How to edit firejail profiles

How can i edit firejail profiles? For example, i have set

  programs.firejail.enable = true;
  programs.firejail.wrappedBinaries = {
    chromium = {
      executable = "${pkgs.lib.getBin pkgs.ungoogled-chromium}/bin/chromium";
      profile = "${pkgs.firejail}/etc/firejail/chromium.profile";

and would like to edit the profile to change the allowed folders. How can i do that?

I tried to access the file in the terminal but this yields

~ ❯ bat ${pkgs.firejail}/etc/firejail/thunderbird.profile
fish: ${ is not a valid variable in fish.
bat ${pkgs.firejail}/etc/firejail/thunderbird.profile

${pkgs.firejail}/etc/firejail/chromium.profile is expanded into the nix store path of package firefox, so something like /nix/store/2aq35w0j03j39m2ylgi6gv3r7n68z8a8-firejail-0.9.70/ depending on firejail derivation. You can’t edit it, all the store is read only.

A solution would be to copy the profile into a read only place, and give the path into the configuration. Why a read only? Because you certainly don’t want a compromised user to have access to the sandbox settings (firejail profile file in this case) :slight_smile:

Alright, so there is no way for me to change anything?

I switched over from Arch where i had extensive apparmor profiles but this is also so not so easy on Nixos, that’s why i tried firejail now…

You can change it by creating a profile file somewhere in your filesystem, and use this path as the value for the profile attribute.

1 Like

I see, stupid question :upside_down_face:

Thank you!

Another Noob question:

‘firejail’ expands to ‘/nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/bin/firejail’

Howevever, running `ls /nix/store/g9m781hbz7301w7dds4nna6j8mg8nyv1-firejail-0.9.68/bin/firejail’ shows nothing, especially no sub folders or profiles, so i can’t grab the default profile and put it somewhere else.

What am i doing wrong? How can i grab the default profile?

This is related to how nix works, when a package (or anything ending in the nix store) is built, it get assigned a hash (the part before the -) computed from ALL the inputs (packages, metadata) required to create the package.

If anything change for that package, a new hash is created, the package is recreated and you update your system with the new one. I picked a firejail path from my nix store, but if you are not using the same repository version as me, it’s unlikely you get the same.

It’s a bit tricky to find it for firejail because it’s a SUID program, and handled a bit differently by Nix. A quicky way to find something is find /nix/store -type d -name '*firejail*' -maxdepth 1