How can I run local applications through firejail?

Question

I've installed debian package locally. I randomly chose Opera, extracted via dkpg -x opera-x.y.z.deb ~/bin/opera_package, and created a symlink in my user's ~/bin folder (which is in the user's path).

Attempting to run in side firejail

$ firejail opera

Reading profile /etc/firejail/opera.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 14762, child pid 14763

Child process initialized
/bin/bash: opera: command not found

parent is shutting down, bye...

If I try to run using absolute path (from my home folder):

$ firejail /bin/local_packages/opera/usr/lib/x86_64-linux-gnu/opera/opera
Reading profile /etc/firejail/opera.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 15796, child pid 15797
Child process initialized
/bin/bash: /bin/local_packages/opera/usr/lib/x86_64-linux-gnu/opera/opera: No such file or directory

Parent is shutting down, bye...

The browser GUI never starts up and the CLI reports the process DOA. I'm assuming I need to adjust the disable-common.inc

# grep -Rin 'bin' .
./disable-common.inc:125:# The user ~/bin directory can override commands such as ls
./disable-common.inc:126:read-only ${HOME}/bin

My Question(s):

How can I run local applications through firejail?
Is there a profile for local apps?
Do I need to edit disable-common.profile?
Is there a CL option to allow folders?
Do I just select a different folder than ~/bin/?

My Goals:

I'd like to...

sandbox applications cloned from github.com after they are compiled
keep both source and binary in my user folder
not have to sudo at any point (outside of installing firejail)

What happens if you specify the full path to opera? -- `firejail $(which opera)` — Barton Chittenden, Apr 08 '17 at 05:52
@BartonChittenden, I updated my question. THe same thing appears to happen. — Rick, Apr 10 '17 at 18:37

score 1 · Answer 1 · answered Aug 10 '17 at 08:03

Firejail should certainly be able to do this out of the box, and I'm using it this way myself. Try running firejail bash and checking if it sees the executables in question. Also, opera may be a shell script that sets up an environment and runs another binary that turns out to be hidden by firejail.

Ron Kaminsky · Answer 2 · 2018-09-20T19:59:42.740

The documentation supplied for firejail is available here. It unfortunately is not very comprehensive and is more like a user guide.

The answer from L29Ah supplied me enough information to figure out how to do this, but it is unfortunate that the answer doesn't give useful examples and more information. So I will try to answer all the questions and show some real ways to do this.

Is there a profile for local apps? From looking at the source code, firejail extracts the command name from the first argument in the command line you tell it to run in the following way: first, it truncates the string value of that argument at the first whitespace character it finds, and then it drops any leading directory components in the path. So the command 'firejail /home/me/various/"commandName commandNameSecondWord" ' would search for a profile called "commandName.profile". There is no special processing for programs which are run from under $HOME versus a system directory like /usr/bin. It is also possible to bypass all of that by using one or more "--profile=..." options on the command line.
Do I need to edit disable-common.profile? No. First, I do not recommend editing this file since it is included by other firejail profiles. Secondly, I did not have a problem running my particular local program even with this file included. Thirdly, if somehow something in that file is a problem, then you should be writing a custom profile which doesn't include it, and if you want some parts of it anyway, just copy them into your custom profile.
Do I just select a different folder than ~/bin/? No, it's more complicated.
Is there a CL option to allow folders? Yes, there are many ways to do this. Ordinarily, however, you would write a profile for the particular program you are running and put it in $HOME/.config/firejail. A "quick and dirty" command line argument which might be enough is "--private-home=..." which can copy top-level files and directories into your sandbox filesystem. Note that there is a limit of 500MB on the size of the copied files, and copying the files will slow down the startup of your sandboxed application.
How can I run local applications through firejail? This question is a bit general, since every application might need a different configuration (the whole reason why firejail is supplied with a whole library of profiles out of the box), and the configuration is dependent on exactly how you want to restrict the application (or not). However, I managed to run my application by installing it under a top-level directory in my home directory called $HOME/.local_fj and adding "private-home .local_fj" in the custom command profile (the 500MB limit mentioned above still applies). Another possibility might be using "whitelist ${HOME}/.local_fj/programInstallDir". In either case, make sure that any "noexec" commands do not block executing the program from the directory where it resides. (Note: I am not an expert user of firejail --- it's almost certain that there are other ways to do this with which I am not familiar.)

How can I run local applications through firejail?

2 Answers2