Look for config files in /usr/local/etc/firejail/

[QUser534]

Is your feature request related to a problem? Please describe.

It is hard to manage a lot of custom profiles. The current solution of looking for profiles in ~/.config/firejail does not solve it because it is not system wide, so apps launched from another user will not use those profiles. For custom, multi-user profile management there should be another directory.

This approach allows much cleaner, system-wide profile changes that mixing a ton of new config files /etc/firejail. For example, to move all the custom changes to a new install requires just copy / pasting the /usr/local/etc/firejail directory

Serious errors can be created when creating profiles in "~./config/firejail" that do not exist outside. For example, a user may have profiles that blacklist private directories such as ~./Private. If one day they accidently run that app using "sudo" then the custom profile in ~/ would not be read and their /Private folder would be read.

My point being that in most use-cases it doesn't make sense to have profiles specific to one user that also is not blocked system-wide. And for these system-wide changes it makes more sense to have a system-wide custom directory to not clutter the /etc/firejail directory.

Describe the solution you'd like

Look for profiles in the following order:

~/.config/firejail
/usr/local/etc/firejail
/etc/firejail

[rusty-snake]

Duplicated of #4871

--

Also doubting that /usr/local is the right path.

1. It conflict if firejail is installed from git with make install into /usr/local.
2. Does not scale well for different filesystem layouts (e.g. guix) and is not the best/correct choice in file-hierachy/fhs/hier.

If one day they accidently run that app using "sudo" then the custom profile in ~/ would not be read and their /Private folder would be read.

If you accidental run apps using sudo you have a different problem in your op-sec. Also running a app using sudo may allow the app to undo a blacklist.

Also I do not think that this is inside of firejails generally to be assumed thread model given that firejail/firecfg does not stop you from running a program without it using e.g. it's full path.

for these system-wide changes it makes more sense to have a system-wide custom directory to not clutter the [default] directory.

Yes

My point being that in most use-cases it doesn't make sense to have profiles specific to one user that also is not blocked system-wide.

.locals: make sense on per-user basis
.profile: may or may not, there a different thing, the main focus of firejail are single.

[kmk3]

Closing as a duplicate of #4871.

Regarding the path, the most appropriate place to put the profiles would
probably be in /usr/share:

• Install provided profiles under LIBDIR/firejail-profiles #4871 (comment)

Such as in /usr/share/firejail/profiles.