re Qubes dom0 desktop files edit for firejail support:
Don’t. Really.
Unless of course there is really no other way around it. dom0 should not be involved at all. That should be purely up to the VM templates. Qubes dom0 start menu is capable of extracting the full exec line. For example whonix-irc-chat-support.desktop uses `hexchat --url ircs://irc.oftc.net:9999/#Whonix`. The only place where this is configured is inside the template.
The question is: “How to `firejail`ify an application without requiring the user to manually type `firejail` into the console.”
Or a wider question: “How to automatically prepend commands (such as `firejail`) before applications (such as `firefox`).”
Has been (partially*) discussed here:
https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment
(* I’d have to re-read first to know.)
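
One way to approach the wider question inside a template, as an added example that is not part of the original post and not Whonix or Qubes code: rewrite the `Exec=` key of a `.desktop` file so the wrapper is prepended, which is the line the post says the dom0 start menu extracts. The function names and the sample file are assumptions; only the `Exec` line in the sample comes from the post.

```python
import os

WRAPPER = "firejail"  # assumption: firejail is installed and on PATH in the template


def wrap_exec(value, wrapper=WRAPPER):
    """Return an Exec= value with `wrapper` prepended, unless it already is."""
    value = value.strip()
    if not value:
        return value
    first = value.split()[0].strip('"')
    if os.path.basename(first) == wrapper:
        return value  # already wrapped; keep the rewrite idempotent
    return f"{wrapper} {value}"


def wrap_desktop_entry(text, wrapper=WRAPPER):
    """Rewrite every Exec= key of a .desktop file, leaving other lines alone."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        # Exact key match: TryExec=, comments and localized keys are untouched.
        if sep and key.strip() == "Exec":
            line = f"Exec={wrap_exec(value, wrapper)}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: only the Exec line is taken from the post above.
SAMPLE = """\
[Desktop Entry]
Type=Application
Name=IRC chat support
Exec=hexchat --url ircs://irc.oftc.net:9999/#Whonix
TryExec=hexchat
"""

if __name__ == "__main__":
    print(wrap_desktop_entry(SAMPLE), end="")
```

Because the rewrite is idempotent, it can be re-run after package upgrades replace the `.desktop` file without stacking wrappers.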