# Deprecated

## Firejail

Don't use firejail, it's a suid binary which only runs in userspace. Apparmor does
almost exactly the same thing but runs in the kernel at boot and protects you more
completely. I'm leaving this here in case you're interested but realistically you
should just learn apparmor.

Firejail launches supported applications in a sandboxed environment where it limits access
to system files and resources.

For example:

- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to acces ~/.config/autostart.

1. `sudo pacman -S firejail`
2. `sudo apparmor_parser -r /etc/apparmor.d/firejail-default`
3. `sudo firecfg`
4. `firecfg --fix`
5. `sudo rm /usr/local/bin/dnsmasq` (this fixes an issue with virsh network start)
6. Add a pacman hook to apply firejail on install

    /etc/pacman.d/hooks/firejail.hook

    ```conf
    [Trigger]
    Type = Path
    Operation = Install
    Operation = Upgrade
    Operation = Remove
    Target = usr/bin/*
    Target = usr/share/applications/*.desktop

    [Action]
    Description = Configure symlinks in /usr/local/bin based on firecfg.config...
    When = PostTransaction
    Depends = firejail
    Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
    ```

You can run firejail with noprofile to fix access issues (like firefox gnome connector)

```bash
firejail --noprofile firefox
```

You'll probably want to enable the following

`sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'`

/etc/firejail/firejail.config

```conf
browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes
```