netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

How to configure applications to automatically go through firejail? #3191

Closed Joe23232 closed 4 years ago

Joe23232 commented 4 years ago

I wanted to know how do I configure certain applications to go through firejail, even through the launcher, for example if on KDE, if I click on firefox, I want it to open through firejail, how do I configure this?

rusty-snake commented 4 years ago

Working way to fix .desktop files: https://gist.github.com/rusty-snake/3e4b8f8555e942d2964a181d4a5f64a0#file-firecfg-py

glitsj16 commented 4 years ago

I've started work on a firecfg-ng (firecfg next-generation) to avoid all this messy, headache-inducing stuff.

I started a firecfg.py, maybe we should collaborate to avoid duplicated work.

@rusty-snake Yeah, I saw your nice Python script, works fine on a test sample for me. And I would definitely like to collaborate on this firecfg mess. Give me a day to do some more extensive testing and I'll keep everybody informed on firecfg-ng in #2624. For now it is just a simple shell script wrapper around firecfg, building on what I added to the discussion in #3016. I opted for a shell script because

Although I really like your script, IMHO doing it in Python might hinder acceptance due to dependency decisions or keep it in contrib forever, both of which wouldn't serve the main goal here: to unbreak firecfg for regular users. Obviously the best solution would be to fix the C code in firecfg itself. None of the more capable C coders here seem to have an interest, are not yet aware of firecfg's broken state or simply don't have the time to do all work. This is not a critique, just a personal observation on the current situation. I do understand there's plenty of other work to be done on the C codebase to keep busy for a while :)

glitsj16 commented 4 years ago

@Joe23232

Where could all the *.desktop files be located?

Under ~/.local/share/applications.

I am having issues with chromium. After running sudo firecfg --clean and rm firefox.desktop in this directory ~/.local/share/applications and after running sudo firectl enable chromium it does get sandboxed but even if I disable it chromium is still being sandboxed.

The /usr/share/applications/chromium.desktop file looks fine to me. It has all the necessary 'Exec=' lines pointing to 'firejail /usr/bin/chromium', which is the way firectl works. I don't know why your chromium is still being sandboxed after disabling it in firectl. Unless there's still a ~/.local/share/applications/chromium.desktop on your system. If it is, take it out, together with any lingering firejail symlinks in /usr/local/bin.

You can always use @rusty-snake's script too as he suggested. I didn't want to confuse your situation even more by adding another alternative to using firecfg and firectl :).

rusty-snake commented 4 years ago

@glitsj16 as a very first preview: https://github.com/rusty-snake/firecfg.py/tree/6f210201c5f4eec35c8e0ddd6c9c10e7e680e831

IMHO doing it in Python might hinder acceptance due to dependency decisions

My goal about dependencies is to only require python3.6 (or whatever python version it will end). No pip, no other third-party python packages, the standard libraries are big enough.

Reasons for the python decision

or keep it in contrib forever

or as own project forever ;)

glitsj16 commented 4 years ago

@rusty-snake Thanks for the link and clarifying your reasons to go with Python. I wouldn't mind such a dependency being added to firejail, we have other Pythons in contrib. But I'm not a package manager :). It was a long day for me and I need a break. I'll keep you informed on the firefox-ng script, should be able to put something out during the weekend.

Joe23232 commented 4 years ago

@Joe23232

Where could all the *.desktop files be located?

Under ~/.local/share/applications.

I am having issues with chromium. After running sudo firecfg --clean and rm firefox.desktop in this directory ~/.local/share/applications and after running sudo firectl enable chromium it does get sandboxed but even if I disable it chromium is still being sandboxed.

The /usr/share/applications/chromium.desktop file looks fine to me. It has all the necessary 'Exec=' lines pointing to 'firejail /usr/bin/chromium', which is the way firectl works. I don't know why your chromium is still being sandboxed after disabling it in firectl. Unless there's still a ~/.local/share/applications/chromium.desktop on your system. If it is, take it out, together with any lingering firejail symlinks in /usr/local/bin.

You can always use @rusty-snake's script too as he suggested. I didn't want to confuse your situation even more by adding another alternative to using firecfg and firectl :).

Sure mate, but is @rusty-snake's script stable? Or is it still in testing phase?

Joe23232 commented 4 years ago

@rusty-snake Just out of curiosity, if you used Rust instead of Python, would it run faster the script that you are writing?

rusty-snake commented 4 years ago

Sure mate, but is @rusty-snake's script stable? Or is it still in testing phase?

Stable: https://gist.github.com/rusty-snake/3e4b8f8555e942d2964a181d4a5f64a0

Preview (do not use): https://github.com/rusty-snake/firecfg.py/tree/0.0.0-preview

Just out of curiosity, if you used Rust instead of Python, would it run faster

Sure. However, there are more python developers in the world (and in the firejail community) and my intention was no one man show. The python version runs in under one second and firecfg is usually only executed after installing/removing software.

Joe23232 commented 4 years ago

Stable: https://gist.github.com/rusty-snake/3e4b8f8555e942d2964a181d4a5f64a0

you must first create the firejail symlinks (sudo firecfg). It will override your local desktop files unless you set KEEP_EXISTING = True (L51).

But firecfg still has bugs right?

Preview (do not use): https://github.com/rusty-snake/firecfg.py/tree/0.0.0-preview

This is the next updated version of firecfg, right?

rusty-snake commented 4 years ago

But firecfg still has bugs right?

Yes, that's only an alternative for firecfg --fix

This is the next updated version of firecfg, right?

Nope, currently this is just a personal project from me. Maybe it will replace firecfg in the future if wished or is shipped with the C-firecfg / in contrib.

Joe23232 commented 4 years ago

@rusty-snake

Yes, that's only an alternative for firecfg --fix

Oh ok so every time I want to contain a program I have to run firecfg --fix, right?

Nope, currently this is just a personal project from me. Maybe it will replace firecfg in the future if wished or is shipped with the C-firecfg / in contrib.

Is this ready to use by any chance? If so I just have to build it and it will work, right?

rusty-snake commented 4 years ago

Oh ok so every time I want to contain a program I have to run firecfg --fix, right?

If you install/remove software with a firejail profile you should run sudo firecfg which will create/remove the symlinks and fix the desktop-files if necessary.

Is this ready to use by any chance?

Give it some time ;)
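The two mechanisms discussed in this thread (firecfg's /usr/local/bin symlinks plus fixed-up Exec= lines, and the per-user desktop file in ~/.local/share/applications shadowing the system one) are illustrated below in an added example; it is not firecfg.py or firejail's own code. The function names `fix_exec_lines` and `launch_is_sandboxed` and the directory parameters are assumptions made so the code runs against any tree, not just the real /usr and $HOME.

```python
"""Added example (not firecfg.py or firejail's own code): rewrite Exec= lines so a
launcher starts a program through firejail, and audit which .desktop file wins and
whether that launch is actually sandboxed. Directories are passed in as parameters."""
import os
import re
import shlex
from pathlib import Path

EXEC_RE = re.compile(r"^(Exec\s*=\s*)(.+)$")


def fix_exec_lines(desktop_text, sandboxed):
    """Prefix 'firejail ' on every Exec= line whose program is in `sandboxed`
    (the set of names firecfg made symlinks for). Lines already running through
    firejail, and programs without a profile, are left untouched."""
    out = []
    for line in desktop_text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            argv = shlex.split(m.group(2))
            if argv and argv[0] != "firejail" and Path(argv[0]).name in sandboxed:
                line = m.group(1) + "firejail " + m.group(2)
        out.append(line)
    return "\n".join(out) + "\n"


def launch_is_sandboxed(app, home, usr_share, local_bin):
    """True if clicking <app> in a launcher yields a process under firejail.
    The per-user copy in ~/.local/share/applications wins over the system file
    (why a stale local copy keeps (un)sandboxing an app after firectl changes).
    A bare command name resolves through the /usr/local/bin symlinks firecfg
    creates; an absolute path such as /usr/bin/chromium bypasses them."""
    for d in (home / ".local/share/applications", usr_share / "applications"):
        f = d / f"{app}.desktop"
        if f.is_file():
            break
    else:
        return False            # nothing for the launcher to show
    for line in f.read_text().splitlines():
        m = EXEC_RE.match(line)
        if not m:
            continue            # only the first Exec= (the main entry) decides
        argv = shlex.split(m.group(2))
        if not argv:
            return False
        if argv[0] == "firejail":
            return True         # fixed by firecfg --fix or by fix_exec_lines
        if "/" in argv[0]:
            return False        # explicit path: the symlink is never consulted
        link = local_bin / argv[0]
        return link.is_symlink() and os.readlink(link).endswith("firejail")
    return False
```

Running the audit against a constructed tree shows the case from this thread: a system chromium.desktop with an absolute Exec= path stays unsandboxed until its Exec= line is fixed, and a copy in the user's applications directory then takes precedence over the system file.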

rusty-snake commented 4 years ago

I'm closing here due to inactivity, please feel free to reopen if you have more questions.

Joe23232 commented 4 years ago

Oh ok so every time I want to contain a program I have to run firecfg --fix, right?

If you install/remove software with a firejail profile you should run sudo firecfg which will create/remove the symlinks and fix the desktop-files if necessary.

Is this ready to use by any chance?

Give it some time ;)

For some weird reason I didn't get your notification or something, sorry I forgot to respond to it if I did :)