Asked the folks at parrotos about what they do which may help.
Some great feedback from the ParrotOS dev. Its very doable with their technique.  @Patrick see if you have any further questions you would like to ask.
 They enable it automatically for all available programs and re-aply symlinks in event of package updates. Also the home folder is whitelisted for saving files the users wants persistent. I asked about the code and whether its deb packaged.
i tried by default to run firejail and it WORKED without adding anything:
run inside whonix:
if you installed tbb from torbrowser-downloader developed by micah lee
and it will run magically with seccom without adding anything
By automatic we mean out of the box. We don’t want people to type firejail X to take advantage of its security but rather the process is completely transparent to the user.
Yes I know it works, but it defaults to a “default profile” in that mode (which is not very restrictive).
We really need something to auto-select the Tor Browser profile for improved usability and stricter containment if Firejail is used.
packaged for Debian and includes custom code
Problem is, it is these profiles is mixed up with all the C code provided by firejail. A full fork of firejail. That would be good if it was taken by firejail developers like this and merged upstream at firejail.
Just the parts they changed (added profiles; Debian maintainer scripts) in a separate package would a lot a lot better to avoid adding C code and compilation to Whonix source code. Otherwise I’d need to verify firejail by firejail upstream vs firejail from that package matches; and compile.
OK I suggested it.
Could we add firejail to the default packages being installed so it would maybe also get some more testing? The version from backports looks close to the upstream version. Also the specific profile for the torbrowser seems to work, not just the default profile.
i already asked for that
continue discussion here
Tickets are a bit “disorganized” since now firejail is suggested as standalone without T804. Be that as it may…
The suggestion is to add https://packages.debian.org/stretch/firejail to some Whonix meta package? Which one? Please send a pull request. Can you please test that installing firejail alone doesn’t add any regression? Does it activate by default?
I don’t think we can guarantee zero regressions, but anecdotally I have yet to find a program that doesn’t work with firejail.
From the ParrotOS thread, it appears that what happens is Firejail has a script which can automatically compare installed system binaries and reinstall symlinks as packages are reinstalled. Parrot runs this script (which I haven’t seen but haven’t really dug for yet) every time a package is installed via a post-installation step. This itself could be dangerous as perhaps a user is unaware that firejail is not reinstalled in front of a package reinstall, or perhaps they install a package that is not protected by default firejail profiles and also not ParrotOS firejail profiles and expect it to be automatically applied. User education will always solve problems where technology is lacking. We should make the user aware that firejail is in play on the system regardless of how seamless we can make the integration as they may want to review firejail and the available integrated profiles for themselves.
That all said, I am still learning and still educating myself on firejail and the current state of Whonix development itself. If I could send a pull request that would implement firejail as a default package on a meta package, and then create a post-install hook to implement firejail profile reinstallation, and then implement specific and tight firejail profiles, that would still not alleviate all of the potential problems. Again, user education is key, and I’ve noticed this mentioned a couple of times in the Whonix wiki and could not agree more.
That’s just my $.02 on the matter, for what that’s worth right now. Still learning.