Would you be interested in adding support for custom options (at least, a custom profile)?

Would you be interested in adding support for custom options (at least, a custom profile)?

I'm not particularly motivated to do that but I can see where a similar backwards compatible strategy as you implemented in #103813 would work here. Maybe I don't fully understand the use case -- wouldn't profiles in ~/.config/firejail or /etc/firejail work here? (I'll admit I haven't tested it.) Isn't that sufficient for all practical desktop use cases?

If I'm not mistaken, firejail picks up a generic (permissive) profile by default. By running a program with a dedicated profile (and upstream provides many) you get a tighter sandbox.
Adding profiles in ~/config/firejail does not really help as it only registers new profiles which are not used by default.
My use case for additional options is to use --private=/some/dir so that some proprietary programs I must run cannot see my home directory.

@symphorien

If I'm not mistaken, firejail picks up a generic (permissive) profile by default.

Fortunately you seem to be mistaken. Testing this out with libreoffice, firejail does the right thing by reading the upstream profiles:

$ libreoffice
Reading profile /nix/store/1ry4v2vnyli2gpi5h0cx2sm8bmjji4yv-firejail-0.9.62/etc/firejail/soffice.profile
Reading profile /nix/store/1ry4v2vnyli2gpi5h0cx2sm8bmjji4yv-firejail-0.9.62/etc/firejail/libreoffice.profile
Reading profile /nix/store/1ry4v2vnyli2gpi5h0cx2sm8bmjji4yv-firejail-0.9.62/etc/firejail/libreoffice.local
...

Adding profiles in ~/config/firejail does not really help as it only registers new profiles which are not used by default.
My use case for additional options is to use --private=/some/dir so that some proprietary programs I must run cannot see my home directory.

I'm not completely familiar with how firejail's profile precedence works, but local overrides are supposed to override the default profiles. If they do not that is a bug in the nix implementation which it would be better to fix if possible rather than create configuration options to work around it. My best understanding is that local overrides currently do work: #83515.

Fortunately you seem to be mistaken.

Oh I had only tested with zoom, for which it does not work. It looks like it is due to the fact that the executable is called zoom-us and the profile zoom.

I tried this with gimp and the wrapping is circular

I can't reproduce this on stable:

$ head $(which gimp)
#! /nix/store/a3fc4zqaiak11jks9zd579mz5v0li8bg-bash-4.4-p23/bin/bash -e
exec /run/wrappers/bin/firejail "/nix/store/4a0d7inzfq8vc09lqbmp5px9n6czvs7y-gimp-2.10.20/bin/gimp-2.10" "$@"

Any chance you have gimp firejailed elsewhere such as in wrappedBinaries or an override?

Nope that was in a nixos vm with full config:

{ config, pkgs, lib, ...}: {
  config = {
    users.users.root.initialPassword = "root";
    users.users.alice = {
      isNormalUser = true;
      initialPassword = "alice";
    };
    console = {
      font = "Lat2-Terminus16";
      keyMap = "fr";
    };
    programs.firejail = {
      enable = true;
      wrappedPackages = [
        pkgs.gimp
      ];
    };
    services.xserver = {
      enable = true;
      layout = "fr";
      xkbVariant = "oss";
      libinput = {
        enable = true;
        tapping = false;
      };
      xkbOptions = "caps:swapescape, compose:prsc";
      displayManager = {
        lightdm.enable = true;
        defaultSession = "xfce";
      };
      desktopManager = {
        xterm.enable = false;
        xfce = {
          enable = true;
        };
      };
    };
  };
}

First off thanks for introducing me to nixos vm's! Somehow I'd never noticed the build-vm subcommand before.

I still can't reproduce the circular wrapping though and made only the necessary changes so that I could use the keyboard:

{ config, pkgs, lib, ...}: {
  config = {
    users.users.root.initialPassword = "root";
    users.users.alice = {
      isNormalUser = true;
      initialPassword = "alice";
    };
    console = {
      font = "Lat2-Terminus16";
      # keyMap = "fr";
    };
    programs.firejail = {
      enable = true;
      wrappedPackages = [
        pkgs.gimp
      ];
    };
    services.xserver = {
      enable = true;
      # layout = "fr";
      # xkbVariant = "oss";
      libinput = {
        enable = true;
        tapping = false;
      };
      xkbOptions = "caps:swapescape, compose:prsc";
      displayManager = {
        lightdm.enable = true;
        defaultSession = "xfce";
      };
      desktopManager = {
        xterm.enable = false;
        xfce = {
          enable = true;
        };
      };
    };
  };
}

I don't know which environment variable is bothering firejail in this system but it doesn't seem to be caused by this patch.

For full reproducibility:
on top of 03c4f7d7dff27a93a47d8b013ccb71e0b1223228 (your PR), and with this english keymap configuration:

{ config, pkgs, lib, ...}: {
  config = {
    users.users.root.initialPassword = "root";
    users.users.alice = {
      isNormalUser = true;
      initialPassword = "alice";
    };
    console = {
      font = "Lat2-Terminus16";
      # keyMap = "fr";
    };
    programs.firejail = {
      enable = true;
      wrappedPackages = [
        pkgs.gimp
      ];
    };
    services.xserver = {
      enable = true;
      # layout = "fr";
      # xkbVariant = "oss";
      libinput = {
        enable = true;
        tapping = false;
      };
      # xkbOptions = "caps:swapescape, compose:prsc";
      displayManager = {
        lightdm.enable = true;
        defaultSession = "xfce";
      };
      desktopManager = {
        xterm.enable = false;
        xfce = {
          enable = true;
        };
      };
    };
  };
}

then when in run nixos-rebuild build-vm -I nixpkgs=$(pwd) -I nixos-config=$(readlink -f vm.nix) I get
/nix/store/him8q86pfk4yf5if00hjk1dqpkycs9nl-nixos-vm/bin/run-nixos-vm
After removing nixos.qcow2 i can still reproduce the issue.

Can you check that you get the same store paths ? This should help you reproducing.

about the error message about environment variable size: I suppose firejail appends things to environment variable, so if it invokes itself, the environment variable size grows infinitely.

then when in run nixos-rebuild build-vm -I nixpkgs=$(pwd) -I nixos-config=$(readlink -f vm.nix) I get
/nix/store/him8q86pfk4yf5if00hjk1dqpkycs9nl-nixos-vm/bin/run-nixos-vm

Hmm, with the updated config and the exact same commit and invocation I get /nix/store/l3hn02rdsn4fj4mvwnpxiv5sp3v1fmfd-nixos-vm/bin/run-nixos-vm.

about the error message about environment variable size: I suppose firejail appends things to environment variable, so if it invokes itself, the environment variable size grows infinitely.

I don't see how the error message could be related to the circular wrapping issue because as you can see from my vm session above, I got this error even when the circular wrapping wasn't occurring.

Hmm, with the updated config and the exact same commit and invocation I get /nix/store/l3hn02rdsn4fj4mvwnpxiv5sp3v1fmfd-nixos-vm/bin/run-nixos-vm

Just reproduced this output on a freshly provisioned machine, though I'll grant it's configuration is fairly similar to the first.

I pushed an additional commit using makeWrapper to simplify the implementation. I would think this would reduce the likelihood of a circular wrapping issue. edit: I reverted this commit because it was based on an error of makeWrapper usage. I no longer think it's possible to use makeWrapper for this application.