt created
   kate created
   kwrite created
   less created
   mpg123 created
   mpg123-id3dump created
   mpg123-strip created
   mplayer created
   okular created
   out123 created
   patch created
   pavucontrol created
   pdftotext created
   qt-faststart created
   secret-tool created
   ssh created
   strings created
   wget created
   whois created
   wine created

Adding user test to Firejail access database in /etc/firejail/firejail.users
Creating /etc/firejail/firejail.users

Loading AppArmor profile
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

Fixing desktop files in /home/test/.local/share/applications
   firefox.desktop created

This is the output I got when I ran sudo firecfg. There appears to be an error.

glitsj16 commented 4 years ago

The error you see is AppArmor related. What kernel is your EndeavourOS using? Type 'uname -r' to find out.

Joe23232 commented 4 years ago

Does firejail use apparmor?

This is the output I get after running uname -r

5.4.15-arch1-1

glitsj16 commented 4 years ago

OK, the stock Arch Linux kernel, which is fine.

$ firejail --version

Joe23232 commented 4 years ago

I ran it

firejail version 0.9.62

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

glitsj16 commented 4 years ago

To test if AppArmor has been correctly enabled:

$ aa-enabled

Joe23232 commented 4 years ago

After running it:

No - disabled at boot.

glitsj16 commented 4 years ago

OK, that's something you will need to fix later. Follow the Arch wiki page instructions at https://wiki.archlinux.org/index.php/AppArmor. But don't do that just yet. It needs a reboot and to avoid several reboots we are going to test your firefox first. Close all running instances of the browser and start a new one:

$ firejail --ignore=quiet firefox

And check if you see directories/files in the 'Open File' dialog that you would like to hide in the sandbox like you mentioned earlier.

glitsj16 commented 4 years ago

Take your time. As we seem to be in a chat-like communication right now, we'll get things sorted shortly. Just ask and/or describe anything that looks weird when you use your Firefox as usual. I'm on babysit backup this afternoon, but it looks as if I can stay online here to guide you thru this. I'll let you know if that changes.

Joe23232 commented 4 years ago

OK, that's something you will need to fix later. Follow the Arch wiki page instructions at https://wiki.archlinux.org/index.php/AppArmor. But don't do that just yet.

Thanks for the link I will try it out later as you said.

Unfortunately I had to do a force shutdown as my system became completely laggy and unusable when running firefox via the specified command.

$ firejail --ignore=quiet firefox

And check if you see directories/files in the 'Open File' dialog that you would like to hide in the sandbox like you mentioned earlier.

Ok so after running firejail --ignore=quiet firefox again, it appears that I can't access the Desktop files.

Take your time. As we seem to be in a chat-like communication right now, we'll get things sorted shortly. Just ask and/or describe anything that looks weird when you use your Firefox as usual. I'm on babysit backup this afternoon, but it looks as if I can stay online here to guide you thru this. I'll let you know if that changes.

Oh I see mate, sorry for taking so long to respond as mentioned earlier my system just screwed up on me. By the way I am using a virtualbox as I just want to test things out before I put all this on my real machine.

glitsj16 commented 4 years ago

Oh I see mate, sorry for taking so long to respond as mentioned earlier my system just screwed up on me. By the way I am using a virtualbox as I just want to test things out before I put all this on my real machine.

No problem. That's a wise thing to do actually!

So, after shutting down firefox again, try to test your (KDE) menus, desktop icons and other ways you have on your system to start Firefox to see if they all work properly and firejailed. The latter you can always check via

$ firejail --tree

You should see a firefox entry in the list. If you do, you're all right.

Joe23232 commented 4 years ago

No problem. That's a wise thing to do actually!

A few days back for some weird reason KDE completely screwed up and showed absolutely nothing after running firecfg and after when I logged out. I am not too sure if it was because of firecfg or it was to do with how I was messing around with the themes. So I had to reinstall EndeavourOS.

So, after shutting down firefox again, try to test your (KDE) menus, desktop icons and other ways you have on your system to start Firefox to see if they all work properly and firejailed.

I closed firefox and I opened it via the start menu on KDE and surprisingly I can't access any files on the Desktop.

The latter you can always check via

$ firejail --tree

You should see a firefox entry in the list. If you do, you're all right.

I did that but I don't see any firefox entry. Here is the output.

1185:test::/usr/bin/firejail /usr/bin/baloo_file 
  1204:test::/usr/bin/firejail /usr/bin/baloo_file 
    1228:test::/usr/bin/baloo_file

Strange, is there something wrong with how it is being sandboxed?

glitsj16 commented 4 years ago

Let's see what happened. After running the previous 'sudo firecfg' command, it reported creating /home/test/.local/share/applications/firefox.desktop (see your output posted above). Can you post the content of that file?

Joe23232 commented 4 years ago

Let's see what happened. After running the previous 'sudo firecfg' command, it reported creating /home/test/.local/share/applications/firefox.desktop (see your output posted above).

Oh I see

Can you post the content of that file?

Yeah sure mate

# converted by firecfg
[Desktop Entry]
Version=1.0
Name=Firefox
GenericName=Web Browser
GenericName[ar]=متصفح ويب
GenericName[ast]=Restolador Web
GenericName[bn]=ওয়েব ব্রাউজার
GenericName[ca]=Navegador web
GenericName[cs]=Webový prohlížeč
GenericName[da]=Webbrowser
GenericName[de]=Webbrowser
GenericName[el]=Περιηγητής διαδικτύου
GenericName[es]=Navegador web
GenericName[et]=Veebibrauser
GenericName[fa]=مرورگر اینترنتی
GenericName[fi]=WWW-selain
GenericName[fr]=Navigateur Web
GenericName[gl]=Navegador Web
GenericName[he]=דפדפן אינטרנט
GenericName[hr]=Web preglednik
GenericName[hu]=Webböngésző
GenericName[it]=Browser web
GenericName[ja]=ウェブ・ブラウザ
GenericName[ko]=웹 브라우저
GenericName[ku]=Geroka torê
GenericName[lt]=Interneto naršyklė
GenericName[nb]=Nettleser
GenericName[nl]=Webbrowser
GenericName[nn]=Nettlesar
GenericName[no]=Nettleser
GenericName[pl]=Przeglądarka WWW
GenericName[pt]=Navegador Web
GenericName[pt_BR]=Navegador Web
GenericName[ro]=Navigator Internet
GenericName[ru]=Веб-браузер
GenericName[sk]=Internetový prehliadač
GenericName[sl]=Spletni brskalnik
GenericName[sv]=Webbläsare
GenericName[tr]=Web Tarayıcı
GenericName[ug]=توركۆرگۈ
GenericName[uk]=Веб-браузер
GenericName[vi]=Trình duyệt Web
GenericName[zh_CN]=网络浏览器
GenericName[zh_TW]=網路瀏覽器
Comment=Browse the World Wide Web
Comment[ar]=تصفح الشبكة العنكبوتية العالمية
Comment[ast]=Restola pela Rede
Comment[bn]=ইন্টারনেট ব্রাউজ করুন
Comment[ca]=Navegueu per el web
Comment[cs]=Prohlížení stránek World Wide Webu
Comment[da]=Surf på internettet
Comment[de]=Im Internet surfen
Comment[el]=Μπορείτε να περιηγηθείτε στο διαδίκτυο (Web)
Comment[es]=Navegue por la web
Comment[et]=Lehitse veebi
Comment[fa]=صفحات شبکه جهانی اینترنت را مرور نمایید
Comment[fi]=Selaa Internetin WWW-sivuja
Comment[fr]=Naviguer sur le Web
Comment[gl]=Navegar pola rede
Comment[he]=גלישה ברחבי האינטרנט
Comment[hr]=Pretražite web
Comment[hu]=A világháló böngészése
Comment[it]=Esplora il web
Comment[ja]=ウェブを閲覧します
Comment[ko]=웹을 돌아 다닙니다
Comment[ku]=Li torê bigere
Comment[lt]=Naršykite internete
Comment[nb]=Surf på nettet
Comment[nl]=Verken het internet
Comment[nn]=Surf på nettet
Comment[no]=Surf på nettet
Comment[pl]=Przeglądanie stron WWW
Comment[pt]=Navegue na Internet
Comment[pt_BR]=Navegue na Internet
Comment[ro]=Navigați pe Internet
Comment[ru]=Доступ в Интернет
Comment[sk]=Prehliadanie internetu
Comment[sl]=Brskajte po spletu
Comment[sv]=Surfa på webben
Comment[tr]=İnternet'te Gezinin
Comment[ug]=دۇنيادىكى توربەتلەرنى كۆرگىلى بولىدۇ
Comment[uk]=Перегляд сторінок Інтернету
Comment[vi]=Để duyệt các trang web
Comment[zh_CN]=浏览互联网
Comment[zh_TW]=瀏覽網際網路
Keywords=Internet;WWW;Browser;Web;Explorer
Keywords[ar]=انترنت;إنترنت;متصفح;ويب;وب
Keywords[ast]=Internet;WWW;Restolador;Web;Esplorador
Keywords[ca]=Internet;WWW;Navegador;Web;Explorador;Explorer
Keywords[cs]=Internet;WWW;Prohlížeč;Web;Explorer
Keywords[da]=Internet;Internettet;WWW;Browser;Browse;Web;Surf;Nettet
Keywords[de]=Internet;WWW;Browser;Web;Explorer;Webseite;Site;surfen;online;browsen
Keywords[el]=Internet;WWW;Browser;Web;Explorer;Διαδίκτυο;Περιηγητής;Firefox;Φιρεφοχ;Ιντερνετ
Keywords[es]=Explorador;Internet;WWW
Keywords[fi]=Internet;WWW;Browser;Web;Explorer;selain;Internet-selain;internetselain;verkkoselain;netti;surffaa
Keywords[fr]=Internet;WWW;Browser;Web;Explorer;Fureteur;Surfer;Navigateur
Keywords[he]=דפדפן;אינטרנט;רשת;אתרים;אתר;פיירפוקס;מוזילה;
Keywords[hr]=Internet;WWW;preglednik;Web
Keywords[hu]=Internet;WWW;Böngésző;Web;Háló;Net;Explorer
Keywords[it]=Internet;WWW;Browser;Web;Navigatore
Keywords[is]=Internet;WWW;Vafri;Vefur;Netvafri;Flakk
Keywords[ja]=Internet;WWW;Web;インターネット;ブラウザ;ウェブ;エクスプローラ
Keywords[nb]=Internett;WWW;Nettleser;Explorer;Web;Browser;Nettside
Keywords[nl]=Internet;WWW;Browser;Web;Explorer;Verkenner;Website;Surfen;Online
Keywords[pt]=Internet;WWW;Browser;Web;Explorador;Navegador
Keywords[pt_BR]=Internet;WWW;Browser;Web;Explorador;Navegador
Keywords[ru]=Internet;WWW;Browser;Web;Explorer;интернет;браузер;веб;файрфокс;огнелис
Keywords[sk]=Internet;WWW;Prehliadač;Web;Explorer
Keywords[sl]=Internet;WWW;Browser;Web;Explorer;Brskalnik;Splet
Keywords[tr]=İnternet;WWW;Tarayıcı;Web;Gezgin;Web sitesi;Site;sörf;çevrimiçi;tara
Keywords[uk]=Internet;WWW;Browser;Web;Explorer;Інтернет;мережа;переглядач;оглядач;браузер;веб;файрфокс;вогнелис;перегляд
Keywords[vi]=Internet;WWW;Browser;Web;Explorer;Trình duyệt;Trang web
Keywords[zh_CN]=Internet;WWW;Browser;Web;Explorer;网页;浏览;上网;火狐;Firefox;ff;互联网;网站;
Keywords[zh_TW]=Internet;WWW;Browser;Web;Explorer;網際網路;網路;瀏覽器;上網;網頁;火狐
Exec=firefox %u
Icon=firefox
Terminal=false
X-MultipleArgs=false
Type=Application
MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;application/x-xpinstall;
StartupNotify=true
StartupWMClass=firefox
Categories=Network;WebBrowser;
Actions=new-window;new-private-window;

[Desktop Action new-window]
Name=New Window
Name[ach]=Dirica manyen
Name[af]=Nuwe venster
Name[an]=Nueva finestra
Name[ar]=نافذة جديدة
Name[as]=নতুন উইন্ডো
Name[ast]=Ventana nueva
Name[az]=Yeni Pəncərə
Name[be]=Новае акно
Name[bg]=Нов прозорец
Name[bn_BD]=নতুন উইন্ডো (N)
Name[bn_IN]=নতুন উইন্ডো
Name[br]=Prenestr nevez
Name[brx]=गोदान उइन्ड'(N)
Name[bs]=Novi prozor
Name[ca]=Finestra nova
Name[cak]=K'ak'a' tzuwäch
Name[cs]=Nové okno
Name[cy]=Ffenestr Newydd
Name[da]=Nyt vindue
Name[de]=Neues Fenster
Name[dsb]=Nowe wokno
Name[el]=Νέο παράθυρο
Name[en_GB]=New Window
Name[en_US]=New Window
Name[en_ZA]=New Window
Name[eo]=Nova fenestro
Name[es_AR]=Nueva ventana
Name[es_CL]=Nueva ventana
Name[es_ES]=Nueva ventana
Name[es_MX]=Nueva ventana
Name[et]=Uus aken
Name[eu]=Leiho berria
Name[fa]=پنجره جدید
Name[ff]=Henorde Hesere
Name[fi]=Uusi ikkuna
Name[fr]=Nouvelle fenêtre
Name[fy_NL]=Nij finster
Name[ga_IE]=Fuinneog Nua
Name[gd]=Uinneag ùr
Name[gl]=Nova xanela
Name[gn]=Ovetã pyahu
Name[gu_IN]=નવી વિન્ડો
Name[he]=חלון חדש
Name[hi_IN]=नया विंडो
Name[hr]=Novi prozor
Name[hsb]=Nowe wokno
Name[hu]=Új ablak
Name[hy_AM]=Նոր Պատուհան
Name[id]=Jendela Baru
Name[is]=Nýr gluggi
Name[it]=Nuova finestra
Name[ja]=新しいウィンドウ
Name[ja_JP-mac]=新規ウインドウ
Name[ka]=ახალი ფანჯარა
Name[kk]=Жаңа терезе
Name[km]=បង្អួចថ្មី
Name[kn]=ಹೊಸ ಕಿಟಕಿ
Name[ko]=새 창
Name[kok]=नवें जनेल
Name[ks]=نئئ وِنڈو
Name[lij]=Neuvo barcon
Name[lo]=ຫນ້າຕ່າງໃຫມ່
Name[lt]=Naujas langas
Name[ltg]=Jauns lūgs
Name[lv]=Jauns logs
Name[mai]=नव विंडो
Name[mk]=Нов прозорец
Name[ml]=പുതിയ ജാലകം
Name[mr]=नवीन पटल
Name[ms]=Tetingkap Baru
Name[my]=ဝင်းဒိုးအသစ်
Name[nb_NO]=Nytt vindu
Name[ne_NP]=नयाँ सञ्झ्याल
Name[nl]=Nieuw venster
Name[nn_NO]=Nytt vindauge
Name[or]=ନୂତନ ୱିଣ୍ଡୋ
Name[pa_IN]=ਨਵੀਂ ਵਿੰਡੋ
Name[pl]=Nowe okno
Name[pt_BR]=Nova janela
Name[pt_PT]=Nova janela
Name[rm]=Nova fanestra
Name[ro]=Fereastră nouă
Name[ru]=Новое окно
Name[sat]=नावा विंडो (N)
Name[si]=නව කවුළුවක්
Name[sk]=Nové okno
Name[sl]=Novo okno
Name[son]=Zanfun taaga
Name[sq]=Dritare e Re
Name[sr]=Нови прозор
Name[sv_SE]=Nytt fönster
Name[ta]=புதிய சாளரம்
Name[te]=కొత్త విండో
Name[th]=หน้าต่างใหม่
Name[tr]=Yeni pencere
Name[tsz]=Eraatarakua jimpani
Name[uk]=Нове вікно
Name[ur]=نیا دریچہ
Name[uz]=Yangi oyna
Name[vi]=Cửa sổ mới
Name[wo]=Palanteer bu bees
Name[xh]=Ifestile entsha
Name[zh_CN]=新建窗口
Name[zh_TW]=開新視窗
Exec=firefox --new-window %u

[Desktop Action new-private-window]
Name=New Private Window
Name[ach]=Dirica manyen me mung
Name[af]=Nuwe privaatvenster
Name[an]=Nueva finestra privada
Name[ar]=نافذة خاصة جديدة
Name[as]=নতুন ব্যক্তিগত উইন্ডো
Name[ast]=Ventana privada nueva
Name[az]=Yeni Məxfi Pəncərə
Name[be]=Новае акно адасаблення
Name[bg]=Нов прозорец за поверително сърфиране
Name[bn_BD]=নতুন ব্যক্তিগত উইন্ডো
Name[bn_IN]=নতুন ব্যক্তিগত উইন্ডো
Name[br]=Prenestr merdeiñ prevez nevez
Name[brx]=गोदान प्राइभेट उइन्ड'
Name[bs]=Novi privatni prozor
Name[ca]=Finestra privada nova
Name[cak]=K'ak'a' ichinan tzuwäch
Name[cs]=Nové anonymní okno
Name[cy]=Ffenestr Breifat Newydd
Name[da]=Nyt privat vindue
Name[de]=Neues privates Fenster
Name[dsb]=Nowe priwatne wokno
Name[el]=Νέο παράθυρο ιδιωτικής περιήγησης
Name[en_GB]=New Private Window
Name[en_US]=New Private Window
Name[en_ZA]=New Private Window
Name[eo]=Nova privata fenestro
Name[es_AR]=Nueva ventana privada
Name[es_CL]=Nueva ventana privada
Name[es_ES]=Nueva ventana privada
Name[es_MX]=Nueva ventana privada
Name[et]=Uus privaatne aken
Name[eu]=Leiho pribatu berria
Name[fa]=پنجره ناشناس جدید
Name[ff]=Henorde Suturo Hesere
Name[fi]=Uusi yksityinen ikkuna
Name[fr]=Nouvelle fenêtre de navigation privée
Name[fy_NL]=Nij priveefinster
Name[ga_IE]=Fuinneog Nua Phríobháideach
Name[gd]=Uinneag phrìobhaideach ùr
Name[gl]=Nova xanela privada
Name[gn]=Ovetã ñemi pyahu
Name[gu_IN]=નવી ખાનગી વિન્ડો
Name[he]=חלון פרטי חדש
Name[hi_IN]=नयी निजी विंडो
Name[hr]=Novi privatni prozor
Name[hsb]=Nowe priwatne wokno
Name[hu]=Új privát ablak
Name[hy_AM]=Սկսել Գաղտնի դիտարկում
Name[id]=Jendela Mode Pribadi Baru
Name[is]=Nýr huliðsgluggi
Name[it]=Nuova finestra anonima
Name[ja]=新しいプライベートウィンドウ
Name[ja_JP-mac]=新規プライベートウインドウ
Name[ka]=ახალი პირადი ფანჯარა
Name[kk]=Жаңа жекелік терезе
Name[km]=បង្អួចឯកជនថ្មី
Name[kn]=ಹೊಸ ಖಾಸಗಿ ಕಿಟಕಿ
Name[ko]=새 사생활 보호 모드
Name[kok]=नवो खाजगी विंडो
Name[ks]=نْو پرایوٹ وینڈو
Name[lij]=Nêuvo barcón privòu
Name[lo]=ເປີດຫນ້າຕ່າງສວນຕົວຂື້ນມາໃຫມ່
Name[lt]=Naujas privataus naršymo langas
Name[ltg]=Jauns privatais lūgs
Name[lv]=Jauns privātais logs
Name[mai]=नया निज विंडो (W)
Name[mk]=Нов приватен прозорец
Name[ml]=പുതിയ സ്വകാര്യ ജാലകം
Name[mr]=नवीन वैयक्तिक पटल
Name[ms]=Tetingkap Persendirian Baharu
Name[my]=New Private Window
Name[nb_NO]=Nytt privat vindu
Name[ne_NP]=नयाँ निजी सञ्झ्याल
Name[nl]=Nieuw privévenster
Name[nn_NO]=Nytt privat vindauge
Name[or]=ନୂତନ ବ୍ୟକ୍ତିଗତ ୱିଣ୍ଡୋ
Name[pa_IN]=ਨਵੀਂ ਪ੍ਰਾਈਵੇਟ ਵਿੰਡੋ
Name[pl]=Nowe okno prywatne
Name[pt_BR]=Nova janela privativa
Name[pt_PT]=Nova janela privada
Name[rm]=Nova fanestra privata
Name[ro]=Fereastră privată nouă
Name[ru]=Новое приватное окно
Name[sat]=नावा निजेराक् विंडो (W )
Name[si]=නව පුද්ගලික කවුළුව (W)
Name[sk]=Nové okno v režime Súkromné prehliadanie
Name[sl]=Novo zasebno okno
Name[son]=Sutura zanfun taaga
Name[sq]=Dritare e Re Private
Name[sr]=Нови приватан прозор
Name[sv_SE]=Nytt privat fönster
Name[ta]=புதிய தனிப்பட்ட சாளரம்
Name[te]=కొత్త ఆంతరంగిక విండో
Name[th]=หน้าต่างส่วนตัวใหม่
Name[tr]=Yeni gizli pencere
Name[tsz]=Juchiiti eraatarakua jimpani
Name[uk]=Приватне вікно
Name[ur]=نیا نجی دریچہ
Name[uz]=Yangi maxfiy oyna
Name[vi]=Cửa sổ riêng tư mới
Name[wo]=Panlanteeru biir bu bees
Name[xh]=Ifestile yangasese entsha
Name[zh_CN]=新建隐私浏览窗口
Name[zh_TW]=新增隱私視窗
Exec=firefox --private-window %u

glitsj16 commented 4 years ago

What is your $PATH?

$ echo $PATH

Let's unclutter that file a bit to make it easier to read. Replace the content with the below.

[Desktop Entry]
Name=Firefox
GenericName=Web Browser
Comment=Browse the World Wide Web
Keywords=Internet;WWW;Browser;Web;Explorer
#Exec=firefox
Exec=firejail firefox %u
Icon=firefox
Terminal=false
X-MultipleArgs=false
Type=Application
MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;application/x-xpinstall;
StartupNotify=true
StartupWMClass=firefox
Categories=Network;WebBrowser;
Actions=new-window;new-private-window;

[Desktop Action new-window]
Name=New Window
#Exec=firefox --new-window %u
Exec=firejail firefox --new-window %u

[Desktop Action new-private-window]
Name=New Private Window
#Exec=firefox --private-window %u
Exec=firejail firefox --private-window %u

Joe23232 commented 4 years ago

What is your $PATH?

$ echo $PATH

/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl

Let's unclutter that file a bit to make it easier to read. Replace the content with the below.

So you want me to nano into that file and replace the content and put this content in instead, is that what you mean? What will change if I replace the contents other than the readability?

glitsj16 commented 4 years ago

PATH looks fine, stock Arch output.

So you want me to nano into that file and replace the content and put this content in instead, is that what you mean? What will change if I replace the contents other than the readability?

Correct. Other than readability I took out the '# converted by firecfg' line and changed the 'Exec=...' lines. The former should protect the file from being overwritten by future 'sudo firecfg' runs. We have some issues reported on that not working well for certain applications. The latter means taking manual control to ensure your Firefox will always run sandboxed now. At least that's what it should do once you make the edits in nano. So proceed with the edits and test your Firefox browser start routines again, double-checking with the 'firejail --tree' command to confirm it is actually sandboxed now.

Don't worry about changing the content. If this doesn't fix your firefox you can always remove that file and regenerate it by running 'sudo firecfg' again. Apologies for editing/updating my comments here. It could help others that look thru the issues here in the future.

Joe23232 commented 4 years ago

PATH looks fine, stock Arch output.

Oh ok nice.

Other than readability I took out the '# converted by firecfg' line and changed the 'Exec=...' lines. The former should protect the file from being overwritten by future 'sudo firecfg' runs.

Do I have to do this to replace all the *.desktop files' contents and add what you have specified?

What does the firefox.desktop file do anyways, and what happens when it is overwritten? Isn't the same information being overwritten to the same file?

So proceed with the edits and test your Firefox browser start routines again, double-checking with the 'firejail --tree' command to confirm it is actually sandboxed now.

One error: for some weird reason I can make changes using nano, but when I am using a text editor (called Kate), if I save a change it does not allow me and shows me this error message.


Additionally I did change the write permissions and allowed the file to be written by any user and the same issue still persists.

The reason why I am not using nano is: how do I highlight all the text?

Joe23232 commented 4 years ago

Sorry I have to go for now I will be available in around 10 hours time. Thanks for all your help :)

glitsj16 commented 4 years ago

I'll add a comment explaining a few things regarding your prior comment and what to do next etcetera. We can pick this up again later. Glad to help.

glitsj16 commented 4 years ago

Do I have to do this to replace all the *.desktop's file's contents and add what you have specified?

No. In fact it shouldn't be needed at all. But due to some firecfg issues (see e.g. #3179) that are still not fixed or in-progress you currently need this workaround. If you notice any other of your installed applications not getting sandboxed properly (via 'firejail --tree') this routine is a way to take manual control and (try to) fix things.

What does the firefox.desktop file do anyways, and what happens when it is overwritten? Isn't the same information being overwritten to the same file?

Like @smitsohu and myself explained in the beginning of this thread, the firefox.desktop file instructs your OS which command to execute (with additional arguments when specified) and - by explicitly specifying 'Exec=firejail firefox ...' - guarantees running all your supported applications through firejail. Taking out that '# converted by firecfg' line is a safeguard against future overwrites by running 'sudo firecfg', which would regenerate another 'broken' desktop file for firefox in this case. Annoying, but hopefully the firecfg tool will be fixed soon and situations like these become unnecessary.

One error, for some weird reason I can make changes using nano but when I am using a text editor (called kate) if I save a change it does not allow me and shows me this error message.

The 'weird' reason here is actually firejail itself :) In the list you posted in https://github.com/netblue30/firejail/issues/3191#issuecomment-580224583 you can see 'kate created'. That means that your 'kate' editor is now being run through firejail (as are all the applications listed in that output).

Additionally I did change the write permissions and allowed the file to be written by any user and the same issue still persists.

Changing file permissions (outside the sandbox on your real filesystem) won't help here. The 'problem' is that the default /etc/firejail/kate.profile contains 'include disable-common.inc', which in turn has read-only ${HOME}/.local/share/applications (see lines 304-307 of /etc/firejail/disable-common.inc). So 'kate' - being unaware it is being run through firejail - tries to write into a location that is read-only inside the sandbox, fails to do so and shows an error window.

This is all 'standard' firejail behaviour: restrict a profile as much as possible while keeping it reasonably functional for the user. You will have to get used to being in control, believe it or not :). It is you - as the firejail user - that has to decide if/when/how to make changes to these defaults as specified in the profiles under /etc/firejail. Not that firejail is trying to shift blame or responsibility for something not working as expected into your shoes, or anything of the sort. Quite the contrary IMHO. Purposely designing things this way forces users to be more aware of how their specific setup uses the firejail sandboxing techniques and does not lull them into a false 'install and forget' kind of security disaster. After all, firejail is just another set of tools. Luckily it tries to be (self-)aware of this and provides a convention to use overrides via .local files.

If you decide to keep using 'kate' firejailed and want to allow it to save files under ~/.local/share/applications you have 2 options: either create /etc/firejail/kate.local or ~/.config/firejail/kate.local. The former is a system-wide override - affecting all firejail users on your system; the latter is a per-user override - only affecting your specific user ID account.

# This file is meant for local customizations of kate.profile

# allow editing local .desktop files (read-only in disable-common.inc)
read-write ${HOME}/.local/share/applications

The reason why I am not using nano is cause how do I highlight all the texts?

To be honest I don't know that OTOH. Manual pages and internet searches to the rescue...

glitsj16 commented 4 years ago

To conclude our session for today, here are 2 reminders.

mkdir -p ~/.config/autostart
cp -f /etc/xdg/autostart/firetools.desktop ~/.config/autostart/firetools.desktop
echo "X-GNOME-Autostart-enabled=false" >> ~/.config/autostart/firetools.desktop
chmod +x ~/.config/autostart/firetools.desktop

Enjoy experimenting!

Joe23232 commented 4 years ago

@glitsj16

No. In fact it shouldn't be needed at all. But due to some firecfg issues (see e.g. #3179) that are still not fixed or in-progress you currently need this workaround. If you notice any other of your installed applications not getting sandboxed properly (via 'firejail --tree') this routine is a way to take manual control and (try to) fix things.

Hopefully it gets fixed soon.

Like @smitsohu and myself explained in the beginning of this thread, the firefox.desktop file instructs your OS which command to execute (with additional arguments when specified) and - by explicitly specifying 'Exec=firejail firefox ...' - guarantees running all your supported applications through firejail. Taking out that '# converted by firecfg' line is a safeguard against future overwrites by running 'sudo firecfg', which would regenerate another 'broken' desktop file for firefox in this case. Annoying, but hopefully the firecfg tool will be fixed soon and situations like these become unnecessary.

Oh sorry I should have read it again.

That means that your 'kate' editor is now being run through firejail (as are all the applications listed in that output).

Oh I get it lol.

Changing file permissions (outside the sandbox on your real filesystem) won't help here. The 'problem' is that the default /etc/firejail/kate.profile contains 'include disable-common.inc', which in turn has read-only ${HOME}/.local/share/applications (see lines 304-307 of /etc/firejail/disable-common.inc). So 'kate' - being unaware it is being run through firejail - tries to write into a location that is read-only inside the sandbox, fails to do so and shows an error window.

I understand, I just didn't realise kate was being sandboxed.

Is there a way to use firecfg to specify which applications should get sandboxed? Because I don't want to sandbox all applications, just the ones that I specify?

glitsj16 commented 4 years ago

Is there a way to use firecfg to specify which applications should get sandboxed? Because I don't want to sandbox all applications, just the ones that I specify?

No, in its current design firecfg doesn't allow that functionality. More granular control has been requested before, see #3016. I remembered showing a custom script in that issue, which still works fine, but depends heavily on your workflow. Maybe using https://github.com/rahiel/firectl instead of firecfg is the way to go for you in that case.

Joe23232 commented 4 years ago

@glitsj16

I did a sudo firecfg --clean to clear out all the files from being sandboxed.

I installed firectl via yay -S firectl (since firectl was not in the official archlinux repository). Firefox seems to get sandboxed, but chromium (I installed chromium after running firecfg and running sudo firecfg --clean) does not get sandboxed at all when I typed sudo firectl enable chromium.

I ran firectl status and I get this output.

1  Firejail profiles are enabled
   program     symlink    desktop file
   chromium    yes        yes    

6  Firejail profiles are disabled and available
   brave-browser
   firefox
   mplayer
   opera
   pavucontrol
   wine

Through firejail chromium is being sandboxed, which is good, but not through firectl and when I launch it through KDE.

I am not too sure why chromium is not working?

glitsj16 commented 4 years ago

Can you post the current content of /usr/share/applications/chromium.desktop please?

As I understand it, firectl prepends "firejail" to the Exec line of the system-wide desktop files. So you need to make absolutely sure there are no overlapping .desktop files with the same name in your ~/.local/share/applications directory. Perhaps firecfg didn't clean everything there. Check that path, remove every .desktop file and try to use firectl again to disable/enable what you want.

I've started work on a firecfg-ng (firecfg next-generation) to avoid all this messy, headache-inducing stuff. It will have disable/enable functionality cfr. firectl, as well as fixes for all currently known/reported firecfg bugs and issues. This will take a while, but I wanted to inform you nonetheless.

On a similar note, if your list of applications you always want to be firejailed isn't too long, I suggest you drop tools like firectl/firecfg completely and set up symlinks (in /usr/local/bin) and edited .desktop files (in ~/.local/share/applications) yourself manually. In the end that looks to be the more manageable solution to all this IMHO. And even when the list is long(er), doing the work manually and keeping a file with info of what you always run through firejail isn't that complicated. It's what I've been doing ever since starting to use firejail for what that's worth...
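The manual routine described in this thread (a per-user .desktop copy with firejail prepended to every Exec= line and the '# converted by firecfg' marker removed, plus a check for a stale user copy shadowing the system file, as asked for chromium.desktop above), as an added shell example that is not code from the firejail project or from anyone in this thread; the function names and the sample launcher it builds are constructed here.

```shell
#!/bin/sh
# Added example, not firejail project code.  Paths are parameters so the
# functions can be tried on constructed input before touching real launchers.

# firejail_desktop SRC DST
#   SRC: system launcher, e.g. /usr/share/applications/firefox.desktop
#   DST: user override, e.g. ~/.local/share/applications/firefox.desktop
firejail_desktop() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    # Drop the firecfg marker so "sudo firecfg" leaves the copy alone, and
    # prefix every Exec= line (the main one and each [Desktop Action] one).
    # Lines already starting with firejail are skipped, so running this
    # twice never yields "Exec=firejail firejail ...".
    sed -e '/^# converted by firecfg/d' \
        -e '/^Exec=firejail /!s/^Exec=/Exec=firejail /' \
        "$src" > "$dst"
}

# count_unsandboxed DIR
#   Number of Exec= lines in DIR/*.desktop whose command is not firejail.
#   0 means every launcher in that directory starts inside the sandbox.
count_unsandboxed() {
    cat "$1"/*.desktop 2>/dev/null | grep '^Exec=' | grep -vc '^Exec=firejail ' || true
}

# overlapping_desktops SYSDIR USERDIR
#   Basenames present in both directories.  A stale user copy shadows
#   whatever firectl/firecfg wrote to the system file, which is the kind of
#   mismatch to rule out when enable/disable seems to have no effect.
overlapping_desktops() {
    for f in "$2"/*.desktop; do
        [ -f "$f" ] && [ -f "$1/$(basename "$f")" ] && basename "$f"
    done
    return 0
}

# Constructed sample launcher (not a real system file) so this runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/sys" "$demo/user"
printf '%s\n' '[Desktop Entry]' '# converted by firecfg' 'Name=Firefox' \
    'Exec=firefox %U' 'Actions=new-window;' '' \
    '[Desktop Action new-window]' 'Exec=firefox --new-window' \
    > "$demo/sys/firefox.desktop"
firejail_desktop "$demo/sys/firefox.desktop" "$demo/user/firefox.desktop"
grep '^Exec=' "$demo/user/firefox.desktop"
echo "unsandboxed Exec lines in user dir: $(count_unsandboxed "$demo/user")"
echo "user copies shadowing system files: $(overlapping_desktops "$demo/sys" "$demo/user")"
rm -r "$demo"
```

On a real system call firejail_desktop with the /usr/share/applications source and the ~/.local/share/applications destination, then confirm with 'firejail --tree' as described above.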

rusty-snake commented 4 years ago

I've started work on a firecfg-ng (firecfg next-generation) to avoid all this messy, headache-inducing stuff.

I started a firecfg.py, maybe we should collaborate to avoid duplicated work.

Joe23232 commented 4 years ago

@glitsj16

Can you post the current content of /usr/share/applications/chromium.desktop please?

Sure mate.

[Desktop Entry]
Version=1.0
Name=Chromium
# Only KDE 4 seems to use GenericName, so we reuse the KDE strings.
# From Ubuntu's language-pack-kde-XX-base packages, version 9.04-20090413.
GenericName=Web Browser
GenericName[ar]=متصفح الشبكة
GenericName[bg]=Уеб браузър
GenericName[ca]=Navegador web
GenericName[cs]=WWW prohlížeč
GenericName[da]=Browser
GenericName[de]=Web-Browser
GenericName[el]=Περιηγητής ιστού
GenericName[en_GB]=Web Browser
GenericName[es]=Navegador web
GenericName[et]=Veebibrauser
GenericName[fi]=WWW-selain
GenericName[fr]=Navigateur Web
GenericName[gu]=વેબ બ્રાઉઝર
GenericName[he]=דפדפן אינטרנט
GenericName[hi]=वेब ब्राउज़र
GenericName[hu]=Webböngésző
GenericName[it]=Browser Web
GenericName[ja]=ウェブブラウザ
GenericName[kn]=ಜಾಲ ವೀಕ್ಷಕ
GenericName[ko]=웹 브라우저
GenericName[lt]=Žiniatinklio naršyklė
GenericName[lv]=Tīmekļa pārlūks
GenericName[ml]=വെബ് ബ്രൌസര്
GenericName[mr]=वेब ब्राऊजर
GenericName[nb]=Nettleser
GenericName[nl]=Webbrowser
GenericName[pl]=Przeglądarka WWW
GenericName[pt]=Navegador Web
GenericName[pt_BR]=Navegador da Internet
GenericName[ro]=Navigator de Internet
GenericName[ru]=Веб-браузер
GenericName[sl]=Spletni brskalnik
GenericName[sv]=Webbläsare
GenericName[ta]=இணைய உலாவி
GenericName[th]=เว็บเบราว์เซอร์
GenericName[tr]=Web Tarayıcı
GenericName[uk]=Навігатор Тенет
GenericName[zh_CN]=网页浏览器
GenericName[zh_HK]=網頁瀏覽器
GenericName[zh_TW]=網頁瀏覽器
# Not translated in KDE, from Epiphany 2.26.1-0ubuntu1.
GenericName[bn]=ওয়েব ব্রাউজার
GenericName[fil]=Web Browser
GenericName[hr]=Web preglednik
GenericName[id]=Browser Web
GenericName[or]=ଓ୍ବେବ ବ୍ରାଉଜର
GenericName[sk]=WWW prehliadač
GenericName[sr]=Интернет прегледник
GenericName[te]=మహాతల అన్వేషి
GenericName[vi]=Bộ duyệt Web
# Gnome and KDE 3 uses Comment.
Comment=Access the Internet
Comment[ar]=الدخول إلى الإنترنت
Comment[bg]=Достъп до интернет
Comment[bn]=ইন্টারনেটটি অ্যাক্সেস করুন
Comment[ca]=Accedeix a Internet
Comment[cs]=Přístup k internetu
Comment[da]=Få adgang til internettet
Comment[de]=Internetzugriff
Comment[el]=Πρόσβαση στο Διαδίκτυο
Comment[en_GB]=Access the Internet
Comment[es]=Accede a Internet.
Comment[et]=Pääs Internetti
Comment[fi]=Käytä internetiä
Comment[fil]=I-access ang Internet
Comment[fr]=Accéder à Internet
Comment[gu]=ઇંટરનેટ ઍક્સેસ કરો
Comment[he]=גישה אל האינטרנט
Comment[hi]=इंटरनेट तक पहुंच स्थापित करें
Comment[hr]=Pristup Internetu
Comment[hu]=Internetelérés
Comment[id]=Akses Internet
Comment[it]=Accesso a Internet
Comment[ja]=インターネットにアクセス
Comment[kn]=ಇಂಟರ್ನೆಟ್ ಅನ್ನು ಪ್ರವೇಶಿಸಿ
Comment[ko]=인터넷 연결
Comment[lt]=Interneto prieiga
Comment[lv]=Piekļūt internetam
Comment[ml]=ഇന്റര്നെറ്റ് ആക്സസ് ചെയ്യുക
Comment[mr]=इंटरनेटमध्ये प्रवेश करा
Comment[nb]=Gå til Internett
Comment[nl]=Verbinding maken met internet
Comment[or]=ଇଣ୍ଟର୍ନେଟ୍ ପ୍ରବେଶ କରନ୍ତୁ
Comment[pl]=Skorzystaj z internetu
Comment[pt]=Aceder à Internet
Comment[pt_BR]=Acessar a internet
Comment[ro]=Accesaţi Internetul
Comment[ru]=Доступ в Интернет
Comment[sk]=Prístup do siete Internet
Comment[sl]=Dostop do interneta
Comment[sr]=Приступите Интернету
Comment[sv]=Gå ut på Internet
Comment[ta]=இணையத்தை அணுகுதல்
Comment[te]=ఇంటర్నెట్ను ఆక్సెస్ చెయ్యండి
Comment[th]=เข้าถึงอินเทอร์เน็ต
Comment[tr]=İnternet'e erişin
Comment[uk]=Доступ до Інтернету
Comment[vi]=Truy cập Internet
Comment[zh_CN]=访问互联网
Comment[zh_HK]=連線到網際網路
Comment[zh_TW]=連線到網際網路
Exec=firejail /usr/bin/chromium %U
StartupNotify=true
Terminal=false
Icon=chromium
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml_xml;image/webp;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
Actions=new-window;new-private-window;

[Desktop Action new-window]
Name=New Window
Name[am]=አዲስ መስኮት
Name[ar]=نافذة جديدة
Name[bg]=Нов прозорец
Name[bn]=নতুন উইন্ডো
Name[ca]=Finestra nova
Name[cs]=Nové okno
Name[da]=Nyt vindue
Name[de]=Neues Fenster
Name[el]=Νέο Παράθυρο
Name[en_GB]=New Window
Name[es]=Nueva ventana
Name[et]=Uus aken
Name[fa]=پنجره جدید
Name[fi]=Uusi ikkuna
Name[fil]=New Window
Name[fr]=Nouvelle fenêtre
Name[gu]=નવી વિંડો
Name[hi]=नई विंडो
Name[hr]=Novi prozor
Name[hu]=Új ablak
Name[id]=Jendela Baru
Name[it]=Nuova finestra
Name[iw]=חלון חדש
Name[ja]=新規ウインドウ
Name[kn]=ಹೊಸ ವಿಂಡೊ
Name[ko]=새 창
Name[lt]=Naujas langas
Name[lv]=Jauns logs
Name[ml]=പുതിയ വിന്ഡോ
Name[mr]=नवीन विंडो
Name[nl]=Nieuw venster
Name[no]=Nytt vindu
Name[pl]=Nowe okno
Name[pt]=Nova janela
Name[pt_BR]=Nova janela
Name[ro]=Fereastră nouă
Name[ru]=Новое окно
Name[sk]=Nové okno
Name[sl]=Novo okno
Name[sr]=Нови прозор
Name[sv]=Nytt fönster
Name[sw]=Dirisha Jipya
Name[ta]=புதிய சாளரம்
Name[te]=క్రొత్త విండో
Name[th]=หน้าต่างใหม่
Name[tr]=Yeni Pencere
Name[uk]=Нове вікно
Name[vi]=Cửa sổ Mới
Name[zh_CN]=新建窗口
Name[zh_TW]=開新視窗
Exec=firejail /usr/bin/chromium

[Desktop Action new-private-window]
Name=New Incognito Window
Name[ar]=نافذة جديدة للتصفح المتخفي
Name[bg]=Нов прозорец „инкогнито“
Name[bn]=নতুন ছদ্মবেশী উইন্ডো
Name[ca]=Finestra d'incògnit nova
Name[cs]=Nové anonymní okno
Name[da]=Nyt inkognitovindue
Name[de]=Neues Inkognito-Fenster
Name[el]=Νέο παράθυρο για ανώνυμη περιήγηση
Name[en_GB]=New Incognito window
Name[es]=Nueva ventana de incógnito
Name[et]=Uus inkognito aken
Name[fa]=پنجره جدید حالت ناشناس
Name[fi]=Uusi incognito-ikkuna
Name[fil]=Bagong Incognito window
Name[fr]=Nouvelle fenêtre de navigation privée
Name[gu]=નવી છુપી વિંડો
Name[hi]=नई गुप्त विंडो
Name[hr]=Novi anoniman prozor
Name[hu]=Új Inkognitóablak
Name[id]=Jendela Penyamaran baru
Name[it]=Nuova finestra di navigazione in incognito
Name[iw]=חלון חדש לגלישה בסתר
Name[ja]=新しいシークレット ウィンドウ
Name[kn]=ಹೊಸ ಅಜ್ಞಾತ ವಿಂಡೋ
Name[ko]=새 시크릿 창
Name[lt]=Naujas inkognito langas
Name[lv]=Jauns inkognito režīma logs
Name[ml]=പുതിയ വേഷ പ്രച്ഛന്ന വിന്ഡോ
Name[mr]=नवीन गुप्त विंडो
Name[nl]=Nieuw incognitovenster
Name[no]=Nytt inkognitovindu
Name[pl]=Nowe okno incognito
Name[pt]=Nova janela de navegação anónima
Name[pt_BR]=Nova janela anônima
Name[ro]=Fereastră nouă incognito
Name[ru]=Новое окно в режиме инкогнито
Name[sk]=Nové okno inkognito
Name[sl]=Novo okno brez beleženja zgodovine
Name[sr]=Нови прозор за прегледање без архивирања
Name[sv]=Nytt inkognitofönster
Name[ta]=புதிய மறைநிலைச் சாளரம்
Name[te]=క్రొత్త అజ్ఞాత విండో
Name[th]=หน้าต่างใหม่ที่ไม่ระบุตัวตน
Name[tr]=Yeni Gizli pencere
Name[uk]=Нове вікно в режимі анонімного перегляду
Name[vi]=Cửa sổ ẩn danh mới
Name[zh_CN]=新建隐身窗口
Name[zh_TW]=新增無痕式視窗
Exec=firejail /usr/bin/chromium --incognito

remove every .desktop file and try to use firectl again to disable/enable what you want.

Where could all the *.desktop files be located?

I am having issues with chromium. After running sudo firecfg --clean and rm firefox.desktop in this directory (~/.local/share/applications), and after running sudo firectl enable chromium, it does get sandboxed, but even if I disable it chromium is still being sandboxed.

I've started work on a firecfg-ng (firecfg next-generation) to avoid all this messy, headache-inducing stuff. It will have disable/enable functionality cfr. firectl, as well as fixes for all currently known/reported firecfg bugs and issues. This will take a while, but I wanted to inform you nonetheless.

Oh nice I hope it works out :)

On a similar note, if your list of applications you always want to be firejailed isn't too long, I suggest you drop tools like firectl/firecfg completely and set up symlinks (in /usr/local/bin) and edited .desktop files (in ~/.local/share/applications) yourself manually. In the end that looks to be the more manageable solution to all this IMHO. And even when the list is long(er), doing the work manually and keeping a file with info of what you always run through firejail isn't that complicated. It's what I've been doing ever since starting to use firejail for what that's worth...

I could try that but what do I put inside the *.desktop file?

I started a firecfg.py, maybe we should collaborate to avoid duplicated work.

I wish I could help you out but I have basic programming skills, unless this is easy to code?