I'm not sure that I understand. You can blacklist any folder if that's what you're trying to achieve.
Yes, I think this is more or less what I want to do; I was not sure I could. Thanks. I want a program/file executed from a folder to be run automatically isolated.
I'm still not sure that I understand it correctly. If it is about blacklisting folders, please note that Firejail comes with a specific profile for more than 600 applications (they are located in /etc/firejail). Those profiles contain blacklist commands, mostly through the various *.inc files included in those profiles. In many profiles there are also whitelist directives (which can be used for home, /dev, /etc, /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, and /tmp), which means that the respective application can only access files/folders therein which are explicitly whitelisted. If your question is about automatically sandboxing an application, this can be achieved by executing sudo firecfg, which makes sure that all applications for which a Firejail profile is available are automatically sandboxed when they are started. See chapter 2.3 in this documentation.
Yes, this one I used already. I think it is the closest thing to achieving what I want, which is more like: you download an installer or file into a folder, then when it is executed, it runs sandboxed.
Well, in Linux you normally install applications from the official repositories with the respective package manager (depending on which distro you are using). They are usually installed in /usr/bin. sudo firecfg does 2 things:
1. It removes the complete path in the .desktop files for those installed applications for which Firejail profiles are available.
2. It creates symbolic links (pointing to /usr/bin/firejail) in /usr/local/bin.
As that directory is located before /usr/bin in the $PATH of most distributions (you can check this by executing echo $PATH), the symlink in /usr/local/bin is used when such an application is executed, making sure that it is sandboxed by Firejail. This is called symlink invocation. Again, this works only for applications with a Firejail profile. Other applications can be started by executing firejail application_name; in this case the default profile in /etc/firejail is applied. Or you create your own profile in ~/.config/firejail. If you execute sudo firecfg again, those custom profiles are also taken into account.
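As an added example (not code from the thread, nor from Firejail or firecfg), a small POSIX shell check of the symlink invocation described in the post above: it finds the first hit for a command name on a search PATH and tells whether that hit is a symlink resolving to the firejail binary. The function arguments and the mock directory tree built by setup_mock (with the made-up app names firefox and gimp) are my own construction so the logic can be exercised offline.

```sh
# Added example (not from the thread): check whether an application would be
# started through Firejail's symlink invocation, i.e. whether its first match
# on the search PATH is a symlink resolving to the firejail binary. Arguments
# (search path, name, firejail binary) are my own choice for testability.

# Print the first executable NAME found in the colon-separated SEARCH_PATH.
first_on_path() {
  search_path=$1; name=$2
  old_ifs=$IFS; IFS=:
  for dir in $search_path; do
    if [ -x "$dir/$name" ]; then
      IFS=$old_ifs
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# Return 0 if NAME is sandboxed by symlink invocation: the first match on
# SEARCH_PATH is a symlink resolving to FIREJAIL_BIN. Return 1 otherwise
# (no match, a plain binary found first, or a symlink pointing elsewhere).
is_firejailed() {
  match=$(first_on_path "$1" "$2") || return 1
  [ -L "$match" ] || return 1
  [ "$(readlink -f "$match")" = "$(readlink -f "$3")" ]
}

# Report for the live system, e.g. `report firefox` (uses the real $PATH).
report() {
  if is_firejailed "$PATH" "$1" /usr/bin/firejail; then
    echo "$1: started through a Firejail symlink"
  else
    echo "$1: NOT sandboxed by symlink invocation"
  fi
}

# Constructed mock tree mirroring what firecfg produces: a fake /usr/bin with
# firejail plus two apps, and a fake /usr/local/bin with a symlink for only one.
setup_mock() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/usr/local/bin"
  for f in firejail firefox gimp; do
    printf '#!/bin/sh\n' > "$root/usr/bin/$f"; chmod +x "$root/usr/bin/$f"
  done
  ln -s "$root/usr/bin/firejail" "$root/usr/local/bin/firefox"
  printf '%s\n' "$root"
}
```

On a real system, `report <app>` after `sudo firecfg` shows whether that application's PATH lookup actually lands on the firecfg symlink; if /usr/local/bin sits after /usr/bin in $PATH, the plain binary is found first and the app is not sandboxed.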
I think that this is beginning to change with Snap, AppImage and Flatpak. Of course official repositories are not gonna go away, but at least some programs will be installed and updated through these channels. I use Snap for Signal Desktop and NotepadQQ on my primary Debian Testing GNU/Linux system. Do you know if it is possible to create a custom Firejail profile for programs installed from Snap?
I must confess that I'm not really familiar with that stuff. I just know that Firejail has built-in AppImage support. Flatpak and Snap have their own sandboxes which make use of seccomp-bpf and namespaces (and AppArmor for Snap). Those sandboxes seem to be rather strict. Whether additional sandboxing with Firejail makes sense is probably questionable. But I assume that it is possible to create custom profiles.
From what I read, Firejail can be used on top of AppArmor without many issues; some capabilities will be redundant, but it won't wreak havoc on the system.
Yes, but if you're referring to Flatpak and Snap, they also use technologies used in Firejail, so there is a considerable overlap. Regarding using Firejail and AppArmor simultaneously, there can be problems, but my impression is that a recent fix solved most of them.
Technology allows one to create strict policies, but it doesn't mean they are. At least NotepadQQ has access to my ${HOME}. I also tested Firefox from Snap and it also has access to my ${HOME} directory (but by default downloads to "${HOME}/snap/firefox/common/Downloads" instead). I wonder whether there is a way to customize Snap policies.
As mentioned, I'm not familiar with Snap. But according to this site it should be possible to change the confinement to strict. But this could mean that you're running into trouble, of course ...
@reasonablePrivacy: I just realized that Firejail comes with a snap.profile. It doesn't contain seccomp etc. but basically restricts access in your home to ~/Downloads and ~/snap. You can modify it to your liking in ~/.config/firejail/snap.profile or /etc/firejail/snap.local. This post suggests that you might need to start it similarly to the --appimage switch.
This is for building Snap packages from scratch. Unfortunately this doesn't work for me. I don't understand how Snap/snapd works under the hood. It seems to me that it executes some snap code and then launches the target application. This is the command I type to execute Signal:
snap run signal-desktop
so I typed:
firejail --profile=snap snap run signal-desktop
I guess snap needs enough privileges, including suid/root, to work correctly. I think AppArmor or another MAC/RBAC should be more easily used to restrict programs executed by Snap/snapd, but it is only my guess.
Firejail 9.58.2 was installed today (MX-17) by the daily updates, along with a long list of profiles. I ran the firejail --version cmd and it showed 9.58.2 and, below that, AppArmor and several programs ending with the x11 program, all enabled. Do I still need to run the sudo firecfg? Thanks for your help.
I don't really know, but I think if you're unsure it wouldn't hurt to run firecfg --clean to reset everything before running firecfg, but I don't know that it's necessary. So, did you enable the test repo? I'm still showing 0.9.50 in the stable, which is the version I have, and they show 0.9.58 and 0.9.58.2 having been put in test some time ago. https://forum.mxlinux.org/viewtopic.php?f=134&t=48245&p=485279&hilit=firejail#p485279
Back in December I enabled backports-stretch in Synaptic (Synaptic, Settings, Repositories; you have to expand the repo window to see the entry for backports-stretch). After rereading threads 603 and 605 several times, I think the sudo firecfg needs to be run. I did not touch anything in the test repo.
It is recommended to run sudo firecfg with every Firejail update, as usually a couple of new profiles are added for applications which you may be using. This can also be done if you install new applications for which Firejail profiles are available, of course. Executing sudo firecfg --clean first is not necessary in either case.
I ran the sudo firecfg cmd and there were 2 new profiles. Now that I know/understand how the update process works, I'm good to go. Thanks again for all your help. I love MX-17.
Would Firejail be able to prevent the Intel Spoiler exploit from stealing any files from your system? https://www.overclock3d.net/news/cp..._-_intel_cpus_impacted_by_new_vulnerability/1
Who knows? It's possible that an attacker needs to use specific syscalls and/or capabilities to fully exploit that vulnerability and that Firejail could protect against that. But it's also possible that the attack begins at an earlier stage before Firejail can intervene. This is what Intel says:
Thanks that's a relief. Good to know that it's not guaranteed that Spoiler will affect your system as long as you have an up to date kernel.