new and unknown programs #2446

Closed
FOSSONLY opened this issue Feb 22, 2019 · 5 comments
Labels
question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested

Comments

@FOSSONLY

Hello

Is there a way to isolate new/unknown programs automatically, without profile/user interaction with Firejail? I use Firejail already as Login-Shell, but this only works for shell usage, not single binaries for example.

Btw.: Thanks for this great piece of Software

@glitsj16
Collaborator

Not something I have experience with, but there might be useful info in #397.

@chiraag-nataraj
Collaborator

The main problem is that it's hard to have a default profile which actually "just works" for most programs and provides meaningful security enhancements. Otherwise, we could just have one profile and use it for all programs (and then it would be a matter of hooking into the package manager or whatever to set up symlinks on package installation).

As of right now, the best we can do is firecfg, but that will only automatically sandbox programs we have profiles for.

The best way to contribute (even if you don't know C!) is to submit more profiles. You can take a look at the ones already in the repos as a guide for creating your own. A great place to get started is looking at #1139 to see which profiles have been requested. The more profiles we have, the greater the coverage of firecfg (loosely speaking) and thus the closer we are to achieving the goal you laid out here :)
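
The coverage limit described in the comment above can be measured on a given system. The following is an added example, not part of the thread or of Firejail's own code: it reports which executables already have a profile that firecfg could use and which have none. The function names and the constructed demo tree are the example's own, and it assumes profiles are named `<program>.profile` and firecfg wrappers are symlinks resolving to `firejail`.

```shell
#!/bin/sh
# Assumption: a profile for program X is a file named X.profile, and a
# firecfg-style wrapper is a symlink named X that resolves to "firejail".

# classify BIN_DIR PROFILE_DIR LINK_DIR
# Prints "<status> <name>" for each executable in BIN_DIR:
#   sandboxed  profile exists and LINK_DIR holds a symlink to firejail
#   profile    profile exists but no symlink has been created yet
#   uncovered  no profile, so firecfg has nothing to hook this program with
classify() {
    bin_dir=$1; profile_dir=$2; link_dir=$3
    for f in "$bin_dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        if [ ! -f "$profile_dir/$name.profile" ]; then
            echo "uncovered $name"
        elif [ -L "$link_dir/$name" ] &&
             [ "$(basename "$(readlink "$link_dir/$name")")" = firejail ]; then
            echo "sandboxed $name"
        else
            echo "profile $name"
        fi
    done
}

# Constructed sample tree (not real system paths) so the script runs offline.
make_demo() {
    d=$(mktemp -d)
    mkdir "$d/bin" "$d/profiles" "$d/links"
    for p in firefox vlc newtool; do
        printf '#!/bin/sh\n' > "$d/bin/$p"
        chmod +x "$d/bin/$p"
    done
    touch "$d/firejail" "$d/profiles/firefox.profile" "$d/profiles/vlc.profile"
    ln -s "$d/firejail" "$d/links/firefox"   # the kind of link firecfg creates
    echo "$d"
}

demo=$(make_demo)
classify "$demo/bin" "$demo/profiles" "$demo/links"
rm -rf "$demo"
```

On a typical install the real arguments would be `/usr/bin /etc/firejail /usr/local/bin`; anything reported as `uncovered` still runs unsandboxed after firecfg and is a candidate for a new profile.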

@matu3ba
Contributor

matu3ba commented Jun 21, 2019

@FOSSONLY Please check the wiki on https://github.com/netblue30/firejail/wiki/Sandboxing-Binary-Software or give input to discussion at the wiki on #2748, #2749, #2755. Will link suggestion into the wiki discussion.
Guess this can be closed then.

@matu3ba
Contributor

matu3ba commented Jun 27, 2019

@chiraag-nataraj Could you change the title to "Automatic isolation of user programs" or "Isolation of user programs without interaction" ?
If this is technically not feasible due to complexity etc, I would suggest to close this.

@rusty-snake rusty-snake added the question_old (Deprecated; use "needinfo" or "question" instead) Further information is requested label Sep 4, 2019
@rusty-snake
Collaborator

@FOSSONLY
I'm closing here due to inactivity, please feel free to reopen if you have more questions.
