Firejail - Act II, Scene 1, enter Mephistopheles ...

Goatmilk

Mephistopheles: "Let's install Firejail again..."

And I did. After it screwed up my system or rather my Calibre and its merry gang and I deleted it all when realizing I was in way over my head. Okay, I swore by all that's holy I will never, ever type "$ sudo firecfg" into a terminal again. And keeping the uninstall instructions handy, just in case.

But I installed it all anyway, Firejail, Firejail-profile and Firetools. By the way, Firetools once again sits there and seems to do nothing. As I see it, all I can do with it is pick one single application from its list and put it in a temporary sandbox. After kicking the Firejail icons out of the panel, it seems to be gone. At least little Max says so:

Code:
owl@Max:~
$ firejail --list
owl@Max:~

So do I understand it right that Firetools allows me to put up a temporary sandbox that will be gone as soon as the Firejail icons are removed from the panel?

Does anyone know if I could put a folder i.e. a directory in a sandbox? I tried with Firetools, but it won't let me.


Then, I tried to put Librewolf into Firejail, this time using the terminal:

Code:
$ firejail librewolf
Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 28099, child pid 28102
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 232.90 ms
[Parent 9, Main Thread] WARNING: Theme directory scalable/actions of theme buuf-icons-for-plasma has no size field
: 'glib warning', file /root/.local/share/bsys6/work/librewolf-144.0-1/toolkit/xre/nsSigHandlers.cpp:201

(librewolf:9): Gtk-WARNING **: 14:48:57.181: Theme directory scalable/actions of theme buuf-icons-for-plasma has no size field

[Parent 9, Main Thread] WARNING: Theme directory scalable/actions/small/16x16 of theme buuf-icons-for-plasma has no size field
: 'glib warning', file /root/.local/share/bsys6/work/librewolf-144.0-1/toolkit/xre/nsSigHandlers.cpp:201

(librewolf:9): Gtk-WARNING **: 14:48:57.181: Theme directory scalable/actions/small/16x16 of theme buuf-icons-for-plasma has no size field

[Parent 9, Main Thread] WARNING: Theme directory scalable/actions/small/22x22 of theme buuf-icons-for-plasma has no size field
: 'glib warning', file /root/.local/share/bsys6/work/librewolf-144.0-1/toolkit/xre/nsSigHandlers.cpp:201

(librewolf:9): Gtk-WARNING **: 14:48:57.181: Theme directory scalable/actions/small/22x22 of theme buuf-icons-for-plasma has no size field


Parent is shutting down, bye...
owl@Max:~

Seems it didn't work, and all I can see is the damn thing obviously doesn't like my new icons... what the fig?? I mean, what on earth have the icons to do with anything? I mean, if I load an image in, say, mirage, it doesn't tell me, "Hey, I don't like that horse in that picture, load another one..."

At least it didn't have any lasting effect:

Code:
owl@Max:~
$ firejail --list
owl@Max:~


Most websites I saw seem to go the all or nothing route, aka "do firecfg and it takes care of everything".

What if I only want, say, Firefox, Librewolf, and Thunderbird in a sandbox? Then, maybe, another sandbox that will keep programs like maybe Clementine or Calibre from poking around in the internet looking for titles or whatnot - which I don't want them to do. I put everything in there myself and that's that. If I need a title or a cover or whatever I go look for it myself.

Or rather: do I even need Firejail?
 


Not an answer to your question, sadly, but more of a "I have the same question." Does anyone know when was the last time the application was updated? It doesn't seem to me like it is still supported, or that a lot of people have been using it in the past couple of years. Which is too bad, because it is such a great tool, and the one I'd really like to have and use well.

They do update the repos, however, and there does seem to be some activity on their GitHub... so I dunno

I couldn't figure it out, so it kind of castrated my Firefox until I uninstalled it. The message was:

Code:
Gtk-WARNING **:: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.

I'm pretty sure it had something to do with mime permissions, and probably the fact that I am on Fedora 43, which uses SELinux sandboxing. Firejail works more fully in Debian/Ubuntu based systems.

Either way... I'm sad without it. I know I will try again but for now no idea where to look for help.
 
@teni sandbox is Fedora's native tool, maybe it helps you to achieve one or the other you used to do with firejail.

maybe Clementine or Calibre from poking around in the internet
I suggest you try one of these first, it is simpler when you can full-out deny network access for starters.

The error you get with librewolf linked to icons may be due to missing access. The firejail-profile distributed for firewolf cannot automatically add the icons. If it is, you probably get a comparable error with each application.

What seems odd to me is the quoted path /root/.local/share/bsys6/work/librewolf... but I have never used firewolf.
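
The per-application route asked about in the first post and the "deny network access" suggestion above can be set up without running firecfg. The following is an added example, not code from any poster or from the Firejail project. It assumes firejail is installed at /usr/bin/firejail, that per-user overrides are read from ~/.config/firejail/<app>.local, and that the wrapper directory (default /usr/local/bin, which needs root to write) comes before /usr/bin in PATH. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: sandbox only chosen programs, one at a time, no firecfg.
FIREJAIL_BIN="${FIREJAIL_BIN:-/usr/bin/firejail}"   # assumed install path

# Add "net none" to <confdir>/<app>.local exactly once. The shipped profile
# for <app> includes that file, so the program then starts in a network
# namespace that contains only a fresh loopback interface.
deny_network() {
    app="$1"; confdir="${2:-$HOME/.config/firejail}"
    mkdir -p "$confdir" || return 1
    f="$confdir/$app.local"
    grep -qx 'net none' "$f" 2>/dev/null || printf 'net none\n' >> "$f"
}

# Route one program through firejail by placing a symlink named after it.
# Refuses path tricks and never overwrites a real file.
wrap_app() {
    app="$1"; bindir="${2:-/usr/local/bin}"
    case "$app" in */*|'') echo "bad app name: $app" >&2; return 1;; esac
    if [ -e "$bindir/$app" ] && [ ! -L "$bindir/$app" ]; then
        echo "refusing to overwrite $bindir/$app" >&2; return 1
    fi
    ln -sfn "$FIREJAIL_BIN" "$bindir/$app"
}

# Print the programs in <bindir> that currently point at firejail.
list_wrapped() {
    bindir="${1:-/usr/local/bin}"
    for l in "$bindir"/*; do
        [ -L "$l" ] && [ "$(readlink "$l")" = "$FIREJAIL_BIN" ] && basename "$l"
    done
    return 0
}

# Remove one wrapper; anything that is not a firejail symlink is left alone.
unwrap_app() {
    l="${2:-/usr/local/bin}/$1"
    [ -L "$l" ] && [ "$(readlink "$l")" = "$FIREJAIL_BIN" ] && rm -- "$l"
}

# Typical use (as root for the default wrapper directory):
#   wrap_app librewolf; wrap_app thunderbird
#   deny_network calibre; wrap_app calibre
```

While a wrapped program is running, `firejail --list` should show it; an empty list, as in the first post, means nothing is currently sandboxed.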
 
Thank you! I guess I'll be off perusing the rest of the wiki before trying to get support elsewhere. Thanks for reminding me of this :)
 
I guess I'll be off perusing the rest of the wiki before trying to get support elsewhere.
While I think that approach is good, it does not matter where you choose to turn to for support first. What you should reconsider, though, is hijacking someone else's thread; rather, open your own.

This is about Mephistopheles and @Goatmilk working their way through the fire to jail a librefox on a Debian-based distro. We shall focus on that.
 

