When building a profile for a new application, we always start with a simple blacklisted profile based on /etc/firejail/default.profile. The procedure is described in Building Custom Profiles. More restrictive profiles are built using Firejail’s whitelisting feature.
In blacklisted profiles the user “blacklists” the files the application is not allowed to access. In whitelisted profiles the user “whitelists” the files necessary for the application to run, while everything else is off limits. The steps are as follows:
1. Create a simple bash sandbox using --private. The sandbox has an empty home directory, with only a skeleton of files needed to run GUI applications. The directory is built in a temporary (tmpfs) filesystem. When the sandbox is closed, all files in this directory will be destroyed, and the regular home directory is restored.
2. Start the program in this bash session. I use the Simutrans game as an example (sudo apt-get install simutrans). Play around for a while, then close the game and list all the files in the home directory using the find utility.
Notice the game creates a ~/.simutrans directory where it keeps program configuration and game data. This is the only directory that needs to be whitelisted. At this point we have all the information we need, so we can type exit and close the sandbox.
3. Create the new profile in the ~/.config/firejail directory using your favorite text editor. The file name is always appname.profile, in this case simutrans.profile. The content of the file is as follows:
# simutrans profile
noblacklist ~/.simutrans
mkdir ~/.simutrans
whitelist ~/.simutrans
include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile
I use mkdir to create the new ~/.simutrans directory in the real user home in case it doesn't exist, and whitelist it. I also bring in session configuration such as fonts, desktop themes, GTK, Qt etc. by including /etc/firejail/whitelist-common.inc. In the end I also include the default blacklisting configuration by including /etc/firejail/default.profile, in order to import the security filters such as seccomp and capabilities.
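Steps 2 and 3 above can be scripted: take a find listing of the --private home before the application runs and one after, and every top-level entry that appears only in the second listing is something the application created and needs whitelisted. The script below is an added example, not code from the original post or from the Firejail project; the two listings and the /home/user path are constructed, and mkfile (Firejail's counterpart of mkdir for plain files) is used for entries that have no children in the listing.

```shell
#!/bin/sh
# Added example: derive the whitelist lines of a Firejail profile from two
# `find ~ -mindepth 1` listings of the --private sandbox home, taken before
# and after running the application. Listings here are constructed.
HOME_DIR=/home/user   # assumed home path inside the sandbox

# Constructed: the GUI skeleton that --private puts in the empty home.
BEFORE='/home/user/.Xauthority
/home/user/.config
/home/user/.config/gtk-3.0'
# Constructed: the same home after the game has been played and closed.
AFTER='/home/user/.Xauthority
/home/user/.config
/home/user/.config/gtk-3.0
/home/user/.simutrans
/home/user/.simutrans/settings.xml
/home/user/.simutrans/save/autosave.sve'

# Reduce a listing on stdin to the unique first path components under $HOME_DIR.
top_level() { sed -n "s|^$HOME_DIR/\([^/]*\).*|\1|p" | sort -u; }

# Print the top-level entries present in the "after" listing but not in
# "before": the skeleton is already covered by whitelist-common.inc.
new_top_level() {
    skel=$(printf '%s\n' "$1" | top_level)
    printf '%s\n' "$2" | top_level | while IFS= read -r e; do
        printf '%s\n' "$skel" | grep -qxF -- "$e" || printf '%s\n' "$e"
    done
}

# Emit the profile: noblacklist + mkdir/mkfile + whitelist for each new entry,
# then the two includes from the post (session files, default security filters).
gen_profile() {
    app=$1 before=$2 after=$3
    printf '# %s profile\n' "$app"
    new_top_level "$before" "$after" | while IFS= read -r e; do
        if printf '%s\n' "$after" | grep -qF -- "$HOME_DIR/$e/"; then
            create=mkdir      # entry has children in the listing: a directory
        else
            create=mkfile     # nothing below it: a plain file
        fi
        printf 'noblacklist ~/%s\n%s ~/%s\nwhitelist ~/%s\n' "$e" "$create" "$e" "$e"
    done
    printf 'include /etc/firejail/whitelist-common.inc\n'
    printf 'include /etc/firejail/default.profile\n'
}

# Print the profile; redirect it to ~/.config/firejail/simutrans.profile (step 3).
gen_profile simutrans "$BEFORE" "$AFTER"
```

Review the generated entries before installing the profile: anything the application wrote outside its own dot-directory (for example under ~/.config) shows up here too and may deserve a narrower whitelist than a whole top-level directory.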
4. Test the new profile: