Well that is what I meant, would they break anything? But I will just test around.. for now I am more concerned about opening apps by default with firejail.
You can blacklist almost all of them. There are exceptions, of course, e.g. Firefox needs to read ".mozilla" in order for it to use your profile. You need to test your apps to see what works and what doesn't. My suggestion is to block everything and then whitelist what the app needs, kind of like a good firewall practice.
May I ask which kernel you are using? I know that there is one official one with grsecurity enabled by default but that's about it?
Yes, I'm using linux-grsec from the repo. It's the latest Kernel that grsecurity supports in their Testing repo.
If anyone is interested in a quick and easy way on how to open apps with firejail by default on XFCE: Settings -> MIME Type Editor -> Choose the MIME/Protocol e.g. http -> double click it -> below the list of apps that could open it there is "custom command" -> custom command "firejail iceweasel". Now whenever you open a link or http protocol it will open with "firejail iceweasel" instead of "iceweasel". The only downside: Instead of showing "iceweasel" as the preferred application in the MIME Type Editor, it will display firejail.. so you will have a lot of "firejail" entries in that editor instead of the actual app that will open it. It is also a pain to configure.. because e.g. okular opens like 50 different MIME/Protocols and you have to change every one of them one-by-one :/
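An added example, not part of the post above: the same "open through firejail by default" result can be had for every MIME type an application claims at once by installing a user-local copy of its .desktop file whose Exec= line is prefixed with firejail. Files in ~/.local/share/applications take precedence over the same-named ones in /usr/share/applications, and the launcher keeps showing the application's own name. The sample .desktop text, the function names and the temporary directories are constructed for illustration; in practice the source file is /usr/share/applications/<app>.desktop.

```shell
#!/bin/bash
# Added example (not from the thread): make the desktop environment launch
# an application through firejail for every MIME type its .desktop file
# claims, by installing a user-local copy with a prefixed Exec= line.
# The sample .desktop content below is constructed; in practice the source
# is /usr/share/applications/<app>.desktop.

# Prefix Exec= with "firejail" on the .desktop text read from stdin.
# Field codes such as %u or %f stay in place, so the launcher still passes
# the URL or file name through. Stripping an existing prefix first makes
# the rewrite idempotent (safe to re-run after a package update).
prefix_exec() {
    sed -e 's/^Exec=firejail /Exec=/' -e 's/^Exec=/Exec=firejail /'
}

# Install the rewritten copy into DEST_DIR (default: the per-user
# applications directory, which takes precedence over /usr/share).
# Prints the path of the file it wrote.
install_override() {
    src="$1"
    dest_dir="${2:-$HOME/.local/share/applications}"
    mkdir -p "$dest_dir"
    dest="$dest_dir/$(basename "$src")"
    prefix_exec < "$src" > "$dest"
    printf '%s\n' "$dest"
}

# Constructed .desktop file standing in for the real iceweasel.desktop.
SAMPLE_DESKTOP='[Desktop Entry]
Type=Application
Name=Iceweasel
Exec=iceweasel %u
TryExec=iceweasel
MimeType=text/html;x-scheme-handler/http;x-scheme-handler/https;'

# Run the whole flow in a temporary directory and print the resulting
# Exec= line, so the example works without root and without XFCE.
demo_override() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_DESKTOP" > "$tmp/iceweasel.desktop"
    out=$(install_override "$tmp/iceweasel.desktop" "$tmp/applications")
    grep '^Exec=' "$out"
    rm -rf "$tmp"
}
```

After running install_override on a real file, refresh the MIME cache with update-desktop-database ~/.local/share/applications (from desktop-file-utils) so the http/https handlers pick up the new copy; every type listed on the MimeType= line is covered in one step instead of one entry at a time.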
That doesn't work for me. After doing $ firejail skype I get the following output:
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-history.inc
** Note: you can use --noprofile to disable generic.profile **
Parent pid 6098, child pid 6099
Child process initialized
parent is shutting down, bye...
Nothing happens after that.
Due to this: https://github.com/netblue30/firejail/tree/master/etc - Firejail doesn't come with a skype profile. I created skype.profile in /etc/firejail directory including this:
Code:
# Start Firejail Skype profile
noblacklist ${HOME}/.Skype
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-history.inc
caps.drop all
#seccomp
netfilter
noroot
# End Firejail Skype profile
Seccomp is off, because skype doesn't start with this option.
PS: Archlinux+ Grsecurity/PAXD(softmode=0)
@UnknownK: Firejail doesn't come with a skype profile. As there is no Skype profile, the generic profile is used. And I guess that you're running into the same problem as our friend @amarildojr: You probably have a 64bit system but Skype is, AFAIR, a 32bit application. seccomp-bpf doesn't work with it. So you should create your own skype profile and disable seccomp. Let us know if that works.
Hi, I use Linux Mint 17.2 and installed firejail and firetools. However, I'm relatively new to Linux and I see the red launcher for firetools but I don't know how to add my browser or any other program to the launcher. Any ideas please. I use the palemoon browser if it helps. Thanks.
There isn't a facility for adding other programs to the launcher other than from source compilation. Firetools isn't particularly important IMO unless you want the convenience of the monitoring window; I prefer to add scripts to the desktop in the normal way to launch stuff.
Firejail 0.9.32 is out with many improvements. You should update immediately as the old version contained a very nasty bug:
You're welcome! I'm thinking about how to best use the new --private-bin option which sounds intriguing. As far as I understand this means that the firejailed applications cannot start any other application in /bin, /usr/bin, /usr/sbin and /sbin (the first and the last two being only symbolic links to /usr/bin in Arch Linux, anyhow) except the ones specifically added to that option.
There is another "trick" mentioned by netblue30 somewhere on his github site: Just create custom launch scripts in /usr/local/bin. Examples of scripts I've created:

firefox
Code:
#!/bin/bash
firejail --profile=/home/heat/.config/firejail/firefox.profile /usr/lib/firefox/firefox $1

libreoffice
Code:
#!/bin/bash
firejail --profile=/home/heat/.config/firejail/libreoffice.profile /usr/bin/libreoffice "$@"

Just make them executable and all is well. The advantage is that those custom scripts won't be overwritten by updates unlike the system-wide desktop files in /usr/share/applications.

EDIT: Regarding $1 and "$@": You might need to experiment which positional parameter is needed for the respective application.

EDIT2: @amarildojr: We discussed the problem that a firejailed Gwenview couldn't open a file with blanks. Unfortunately, adding shell none to its profile didn't work anymore for v. 15.08.2-1, and I also ran into the same problem with the new Okular version. Solution: Remove the firejail argument in the KDE start menu and create those 2 custom start scripts:

gwenview
Code:
#!/bin/bash
firejail --profile=/home/heat/.config/firejail/gwenview.profile /usr/bin/gwenview "$*"

okular
Code:
#!/bin/bash
firejail --profile=/home/heat/.config/firejail/okular.profile /usr/bin/okular "$@"

BTW, adding the --profile option is not necessary. I'm doing it to make sure that those applications use the correct profile if I accidentally start them as root.
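An added example, not part of the post above: the three argument forms used in those wrapper scripts ($1, "$*" and "$@") hand the wrapped program different argument lists, which is exactly what decides whether a file name with blanks survives the trip through the wrapper. The block below makes that visible with a stand-in for the firejail command line, and adds a small generator for /usr/local/bin wrappers that always forwards with "$@". The names sandboxed_cmd, argv_for and make_wrapper are constructed for this example; profile and binary paths are supplied by the caller.

```shell
#!/bin/bash
# Added example (not from the thread): what the wrapped program actually
# receives for $1, "$*" and "$@" in a /usr/local/bin launch script, plus a
# generator for such scripts. "sandboxed_cmd" and "make_wrapper" are
# constructed names; the firejail profile and binary paths are supplied by
# the caller.

# Stand-in for "firejail --profile=... /usr/bin/okular": prints each
# argument it received, separated by "|", so argument boundaries are visible.
sandboxed_cmd() { printf '%s|' "$@"; echo; }

# The three argument styles seen in the thread's scripts.
wrap_dollar1() { sandboxed_cmd $1; }     # unquoted $1: split on blanks, other args dropped
wrap_star()    { sandboxed_cmd "$*"; }   # "$*": every argument joined into one word
wrap_at()      { sandboxed_cmd "$@"; }   # "$@": each argument passed through intact

# Print what the program sees for a given style and argument list.
argv_for() {
    style="$1"; shift
    "wrap_$style" "$@"
}

# Write a wrapper script NAME into DIR (default /usr/local/bin) that runs
# BINARY under firejail with PROFILE, forwarding arguments with "$@".
# BINARY must be an absolute path, otherwise a wrapper named like the
# binary would call itself once /usr/local/bin is first on PATH.
make_wrapper() {
    name="$1"; binary="$2"; profile="$3"; dir="${4:-/usr/local/bin}"
    case "$binary" in
        /*) ;;
        *) echo "binary must be an absolute path" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    cat > "$dir/$name" <<EOF
#!/bin/bash
exec firejail --profile="$profile" "$binary" "\$@"
EOF
    chmod 755 "$dir/$name"
    printf '%s\n' "$dir/$name"
}
```

For 'My Document.pdf' plus a second file, the $1 style delivers the two words My and Document.pdf (and loses the second file), the "$*" style delivers one argument containing both names, and only "$@" delivers the two file names as the two arguments the application expects; "$*" happens to work for a single file with blanks, which is why it looked like a fix for Gwenview.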
This keeps getting better... Lock down your Firejailed browser's DNS:
Code:
# firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
Obviously swap out Google's DNS for your DNS of choice.
Oh that is nice.. together with dnscrypt I would simply force the browser to only use 127.0.0.1 as DNS server.