Linux sandbox / firejail: Which directories are required to whitelist?

OS version: 6.10.6-arch1-1
App version: 8.1.1.27
Downloaded from: Arch repo

I am using firejail to sandbox applications and noticed that no onlyoffice profile exists yet.
I tried creating one and used the libreoffice profile as a template.
Sadly it seems like onlyoffice needs access to more directories, as of right now I don’t have:

  • Recent files shown in onlyoffice
  • It will not save my selected language / regional settings when re-starting onlyoffice

Current whitelist:

include libreoffice.profile

noblacklist ${HOME}/.config/onlyoffice
noblacklist ${HOME}/.config/kdedefaults

whitelist ${HOME}/Downloads/
whitelist ${HOME}/THW/
whitelist ${HOME}/Documents/

You can find the firejail profile libreoffice.profile and all of the included profiles here:

Thanks!

Hello @zakazak

Please share some more details on how the Desktop Editors app is installed. If you’ve followed a guide, please share a link to it.


Are opened files located in white-listed directories?

Do you mean that the app does not save these settings for existing files or newly created ones?

Hello @Constantine

It was installed on Archlinux AUR via sudo paru -S onlyoffice-bin

Yes all files are in the whitelisted directories (else I couldn’t even open them)

It does not save those settings for ANY file. No matter whether new or existing, as long as onlyoffice is run in the sandbox.

I believe this package is used, is that correct?
https://aur.archlinux.org/packages/onlyoffice-bin

@Constantine yes, correct! :slight_smile:

Firstly, I have to mention that this package is developed by the community and we are not responsible for that.
Also, I was informed that Desktop Editors were not tested under firejail, so I’m afraid I cannot provide any hints on how to create a proper profile. Sorry for the inconvenience.

If you manage to find the solution, please feel free to share it with the community. I will keep this topic open for further info or for other people who seek information on how to run Desktop Editors under firejail.

@Constantine

That is why I am posting here - I am trying to make a profile in Firejail to make this work and provide it publicly to firejail.

I just need to know which directories onlyoffice needs access to in order to fully function. That way I can whitelist those directories.

I am sure this will be the same for official onlyoffice as well as the community driven arch package?!

I figured it out on my own. This is a working firejail profile for onlyoffice based on libreoffice.profile:

ignore blacklist ${HOME}/.config/onlyoffice
ignore blacklist ${HOME}/.local/share/onlyoffice
ignore join-or-start libreoffice

whitelist ${HOME}/.config/onlyoffice
whitelist ${HOME}/.config/kdedefaults
whitelist ${HOME}/.local/share/onlyoffice/

include libreoffice.profile

join-or-start onlyoffice-desktopeditors
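
One way to find the directories asked about in this thread, as an added example that is not part of any post: parse a file-access trace of the application run outside the sandbox and list the directories under the home directory that a profile does not yet whitelist. The `strace` capture command, the function names and the sample trace lines are assumptions constructed for illustration; only `whitelist` lines in the given file are checked, not those of included profiles.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed capture, run outside the sandbox:
#   strace -f -e trace=file -o trace.log APP_COMMAND

# touched_dirs TRACE HOME: per-application dirs under HOME opened successfully.
touched_dirs() {
    awk -v home="$2" '
        / = -1 / { next }                        # failed call, e.g. ENOENT
        !match($0, /"[^"]*"/) { next }           # first quoted string = path
        {
            p = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(p, home "/") != 1) next    # outside the home directory
            n = split(substr(p, length(home) + 2), c, "/")
            depth = 1
            if (c[1] == ".config" || c[1] == ".cache") depth = 2
            if (c[1] == ".local" && c[2] == "share") depth = 3
            if (n < depth) next                  # only the parent was touched
            d = c[1]
            for (i = 2; i <= depth; i++) d = d "/" c[i]
            print d
        }' "$1" | LC_ALL=C sort -u
}

# missing_whitelist TRACE HOME PROFILE: touched dirs without a whitelist line.
missing_whitelist() {
    touched_dirs "$1" "$2" | while IFS= read -r d; do
        grep -qxF -e "whitelist \${HOME}/$d" -e "whitelist \${HOME}/$d/" "$3" ||
            printf '%s\n' "$d"
    done
}

# Constructed sample input: trace lines and file names are illustrative only.
sample_dir=$(mktemp -d)
cat > "$sample_dir/trace.log" <<'EOF'
4242 openat(AT_FDCWD, "/home/user/.config/onlyoffice/example.conf", O_RDWR|O_CREAT, 0644) = 7
4242 openat(AT_FDCWD, "/home/user/.local/share/onlyoffice/example/recent.xml", O_RDONLY) = 8
4242 openat(AT_FDCWD, "/home/user/.config/kdedefaults/kdeglobals", O_RDONLY) = 9
4242 openat(AT_FDCWD, "/home/user/.config/absent/x.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4243 openat(AT_FDCWD, "/usr/lib/libexample.so", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/home/user/Documents/report.docx", O_RDWR) = 10
EOF
cat > "$sample_dir/first-attempt.profile" <<'EOF'
whitelist ${HOME}/Downloads/
whitelist ${HOME}/THW/
whitelist ${HOME}/Documents/
EOF
missing_whitelist "$sample_dir/trace.log" /home/user "$sample_dir/first-attempt.profile"
```

Each directory it prints is a candidate for a `whitelist` line; review them before adding, since every extra entry widens what the sandboxed application can read and write.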

Well done! Thank you for sharing it with the community!