rusty-snake
commented
2 months ago Duplicated of #4871
--
Also doubting that /usr/local is the right path.
- It conflict if firejail is installed from git with
make installinto/usr/local. - Does not scale well for different filesystem layouts (e.g. guix) and is not the best/correct choice in file-hierachy/fhs/hier.
If one day they accidently run that app using "sudo" then the custom profile in ~/ would not be read and their /Private folder would be read.
If you accidental run apps using sudo you have a different problem in your op-sec. Also running a app using sudo may allow the app to undo a blacklist.
Also I do not think that this is inside of firejails generally to be assumed thread model given that firejail/firecfg does not stop you from running a program without it using e.g. it's full path.
for these system-wide changes it makes more sense to have a system-wide custom directory to not clutter the [default] directory.
Yes
My point being that in most use-cases it doesn't make sense to have profiles specific to one user that also is not blocked system-wide.
.locals: make sense on per-user basis
.profile: may or may not, there a different thing, the main focus of firejail are single.
kmk3
Is your feature request related to a problem? Please describe.
It is hard to manage a lot of custom profiles. The current solution of looking for profiles in ~/.config/firejail does not solve it because it is not system wide, so apps launched from another user will not use those profiles. For custom, multi-user profile management there should be another directory.
This approach allows much cleaner, system-wide profile changes that mixing a ton of new config files /etc/firejail. For example, to move all the custom changes to a new install requires just copy / pasting the /usr/local/etc/firejail directory
Serious errors can be created when creating profiles in "~./config/firejail" that do not exist outside. For example, a user may have profiles that blacklist private directories such as ~./Private. If one day they accidently run that app using "sudo" then the custom profile in ~/ would not be read and their /Private folder would be read.
My point being that in most use-cases it doesn't make sense to have profiles specific to one user that also is not blocked system-wide. And for these system-wide changes it makes more sense to have a system-wide custom directory to not clutter the /etc/firejail directory.
Describe the solution you'd like
Look for profiles in the following order:
~/.config/firejail /usr/local/etc/firejail /etc/firejail