DOKK / manpages / debian 13 / firejail / firecfg.1.en
FIRECFG(1) firecfg man page FIRECFG(1)

Firecfg - Desktop integration utility for Firejail software.

firecfg [OPTIONS]

Firecfg is the desktop integration utility for Firejail sandbox. It allows the user to sandbox applications automatically by clicking on desktop manager icons and menus.

The integration covers:

- programs started in a terminal - typing "firefox" would be enough to start a sandboxed Firefox browser

- programs started by clicking on desktop manager menus - all major desktop managers are supported

- programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE/LXQT, MATE and XFCE desktop managers are supported in this moment

Note: The examples use sudo, but doas is also supported.

To set it up, run "sudo firecfg" after installing Firejail software. The same command should also be run after installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin will be created.

To configure the list of programs used by firecfg when creating symlinks, see FILES and SYNTAX.

For user-driven manual integration, see DESKTOP INTEGRATION section in man 1 firejail.

The following actions are implemented by default by running sudo firecfg:

- set or update the symbolic links for desktop integration;

- add the current user to Firejail user access database (firecfg --add-users);

- fix desktop files in $HOME/.local/share/applications/ (firecfg --fix).
- automatically loads and forces the AppArmor profile "firejail-default".

Add the list of users to Firejail user access database.

Example:
$ sudo firecfg --add-users dustin lucas mike eleven

Create and search symbolic links in directory instead of the default location /usr/local/bin. Directory should precede /usr/bin and /bin in the PATH environment variable.

Remove all firejail symbolic links.

Fix .desktop files. Some .desktop files use full path to executable. Firecfg will check .desktop files in /usr/share/applications/, replace full path by name if it is in PATH, and write result to $HOME/.local/share/applications/. This action is done by default when running "sudo firecfg". We have it as a separate option for regular users.

Create a proper ~/.config/pulse/client.conf file without shm support. On some PulseAudio versions, shared memory support (shm) breaks the process ID namespace. PulseAudio software was designed a long time ago, and the introduction of PID namespace in Linux kernel breaks their design. This was reportedly fixed in PulseAudio version 9. If you have sound problems on your system, run "firecfg --fix-sound" command in a terminal, followed by logout/login in order to apply the changes.
Guided configuration for new users.

Example:
$ sudo firecfg --guide

Print debug messages.
-?, --help
Print options end exit.
List all firejail symbolic links
Print program version and exit.

Example:

$ sudo firecfg
/usr/local/bin/firefox created
/usr/local/bin/vlc created
[...]
$ firecfg --list
/usr/local/bin/firefox
/usr/local/bin/vlc
[...]
$ sudo firecfg --clean
/usr/local/bin/firefox removed
/usr/local/bin/vlc removed
[...]

Configuration file syntax:

A line that starts with # is considered a comment.
A line that starts with !PROGRAM means to ignore "PROGRAM" when creating symlinks and fixing .desktop files.
A line that starts with anything else is considered to be the name of an executable and firecfg will attempt to create a symlink for it.

For example, to prevent firecfg from creating symlinks for "firefox" and "patch" while attempting to create a symlink for "myprog", the following lines could be added to /etc/firejail/firecfg.d/10-my.conf:

!firefox
!patch

myprog

Note that certain programs may use different naming schemes for their .desktop file compared to the main executable. To ensure that both files are handled in the same manner, it is recommended to list both names in the configuration. For example, if Spectacle has its main executable at /usr/bin/spectacle and its .desktop file at /usr/share/applications/org.kde.spectacle.desktop, then the following lines can to be used to ignore both:

!org.kde.spectacle
!spectacle

Configuration files are searched for and parsed in the following paths:

1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
2. /etc/firejail/firecfg.config

The programs that are supported by default are listed in /etc/firejail/firecfg.config. It is recommended to leave it as is and put all customizations inside /etc/firejail/firecfg.d/.

Profile files are also searched in the user configuration directory:

3. ~/.config/firejail/*.profile

For every PROGRAM.profile file found, firecfg attempts to create a symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Homepage: https://firejail.wordpress.com

firejail(1), firemon(1), firejail-profile(5), firejail-login(5), firejail-users(5), jailcheck(1)

Apr 2025 0.9.74