How to configure applications to automatically go through firejail?

[Joe23232]

I wanted to know how do I configure certain applications to go through firejail, even through the launcher, for example if on KDE, if I click on firefox, I want it to open through firejail, how do I configure this?

[smitsohu]

Create a symbolic link:
sudo ln -s /usr/bin/firejail /usr/local/bin/firefox

You may also want to take a look at man 1 firecfg

[Joe23232]

Create a symbolic link:
sudo ln -s /usr/bin/firejail /usr/local/bin/firefox

How does it get firefox to run through firejail if I launched it through KDE? I just want to understand this better.

[smitsohu]

It works because on your system /usr/local/bin precedes /usr/bin in the PATH environment variable. This way, if you type firefox in bash or click an icon in the desktop manager of your choice, what is executed is not /usr/bin/firefox but /usr/local/bin/firefox -> /usr/bin/firejail. Then Firejail learns about the original command by looking at the command line parameters, or argv[0] more specifically. That's the magic!

[glitsj16]

Programs implement default application associations in different ways. While command-line programs traditionally use environment variables, graphical applications - or GUI apps - tend to use the XDG MIME Applications specification. This is a common Linux standard (a convention) using .desktop files in /usr/share/applications to deliver the 'magic'. It also offers a per-user location to over-ride what is in that system-wide path: ~/.local/share/applications. These .desktop files contain instructions on how to execute a specific application.

If you take a look inside, you'll notice an 'Exec=blahblah' line, e.g. 'Exec=firefox %U', which in human-speak means "start Firefox by executing the command 'firefox', and append whatever text string follows" - a URL in this context. Easy peasy, let's hit it already - I hear you think. But wait, there's a problem to be solved first. What happens when there are several commands on the system called 'firefox'? Where exactly can we find all these, and decide which one to actually execute?

Machines can figure this all out and solve the problem by - you guessed it - relying on another (set of) standard convention(s). The relevant one in this context being PATH: a limited set of possible locations where executable files can be found. You can check what your OS has predefined by running the below in a terminal:

$ echo "$PATH"
/usr/local/sbin:/usr/local/bin:/usr/bin

Like hordes of hungry beasts, machines start scanning through this collection of predefined locations, eagerly looking for something to execute. No matter how fast (or slow) this happens, this process seems to follow the same 'internal logic': let's not waste too much resources here and always execute the command from whatever location we find first so we can move on and take a rest already.

Scanning stops, beasts happily tiptoe off to greener, shadier pastures and, whammo, a new thingie appears that looks like we can actually use it to surf that WWW everybody is on about! In the grand order of things, hopefully /usr/local/bin/firefox is found first, hence executed. By creating symbolic links under a location - /usr/local/bin - that precedes other usual suspects - /usr/bin - firejail is able to ensure that your application - firefox - will now be sandboxed. Ugh!

[Joe23232]

It works because on your system /usr/local/bin precedes /usr/bin in the PATH environment variable. This way, if you type firefox in bash or click an icon in the desktop manager of your choice, what is executed is not /usr/bin/firefox but /usr/local/bin/firefox -> /usr/bin/firejail. Then Firejail learns about the original command by looking at the command line parameters, or argv[0] more specifically. That's the magic!

I see, so like since firejail knows that the link is named as firefox, therefore it will know to open up firefox, am I correct?

Through firetools I configured firefox to not have access to the Desktop's files and it does work fine when I launch firefox either by firejail or firetools. However after adding the symblink in the specified directory, when I launch firefox through KDE's start menu, I can still access the Desktop's files. Is there a way to fix this?

[glitsj16]

I see, so like since firejail knows that the link is named as firefox, therefore it will know to open up firefox, am I correct?

Correct.

Through firetools I configured firefox to not have access to the Desktop's files and it does work fine when I launch firefox either by firejail or firetools. However after adding the symblink in the specified directory, when I launch firefox through KDE's start menu, I can still access the Desktop's files. Is there a way to fix this?

It might be a conflict between firetools and firecfg if you previously also tried that, not 100% sure. I'd recommend sticking to one of the GUI tools to avoid clashes. Just try using your favorite GUI tool to undo all changes you've made so far and start afresh. That can also be achieved thru a file manager or in a terminal (so CLI). Be careful not to remove something from ~/.local/share/applications that you put there yourself (and isn't related to firejail). Making a quick local backup of that path is always a good idea. It will enable you to experiment with firejail and related GUI tools without having to worry about making unrecoverable changes to your system. Please contact us here again if fixing this doesn't work as expected.

[Joe23232]

@glitsj16

It might be a conflict between firetools and firecfg if you previously also tried that, not 100% sure.

I haven't used firecfg. I only used firetools to change firefox's permission.

I'd recommend sticking to one of the GUI tools to avoid clashes.

Is there something alternative to firetools?

Just try using your favorite GUI tool to undo all changes you've made so far and start afresh. That can also be achieved thru a file manager or in a terminal (so CLI). Be careful not to remove something from ~/.local/share/applications that you put there yourself (and isn't related to firejail).

What am I supposed to remove though to start fresh?

[glitsj16]

I haven't used firecfg. I only used firetools to change firefox's permission.

In that case the problem with firefox must be something else. If you could post details here about your firejail and firetools version, files created by firetools in ~/.config/firejail/ to customize firefox and the content of ~/.local/share/applications/firefox.desktop we can determine what is going wrong. Let's not remove anything yet. We can tackle that later.

[Joe23232]

Hmm strange, surprisingly when I typed cd ~/.config/firejail/ and then typed ls the firejail file does not even exist, but there is a firejail-uirc, do you want me to post contents in that file instead?

Also in ~/.local/share/ there is no applications directory. I am using Arch Linux (EndeavourOS) so is the directory structure different or something?

[glitsj16]

Ah, yes do post that firejail-uirc file, I've not used firetools before so that would be interesting to see. While your at it, also post output of

$ ls -lA /usr/local/bin

Also in ~/.local/share/ there is no applications directory. I am using Arch Linux (EndeavourOS) so is the directory structure different or something?

No I think it simple means firetools isn't using that directory to locally override /usr/share/applications.

[Joe23232]

@glitsj16 Under the firejail-uirc file.

[KFileDialog Settings]
detailViewIconSize=0

After executing ls -lA /usr/local/bin I get this.

lrwxrwxrwx 1 root root 17 Jan 29 13:25 firefox -> /usr/bin/firejail

No I think it simple means firetools isn't using that directory to locally override /usr/share/applications.

Oh I see.

So is there something I can do to fix this problem that I am having?

[glitsj16]

Did some more research on firetools. Apparently it uses ~/.config/firetools to store files. So you should have a firefox related file under that dir that you can post here.

[Joe23232]

Ok so under ~/.config/firetools I have this file fstats.config and when I output the file's content I get this.

x 650
y 650

So what does this mean?

[glitsj16]

Looks like window size dimensions. Nothing profile related at least. Is that the only file in that dir?

[Joe23232]

Ok so I typed ls -la and here is the output.

total 12
drwxr-xr-x  2 test test 4096 Jan 29 16:03 .
drwx------ 16 test test 4096 Jan 30 22:29 ..
-rw-r--r--  1 test test   12 Jan 30 16:38 fstats.config

Why does it say total 12 what does that mean?

[glitsj16]

That's directory information. In the manual page of the 'ls' command (man ls) you can find detailed explanations. But again, nothing helpful to fix your issue. Let me suggest something. For now, close the firetools GUI and disable it from autostarting. We will temporarily use the firecfg command to create the necessary files and I'll explain how you can get the same settings for firefox to not show specific files you want to keep out of the sandbox in a minute. Using firecfg will ensure your applications are getting sandboxed, no matter how/which desktop environment you decide to use. It's the firejail native tool to do so. Up for it?

[Joe23232]

Let me suggest something. For now, close the firetools GUI and disable it from autostarting.

How do I disable it from autostarting?

We will temporarily use the firecfg command to create the necessary files and I'll explain how you can get the same settings for firefox to not show specific files you want to keep out of the sandbox in a minute. Using firecfg will ensure your applications are getting sandboxed, no matter how/which desktop environment you decide to use. It's the firejail native tool to do so. Up for it?

Thanks mate I am up for it. I will just run firecfg, is that what you want me to do right now?

Should I remove firefox from /usr/local/bin?

[glitsj16]

To disable firetools from autostarting when you boot your machine you should have 2 options. Either find a setting in the GUI itself to do so. Or open ~/.config/autostart/firetools.desktop and show the content here.

[Joe23232]

This file doesn't appear to exist ~/.config/autostart/firetools.desktop

Should I remove firefox from /usr/local/bin?

[glitsj16]

OK. Proceed with running the commands below.
Start by cleaning firejail symlinks first, that will take care of firefox symlink as well as any others you might have.

$ sudo firecfg --clean

Next, set up symlinks and desktop files

$ sudo firecfg

[Joe23232]

Ok done that, now what do I do now?

[glitsj16]

$ firecfg --list

[Joe23232]

Removing all firejail symlinks:

Configuring symlinks in /usr/local/bin based on firecfg.config
   ark created
   baloo_file created
   baloo_filemetadata_temp_extractor created
   brave created
   conplay created
   display created
   dnsmasq created
   dolphin created
   enchant-2 created
   enchant-lsmod-2 created
   ffmpeg created
   ffmpegthumbnailer created
   ffplay created
   ffprobe created
   firefox created
   gwenview created
   img2txt created
   kate created
   kwrite created
   less created
   mpg123 created
   mpg123-id3dump created
   mpg123-strip created
   mplayer created
   okular created
   out123 created
   patch created
   pavucontrol created
   pdftotext created
   qt-faststart created
   secret-tool created
   ssh created
   strings created
   wget created
   whois created
   wine created

Adding user test to Firejail access database in /etc/firejail/firejail.users
Creating /etc/firejail/firejail.users

Loading AppArmor profile
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.

Fixing desktop files in /home/test/.local/share/applications
   firefox.desktop created

This is the output I got when I ran sudo firecfg There appears to be an error

[glitsj16]

The error you see is AppArmor related. What kernel is your EndeavourOS using? Type 'uname -r' to find out.

[Joe23232]

Does firejail use apparmor?

This is the output I get after running uname -r
5.4.15-arch1-1

[glitsj16]

OK, the stock arch linux kernel, which is fine.
$ firejail --version

[Joe23232]

I ran it

firejail version 0.9.62

Compile time support:
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

[glitsj16]

To test if AppArmor has been correctly enabled:

$ aa-enabled

[Joe23232]

After running it No - disabled at boot.

[glitsj16]

What is your $PATH?

$ echo $PATH

Let's unclutter that file a bit to make it easier to read. Replace the content with the below.

[Desktop Entry]
Name=Firefox
GenericName=Web Browser
Comment=Browse the World Wide Web
Keywords=Internet;WWW;Browser;Web;Explorer
#Exec=firefox
Exec=firejail firefox %u
Icon=firefox
Terminal=false
X-MultipleArgs=false
Type=Application
MimeType=text/html;text/xml;application/xhtml+xml;x-scheme-handler/http;x-scheme-handler/https;application/x-xpinstall;
StartupNotify=true
StartupWMClass=firefox
Categories=Network;WebBrowser;
Actions=new-window;new-private-window;

[Desktop Action new-window]
Name=New Window
#Exec=firefox --new-window %u
Exec=firejail firefox --new-window %u

[Desktop Action new-private-window]
Name=New Private Window
#Exec=firefox --private-window %u
Exec=firejail firefox --private-window %u

[Joe23232]

What is your $PATH?
$ echo $PATH

/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl

Let's unclutter that file a bit to make it easier to read. Replace the content with the below.

So you want me to nano into that file and replace the content and put this content in instead, is that what you mean? What will change if I replace the contents other than the readability?

[glitsj16]

PATH looks fine, stock Arch output.

So you want me to nano into that file and replace the content and put this content in instead, is that what you mean? What will change if I replace the contents other than the readability?

Correct. Other than readability I took out the '# converted by firecfg' line and changed the 'Exec=...' lines. The former should protect the file from being overwritten by future 'sudo firecfg' runs. We have some issues reported on that not working well for certain applications. The latter means taking manual control to ensure your Firefox will always run sandboxed now. At least that's what it should do once you make the edits in nano. So proceed with the edits and test your Firefox browser start routines again, double-checking with the 'firejail --tree' command to confirm it is actually sandboxed now.

Don't worry about changing the content. If this doesn't fix your firefox you can always remove that file and regenerate it by running 'sudo firecfg' again. Apologies for editing/updating my comments here. It could help others that look thru the issues here in the future.

[Joe23232]

PATH looks fine, stock Arch output.

Oh ok nice.

Other than readability I took out the '# converted by firecfg' line and changed the 'Exec=...' lines. The former should protect the file from being overwritten by future 'sudo firecfg' runs.

Do I have to do this to replace all the *.desktop's file's contents and add what you have specified?

What does the firefox.desktop file do anyways, and what happens when it is overwritten? Isn't the same information being overwritten to the same file?

So proceed with the edits and test your Firefox browser start routines again, double-checking with the 'firejail --tree' command to confirm it is actually sandboxed now.

One error, for some weird reason I can make changes using nano but when I am using a text editor (called kate) if I save a change it does not allow me and shows me this error message.

Additionally I did change the write permissions and allowed the file to be written by any user and the same issue still persists.

The reason why I am not using nano is cause how do I highlight all the texts?

[Joe23232]

Sorry I have to go for now I will be available in around 10 hours time. Thanks for all your help :)

[glitsj16]

I'll add a comment explaining a few things regarding your prior comment and what to do next etcetera. We can pick this up again later. Glad to help.

[glitsj16]

Do I have to do this to replace all the *.desktop's file's contents and add what you have specified?

No. In fact it shouldn't be needed at all. But due to some firecfg issues (see e.g. #3179) that are still not fixed or in-progress you currently need this workaround. If you notice any other of your installed applications not getting sandboxed properly (via 'firejail --tree') this routine is a way to take manual control and (try to) fix things.

What does the firefox.desktop file do anyways, and what happens when it is overwritten? Isn't the same information being overwritten to the same file?

Like @smitsohu and myself explained in the beginning of this thread, the firefox.desktop file instructs your OS which command to execute (which additional arguments when specified) and - by explicitly specifying 'Exec=firejail firefox ...' - guarantee running all your supported applications through firejail. Taking out that '# converted by firecfg' line is a safeguard against future overwrites by running 'sudo firecfg', which would regenerate another 'broken' desktop file for firefox in this case. Annoying, but hopefully the firecfg tool will be fixed soon and situations like these become unnecessary.

One error, for some weird reason I can make changes using nano but when I am using a text editor (called kate) if I save a change it does not allow me and shows me this error message.

The 'weird' reason here is actually firejail itself :) In the list you posted in #3191 (comment) you can see 'kate created'. That means that your 'kate' editor is now being run through firejail (as are all the applications listed in that output).

Additionally I did change the write permissions and allowed the file to be written by any user and the same issue still persists.

Changing file permissions (outside the sandbox on your real filesystem) won't help here. The 'problem' is that the default /etc/firejail/kate.profile contains 'include disable-common.inc', which in turn has read-only ${HOME}/.local/share/applications (see lines 304-307 of /etc/firejail/disable-common.inc). So 'kate' - being unaware it is being run through firejail - tries to write into a location that is read-only inside the sandbox, fails to do so and shows an error window.

This is all 'standard' firejail behaviour: restrict a profile as much as possible while keeping it reasonably functional for the user. You will have to get used to being in control, believe it or not :). It is you - as the firejail user - that has to decide if/when/how to make changes to these defaults as specified in the profiles under /etc/firejail. Not that firejail is trying to shift blame or responsibility for something not working as expected into your shoes, or anything of the sort. Quite the contrary IMHO. Purposely designing things this way forces users to being more aware of how their specific setup uses the firejail sandboxing techniques and not lull them into a false 'install and forget' kind of security disaster. After all, firejail is just another set of tools. Luckily it tries to be (self-)aware of this and provides a convention to use overrides via .local files.

If you decide to keep using 'kate' firejailed and want to allow it saving files under ~/.local/share/applications you have 2 options. Either create /etc/firejail/kate.local or ~/.config/firejail/kate.local. The former is a system-wide override - affecting all firejail users on your system, the latter a per-user override - only affecting your specific user ID account.

# This file is meant for local customizations of kate.profile

# allow editing local .desktop files (read-only in disable-common.inc)
read-write ${HOME}/.local/share/applications

The reason why I am not using nano is cause how do I highlight all the texts?

To be honest I don't know that OTOH. Manual pages and internet searches to the rescue...

[glitsj16]

To conclude our session for today, here are 2 reminders.

• stop firetools from autostarting (you can decide later to remove it with pacman and use firecfg instead - or keep it and set it up for autostart by changing 'false' to 'true' in the third line below)

mkdir -p ~/.config/autostart
cp -f /etc/xdg/autostart/firetools.desktop ~/.config/autostart/firetools.desktop
echo "X-GNOME-Autostart-enabled=false" >> ~/.config/autostart/firetools.desktop
chmod +x ~/.config/autostart/firetools.desktop

• configure/enable AppArmor
  see https://wiki.archlinux.org/index.php/AppArmor

Enjoy experimenting!

[Joe23232]

@glitsj16

No. In fact it shouldn't be needed at all. But due to some firecfg issues (see e.g. #3179) that are still not fixed or in-progress you currently need this workaround. If you notice any other of your installed applications not getting sandboxed properly (via 'firejail --tree') this routine is a way to take manual control and (try to) fix things.

Hopefully it gets fixed soon.

Like @smitsohu and myself explained in the beginning of this thread, the firefox.desktop file instructs your OS which command to execute (which additional arguments when specified) and - by explicitly specifying 'Exec=firejail firefox ...' - guarantee running all your supported applications through firejail. Taking out that '# converted by firecfg' line is a safeguard against future overwrites by running 'sudo firecfg', which would regenerate another 'broken' desktop file for firefox in this case. Annoying, but hopefully the firecfg tool will be fixed soon and situations like these become unnecessary.

Oh sorry I should have read it again.

That means that your 'kate' editor is now being run through firejail (as are all the applications listed in that output).

Oh I get it lol.

Changing file permissions (outside the sandbox on your real filesystem) won't help here. The 'problem' is that the default /etc/firejail/kate.profile contains 'include disable-common.inc', which in turn has read-only ${HOME}/.local/share/applications (see lines 304-307 of /etc/firejail/disable-common.inc). So 'kate' - being unaware it is being run through firejail - tries to write into a location that is read-only inside the sandbox, fails to do so and shows an error window.

I understand, I just didn't realise kate was being sandboxed.

Is there a way to use firecfg to specify which applications should get sandboxed? Because I don't want to sandbox all applications, just the ones that I specify?

[glitsj16]

Is there a way to use firecfg to specify which applications should get sandboxed? Because I don't want to sandbox all applications, just the ones that I specify?

No, in its current design firecfg doesn't allow that functionality. More granular control has been requested before, see #3016. I remembered showing a custom script in that issue, which still works fine, but depends heavily on your workflow. Maybe using https://github.com/rahiel/firectl instead of firecfg is the way to go for you in that case.

[Joe23232]

@glitsj16

I did a sudo firecfg --clean to clear out all the files from being sandboxed.

I installed firectl via yay -S firectl (since firectl was not in the official archlinux repository) and installed it. Firefox seems to get sandboxed but with chromium (I instealled chromium after running firecfg and running sudo firecfg --clean) and chromium does not get sandboxed at all when I typed sudo firectl enable chromium.

I ran firectl status and I get this output.

1  Firejail profiles are enabled
   program     symlink    desktop file
   chromium    yes        yes    

6  Firejail profiles are disabled and available
   brave-browser
   firefox
   mplayer
   opera
   pavucontrol
   wine

through firejail chromium is being sandboxed which is good but not through firectl and when I launch it through KDE.

I am not too sure why chromium is not working?

[glitsj16]

Can you post the current content of /usr/share/applications/chromium.desktop please?

As I understand it, firectl prepends "firejail" to the Exec line of the system-wide desktop files. So you need to make absolutely sure there are no overlapping .desktop files with the same name in your ~/.local/share/applications directory. Perhaps firecfg didn't clean everything there. Check that path, remove every .desktop file and try to use firectl again to disable/enable what you want.

I've started work on a firecfg-ng (firecfg next-generation) to avoid all this messy, headache-inducing stuff. It will have disable/enable functionality cfr. firectl, as well as fixes for all currently known/reported firecfg bugs and issues. This will take a while, but I wanted to inform you nonetheless.

On a similar note, if your list of applications you always want to be firejailed isn't too long, I suggest you drop tools like firectl/firecfg completely and setup symlinks (in /usr/local/bin) and edited .desktop files (in ~/.local/share/applications) yourself manually. In the end that looks to be the more manageable solution to all this IMHO. And even when the list is long(er), doing the work manually and keeping a file with info of what you always run through firejail isn't that complicated. It's what I've been doing ever since starting to use firejail for what that's worth...

[rusty-snake]

I've started work on a firecfg-ng (firecfg next-generation) to avoid all this messy, headache-inducing stuff.

I started a firecfg.py, maybe we should collaborate to avoid duplicated work.

[Joe23232]

@glitsj16

Can you post the current content of /usr/share/applications/chromium.desktop please?

Sure mate.

[Desktop Entry]
Version=1.0
Name=Chromium
# Only KDE 4 seems to use GenericName, so we reuse the KDE strings.
# From Ubuntu's language-pack-kde-XX-base packages, version 9.04-20090413.
GenericName=Web Browser
GenericName[ar]=متصفح الشبكة
GenericName[bg]=Уеб браузър
GenericName[ca]=Navegador web
GenericName[cs]=WWW prohlížeč
GenericName[da]=Browser
GenericName[de]=Web-Browser
GenericName[el]=Περιηγητής ιστού
GenericName[en_GB]=Web Browser
GenericName[es]=Navegador web
GenericName[et]=Veebibrauser
GenericName[fi]=WWW-selain
GenericName[fr]=Navigateur Web
GenericName[gu]=વેબ બ્રાઉઝર
GenericName[he]=דפדפן אינטרנט
GenericName[hi]=वेब ब्राउज़र
GenericName[hu]=Webböngésző
GenericName[it]=Browser Web
GenericName[ja]=ウェブブラウザ
GenericName[kn]=ಜಾಲ ವೀಕ್ಷಕ
GenericName[ko]=웹 브라우저
GenericName[lt]=Žiniatinklio naršyklė
GenericName[lv]=Tīmekļa pārlūks
GenericName[ml]=വെബ് ബ്രൌസര്
GenericName[mr]=वेब ब्राऊजर
GenericName[nb]=Nettleser
GenericName[nl]=Webbrowser
GenericName[pl]=Przeglądarka WWW
GenericName[pt]=Navegador Web
GenericName[pt_BR]=Navegador da Internet
GenericName[ro]=Navigator de Internet
GenericName[ru]=Веб-браузер
GenericName[sl]=Spletni brskalnik
GenericName[sv]=Webbläsare
GenericName[ta]=இணைய உலாவி
GenericName[th]=เว็บเบราว์เซอร์
GenericName[tr]=Web Tarayıcı
GenericName[uk]=Навігатор Тенет
GenericName[zh_CN]=网页浏览器
GenericName[zh_HK]=網頁瀏覽器
GenericName[zh_TW]=網頁瀏覽器
# Not translated in KDE, from Epiphany 2.26.1-0ubuntu1.
GenericName[bn]=ওয়েব ব্রাউজার
GenericName[fil]=Web Browser
GenericName[hr]=Web preglednik
GenericName[id]=Browser Web
GenericName[or]=ଓ୍ବେବ ବ୍ରାଉଜର
GenericName[sk]=WWW prehliadač
GenericName[sr]=Интернет прегледник
GenericName[te]=మహాతల అన్వేషి
GenericName[vi]=Bộ duyệt Web
# Gnome and KDE 3 uses Comment.
Comment=Access the Internet
Comment[ar]=الدخول إلى الإنترنت
Comment[bg]=Достъп до интернет
Comment[bn]=ইন্টারনেটটি অ্যাক্সেস করুন
Comment[ca]=Accedeix a Internet
Comment[cs]=Přístup k internetu
Comment[da]=Få adgang til internettet
Comment[de]=Internetzugriff
Comment[el]=Πρόσβαση στο Διαδίκτυο
Comment[en_GB]=Access the Internet
Comment[es]=Accede a Internet.
Comment[et]=Pääs Internetti
Comment[fi]=Käytä internetiä
Comment[fil]=I-access ang Internet
Comment[fr]=Accéder à Internet
Comment[gu]=ઇંટરનેટ ઍક્સેસ કરો
Comment[he]=גישה אל האינטרנט
Comment[hi]=इंटरनेट तक पहुंच स्थापित करें
Comment[hr]=Pristup Internetu
Comment[hu]=Internetelérés
Comment[id]=Akses Internet
Comment[it]=Accesso a Internet
Comment[ja]=インターネットにアクセス
Comment[kn]=ಇಂಟರ್ನೆಟ್ ಅನ್ನು ಪ್ರವೇಶಿಸಿ
Comment[ko]=인터넷 연결
Comment[lt]=Interneto prieiga
Comment[lv]=Piekļūt internetam
Comment[ml]=ഇന്റര്നെറ്റ് ആക്സസ് ചെയ്യുക
Comment[mr]=इंटरनेटमध्ये प्रवेश करा
Comment[nb]=Gå til Internett
Comment[nl]=Verbinding maken met internet
Comment[or]=ଇଣ୍ଟର୍ନେଟ୍ ପ୍ରବେଶ କରନ୍ତୁ
Comment[pl]=Skorzystaj z internetu
Comment[pt]=Aceder à Internet
Comment[pt_BR]=Acessar a internet
Comment[ro]=Accesaţi Internetul
Comment[ru]=Доступ в Интернет
Comment[sk]=Prístup do siete Internet
Comment[sl]=Dostop do interneta
Comment[sr]=Приступите Интернету
Comment[sv]=Gå ut på Internet
Comment[ta]=இணையத்தை அணுகுதல்
Comment[te]=ఇంటర్నెట్ను ఆక్సెస్ చెయ్యండి
Comment[th]=เข้าถึงอินเทอร์เน็ต
Comment[tr]=İnternet'e erişin
Comment[uk]=Доступ до Інтернету
Comment[vi]=Truy cập Internet
Comment[zh_CN]=访问互联网
Comment[zh_HK]=連線到網際網路
Comment[zh_TW]=連線到網際網路
Exec=firejail /usr/bin/chromium %U
StartupNotify=true
Terminal=false
Icon=chromium
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml_xml;image/webp;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
Actions=new-window;new-private-window;

[Desktop Action new-window]
Name=New Window
Name[am]=አዲስ መስኮት
Name[ar]=نافذة جديدة
Name[bg]=Нов прозорец
Name[bn]=নতুন উইন্ডো
Name[ca]=Finestra nova
Name[cs]=Nové okno
Name[da]=Nyt vindue
Name[de]=Neues Fenster
Name[el]=Νέο Παράθυρο
Name[en_GB]=New Window
Name[es]=Nueva ventana
Name[et]=Uus aken
Name[fa]=پنجره جدید
Name[fi]=Uusi ikkuna
Name[fil]=New Window
Name[fr]=Nouvelle fenêtre
Name[gu]=નવી વિંડો
Name[hi]=नई विंडो
Name[hr]=Novi prozor
Name[hu]=Új ablak
Name[id]=Jendela Baru
Name[it]=Nuova finestra
Name[iw]=חלון חדש
Name[ja]=新規ウインドウ
Name[kn]=ಹೊಸ ವಿಂಡೊ
Name[ko]=새 창
Name[lt]=Naujas langas
Name[lv]=Jauns logs
Name[ml]=പുതിയ വിന്ഡോ
Name[mr]=नवीन विंडो
Name[nl]=Nieuw venster
Name[no]=Nytt vindu
Name[pl]=Nowe okno
Name[pt]=Nova janela
Name[pt_BR]=Nova janela
Name[ro]=Fereastră nouă
Name[ru]=Новое окно
Name[sk]=Nové okno
Name[sl]=Novo okno
Name[sr]=Нови прозор
Name[sv]=Nytt fönster
Name[sw]=Dirisha Jipya
Name[ta]=புதிய சாளரம்
Name[te]=క్రొత్త విండో
Name[th]=หน้าต่างใหม่
Name[tr]=Yeni Pencere
Name[uk]=Нове вікно
Name[vi]=Cửa sổ Mới
Name[zh_CN]=新建窗口
Name[zh_TW]=開新視窗
Exec=firejail /usr/bin/chromium

[Desktop Action new-private-window]
Name=New Incognito Window
Name[ar]=نافذة جديدة للتصفح المتخفي
Name[bg]=Нов прозорец „инкогнито“
Name[bn]=নতুন ছদ্মবেশী উইন্ডো
Name[ca]=Finestra d'incògnit nova
Name[cs]=Nové anonymní okno
Name[da]=Nyt inkognitovindue
Name[de]=Neues Inkognito-Fenster
Name[el]=Νέο παράθυρο για ανώνυμη περιήγηση
Name[en_GB]=New Incognito window
Name[es]=Nueva ventana de incógnito
Name[et]=Uus inkognito aken
Name[fa]=پنجره جدید حالت ناشناس
Name[fi]=Uusi incognito-ikkuna
Name[fil]=Bagong Incognito window
Name[fr]=Nouvelle fenêtre de navigation privée
Name[gu]=નવી છુપી વિંડો
Name[hi]=नई गुप्त विंडो
Name[hr]=Novi anoniman prozor
Name[hu]=Új Inkognitóablak
Name[id]=Jendela Penyamaran baru
Name[it]=Nuova finestra di navigazione in incognito
Name[iw]=חלון חדש לגלישה בסתר
Name[ja]=新しいシークレット ウィンドウ
Name[kn]=ಹೊಸ ಅಜ್ಞಾತ ವಿಂಡೋ
Name[ko]=새 시크릿 창
Name[lt]=Naujas inkognito langas
Name[lv]=Jauns inkognito režīma logs
Name[ml]=പുതിയ വേഷ പ്രച്ഛന്ന വിന്ഡോ
Name[mr]=नवीन गुप्त विंडो
Name[nl]=Nieuw incognitovenster
Name[no]=Nytt inkognitovindu
Name[pl]=Nowe okno incognito
Name[pt]=Nova janela de navegação anónima
Name[pt_BR]=Nova janela anônima
Name[ro]=Fereastră nouă incognito
Name[ru]=Новое окно в режиме инкогнито
Name[sk]=Nové okno inkognito
Name[sl]=Novo okno brez beleženja zgodovine
Name[sr]=Нови прозор за прегледање без архивирања
Name[sv]=Nytt inkognitofönster
Name[ta]=புதிய மறைநிலைச் சாளரம்
Name[te]=క్రొత్త అజ్ఞాత విండో
Name[th]=หน้าต่างใหม่ที่ไม่ระบุตัวตน
Name[tr]=Yeni Gizli pencere
Name[uk]=Нове вікно в режимі анонімного перегляду
Name[vi]=Cửa sổ ẩn danh mới
Name[zh_CN]=新建隐身窗口
Name[zh_TW]=新增無痕式視窗
Exec=firejail /usr/bin/chromium --incognito

remove every .desktop file and try to use firectl again to disable/enable what you want.

Where could all the *.desktop files be located?

I am having issues with chromium. After running sudo firecfg --clean and rm firefox.desktop in this directory ~/.local/share/applications and after running sudo firectl enable chromium it does get sandboxed but even if I disable it chromium is still being sandboxed.

I've started work on a firecfg-ng (firecfg next-generation) to avoid all this messy, headache-inducing stuff. It will have disable/enable functionality cfr. firectl, as well as fixes for all currently known/reported firecfg bugs and issues. This will take a while, but I wanted to inform you nonetheless.

Oh nice I hope it works out :)

On a similar note, if your list of applications you always want to be firejailed isn't too long, I suggest you drop tools like firectl/firecfg completely and setup symlinks (in /usr/local/bin) and edited .desktop files (in ~/.local/share/applications) yourself manually. In the end that looks to be the more manageable solution to all this IMHO. And even when the list is long(er), doing the work manually and keeping a file with info of what you always run through firejail isn't that complicated. It's what I've been doing ever since starting to use firejail for what that's worth...

I could try that but what do I put inside the *.desktop file?

I started a firecfg.py, maybe we should collaborate to avoid duplicated work.

I wish I could help you out but I have basic programming skills, unless if this is easy to code?

[rusty-snake]

Working way to fix .desktop files: https://gist.github.com/rusty-snake/3e4b8f8555e942d2964a181d4a5f64a0#file-firecfg-py

[glitsj16]

I've started work on a firecfg-ng (firecfg next-generation) to avoid all this messy, headache-inducing stuff.

I started a firecfg.py, maybe we should collaborate to avoid duplicated work.

@rusty-snake Yeah, I saw your nice Python script, works fine on a test sample for me. And I would definately like to collaborate on this firecfg mess. Give me a day to do some more extensive testing and I'll keep everybody informed on firecfg-ng in #2624 . For now it is just a simple shell script wrapper around firecfg, building on what I added to the discussion in #3016. I opted for a shell script because

• it doesn't add any new dependencies;
• it doesn't need any patching.

Allthough I really like your script, IMHO doing it in Python might hinder acceptance due to dependency decisions or keep it in contrib forever, both of which wouldn't serve the main goal here: to unbreak firecfg for regular users. Obviously the best solution would be to fix the C code in firecfg itself. None of the more capable C coders here seem to have an interest, are not yet aware of firecfg's broken state or simply don't have the time to do all work. This is not a critique, just a personal observation on the current situation. I do understand there's plenty of other work to be done on the C codebase to keep busy for a while :)

[glitsj16]

@Joe23232

Where could all the *.desktop files be located?

Under ~/.local/share/applications.

I am having issues with chromium. After running sudo firecfg --clean and rm firefox.desktop in this directory ~/.local/share/applications and after running sudo firectl enable chromium it does get sandboxed but even if I disable it chromium is still being sandboxed.

The /usr/share/applications/chromium.desktop file looks fine to me. It has all the necessary 'Exec=' lines pointing to 'firejail /usr/bin/chromium', which is the way firectl works. I don't know why your chromium is still being sandboxed after disabling it in firectl. Unless there's still a ~/.local/share/applications/chromium.desktop on your system. If it is, take it out, together with any lingering firejail symlinks in /usr/local/bin.

You can always use @rusty-snake's script too as he suggested. I didn't want to confuse your situation even more by adding another alternative to using firecfg and firectl :).

[rusty-snake]

@glitsj16 as a very first preview: https://github.com/rusty-snake/firecfg.py/tree/6f210201c5f4eec35c8e0ddd6c9c10e7e680e831

IMHO doing it in Python might hinder acceptance due to dependency decisions

My goal about dependencies is to only require python3.6 (or what ever python version it will end). No pip, no other third-party python packages, the standart librarys are big enough.

Reasons for the python decision

• In contrast to firejail firecfg is not a suid and not so critical that it must be C, C++, Rust, ...
• Easyer to implement new features
• I can't C (but Rust)
• It will give more people a way to contribute code. @Fred-Barclay 😏

or keep it in contrib forever

or as own project forever ;)

[glitsj16]

@rusty-snake Thanks for the link and clarifying your reasons to go with Python. I wouldn't mind such a dependency being added to firejail, we have other Pythons in contrib. But I'm not a package manager :). It was a long day for me and I need a break. I'll keep you informed on the firefox-ng script, should be able to put something out during the weekend.

[Joe23232]

@Joe23232

Where could all the *.desktop files be located?

Under ~/.local/share/applications.

I am having issues with chromium. After running sudo firecfg --clean and rm firefox.desktop in this directory ~/.local/share/applications and after running sudo firectl enable chromium it does get sandboxed but even if I disable it chromium is still being sandboxed.

The /usr/share/applications/chromium.desktop file looks fine to me. It has all the necessary 'Exec=' lines pointing to 'firejail /usr/bin/chromium', which is the way firectl works. I don't know why your chromium is still being sandboxed after disabling it in firectl. Unless there's still a ~/.local/share/applications/chromium.desktop on your system. If it is, take it out, together with any lingering firejail symlinks in /usr/local/bin.

You can always use @rusty-snake's script too as he suggested. I didn't want to confuse your situation even more by adding another alternative to using firecfg and firectl :).

Sure mate, but is @rusty-snake's script stable? Or is it still in testing phase?

[Joe23232]

@rusty-snake Just out of curiosity, if you used Rust instead of Python, would it run faster the script that you are writing?

[rusty-snake]

Sure mate, but is @rusty-snake's script stable? Or is it still in testing phase?

Stable: https://gist.github.com/rusty-snake/3e4b8f8555e942d2964a181d4a5f64a0

• you must first create the firejail symlinks (sudo firecfg).
• it will override your local desktop files unless you set KEEP_EXISTING = True (L51).

Prieview (do not use): https://github.com/rusty-snake/firecfg.py/tree/0.0.0-preview

Just out of curiosity, if you used Rust instead of Python, would it run faster

Sure. However, there are more python developers in the world (and in the firejail community) and my intention was no one man show. The python version runs in under one second and firecfg is usually only executed after installing/removing software.

[Joe23232]

Stable: https://gist.github.com/rusty-snake/3e4b8f8555e942d2964a181d4a5f64a0

you must first create the firejail symlinks (sudo firecfg).
it will override your local desktop files unless you set KEEP_EXISTING = True (L51).

But firecfg still has bugs right?

Prieview (do not use): https://github.com/rusty-snake/firecfg.py/tree/0.0.0-preview

This is the next updated version of firecfg, right?

[rusty-snake]

But firecfg still has bugs right?

Yes, that's only an alternative for firecfg --fix

This is the next updated version of firecfg, right?

Nope, currently this is just a personal project from me. Maybe it will replace firecfg in the future if wished or is shipped with the C-firecfg / in contrib.

[Joe23232]

@rusty-snake

Yes, that's only an alternative for firecfg --fix

Oh ok so everytime I want to contain a program I have to run firecfg --fix, right?

Nope, currently this is just a personal project from me. Maybe it will replace firecfg in the future if wished or is shipped with the C-firecfg / in contrib.

Is this ready to use by any chance? If so I just have to build it and it will work, right?

[rusty-snake]

Oh ok so everytime I want to contain a program I have to run firecfg --fix, right?

If you install/remove software with a firejail profile you should run sudo firecfg which will create/remove the symlinks and fix the desktop-files if necessary.

Is this ready to use by any chance?

Give it some time ;)

[rusty-snake]

I'm closing here due to inactivity, please fell free to reopen if you have more questions.

[Joe23232]

Oh ok so everytime I want to contain a program I have to run firecfg --fix, right?

If you install/remove software with a firejail profile you should run sudo firecfg which will create/remove the symlinks and fix the desktop-files if necessary.

Is this ready to use by any chance?

Give it some time ;)

For some weird reason I didn't get your notification or something, sorry I forgot to respond to it if I did :)