[GH-ISSUE #1790] How best to whitelist/noblacklist a deep directory? #1211

Closed
opened 2026-05-05 07:39:52 -06:00 by gitea-mirror · 5 comments

Originally created by @Summertime on GitHub (Mar 1, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1790

Given a directory structure like the following:

```
~/.config/itch/apps
  |- AppName
  |    |- .itch
  |    |    |- isolate-app.profile
  |    |    '- ... # other files that should be also private
  |    '- AppFolder
  |         |- AppData
  |         '- AppExe
  '- ... #apps to be kept private
```

How best would one go about doing a whitelist profile for such a program? I've tried:

```
whitelist ${HOME}/.config/itch/apps/AppName
noblacklist ${HOME}/.config/itch/apps/AppName
blacklist ${HOME}/.config/itch/apps/AppName/.itch

include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile
```

with the command

```
firejail --profile=~/.config/itch/apps/AppName/.itch/isolate-app.profile -- ls -lah ~/.config/itch/apps/AppName
```

which results in a permission denied error.


I know I can "walk" the whitelists/blacklists down the tree with:

```
# Allow traversal only, through the ~/.config/itch folder
whitelist ${HOME}/.config/itch
noblacklist ${HOME}/.config/itch
read-only ${HOME}/.config/itch

# Allow traversal only, through the ~/.config/itch/apps folder,
# no other file in ~/.config/itch to be accessible
noblacklist ${HOME}/.config/itch/apps
read-only ${HOME}/.config/itch/apps
blacklist ${HOME}/.config/itch/*

# Allow traversal only, through the ~/.config/itch/apps/AppName folder,
# no other file in ~/.config/itch/apps to be accessible
noblacklist ${HOME}/.config/itch/apps/AppName
read-only ${HOME}/.config/itch/apps/AppName
blacklist ${HOME}/.config/itch/apps/*

# Allow full control within ~/.config/itch/apps/AppName,
# excepting the ~/.config/itch/apps/AppName/.itch folder
blacklist ${HOME}/.config/itch/apps/AppName/.itch

include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile
```

But I feel like I'm doing something wrong (since it creates 3 lines per level, a bit much!), though it does result in being able to run the executable and `ls` the various files in the `AppName` directory.


```
$ firejail version 0.9.50

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- git install support is disabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
$ lsb_release -a
Distributor ID:	Ubuntu
Description:	Ubuntu 17.10
Release:	17.10
Codename:	artful
```

Running an encrypted filesystem home directory as per the Ubuntu server install defaults.


@Vincent43 commented on GitHub (Mar 1, 2018):

It's not clear to me which directories you want access to and which not.

The below doesn't make sense. Use blacklist or read-only, not both.

```
blacklist ${HOME}/.config/itch/*
blacklist ${HOME}/.config/itch/apps/*
read-only ${HOME}/.config/itch/*
read-only ${HOME}/.config/itch/apps/*
```

@Summertime commented on GitHub (Mar 6, 2018):

Sorry for my poor communication, I corrected some of the paths and added my reasoning:

```
# Allow traversal only, through the ~/.config/itch folder
whitelist ${HOME}/.config/itch
noblacklist ${HOME}/.config/itch
read-only ${HOME}/.config/itch

# Allow traversal only, through the ~/.config/itch/apps folder,
# no other file in ~/.config/itch to be accessible
noblacklist ${HOME}/.config/itch/apps
read-only ${HOME}/.config/itch/apps
blacklist ${HOME}/.config/itch/*

# Allow traversal only, through the ~/.config/itch/apps/AppName folder,
# no other file in ~/.config/itch/apps to be accessible
noblacklist ${HOME}/.config/itch/apps/AppName
read-only ${HOME}/.config/itch/apps/AppName
blacklist ${HOME}/.config/itch/apps/*

# Allow full control within ~/.config/itch/apps/AppName,
# excepting the ~/.config/itch/apps/AppName/.itch folder
blacklist ${HOME}/.config/itch/apps/AppName/.itch

include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile
```

If it would help, I could make a full file tree of desired properties of various folders and throw it into a gist?


@Vincent43 commented on GitHub (Mar 7, 2018):

Does the below work for you?

```
noblacklist ${HOME}/.config/itch
blacklist ${HOME}/.config/itch/apps/AppName/.itch
whitelist ${HOME}/.config/itch/apps/AppName/
read-only ${HOME}/.config/itch/apps/AppName/

include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile
```
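As an added check (not part of the issue or of the firejail project), a small POSIX sh script to run inside the sandbox that reports how each path from the issue actually looks once a profile is applied, and whether the intent behind the profile above (`AppName` visible read-only, its `.itch` folder hidden, sibling apps hidden) holds. `OtherApp` is a constructed sibling name and the expected statuses are my reading of what that profile is meant to achieve.

```sh
#!/bin/sh
# check-access.sh (added helper, not from the issue or the firejail project).
# Run inside the sandbox to see how the issue's paths look with a profile applied:
#   firejail --quiet --profile=isolate-app.profile -- sh check-access.sh --check
# "OtherApp" is a constructed sibling directory name.

# probe PATH: print one word for PATH as seen by this process:
#   absent - does not exist (not whitelisted, so hidden by the tmpfs on $HOME)
#   denied - exists but cannot be listed/read (typical for a blacklisted dir)
#   ro     - readable but not writable (read-only mount)
#   rw     - readable and writable
probe() {
    p=$1
    [ -e "$p" ] || { echo absent; return 0; }
    if [ -d "$p" ]; then
        ls "$p" >/dev/null 2>&1 || { echo denied; return 0; }
        if touch "$p/.probe.$$" 2>/dev/null; then rm -f "$p/.probe.$$"; echo rw
        else echo ro; fi
    else
        cat "$p" >/dev/null 2>&1 || { echo denied; return 0; }
        if [ -w "$p" ]; then echo rw; else echo ro; fi
    fi
}

# is_hidden PATH: true when the sandbox hides PATH one way or the other.
is_hidden() {
    s=$(probe "$1"); [ "$s" = absent ] || [ "$s" = denied ]
}

# expect STATUS PATH: print an ok/FAIL line; succeed only when probe matches.
expect() {
    got=$(probe "$2")
    if [ "$got" = "$1" ]; then echo "ok   $1  $2"; return 0; fi
    echo "FAIL want=$1 got=$got  $2"; return 1
}

# check_issue_layout: intent behind the profile proposed in the thread, i.e.
# AppName visible read-only, its .itch folder hidden, sibling apps hidden.
check_issue_layout() {
    apps=$HOME/.config/itch/apps; rc=0
    expect ro "$apps/AppName" || rc=1
    expect ro "$apps/AppName/AppFolder/AppExe" || rc=1
    is_hidden "$apps/AppName/.itch" || { echo "FAIL visible  $apps/AppName/.itch"; rc=1; }
    is_hidden "$apps/OtherApp" || { echo "FAIL visible  $apps/OtherApp"; rc=1; }
    return $rc
}

case "${1:-}" in
    "") ;;                                   # no args: only define the functions
    --check) check_issue_layout; exit $? ;;
    *) for p; do echo "$(probe "$p")  $p"; done ;;
esac
```

Pass explicit paths instead of `--check` to just print each one's status; run the same invocation outside the sandbox to compare.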

@chiraag-nataraj commented on GitHub (Aug 19, 2018):

@Summertime Did you try what @Vincent43 posted? If so, did it work?


@Summertime commented on GitHub (Aug 21, 2018):

Sorry for the delayed response. If I remember correctly there were some issues with the provided solution; however, I can't test them out currently or for the foreseeable future, sorry.
