According to this: https://www.whonix.org/wiki/Dev/Firejail
A short term workaround until the proposed upstreaming of start-tor-browser happens: is to append Firejail to all launcher commands under: /usr/share/applications. Reasoning: TBB folder not visible to users. For a user to accidentally execute Tor Browser without protection, they have to go out of their way to find and launch the start-tor-browser script in the hidden TBB folder. In TBB’s use-model we don’t have to worry about command line users because TBB is a GUI app first and foremost. Visual indicators further help warn against accidental execution in the unlikely event it happens. If they use command line they might as well put Firejail before the script name. This solution is tested and working and survives TBB upgrades.
So, I imagined this would mean:
1) In Qubes-Whonix, we would edit the relevant file in the Debian-8 TemplateVM
2) Prepend the firefox executable in the following line with “firejail”
Exec=/usr/lib/firefox-esr/firejail firefox-esr %u
And hoping for Christmas magic, it would lead to Firefox automatically starting contained, because the Qubes menu entry points to: /usr/share/applications/firefox-esr.desktop
Of course, not that easy. Help?
I’m trying to make this easy for dumb users like me. We need our hands held every step of the way, or we will do something really stupid.
Although, I don’t mind running a terminal with “firejail firefox” every time, there must be an easy solution.
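The launcher edit described in the steps above, as an added example that is not part of the original post or the Whonix wiki: `firejail` goes in front of the command as its own word, before the full path, rather than inside the path. The function name `firejail_wrap_desktop` is hypothetical, and the sample entry is constructed; it assumes the unmodified line is `Exec=/usr/lib/firefox-esr/firefox-esr %u`.

```shell
#!/bin/sh
# Added example: prefix every Exec= command in a .desktop launcher with
# "firejail". Idempotent: lines already starting with "firejail " are skipped.

firejail_wrap_desktop() {
    # $1 = path to a .desktop file; edited in place.
    file=$1
    [ -f "$file" ] || return 1
    # Keep one pristine copy; a ".orig" suffix is not read as a menu entry.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig"
    tmp=$(mktemp) || return 1
    # Only keys named exactly "Exec" are touched, so TryExec= stays as it is.
    # The whole command line follows firejail, field codes (%u) included.
    if sed '/^Exec=firejail /!s/^Exec=/Exec=firejail /' "$file" > "$tmp"; then
        cat "$tmp" > "$file"   # overwrite contents, keep owner and mode
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed entry (not the real Debian file), in a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/firefox-esr.desktop" <<'EOF'
[Desktop Entry]
Name=Firefox ESR
Exec=/usr/lib/firefox-esr/firefox-esr %u
TryExec=/usr/lib/firefox-esr/firefox-esr
Type=Application
Actions=new-window;

[Desktop Action new-window]
Name=New Window
Exec=/usr/lib/firefox-esr/firefox-esr --new-window
EOF

firejail_wrap_desktop "$demo_dir/firefox-esr.desktop"
firejail_wrap_desktop "$demo_dir/firefox-esr.desktop"   # second run changes nothing
grep 'Exec=' "$demo_dir/firefox-esr.desktop"
rm -rf "$demo_dir"
```

For the case in the post, the function would be run as root inside the Debian-8 TemplateVM against /usr/share/applications/firefox-esr.desktop.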