Setting up firejail with default profiles, override profiles, etc.

I want to sandbox user programs with default profiles and custom overrides

I guess a lot of existing profile collections like this one don't work on NixOS. The ${HOME} variables are treated as Nix variables.

But here is a view of what I've got:

programs.firejail = {
    enable = true;
    wrappedBinaries = {
        # BROWSER
        firefox = {
            executable = "${lib.getBin pkgs.firefox}/bin/firefox";
            # profile shipped with the firejail package itself;
            # the stock profiles live under ${pkgs.firejail}/etc/firejail
            profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
        };
        ...
    };
};

environment.etc = {

    # firejail.config holds "option value" settings only; profile commands
    # (blacklist, noexec, seccomp, ...) are not parsed here.
    "firejail/firejail.config".text = ''
        # https://paramdeo.com/blog/sandboxing-firefox-using-firejail-for-private-browsing
        # prevent app from getting new privileges (required for chromium)
        force-nonewprivs yes
    '';

    # DEFAULTS: globals.local is included by every shipped profile,
    # so profile commands placed here apply to all sandboxes.
    "firejail/globals.local".text = ''
        # Enable native notifications.
        dbus-user.talk org.freedesktop.Notifications

        # hardened malloc
        # https://wiki.archlinux.org/title/Firejail#Use_with_hardened_malloc
        # https://github.com/NixOS/nixpkgs/blob/dbc1b2bd8cbce0ba11768151c7ce2c44fbd9dd89/nixos/modules/config/malloc.nix
        env LD_PRELOAD='${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so'

        # Theme
        env GTK_THEME=Breeze:dark

        ### hardening ###
        # https://github.com/chiraag-nataraj/firejail-profiles/blob/fcd08dd32874f9fb5c856375659c434c922f156a/common.inc
        blacklist /usr/local/bin
        blacklist /usr/local/sbin
        blacklist /boot

        # ''${HOME} and ''${RUNUSER} are firejail macros, not Nix variables.
        # Inside a Nix indented string a bare "$" + "{" starts an interpolation,
        # so the literal is written with a leading '' (two single quotes).
        noexec ''${HOME}
        noexec /tmp
        noexec ''${RUNUSER}

        private-tmp
        read-only /tmp/.X11-unix
        private-dev
        nodvd
        nosound
        notv
        nou2f
        novideo
        no3d
        disable-mnt
        private-opt emp
        private-srv emp

        shell none
        seccomp
        seccomp.block-secondary
        noroot
        caps.drop all
        apparmor
        nonewprivs
        ipc-namespace
        machine-id
        nodbus
        nogroups
        # no internet
        net none
        netfilter
        # block dynamic execution from memory
        memory-deny-write-execute
    '';

    # override existing one: <name>.local is read next to <name>.profile
    "firejail/firefox.local".text = ''
        # MISSING: applications portal

        # Allow screensharing under Wayland.
        dbus-user.talk org.freedesktop.portal.Desktop
        # Allow inhibiting screensavers.
        dbus-user.talk org.freedesktop.ScreenSaver

        # from chiraag nataraj
        # https://github.com/chiraag-nataraj/firejail-profiles/blob/fcd08dd32874f9fb5c856375659c434c922f156a/firefox.profile
        # re-enable for firefox what the global defaults above switch off
        ignore private-dev
        ignore nou2f
        ignore net none
        ignore nodbus
        ignore nosound
        ignore novideo
        ignore no3d
        ignore memory-deny-write-execute

        ...
    '';
    ...
};

and so on.

It seems that using override configs is preferred over runtime arguments; it is cleaner to write.

Apparently, firejail.config is the place to set default values, but I'm not sure.

And there are some variables that are firejail-specific, I guess, or not. I think they are used by the script in the repo; translating those to Nix would be nice.

Also, where are the default profiles stored? whereis firejail didn't give me an etc directory from which they are loaded.
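The translation the post asks for, as an added example that is not part of the original post or of any firejail profile collection: firejail profiles use their own macros (${HOME}, ${RUNUSER}, ${PATH}, ${DOWNLOADS} and similar), and inside a Nix indented string every "${" must be written as "''${" and every "''" as "'''" or Nix interpolates or terminates the string. The script below escapes an upstream profile, lists the macros it uses, and renders an environment.etc attribute in the shape used above. The sample profile is constructed for the example; pointing the script at the files under the firejail package's etc/firejail directory (the path the wrappedBinaries entry above already references) is an assumption about how you would use it.

```python
"""Turn an upstream firejail profile into a Nix indented string.

Added example, not code from the original post. The escaping rules are Nix's
own: in a '' ... '' string, "''${" yields a literal "${" and "'''" yields a
literal "''". Everything else passes through unchanged.
"""
import re

# Constructed sample profile; not a real file from any profile collection.
SAMPLE_PROFILE = """\
# constructed sample, loosely in the style of a firefox profile
include globals.local
noexec ${HOME}
noexec ${RUNUSER}
whitelist ${DOWNLOADS}
# a stray '' pair that would terminate the Nix string if left unescaped
blacklist ${HOME}/''dangerous''
"""

# firejail macros look like ${NAME}; this matches the ones a profile references.
FIREJAIL_MACRO = re.compile(r"\$\{([A-Z_]+)\}")


def escape_for_nix_indented_string(text: str) -> str:
    """Escape text so that a Nix '' ... '' string reproduces it byte for byte.

    Order matters: "''" is escaped first; the "''${" sequences inserted by the
    second step are deliberate escapes and must not be touched again.
    """
    escaped = text.replace("''", "'''")
    return escaped.replace("${", "''${")


def unescape_nix_indented_string(text: str) -> str:
    """Inverse of escape_for_nix_indented_string, used here to check round trips."""
    unescaped = text.replace("''${", "${")
    return unescaped.replace("'''", "''")


def firejail_macros(text: str) -> list[str]:
    """Names of the firejail macros referenced by a profile, sorted and unique."""
    return sorted(set(FIREJAIL_MACRO.findall(text)))


def to_environment_etc_attr(name: str, text: str, indent: int = 4) -> str:
    """Render an environment.etc "firejail/<name>".text attribute.

    Profile lines are indented uniformly; Nix strips that common indentation
    again when it evaluates the indented string, so /etc/firejail/<name>
    ends up containing the original profile text.
    """
    pad = " " * indent
    lines = escape_for_nix_indented_string(text).splitlines()
    body = "\n".join(pad + line if line else line for line in lines)
    return '"firejail/{0}".text = \'\'\n{1}\n\'\';\n'.format(name, body)


if __name__ == "__main__":
    print("macros used:", ", ".join(firejail_macros(SAMPLE_PROFILE)))
    print(to_environment_etc_attr("firefox.local", SAMPLE_PROFILE))
```

Run it against a real profile by reading the file into `to_environment_etc_attr` instead of `SAMPLE_PROFILE`; the round-trip helper is there so you can confirm that what Nix writes to /etc/firejail is exactly the upstream text.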