netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

docs: users are told to include main .profile in .local profile #5049

Open zithro opened 2 years ago

zithro commented 2 years ago

Hello, it's not a software bug I'm reporting, rather a documentation one (so I didn't use the template). I followed "documentation-2/building-custom-profiles/" to build a vlc custom profile, like this:

net none
include /etc/firejail/vlc.profile

But when running firejail vlc, I enter an include loop:

Reading profile /etc/firejail/vlc.profile
Reading profile /home/zithro/.config/firejail/vlc.local
[...]
Reading profile /etc/firejail/vlc.profile
Error: maximum profile include level was reached

Removing the include solves it. Is it because I'm running the latest version (0.9.68) and the documentation was written using an older version?

rusty-snake commented 2 years ago

include /etc/firejail/vlc.profile is not needed (and wrong) if you use a .local.

If you use /home/zithro/.config/firejail/vlc.local (as you should with newer versions of firejail) net none is all you need.

kmk3 commented 2 years ago

@zithro commented on Mar 14:

Hello, it's not a software bug I'm reporting, rather a documentation one (so I didn't use the template). I followed "documentation-2/building-custom-profiles/" to build a vlc custom profile, like this:

net none
include /etc/firejail/vlc.profile

But when running firejail vlc, I enter an include loop:

Reading profile /etc/firejail/vlc.profile
Reading profile /home/zithro/.config/firejail/vlc.local
[...]
Reading profile /etc/firejail/vlc.profile
Error: maximum profile include level was reached

Removing the include solves it. Is it because I'm running the latest version (0.9.68) and the documentation was written using an older version?

/etc/firejail/vlc.profile contains:

include vlc.local

On every include command, firejail will first look for the file in ~/.config/firejail. If it does not exist, it will look for the file in /etc/firejail.

If both vlc.profile and vlc.local include each other, then you have an infinite inclusion loop.
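A small model of the include resolution described above, added here as an example and not firejail's own code: the directory names, the depth limit and the in-memory file contents are assumptions, and a missing include file is treated as skipped.

```python
# Assumed directories and limit; the in-memory "filesystem" below is constructed.
USER_DIR = "/home/zithro/.config/firejail"
SYSTEM_DIR = "/etc/firejail"
MAX_INCLUDE_LEVEL = 16  # the real limit inside firejail is not stated on the page

def resolve(name, files):
    """Absolute path as-is; bare name looked up in ~/.config/firejail, then /etc/firejail."""
    if name.startswith("/"):
        return name if name in files else None
    for directory in (USER_DIR, SYSTEM_DIR):
        if f"{directory}/{name}" in files:
            return f"{directory}/{name}"
    return None

def expand(path, files, trace, level=0):
    """Recursively expand `include` lines, returning the flat directive list."""
    if level > MAX_INCLUDE_LEVEL:
        raise RuntimeError("maximum profile include level was reached")
    trace.append(f"Reading profile {path}")
    directives = []
    for line in files[path].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            target = resolve(line.split(None, 1)[1], files)
            if target is not None:  # a missing .local is simply skipped (assumption)
                directives += expand(target, files, trace, level + 1)
        else:
            directives.append(line)
    return directives

def load(files, entry=f"{SYSTEM_DIR}/vlc.profile"):
    """Return (status, directives_or_error_message, trace) for a given file set."""
    trace = []
    try:
        return "ok", expand(entry, files, trace), trace
    except RuntimeError as err:
        return "error", str(err), trace

# Constructed file sets: the looping setup from the report and the recommended one.
STOCK_PROFILE = "include vlc.local\nprivate-dev\n"
LOOPING = {f"{SYSTEM_DIR}/vlc.profile": STOCK_PROFILE,
           f"{USER_DIR}/vlc.local": "net none\ninclude /etc/firejail/vlc.profile\n"}
RECOMMENDED = {f"{SYSTEM_DIR}/vlc.profile": STOCK_PROFILE,
               f"{USER_DIR}/vlc.local": "net none\n"}
if __name__ == "__main__":
    for name, files in (("looping", LOOPING), ("recommended", RECOMMENDED)):
        status, result, trace = load(files)
        print(name, status, result, f"({len(trace)} files read)")
```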

zithro commented 2 years ago

Hey guys, thanks for the clarification, so I think the docs need an update ;)

"documentation-2/building-custom-profiles/" meant in fact "https://firejail.wordpress.com/documentation-2/building-custom-profiles/". Excerpt:

One popular customization is removing network access for media players such as VLC:
$ cat ~/.config/firejail/vlc.profile
net none
include /etc/firejail/vlc.profile

glitsj16 commented 2 years ago

[...] so I think the docs need an update

Indeed they do. All the examples in that section are inclusion loops. Not sure who actually maintains https://firejail.wordpress.com/ to correct them.

zithro commented 2 years ago

@netblue30 is the author, look at the website comments.

rusty-snake commented 2 years ago

All the examples in that section are inclusion loops.

No, because they suggest creating vlc.profile, not vlc.local. FTR: Nowadays you should create a vlc.local without include /etc/firejail/vlc.profile.

netblue30 commented 2 years ago

I wasn't aware of the .local functionality. We just need to document the difference between .local and .profile for files in ~/.config/firejail directory.

rusty-snake commented 2 years ago

FTR https://github.com/netblue30/firejail/wiki/Creating-overrides https://github.com/netblue30/firejail/wiki/Creating-Profiles

zithro commented 2 years ago

Should I close this issue? The GitHub wiki is up-to-date, but the WordPress page is still using .profile everywhere.

rusty-snake commented 2 years ago

Should I close this issue?

No