Hardening Qubes-Whonix

re Qubes dom0 desktop files edit for firejail support:

Don’t. :slight_smile: Really. :slight_smile: Unless of course there is really no other way around. dom0 should not be involved at all. That should be purely up to the VM templates. The Qubes dom0 start menu is capable of extracting the full exec line. For example, whonix-irc-chat-support.desktop uses hexchat --url ircs://irc.oftc.net:9999/#Whonix. The only place where this is configured is inside the template.

The question is: “How to firejailify an application without requiring the user to manually type firejail into the console.”

Or a wider question: “How to automatically prepend commands (such as firejail) before applications (such as firefox).”

Has been (partially*) discussed here:
https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment

(* I’d have to re-read first to know.)