Building Custom Profiles

Most of Firejail's command line options can also be given in a profile file. User-defined profiles are stored in the ~/.config/firejail directory, and a profile found there takes precedence over a system profile of the same name in /etc/firejail. Assuming app_name is the name of the command you use to start the application, the steps for building a custom profile are as follows:

1. Create a .config/firejail directory in your home directory:

$ cd ~
$ mkdir -p .config/firejail
$ cd .config/firejail

2. Copy into this directory the default security profile that Firejail uses for unrecognized applications:

$ cp /etc/firejail/default.profile app_name.profile

The new profile file, app_name.profile, must have the same name as the command, with only a .profile extension added. For example, if you intend to run mplayer, your file name will be mplayer.profile. Firejail loads the profile automatically only when the names match; a file with any other name has to be passed explicitly with --profile=/path/to/file. Keep in mind that ~/.config/firejail is writable by your user, so any unsandboxed process running as you can rewrite the profile; if that matters, move the finished profile to /etc/firejail.

3. Edit the new profile file: comment out lines, blacklist directories, whitelist files, and so on. See "man 5 firejail-profile" for a description and the correct syntax of all profile commands.

4. Start your application:

$ firejail app_name

As the application starts, you will see Firejail picking up the new security profile file (Reading profile /home/username/.config/firejail/app_name.profile):

$ firejail app_name
Reading profile /home/username/.config/firejail/app_name.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
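Putting the four steps together, here is a script, added here and not part of Firejail, that seeds app_name.profile from the system default, appends the rules you want, and runs a few static checks before you trust the profile. The directories /etc/firejail and ~/.config/firejail are the ones this page uses and can be overridden through FJ_SYS_DIR and FJ_USER_DIR; the lookup of a bare include name in the user and then the system directory is an assumption about newer Firejail releases, since this page only uses absolute include paths.

```shell
#!/bin/sh
# Added example, not part of the Firejail project. Builds
# $FJ_USER_DIR/app_name.profile as in the steps above and lints it before
# first use. Assumptions: system profiles live in $FJ_SYS_DIR, user profiles
# in $FJ_USER_DIR; both can be overridden from the environment.
set -u
FJ_SYS_DIR="${FJ_SYS_DIR:-/etc/firejail}"
FJ_USER_DIR="${FJ_USER_DIR:-$HOME/.config/firejail}"

# Steps 1 and 2: create the user profile directory and seed app_name.profile
# from the system default. Prints the path of the new file.
build_profile() {
    app="$1"
    # The file must be named exactly after the command, so reject anything
    # that is not a plain command name.
    case "$app" in ""|*/*|*" "*) echo "build_profile: bad name '$app'" >&2; return 1;; esac
    out="$FJ_USER_DIR/$app.profile"
    if [ -e "$out" ]; then
        echo "build_profile: $out exists, not overwriting" >&2; return 1
    fi
    mkdir -p "$FJ_USER_DIR" && cp "$FJ_SYS_DIR/default.profile" "$out" && echo "$out"
}

# Step 3 helper: append one profile line, e.g. add_rule "$prof" 'net none'.
add_rule() { printf '%s\n' "$2" >> "$1"; }

# Static checks for mistakes that only show up at run time otherwise:
# missing include files, relative paths, and a bare "private" that empties
# the home directory so whitelisted home files are gone.
# Returns 0 when clean, 1 otherwise; findings go to stderr.
lint_profile() {
    prof="$1"; rc=0; private=0; whitelist=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"              # drop comments
        set -f; set -- $line; set +f    # split into words, no globbing
        [ "$#" -gt 0 ] || continue
        cmd="$1"; arg="${2:-}"
        case "$cmd" in
        include)
            # Firejail refuses to start when an include is missing. Absolute
            # paths are what this page uses; a bare name is assumed (newer
            # releases) to be looked up in the user, then the system directory.
            case "$arg" in
            /*) f="$arg" ;;
            *)  f="$FJ_USER_DIR/$arg"; [ -r "$f" ] || f="$FJ_SYS_DIR/$arg" ;;
            esac
            [ -r "$f" ] || { echo "$prof: include $arg: file not found" >&2; rc=1; } ;;
        whitelist|read-only|read-write|blacklist|noblacklist)
            # Paths must be absolute; ~ and ${HOME} are expanded by Firejail.
            case "$arg" in
            /*|'~/'*|'${HOME}/'*) ;;
            *) echo "$prof: $cmd $arg: not an absolute path" >&2; rc=1 ;;
            esac
            [ "$cmd" = whitelist ] && whitelist=1 ;;
        private) [ -z "$arg" ] && private=1 ;;
        esac
    done < "$prof"
    if [ "$private" = 1 ] && [ "$whitelist" = 1 ]; then
        echo "$prof: bare 'private' empties home, so whitelisted home files disappear" >&2
        rc=1
    fi
    return "$rc"
}

# Usage: sh mkprofile.sh mplayer 'whitelist ${HOME}/Videos' 'read-only ${HOME}/Videos'
main() {
    prof=$(build_profile "$1") || exit 1
    shift
    for rule in "$@"; do add_rule "$prof" "$rule"; done
    lint_profile "$prof" && echo "ok: $prof"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The lint is deliberately conservative: it only knows the handful of commands that appear on this page, and it complements rather than replaces the check the author recommends further down, namely starting a sandbox with firejail --profile=path_to_your_profile_file and letting Firejail itself complain.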

28 thoughts on “Building Custom Profiles”

  1. Harri

    I’m trying to make a custom profile like this:
    include /etc/firejail/generic.profile
    whitelist ${HOME}/somefile
    read-only ${HOME}/somefile

    For some reason using a white-list seems to discard access to home directory (only “somefile” shown). Does using any white-listed file for example home directory whitelisted by default?
    For some reason “somefile” is also read-write instead of read-only. Is this a bug perhaps? Also some files blacklisted in generic.profile seem to be accessible and readable. (I’m using version firejail_0.9.36_1_amd64.deb on Mint 17.2)

    1. netblue30 Post author

      > For some reason using a white-list seems to discard access to home directory (only “somefile” shown).

      Yes, this is true. Whitelisting allows only the files and directories you specify in the list, everything else is removed.

      > For some reason “somefile” is also read-write instead of read-only.

      It seems to work:

      $ cd ~
      $ touch t
      $ firejail --whitelist=~/t --read-only=~/t
      Reading profile /etc/firejail/generic.profile
      Reading profile /etc/firejail/disable-mgmt.inc
      Reading profile /etc/firejail/disable-secret.inc
      Reading profile /etc/firejail/disable-common.inc
      
      ** Note: you can use --noprofile to disable generic.profile **
      
      Parent pid 1563, child pid 1564
      
      Child process initialized
      $ echo "asdfasdfadsf" > t
      bash: t: Read-only file system
      $ 
      

      Also blacklisting seems to work, give me an example. Thanks!

  2. Ronald McDonald

    Hi,

    I want to use firejail with soulseek, which is a music sharing program (the linux client is nicotine).

    While protecting my system using firejail, I also have to make 1000s (literally thousands) of directories available read only. These thousands of directories all descend from one of five base directories, and ultimately from one single directory above that.

    The problem is that – as far as can see – firejail does not give recursive permissions to sub-directories. I will have to (make a script to) write thousands of
    :
    whitelist some/dir/name/dir1/
    read-only some/dir/name/dir1/
    whitelist some/dir/name/dir2/
    read-only some/dir/name/dir2/
    :
    :
    pairings.

    Is there any way, like linking under my (firejail faked) home directory, to have firejail make thousands of directories available read only?

    thanks for any help and thanks for a great application.

    R

    1. netblue30 Post author

      You only need to whitelist the top directory. The top directory needs to be in your user home directory. If the top directory is a symbolic link, the real directory also needs to be in user home.

  3. Doud

    If I enter $ firejail firefox then Firejail opens the distribution version, 44, of Firefox.
    I use a different version 38esr, of Firefox as my default. How do I get Firejail to open my default version?

  4. Richard

    Is there anywhere custom profiles can be checked? I think I have my ktorrent profile configured correctly, but it would be nice to be certain.

    1. netblue30 Post author

      Yes, in a terminal run a simple sandbox with your profile:

      $ firejail --profile=path_to_your_profile_file

      It will complain if it finds a problem with the profile file.

  5. fox12

    How do I know which files and directories to whitelist? I'm trying to generate a custom profile for the liferea RSS reader.

    1. netblue30 Post author

      I’ll try to bring in support for it in the next version. You need to find the directories where liferea is keeping its internal data in your home directory. They seem to be ~/.config/liferea and ~/.local/share/liferea/

  6. Alex Turbov

    Is there a way to make some directory RO, but one child of it as RW w/o root privileges?
    I'm trying to sandbox my unit tests, disabling any writes to the sources tree but keeping a build tree (which is a child of it) writable, i.e. something like:

    --[unit-tests.profile]---
    read-only /work/my-sources
    read-write /work/my-sources/build/debug
    ---

    unit tests are executed as a separate `builder` user (and it is not supposed to be the `root` user!)

    1. netblue30 Post author

      Yes, this is supported in upcoming version 0.9.42:

      $ man firejail
      [...]
            --read-write=dirname_or_filename
                    Set  directory  or  file  read-write.  Only files or directories
                    belonging to the current user are allowed  for  this  operation.
                    Example:
      
                    $ mkdir ~/test
                    $ touch ~/test/a
                    $ firejail --read-only=~/test --read-write=~/test/a
      [...]
      

      There is a 0.9.42~rc1 version on the download page, or you can grab the latest on mainline from github.

  7. Roger

    Can --whitelist and --noexec be combined?
    I want whitelisted folders to block execution of scripts.
    A jailed app should be able to read/write only from a whitelisted folder and no other folders but not be able to execute.

  8. Roger

    Thanks for the answers. I tried to keep them short and simple.
    I have an app from here that is for recording audio (dictation mostly):
    https://launchpad.net/~audio-recorder/+archive/ubuntu/ppa

    I am trying to block internet access and confine to a folder.
    Seems like something common someone would want to do to a new app that handles sensitive information.

    If I run with just firejail it is fine:
    $ firejail audio-recorder --show-window=0
    Reading profile /home/dad/.config/firejail/audio-recorder.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Parent pid 29206, child pid 29211
    Child process initialized

    Parent is shutting down, bye…
    (the gui launches)

    If I add the whitelist option I get this:
    $ firejail --whitelist=~/Audio audio-recorder --show-window=0
    Reading profile /home/dad/.config/firejail/audio-recorder.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/disable-passwdmgr.inc
    Parent pid 29313, child pid 29314
    Child process initialized
    libdc1394 error: Failed to initialize libdc1394
    (gst-plugin-scanner:5): GLib-GObject-WARNING **: cannot register existing type 'ClutterGstVideoSink'
    (gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion 'G_TYPE_IS_INSTANTIATABLE (instance_type)' failed
    (gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion 'G_TYPE_IS_INSTANTIATABLE (instance_type)' failed
    (gst-plugin-scanner:5): GLib-CRITICAL **: g_once_init_leave: assertion 'result != 0' failed
    (gst-plugin-scanner:5): GLib-GObject-CRITICAL **: g_object_new: assertion 'G_TYPE_IS_OBJECT (object_type)' failed
    ERROR: Caught a segmentation fault while loading plugin file:
    /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstclutter-3.0.so
    Please either:
    - remove it and restart.
    - run with --gst-disable-segtrap --gst-disable-registry-fork and debug.
    (audio-recorder:2): GStreamer-CRITICAL **: Trying to stop a GstDeviceProvider v4l2deviceprovider0 which is already stopped
    (audio-recorder:2): GStreamer-CRITICAL **: Trying to stop a GstDeviceProvider pulsedeviceprovider0 which is already stopped
    Parent is shutting down, bye…

    (the gui launches and is missing quite a few options)

    1. netblue30 Post author

      Use --net=none on the command line or "net none" in your profile file. It will block any network access.

      libdc1394 error: in your profile file use "protocol unix,inet,inet6,netlink". You need the "netlink" protocol; the program probably tries to access a video camera.

  9. Roger

    I have been experimenting with --net=none.
    It seems to block all networking.
    As an experiment I disabled my Internet access and ran VLC using firejail. No issues.
    I turned the internet back on and ran:
    > firejail --net=none vlc
    Got all kinds of errors.

    Can I block the Internet only or do I have to block all networking?
    With all of the damn spying going on nowadays apps will “phone home” like E.T.
    This must absolutely come to a stop.
    I am hopeful firejail can help me get this done.
    I am also concerned that apps may be accessing my home folder files.
    firejail handles this quite well and for that I am very grateful.

    I really cannot turn off my internet every single time an app runs.
    Windows XP had an app firewall.
    I have been looking into various app firewalls for linux such as Leopard Flower Firewall and Douane
    I am still hopeful that firejail is the one stop solution I have been looking for.

    1. netblue30 Post author

      > firejail --net=none vlc: Got all kinds of errors.

      The --net command also disables Unix sockets, so some of the program functionality will be lost, for example DBus functionality. Some applications don't like it and will not manage to start.

      Another way to disable internet access is to use the --private command. For your VLC example, you open the /etc/firejail/vlc.profile file in a text editor and replace the line "protocol unix,inet,inet6" with "protocol unix".

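The replies to comments 6 and 9 above describe behaviour (a read-only source tree with a read-write build subdirectory, and network access removed with net none) that is worth checking rather than trusting. The following script, added here and not part of Firejail or the original post, writes the unit-test profile from comment 6 with net none added, then runs three probes inside the sandbox and reports which of them is not enforced. The path /work/my-sources is the commenter's; the script assumes Firejail 0.9.42 or later (for read-write) and that firejail exits with the status of the sandboxed command, which is how the pass/fail result is read back.

```shell
#!/bin/sh
# Added example, not part of Firejail or the original post: check that a
# profile really enforces read-only sources, a read-write build directory
# and "net none" instead of trusting it. Returns 0 when every probe passes,
# 1 when one fails, 2 when firejail is not installed (treat as skipped).
# Assumes firejail 0.9.42 or later (read-write) and that firejail exits
# with the status of the sandboxed command.
set -u

# The profile from comment 6, with "net none" from comment 9 added.
write_build_profile() {       # write_build_profile profile_path sources_dir
    printf 'read-only %s\nread-write %s/build/debug\nnet none\n' "$2" "$2" > "$1"
}

# The probe runs inside the sandbox; it lives in a file so that only plain
# arguments have to pass through firejail's command line handling.
write_probe() {               # write_probe probe_path sources_dir
    cat > "$1" <<EOF
#!/bin/sh
case "\$1" in
ro)  echo x >> "$2/main.c" 2>/dev/null ;;              # expected to fail
rw)  echo x > "$2/build/debug/out" ;;                  # expected to succeed
net) sed -n 's/^ *\([^ :]*\):.*/\1/p' /proc/net/dev ;; # interface names
esac
EOF
}

# Run one probe under the given profile only (no default profile).
in_jail() {                   # in_jail profile_path probe_path probe_name
    firejail --quiet --profile="$1" -- sh "$2" "$3"
}

verify_build_profile() {      # verify_build_profile sources_dir
    src="$1"
    command -v firejail >/dev/null 2>&1 || { echo "SKIP: firejail not installed" >&2; return 2; }
    mkdir -p "$src/build/debug" && : > "$src/main.c" || return 1
    prof=$(mktemp) && probe=$(mktemp) || return 1
    write_build_profile "$prof" "$src"
    write_probe "$probe" "$src"
    rc=0
    # 1. Writes into the source tree must fail with "Read-only file system".
    if in_jail "$prof" "$probe" ro; then
        echo "FAIL: $src/main.c is writable" >&2; rc=1
    fi
    # 2. Writes under build/debug must succeed although the parent is read-only.
    in_jail "$prof" "$probe" rw || { echo "FAIL: $src/build/debug is not writable" >&2; rc=1; }
    # 3. With "net none" the sandbox sees only the loopback interface.
    ifaces=$(in_jail "$prof" "$probe" net)
    [ "$ifaces" = lo ] || { echo "FAIL: interfaces visible in sandbox: $ifaces" >&2; rc=1; }
    rm -f "$prof" "$probe"
    return "$rc"
}

# Usage: sh verify-profile.sh "$HOME/work/my-sources"
if [ "$#" -gt 0 ]; then verify_build_profile "$1"; fi
```

Run it against a directory under your home, as in the man page excerpt above, since read-write is only applied to files and directories that belong to the current user. A failing probe 3 on a machine where the profile also needs DBus is the trade-off the author describes: net none removes the Unix sockets too, so if probe 3 passes but the application no longer starts, the protocol line is the alternative to try.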
  10. uli

    There was no default tor profile so I wrote this file ~/.config/firejail/torbrowser-launcher.profile:

    # Firejail profile for Tor Browser Bundle
    include /etc/firejail/disable-passwdmgr.inc
    include /etc/firejail/disable-programs.inc
    include /etc/firejail/disable-common.inc
    include /etc/firejail/disable-devel.inc
    caps.drop all
    nonewprivs
    nogroups
    shell none
    seccomp
    protocol unix,inet,inet6,netlink
    netfilter
    tracelog
    noroot
    private
    private-tmp

    When I try to start up with the command firejail torbrowser-launcher, the newest tor browser is downloaded and installed, then I get the following error message:

    Running /home/uli/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop
    Unhandled Error
    Traceback (most recent call last):
    File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 916, in dispatcher
    return func(*args, **kwargs)
    File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 1472, in _finishResponse_WAITING
    self._giveUp(Failure(reason))
    File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 1525, in _giveUp
    self._disconnectParser(reason)
    File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 1513, in _disconnectParser
    parser.connectionLost(reason)
    — —
    File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 537, in connectionLost
    self.response._bodyDataFinished()
    File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 916, in dispatcher
    return func(*args, **kwargs)
    File "/usr/lib64/python2.7/site-packages/twisted/web/_newclient.py", line 1161, in _bodyDataFinished_CONNECTED
    self._bodyProtocol.connectionLost(reason)
    File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 329, in connectionLost
    self.all_done(reason)
    File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 346, in response_finished
    self.run_task()
    File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 282, in run_task
    self.verify()
    File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 491, in verify
    self.run_task()
    File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 286, in run_task
    self.extract()
    File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 531, in extract
    self.run_task()
    File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 290, in run_task
    self.run()
    File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 583, in run
    subprocess.call([self.common.paths['tbb']['start']], cwd=self.common.paths['tbb']['dir_tbb'])
    File "/usr/lib64/python2.7/subprocess.py", line 523, in call
    return Popen(*popenargs, **kwargs).wait()
    File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
    File "/usr/lib64/python2.7/subprocess.py", line 1343, in _execute_child
    raise child_exception
    exceptions.OSError: [Errno 13] Permission denied
    Any idea what went wrong?

    1. netblue30 Post author

      My guess will be the "private" command in your profile. This cleans up your home directory, and it will remove /home/uli/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop from the sandbox.

  11. adsfasdfasdfasdf

    How do I configure Firejail to use the custom profiles by default? For the default profiles I can just use firecfg. How about the custom ones?

    1. netblue30 Post author

      If you have a profile file, you put it in the /home/username/.config/firejail directory. Then, you can create symbolic links by hand in the /usr/local/bin directory (ln -s /usr/bin/firejail /usr/local/bin/program-name).

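The symbolic-link trick in the reply above is what firecfg does for the system profiles. The script below, added here and not part of Firejail or firecfg, does the same for every profile in a directory of custom profiles, with the two checks that make such links safe to install: it never overwrites an existing file (a real program living in the link directory would otherwise be replaced by firejail), and it only creates a link where the link directory comes before the real program in PATH, because a link that is shadowed is never used and the application simply runs unsandboxed. The defaults ~/.config/firejail, /usr/local/bin and /usr/bin/firejail are assumptions about a typical install; pass your own paths.

```shell
#!/bin/sh
# Added example, not part of Firejail or firecfg: create a symbolic link
# named after each custom profile so that the command starts sandboxed.
# Assumptions: profiles in $1, links in $2, the firejail binary at $3.
set -u

# 0 if directory $1 comes before directory $2 in PATH, else 1.
path_precedes() {
    want="$1"; other="$2"; old_ifs="$IFS"
    IFS=:; set -f; set -- $PATH; set +f; IFS="$old_ifs"
    for d in "$@"; do
        [ "$d" = "$want" ] && return 0
        [ "$d" = "$other" ] && return 1
    done
    return 1
}

# link_custom_profiles profile_dir link_dir firejail_bin
# Prints the number of links created; skipped entries are reported on stderr.
link_custom_profiles() {
    pdir="$1"; ldir="$2"; fj="$3"; n=0
    for prof in "$pdir"/*.profile; do
        [ -e "$prof" ] || continue                  # no profiles at all
        name=$(basename "$prof" .profile)
        # Never clobber a real program (or an earlier link) in the link dir.
        if [ -e "$ldir/$name" ] || [ -L "$ldir/$name" ]; then
            echo "skip $name: $ldir/$name already exists" >&2; continue
        fi
        real=$(command -v "$name" 2>/dev/null) || { echo "skip $name: not in PATH" >&2; continue; }
        rdir=$(dirname "$real")
        if ! path_precedes "$ldir" "$rdir"; then
            echo "skip $name: $ldir comes after $rdir in PATH, link would be ignored" >&2; continue
        fi
        # Firejail started through a link uses the link's name to pick the
        # program and its profile, so "name" now runs inside the sandbox.
        ln -s "$fj" "$ldir/$name" && n=$((n + 1))
    done
    echo "$n"
}

# Usage (as root when linking into /usr/local/bin):
#   sh link-profiles.sh /home/username/.config/firejail /usr/local/bin /usr/bin/firejail
if [ "$#" -gt 0 ]; then
    link_custom_profiles "${1:-$HOME/.config/firejail}" "${2:-/usr/local/bin}" "${3:-/usr/bin/firejail}"
fi
```

After linking, confirm the redirection took effect the same way the page does at the top: run the bare command name and check that the Reading profile lines name your ~/.config/firejail/app_name.profile.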
  12. Mr.Fox

    Is there a way I can start my local applications in firejail as different users? 🙂 It's like making the application started in firejail think it's running as a different user, while it should still have access to my local content.

