Deprecated
Firejail
Don't use firejail; it's a suid binary which only runs in userspace. AppArmor does almost exactly the same thing but runs in the kernel at boot and protects you more completely. I'm leaving this here in case you're interested, but realistically you should just learn AppArmor.
Firejail launches supported applications in a sandboxed environment where it limits access to system files and resources.
For example:
- Firefox will not be able to access more than a small subset of your home directory.
- VSCode will not be able to access ~/.config/autostart.
- sudo pacman -S firejail
- sudo apparmor_parser -r /etc/apparmor.d/firejail-default
- sudo firecfg
- firecfg --fix
- sudo rm /usr/local/bin/dnsmasq (this fixes an issue with virsh network start)
- Add a pacman hook to apply firejail on install

/etc/pacman.d/hooks/firejail.hook

[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1'
To fix access issues (like firefox gnome connector), you can run firejail with --noprofile, which starts the program without a security profile:
firejail --noprofile firefox
You'll probably want to enable the following settings (the command prints the uncommented lines of the config file):
sudo cat /etc/firejail/firejail.config | grep -e '^[^#].*'
/etc/firejail/firejail.config
browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes
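
One way to check that the settings above are actually active in the config file, as an added example that is not part of the original page. The function names, the `MISMATCH` output format and the sample file are assumptions, as is resolving a repeated key to its last occurrence.

```shell
#!/bin/sh
# Added example: audit firejail.config against the settings listed on this page.
# Function names and the sample file are assumptions made for illustration.

WANTED='browser-disable-u2f no
chroot yes
firejail-prompt yes
force-nonewprivs yes
tracelog yes'

# Print the active (uncommented) value of key $1 in file $2, empty if unset.
# A repeated key resolves to its last occurrence (assumed parser behaviour).
active_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2 }
        END        { if (val != "") print val }
    ' "$2"
}

# Print one line per deviation; exit status = number of deviations (0 = OK).
# An unset key is reported too, because the file then does not pin the value.
audit_firejail_config() {
    file=$1
    bad=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 255; }
    while read -r key want; do
        have=$(active_value "$key" "$file")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: want=$want have=${have:-<unset>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$WANTED
EOF
    return "$bad"
}

# Demo on a constructed sample, not a real system's config.
sample=$(mktemp)
printf '%s\n' '# chroot yes' 'force-nonewprivs yes' 'tracelog no' >"$sample"
audit_firejail_config "$sample" || echo "$? setting(s) differ"
rm -f "$sample"
```

On a real host, call `audit_firejail_config /etc/firejail/firejail.config` after editing the file.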