netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

On the fly, request/permission based profile building #5079

Open romelsalwi opened 2 years ago

romelsalwi commented 2 years ago

I have been using firejail for a couple of months. At first it was quite impressive and was exactly what I was looking for to build restrictions around applications. But what I lack is a way of finding the exact resources which the application requires and doing my own due diligence to solve various tweaks.

For instance, keepassxc, if jailed, causes issues for chromium; jailing freetube restricts usage of external players like mpv; restricting mpv won't allow me to use btfs to stream and watch on the fly.

What I would like to see is building permissions for a jailed app. If I'm trying to do something which is in conflict with the rules, ask, and update the profile or local file depending on my choice. In this way, building a profile would be easy, like using uBO in hard mode, and I don't mind that cumbersome effort as much, given how intuitive it is!

glitsj16 commented 2 years ago

For instance, keepassxc, if jailed, causes issues for chromium; jailing freetube restricts usage of external players like mpv; restricting mpv won't allow me to use btfs to stream and watch on the fly.

Please open separate issues for these problems you're facing. It helps us improve the profiles for all users, even if your use cases are very personal. The freetube profile for example is designed for using the internal player. So you would need to add mpv to private-bin to support that. This is just one example, but it's worth the effort IMO.

What I would like to see is building permissions for a jailed app.

You can use the `--build` or `--build=profile-file` options to create a whitelisting profile for any app you want. Based on the result this can be hardened further to get it as tight as possible without losing functionality. Have you looked into that workflow yet?

romelsalwi commented 2 years ago

First of all, thanks for responding! It means a lot!

Please open separate issues for these problems you're facing. It helps us improve the profiles for all users, even if your use cases are very personal. The freetube profile for example is designed for using the internal player. So you would need to add mpv to private-bin to support that. This is just one example, but it's worth the effort IMO.

I might understand that you guys are trying to build a library for the applications. But there are so many of them. My intent wasn't to post an issue but to illustrate how you could enhance the profiling aspect of firejail.

You can use the `--build` or `--build=profile-file` options to create a whitelisting profile for any app you want. Based on the result this can be hardened further to get it as tight as possible without losing functionality. Have you looked into that workflow yet?

They don't work as intended. As a refresher I just tried building new profiles with it. Ultimately I had to copy the template and make the profile from scratch. But then I was expecting to refine the profile through build, which didn't go so well. I'm sure I'm doing something wrong.

For instance: I made a profile for Joplin: `firejail --profile=~/.config/firejail/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage`

Which works. But then doing this: `firejail --build=~/.config/firejail/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage` gives an error: `Error: cannot open profile file.`

P.S.: For some unknown reason only absolute paths for appimages are working. Interestingly, the command below didn't even read my globals.local:

```
firejail --profile=joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage
Reading profile joplin.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 5732, child pid 5734

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: skipping none for private /etc
Private /etc installed in 0.08 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 91.08 ms
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...
AppImage detached
```

glitsj16 commented 2 years ago

My intent wasn't to post an issue but to illustrate how you could enhance the profiling aspect of firejail.

Fair enough, no problem.

They don't work as intended.

Noticing your examples are using AppImages, it might be worthwhile to check your Firejail version. The build options got appimage support only recently via https://github.com/netblue30/firejail/pull/4878. Not sure OTOH if that made it into the latest release. To make sure you could give building from git a try.

Regarding your Joplin examples: you can create your own custom profiles in ~/.config/firejail, no problem doing so. But the `--build=foo` option is not intended to use an already existing profile AFAIK. At least that doesn't make much sense, as its purpose is to create one from scratch. So I'd go for something like `$ firejail --build=~/Downloads/build-joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage` and then start comparing the output of ~/Downloads/build-joplin.profile with what you already have in ~/.config/firejail/joplin.profile to see if/what you can add to harden it according to your needs. Documentation might be unclear on this, I guess.

romelsalwi commented 2 years ago

I'm using firejail version 0.9.68 https://archlinux.org/packages/community/x86_64/firejail/

I tried out your step:

```
firejail --build=/home/***/Downloads/appImages/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage
Check failed: sys_chroot("/proc/self/fdinfo/") == 0
```

Then ran the appimage with the created profile:

```
firejail --profile=/home/***/Downloads/appImages/joplin.profile --appimage ~/Downloads/appImages/Joplin-2.7.15.AppImage
Reading profile /home/l3m0r/Downloads/appImages/joplin.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 4705, child pid 4708

** Warning: dropping all Linux capabilities and setting NO_NEW_PRIVS prctl **

Mounting appimage type 2
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: skipping none for private /etc
Private /etc installed in 0.13 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 119.39 ms
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...
AppImage detached
```

romelsalwi commented 2 years ago

I also tried using the firetools configuration wizard. No luck.

romelsalwi commented 2 years ago

Hmm, KeePassXC-2.7.0-x86_64.AppImage worked! But the profile created is barely restricted.

EDIT: After a few mods, and loading with the generated profile, the application gives an error: `Access error for config file /home/*/.config/keepassxc/keepassxc.ini`

```
### Home Directory Whitelisting ###
### If something goes wrong, this section is the first one to comment out.
### Instead, you'll have to relay on the basic blacklisting above.
noblacklist ${HOME}/.config/keepassxc
whitelist ${HOME}/.mozilla/native-messaging-hosts
whitelist ${HOME}/.config/chromium/NativeMessagingHosts
whitelist ${HOME}/.config/keepassxc
whitelist ${HOME}/.cache/keepassxc
```

rusty-snake commented 2 years ago

--build

TBH it is outdated and hasn't seen much development for a long time. IMHO we should just remove it from firejail (the binary) and develop an external tool for profile building (in a language which has friendlier support for string parsing & co, like Python).

rusty-snake commented 2 years ago

What I mean is something like

firejail-profile-builder.py:

```python
#!/usr/bin/python3
# SPDX-License-Identifier: ISC
# Copyright © 2022 rusty-snake
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

import argparse
import os.path
import pathlib
import re
import subprocess
import sys
import tempfile


def get_cli_args(argv: list[str]) -> dict[str, str]:
    parser = argparse.ArgumentParser()
    parser.add_argument("-o", "--output", required=True)
    parser.add_argument("program")
    parser.add_argument("arguments", nargs=argparse.REMAINDER)
    return vars(parser.parse_args(argv[1:]))


def run_program(program: str, arguments: list[str]) -> list[str]:
    """Run PROGRAM under strace in a throwaway --private sandbox; return the trace lines."""
    with tempfile.NamedTemporaryFile() as tmpf:
        subprocess.run(
            [
                "firejail", "--quiet", "--noprofile", "--private",
                "strace", "-e", "%file", "--quiet=all", "--follow-forks",
                "--output", tmpf.name,
                "--", program, *arguments,
            ],
            check=True,
        )
        return list(tmpf.read().decode().splitlines())


def parse_strace_output(strace_output: list[str]) -> dict[str, set[str]]:
    """Collect the path argument of every traced file syscall, keyed by kind of access."""
    paths = {"open": set(), "stat": set(), "exec": set()}
    for line in strace_output:
        # With --follow-forks every line is prefixed by the pid.
        match = re.match(r"\d+\s+(?P<syscall>\w+)\((?P<args>.*)\)", line)
        if match is None:
            continue  # signal notifications, "+++ exited +++" and similar lines
        parsed_line = match.groupdict()
        syscall = parsed_line["syscall"]
        args = parsed_line["args"].split(",")
        if syscall == "open":
            paths["open"].add(args[0].strip(' "'))
        elif syscall == "openat":
            paths["open"].add(args[1].strip(' "'))
        elif syscall == "access":
            paths["stat"].add(args[0].strip(' "'))
        elif syscall == "stat":
            paths["stat"].add(args[0].strip(' "'))
        elif syscall == "newfstatat":
            paths["stat"].add(args[1].strip(' "'))
        elif syscall == "execve":
            paths["exec"].add(args[0].strip(' "'))
        else:
            print(
                f"firejail-profile-builder.py: Not Implemented: {syscall=}",
                file=sys.stderr,
            )
    return paths


def build_profile(paths: dict[str, set[str]]) -> str:
    """Turn the collected paths into whitelist and private-bin rules."""
    home = str(pathlib.Path.home())
    whitelist = []
    private_bin = []
    ignore_noexec_home = False
    for path in paths["open"]:
        if path.startswith(home):
            whitelist.append(path.replace(home, "${HOME}"))
        elif (
            path.startswith("/bin")
            or path.startswith("/sbin")
            or path.startswith("/usr/bin")
            or path.startswith("/usr/sbin")
        ):
            private_bin.append(os.path.basename(path))
    for path in paths["exec"]:
        if path.startswith(home):
            ignore_noexec_home = True
        elif (
            path.startswith("/bin")
            or path.startswith("/sbin")
            or path.startswith("/usr/bin")
            or path.startswith("/usr/sbin")
        ):
            private_bin.append(os.path.basename(path))
    lines = []
    if ignore_noexec_home:
        lines.append("ignore noexec ${HOME}")
    else:
        lines.append("# Uncomment to allow executing programs in ${HOME}.")
        lines.append("#ignore noexec ${HOME}")
    lines += [
        "include disable-common.inc",
        "include disable-exec.inc",
        "include disable-programs.inc",
    ]
    lines += [f"whitelist {path}" for path in sorted(whitelist)]
    lines.append("include whitelist-common.inc")
    lines.append("private-bin " + ",".join(sorted(set(private_bin))))
    return "\n".join(lines) + "\n"


def main(argv: list[str]) -> int:
    args = get_cli_args(argv)
    strace_output = run_program(args["program"], args["arguments"])
    paths = parse_strace_output(strace_output)
    with open(args["output"], "w") as output:
        output.write(build_profile(paths))
    return 0


if __name__ == "__main__":
    try:
        sys.exit(main(sys.argv))
    except KeyboardInterrupt:
        pass
```
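An added example, not part of the thread and not rusty-snake's script, that tightens the trace-to-profile step above: it skips the strace lines a bare `.groupdict()` would crash on (signals, exits, unfinished/resumed fragments), never whitelists relative paths or failed accesses (those go to a review list for the user to decide, which is the "ask first" behaviour requested earlier), and collapses per-file entries onto a directory already in the set so a trace does not become a 30-line listing of one config directory. The trace text, pids and the home directory `/home/alice` are constructed.

```python
import re
from pathlib import PurePosixPath

HOME = "/home/alice"  # assumed home of the traced user; a real run would use pathlib.Path.home()

# Constructed `strace -f -e trace=%file` output; pids, paths and flags are made up.
SAMPLE_TRACE = """\
4711  execve("/usr/bin/turtl", ["turtl"], 0x7ffd1234 /* 40 vars */) = 0
4711  stat("/home/alice/.config", {st_mode=S_IFDIR|0700, ...}) = 0
4711  stat("/home/alice/.config/Turtl", {st_mode=S_IFDIR|0700, ...}) = 0
4711  openat(AT_FDCWD, "/home/alice/.config/Turtl/Preferences", O_RDONLY) = 4
4711  openat(AT_FDCWD, "/home/alice/.config/Turtl/Local Storage/file__0.localstorage", O_RDWR|O_CREAT, 0600) = 5
4711  openat(AT_FDCWD, "/home/alice/.pulse-cookie", O_RDONLY) = 6
4712  execve("/bin/sh", ["sh", "-c", "xdg-open"], 0x55aa1234 /* 40 vars */) = 0
4712  openat(AT_FDCWD, "relative.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
4712  openat(AT_FDCWD, "/home/alice/.ssh/id_ed25519", O_RDONLY) = -1 EACCES (Permission denied)
4711  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4712} ---
4712  +++ exited with 0 +++
4711  openat(AT_FDCWD, "/usr/share/nvidia/nvidia-application-profiles-rc", O_RDONLY <unfinished ...>
4711  <... openat resumed>) = 7
"""

# A completed call looks like "PID  syscall(args) = ret [ERRNO (...)]"; signal
# lines, "+++ exited +++" and <unfinished ...>/<... resumed> fragments do not match.
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<syscall>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|\?)"
    r"(?:\s+(?P<errno>E[A-Z0-9]+))?"
)
FIRST_QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
FILE_SYSCALLS = {"open", "openat", "stat", "lstat", "newfstatat", "access", "readlink", "execve"}
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")


def parse_trace(text):
    """Return (ok, failed): sets of (syscall, path) for succeeded and failed calls."""
    ok, failed = set(), set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["syscall"] not in FILE_SYSCALLS:
            continue
        q = FIRST_QUOTED_RE.search(m["args"])
        if not q or not q.group(1).startswith("/"):
            continue  # relative paths depend on the cwd and make no usable rule
        (failed if m["ret"] == "-1" else ok).add((m["syscall"], q.group(1)))
    return ok, failed


def home_candidates(ok, home):
    """Paths under HOME worth a whitelist line, minus top-level directory lookups."""
    out = set()
    for syscall, p in ok:
        if not p.startswith(home + "/"):
            continue
        top_level = "/" not in p[len(home) + 1:]
        # stat("~/.config") is only the lookup on the way to ~/.config/APP; a
        # whitelist line for it would expose every application's config.
        if top_level and syscall not in ("open", "openat"):
            continue
        out.add(p)
    return out


def collapse(paths):
    """Drop any path that has an ancestor in the same set (shortest first)."""
    kept = []
    for p in sorted(paths, key=lambda s: s.count("/")):
        if not any(PurePosixPath(k) in PurePosixPath(p).parents for k in kept):
            kept.append(p)
    return sorted(kept)


def build_rules(ok, failed, home=HOME):
    """Whitelist and private-bin lines, plus the failed accesses for the user to review."""
    whitelist = collapse(home_candidates(ok, home))
    rules = ["whitelist " + p.replace(home, "${HOME}", 1) for p in whitelist]
    bins = {PurePosixPath(p).name for s, p in ok if s == "execve" and p.startswith(BIN_DIRS)}
    rules.append("private-bin " + ",".join(sorted(bins)))
    review = sorted(f"{s} {p}" for s, p in failed)  # never whitelisted silently
    return rules, review
```

On the sample trace this yields `whitelist ${HOME}/.config/Turtl`, `whitelist ${HOME}/.pulse-cookie` and `private-bin sh,turtl`, with the denied read of `~/.ssh/id_ed25519` reported for review rather than added.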
romelsalwi commented 2 years ago

Nice 👍 Is it possible to ask the user before stracer updates the profile?

rusty-snake commented 2 years ago

Python is really much much better than C for tasks like this.

https://github.com/rusty-snake/firejail-profile-builder

romelsalwi commented 2 years ago

Hi @rusty-snake ! I tried out the script. It didn't create the desired effect. It started out at ease while building, but when used as a profile it didn't work out. I used it on turtlapp https://turtlapp.com/

When you use build to create a profile, firejail gives access to files during the process.

`./firejail-profile-builder.py -o turtl.profile turtl`

# Firejail profile for turtl (generated by firejail-profile-builder.py)
#quiet
# Persistent local customizations
#include <FIXME>.local
# Persistent global definitions
include globals.local

# Uncomment to allow executing programs in ${HOME}.
#ignore noexec ${HOME}
# Uncomment to allow executing programs in /tmp.
#ignore noexec /tmp

#noblacklist PATH

# Allow /bin/sh (blacklisted by disable-shell.inc)
#include allow-bin-sh.inc

# Allows files commonly used by IDEs
#include allow-common-devel.inc

# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc

# Allow ssh (blacklisted by disable-common.inc)
#include allow-ssh.inc

# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
#blacklist ${RUNUSER}
blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-proc.inc
include disable-programs.inc
#include disable-shell.inc
#include disable-X11.inc
#include disable-xdg.inc

#mkdir PATH
#mkfile PATH
whitelist ${HOME}/.Xauthority
whitelist ${HOME}/.Xdefaults
whitelist ${HOME}/.Xdefaults-bitesthedust
whitelist ${HOME}/.cache/nvidia
whitelist ${HOME}/.config
whitelist ${HOME}/.config/Turtl
whitelist ${HOME}/.config/Turtl/.org.chromium.Chromium.cv7p5m
whitelist ${HOME}/.config/Turtl/Cookies
whitelist ${HOME}/.config/Turtl/Cookies-journal
whitelist ${HOME}/.config/Turtl/DevTools Extensions
whitelist ${HOME}/.config/Turtl/File System/primary.origin
whitelist ${HOME}/.config/Turtl/GPUCache
whitelist ${HOME}/.config/Turtl/GPUCache/data_0
whitelist ${HOME}/.config/Turtl/GPUCache/data_1
whitelist ${HOME}/.config/Turtl/GPUCache/data_2
whitelist ${HOME}/.config/Turtl/GPUCache/data_3
whitelist ${HOME}/.config/Turtl/GPUCache/index
whitelist ${HOME}/.config/Turtl/Local Storage
whitelist ${HOME}/.config/Turtl/Local Storage/file__0.localstorage
whitelist ${HOME}/.config/Turtl/Local Storage/file__0.localstorage-journal
whitelist ${HOME}/.config/Turtl/Preferences
whitelist ${HOME}/.config/Turtl/core
whitelist ${HOME}/.config/Turtl/core/core.log
whitelist ${HOME}/.config/Turtl/core/run.lock
whitelist ${HOME}/.config/Turtl/core/turtl-kv.sqlite
whitelist ${HOME}/.config/Turtl/core/turtl-kv.sqlite-journal
whitelist ${HOME}/.config/Turtl/you-meddling-kids.json
whitelist ${HOME}/.config/Turtl/you-meddling-kids.json.2647574618
whitelist ${HOME}/.config/pulse
whitelist ${HOME}/.config/pulse/client.conf
whitelist ${HOME}/.config/pulse/cookie
whitelist ${HOME}/.nv/nvidia-application-profile-globals-rc
whitelist ${HOME}/.nv/nvidia-application-profiles-rc
whitelist ${HOME}/.nv/nvidia-application-profiles-rc.d
whitelist ${HOME}/.pki
whitelist ${HOME}/.pki/nssdb
whitelist ${HOME}/.pki/nssdb/cert9.db
whitelist ${HOME}/.pki/nssdb/cert9.db-journal
whitelist ${HOME}/.pki/nssdb/key4.db
whitelist ${HOME}/.pki/nssdb/key4.db-journal
whitelist ${HOME}/.pki/nssdb/libnssckbi.so
whitelist ${HOME}/.pki/nssdb/pkcs11.txt
whitelist ${HOME}/.pulse-cookie
whitelist ${HOME}/.pulse/client.conf
whitelist /run/user/1000/pulse
whitelist /usr/share/nvidia/nvidia-application-profiles-510.54-rc
whitelist /usr/share/nvidia/nvidia-application-profiles-rc
include whitelist-common.inc
include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
#ipc-namespace
#machine-id
net none
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noprinters
noroot
#nosound
notv
nou2f
novideo
protocol unix,inet6,netlink
seccomp
seccomp.block-secondary
#seccomp.keep
shell none
tracelog
##x11 none

# Uncomment to blacklist /mnt, /run/mnt, /media, /run/media.
#disable-mnt
private-bin turtl
private-cache
private-dev
private-etc ca-certificates/trust-source,fonts/conf.d,fonts/fonts.conf,host.conf,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,nvidia/nvidia-application-profiles-rc,pulse/client.conf,resolv.conf
private-tmp

#dbus-user none
dbus-system none

#read-only ${HOME}
romelsalwi commented 2 years ago

This is the profile I created from scratch:

# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION OF THE PROGRAM
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you create profiles.
# PRs welcome at https://github.com/netblue30/firejail/.
#
# Rules to follow:
#  - lines with one # are often used in profiles
#  - lines with two ## are only needed in special situations
#  - make the profile as restrictive as possible while still keeping the program useful
#    (e.g. a program that is unable to save user's work is considered bad practice)
#  - dedicate ample time (based on the complexity of the application) to profile testing before
#    submitting a pull request
#  - keep the sections structure, use a single empty line as separator
#  - entries within sections are alphabetically sorted
#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
#    to not do this for essential utilities as this may *break* your OS! (related discussion:
#    https://github.com/netblue30/firejail/issues/2507)
#  - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
#   HEADER
#   COMMENTS
#   IGNORES
#   NOBLACKLISTS
#   ALLOW INCLUDES
#   BLACKLISTS
#   DISABLE INCLUDES
#   NOWHITELISTS
#   MKDIRS
#   WHITELISTS
#   WHITELIST INCLUDES
#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
#   DBUS FILTER
#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
#   REDIRECT INCLUDES
#
# The following macros may be used in path names to substitute common locations:
#  ${DESKTOP}
#  ${DOCUMENTS}
#  ${DOWNLOADS}
#  ${HOME} (user's home)
#  ${PATH} (contents of PATH env var)
#  ${MUSIC}
#  ${RUNUSER} (/run/user/UID)
#  ${VIDEOS}
#
# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
include turtl.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.config/Turtl
noblacklist ${HOME}/Sync/Arch/
whitelist ${HOME}/.config/Turtl
whitelist ${HOME}/Sync/Arch/

##ignore noexec ${HOME}
##ignore noexec /tmp

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
#  - launch binary with --private naming a sandbox
#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
#  - work with the program, make some configuration changes and save them, open new documents,
#    install plugins if they exists, etc.
#  - join the sandbox with bash:
#      `firejail --join=test bash`
#  - look what has changed and use that information to populate blacklist and whitelist sections
#      `ls -aR`
#noblacklist PATH

# Allow /bin/sh (blacklisted by disable-shell.inc)
#include allow-bin-sh.inc

# Allows files commonly used by IDEs
#include allow-common-devel.inc

# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc

# Allow ssh (blacklisted by disable-common.inc)
#include allow-ssh.inc

##blacklist PATH
# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
# Disable RUNUSER (cli only; supersedes Disable Wayland)
#blacklist ${RUNUSER}
# Remove the next blacklist if you system has no /usr/libexec dir,
# otherwise try to add it.
#blacklist /usr/libexec

# disable-*.inc includes
# remove disable-write-mnt.inc if you set disable-mnt
#include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
#include disable-proc.inc
#include disable-programs.inc
#include disable-shell.inc
#include disable-write-mnt.inc
#include disable-X11.inc
#include disable-xdg.inc

# This section often mirrors noblacklist section above. The idea is
# that if a user feels too restricted (e.g. unable to save files into
# home directory) they may disable whitelist (nowhitelist)
# in PROFILE.local but still be protected by BLACKLISTS section
# (explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
##mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-run-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc

##allusers
apparmor
#caps.drop all
##caps.keep CAPS
#hostname turtl
# CLI only
##ipc-namespace
# breaks audio and sometimes dbus related functions
#machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
#nodvd
#nogroups
#noinput
#nonewprivs
#noprinters
#noroot
#nosound
#notv
#nou2f
#novideo
# Remove each unneeded protocol:
#  - unix is usually needed
#  - inet,inet6 only if internet access is required (see 'net none'/'netfilter' above)
#  - netlink is rarely needed
#  - packet and bluetooth almost never
#protocol unix,inet,inet6,netlink,packet,bluetooth
#seccomp
##seccomp !chroot
##seccomp.drop SYSCALLS (see syscalls.txt)
#seccomp.block-secondary
##seccomp-error-action log (only for debugging seccomp issues)
#shell none
#tracelog
# Prefer 'x11 none' instead of 'disable-X11.inc' if 'net none' is set
##x11 none

#disable-mnt
##private
# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734, #2093)
#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
#    Extra: group,magic,magic.mgc,passwd
#  3D: bumblebee,drirc,glvnd,nvidia
#  Audio: alsa,asound.conf,machine-id,pulse
#  D-Bus: dbus-1,machine-id
#  GUI: fonts,pango,X11
#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
#  KDE: kde4rc,kde5rc
#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
#    Extra: gai.conf,proxychains.conf
#  Qt: Trolltech.conf
##private-lib LIBS
##private-opt NAME
#private-tmp
##writable-etc
##writable-run-user
##writable-var
##writable-var-log

# Since 0.9.63 also a more granular control of dbus is supported.
# To get the dbus-addresses an application needs access to you can
# check with flatpak (when the application is distributed that way):
#    flatpak remote-info --show-metadata flathub <APP-ID>
# Notes:
#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
#  - Some features like native notifications are implemented as portal too.
#  - In order to make dconf work (when used by the app) you need to allow
#    'ca.desrt.dconf' even when not allowed by flatpak.
# Notes and policies about addresses can be found at
# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
#dbus-user filter
#dbus-user.own com.github.netblue30.firejail
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#dbus-system none

##deterministic-shutdown
##env VAR=VALUE
##join-or-start NAME
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}
##read-write ${HOME}
rusty-snake commented 2 years ago

I tried out the script. It didn't create the desired effect.

It's still in development.

It started out at ease while building, but when used as a profile it didn't work out.

It will never get the quality of a handwritten profile.

turtlapp

is an Electron app; this will need special handling. We will need to detect this.

rusty-snake commented 2 years ago

If you did not disable unprivileged userns, it may work now with electron programs.

romelsalwi commented 2 years ago

Here's something I found relevant: https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference AppArmor uses a profile language, and with the help of auditd you can trace what the confined app is trying to access.

The interesting and the interactive part I found was globbing. You can glob the directory and tell apparmor how much access the application has, and apply it to the profile using logprof.

So far I have tried it on Firefox and a few other frequently used applications, and the process, when implemented correctly, can provide finer results.

I followed these pages: https://wiki.archlinux.org/title/AppArmor#Configuration https://wiki.archlinux.org/title/Audit_framework#Adding_rules

During the profile generating process (genprof), AppArmor goes through the audit reports. It notifies (through aa-notify) what files were accessed, and when you are finished, it creates a profile. It is not compulsory for the application to run as expected, and that is why it allows you to run the application in complain mode so that you can refine those edges. When convinced, you can make the rules strict by enabling enforce mode.