netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Support for symlink to firejail binary #36

Closed blueyed closed 9 years ago

blueyed commented 9 years ago

It would be useful to support symlinks to the firejail binary, which means that a symlink firefox to firejail would start firefox, instead of bash.

The idea comes from envoy.

This would allow you to add a symlink firefox to e.g. ~/bin, and it would automatically use firejail, if ~/bin is before /usr/bin in your PATH.

ghost commented 9 years ago

This could work if it was restricted to a few known commands (like firefox or chrome) and then run them in --shell=none mode to handle command-line arguments the same as normal.

netblue30 commented 9 years ago

That's a cool idea, thanks!

The envoy people (https://github.com/vodik/envoy) are doing something very interesting in the "Wrappers with envoy" section. It seems to me all we need is a simple bash script with the same name as the executable, and we put the bash script in the path before the original executable.

For example, for transmission-gtk (a bittorrent client), we add the script in the /usr/local/bin directory:

$ cat /usr/local/bin/transmission-gtk
#!/bin/bash
# Full path to the real binary; "$@" forwards the arguments (e.g. the torrent file).
firejail /usr/bin/transmission-gtk "$@"

In the script we need the full path (/usr/bin/transmission-gtk), otherwise we'll end up calling ourselves in a loop forever. It works today, and it is integrated by default with the file manager, desktop menus and icons. You click on a torrent file and it automatically opens the bittorrent client in a sandbox.
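An added example, not code from the thread or from the firejail project: one way to write the symlink-dispatched wrapper proposed above, restricted to an allow-list as suggested in the second comment and skipping its own PATH entry so it cannot call itself in a loop. The function names (`is_allowed`, `find_real`, `dispatch`) and the allow-list contents are assumptions; `--shell=none` is the option named in the thread.

```shell
#!/bin/sh
# Install once, then symlink each allowed name to it in a directory that
# comes before /usr/bin in PATH (e.g. ~/bin/firefox -> this script).

ALLOWED="firefox transmission-gtk"   # constructed allow-list (assumption)

# Succeed only if $1 is one of the names we agree to wrap.
is_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Print the first executable named $1 on PATH that does not resolve back
# to the wrapper itself ($2 = resolved wrapper path). Fails if none exists.
find_real() {
    name=$1 self=$2
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        IFS=$old_ifs
        cand="${dir:-.}/$name"
        [ -x "$cand" ] && [ ! -d "$cand" ] || continue
        # A symlink to this wrapper would recurse forever: skip it.
        [ "$(readlink -f "$cand")" = "$self" ] && continue
        printf '%s\n' "$cand"
        return 0
    done
    IFS=$old_ifs
    return 1
}

# Replace this process with the sandboxed real program, arguments intact.
dispatch() {
    name=$1; shift
    self=$(readlink -f "$0")
    real=$(find_real "$name" "$self") || {
        echo "$name: real binary not found on PATH" >&2
        return 127
    }
    exec firejail --shell=none "$real" "$@"
}

# Act only when invoked through a symlink carrying an allowed name;
# under any other name (including its own) the script does nothing.
invoked_as=${0##*/}
if is_allowed "$invoked_as"; then
    dispatch "$invoked_as" "$@"
fi
```

Because the real binary is located by walking PATH rather than hard-coded, the same file serves every allowed program.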