Wiki: Creating Profiles #2748
Comments
I'd welcome some tips such as using |
@jose1711 if you can, start writing. 😉 EDIT: We can also add |
i wish i had that knowledge.. |
Profile Locations/Types explains 3 types of profiles, but lists 4. "system-wide profiles are organized in a consistent manner" Change "Process/Steps for defining your own template (Contribution)" to "Contribute a new profile" or explain the difference between template and profile. |
@matu3ba if you compile firejail yourself (without |
done
Fixed. EDIT:
Maybe we should add some examples. Examples:
1. [transmission-cli.profile](https://github.com/netblue30/firejail/blob/master/etc/transmission-cli.profile)
Contains all options to make `transmission-cli` run securely but without trouble.
2. [transmission-create.profile](https://github.com/netblue30/firejail/blob/master/etc/transmission-create.profile)
`transmission-create` needs the same options as `transmission-cli`, so `transmission-create.profile` just `include`s `transmission-cli.profile`.
3. `transmission-cli.local`
Created by the user to (1) add something (e.g. `private-bin transmission-cli`) or (2) `ignore` something (e.g. `ignore private-etc`) to/in `transmission-cli.profile`.
4. `globals.local`
Created by the user to (1) add something (e.g. `net none`) or (2) `ignore` something (e.g. `ignore apparmor`) to/in all profiles. |
@rusty-snake Please review my changes. |
done
@matu3ba looks great.
For me too 😀 .
Maybe we should leave the
Should be reworked again. Let's find a solution here.
You need FJ 0.9.61 (latest git)
The wiki is new, there's a whole lot more to do. |
You can still run without firejail (
fixed in master
a common mistake?
first cmd then recursive the profiles |
I recommend not to use /etc as it is not relevant and you must be root to edit it. |
It should be reworded, I think they meant |
@rusty-snake @SkewedZeppelin Thanks for the feedback. Included and changed the sections. |
I think the phrase "persistent" might be problematic due to dependence on the commands. |
@rusty-snake @SkewedZeppelin Suggestion for finalization or closing from my side. |
Hello, I am trying to create a profile for the pcloud client (www.pcloud.com) and need some help. If that is the wrong place to ask, please show me the right one :-) My profile looks like that at the moment: `include default.profile` When starting with Also the client offers "drive access" without syncing by mounting the cloud to a local folder by default. Has anyone created a profile for pcloud so far? Thanks! |
Longer threads: open a new issue
From pcloud or firejail?
You can try my noprofile. If the error stays pcloud is likely not firejailable. noprofile
|
Thanks for your quick answer! I had to call it without |
Another question: Thanks! |
Open a new issue for the KDE thing. |
Done! Last question - sorry for bothering you: |
Is there a better way to audit Linux PS capabilities currently being used by a process other than pscap or getcap or bcc? Maybe include this in the wiki for caps.keep section https://www.andreasch.com/2018/01/13/capabilities/ https://en.wikibooks.org/wiki/Grsecurity/Appendix/Capability_Names_and_Descriptions |
I would like to rewrite some parts, especially Locations and Types, of this page because they are a bit unclear and should be a bit more simple imo.
file types
Every file in a firejail dir (
file locations
Depending on where you put a file, it might override other files. |
Thanks for helping with the docs 🥇 🤗 . file locations all right file types
Right, I added these "profile-types" to better explain the differences how profiles are used. (:nerd_face: There is one function differences:
I would split it
all fine
We could split it in whitelist, disable, special (feh-network.inc). However this is overkill IMHO. |
Just updated my comment to add these improvements |
LGTM
There is one special: /etc/firejail/firejail.config.
We might want to clarify that this is only for blacklisting (by disable-*.inc). If a profile contains |
Is there a reason that preinstalled profiles go to /etc? Wouldn't it make more sense to ship them in /usr? |
I would like to add some more info about directives to the page, like this:
Perhaps it would make sense to add a few more columns, like a notes column which contains relevant issues or caveats. We could maybe even link to the source of the directive, but this may be overkill. There are of course the manual pages but I did not find any information about override support for specific directives for example. |
For making things easy, it is just prefixed. |
Graphical stuff is easier to understand, but you don't want to separate the directive from the support check marks (wasting space). |
This is not true or at least just half of it. Preinstalled/vendor config should go to /usr nowadays to be differentiated from system config. |
No real reason, but it would require code changes and would confuse unskilled users and outdate most tutorials around the internet,
It would be in large parts a duplication of the man-pages, I don't know if we are doing ourselves good with it.
Since |
Should the content from https://firejail.wordpress.com/documentation-2/building-custom-profiles/ be moved onto the wiki page,
|
Issue for discussions about https://github.com/netblue30/firejail/wiki/Creating-Profiles