github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1871] Allow symlinked /opt #1261

New issue
Closed
opened 2026-05-05 07:44:36 -06:00 by gitea-mirror · 10 comments
gitea-mirror commented 2026-05-05 07:44:36 -06:00
Owner
Copy link

Originally created by @dehnhard on GitHub (Apr 7, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1871

Firejail 0.9.52 (Debian Stretch / Backports repository)

First install of Firejail. It works well for me with the default profiles, though I run into a problem with google-chrome, which is caused by the fact that on that system /opt is symlinked to /home/opt for disk space reasons (/ is on a fast but small SSD, while /home is on a larger HD). So firejail google-chrome results in Error: no suitable /usr/bin/google-chrome executable found because that path is actually a symlink itself to /opt/google/chrome/google-chrome (installed from official Google Debian package), which maps to /home/opt/google/chrome/google-chrome in this setup.

I'd like to ask for either:

  • A way to tell firejail that /home/opt is a valid path for executables. If that's already possible I didn't find it in the documentation or the configuration files.
  • Or to have firejail detect that /opt is a symlink and automatically allow the target path.
Originally created by @dehnhard on GitHub (Apr 7, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1871 Firejail 0.9.52 (Debian Stretch / Backports repository) First install of Firejail. It works well for me with the default profiles, though I run into a problem with google-chrome, which is caused by the fact that on that system `/opt` is symlinked to `/home/opt` for disk space reasons (`/` is on a fast but small SSD, while `/home` is on a larger HD). So `firejail google-chrome` results in `Error: no suitable /usr/bin/google-chrome executable found` because that path is actually a symlink itself to `/opt/google/chrome/google-chrome` (installed from official Google Debian package), which maps to `/home/opt/google/chrome/google-chrome` in this setup. I'd like to ask for either: - A way to tell firejail that `/home/opt` is a valid path for executables. If that's already possible I didn't find it in the documentation or the configuration files. - Or to have firejail detect that `/opt` is a symlink and automatically allow the target path.
gitea-mirror 2026-05-05 07:44:36 -06:00
gitea-mirror commented 2026-05-05 07:44:42 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Apr 7, 2018):

Create /etc/firejail/google-chrome.local and add allusers line inside. You may need to tweak firejail apparmor profile if you use it.

EDIT: Above won't work when whitelist is used inside profile (and it is used). You have to move /home/opt somewhere else, i.e. /home/<user>/opt then disable noexec ${HOME} and add whitelist /home/<user>/opt.

<!-- gh-comment-id:379474001 --> @Vincent43 commented on GitHub (Apr 7, 2018): Create `/etc/firejail/google-chrome.local` and add `allusers` line inside. You may need to tweak firejail [apparmor](https://github.com/netblue30/firejail/blob/master/etc/firejail-default#L101) profile if you use it. **EDIT**: Above won't work when whitelist is used inside profile (and it is used). You have to move `/home/opt` somewhere else, i.e. `/home/<user>/opt` then disable [noexec ${HOME}](https://github.com/netblue30/firejail/blob/master/etc/chromium-common.profile#L34) and add `whitelist /home/<user>/opt`.
gitea-mirror commented 2026-05-05 07:44:44 -06:00
Author
Owner
Copy link

@dehnhard commented on GitHub (Apr 7, 2018):

Thanks for the suggestion, but it still reports the same.

There seems to be something Chrome Profile specific as in firejail --allusers bash that chrome installation is at least executable (although it fails with some chrome sandbox error).

(apparmor is not installed)

<!-- gh-comment-id:379477269 --> @dehnhard commented on GitHub (Apr 7, 2018): Thanks for the suggestion, but it still reports the same. There seems to be something Chrome Profile specific as in `firejail --allusers bash` that chrome installation is at least executable (although it fails with some chrome sandbox error). (apparmor is not installed)
gitea-mirror commented 2026-05-05 07:44:46 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Apr 7, 2018):

Chrome Profile profile uses whitelist under /home/<user> which makes --allusers ineffective. Try firejail --noprofile --allusers --whitelist=/home/<user>/.bashrc bash to see what I mean. /home/opt is really unfortunate choice in that case. I'm afraid you have to choose some other dir to use it with firejail.

<!-- gh-comment-id:379484993 --> @Vincent43 commented on GitHub (Apr 7, 2018): Chrome Profile profile uses `whitelist` under `/home/<user>` which makes `--allusers` ineffective. Try `firejail --noprofile --allusers --whitelist=/home/<user>/.bashrc bash` to see what I mean. `/home/opt` is really unfortunate choice in that case. I'm afraid you have to choose some other dir to use it with firejail.
gitea-mirror commented 2026-05-05 07:44:47 -06:00
Author
Owner
Copy link

@dehnhard commented on GitHub (Apr 7, 2018):

@Vincent43 Thanks for the support. I now understand that the whitelistable directories are fixed and not configurable in firejail. Also allusers would have been nice in this specific case, but still a workaround. To move opt into the users home directory doesn't feel right to me, so I solved this problem by moving opt back in place and only symlinking the subdirectories which really are too large for the partition - they incidentally don't use firejail (e.g. the Android SDK).

Although I solved my problem for now, I'd like to keep this issue open for the devs to consider to implement such a configurability and/or the symlinking. I think it would be good for admins and developers of Linux distributions to have this freedom of choice instead of being restricted to a fixed structure.

<!-- gh-comment-id:379489357 --> @dehnhard commented on GitHub (Apr 7, 2018): @Vincent43 Thanks for the support. I now understand that the whitelistable directories are fixed and not configurable in firejail. Also `allusers` would have been nice in this specific case, but still a workaround. To move opt into the users home directory doesn't feel right to me, so I solved this problem by moving `opt` back in place and only symlinking the subdirectories which really are too large for the partition - they incidentally don't use firejail (e.g. the Android SDK). Although I solved my problem for now, I'd like to keep this issue open for the devs to consider to implement such a configurability and/or the symlinking. I think it would be good for admins and developers of Linux distributions to have this freedom of choice instead of being restricted to a fixed structure.
gitea-mirror commented 2026-05-05 07:44:49 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Apr 7, 2018):

Generally whitelistable directories aren't fixed and are configurable but those directly under /home, i.e. /home/foo, /home/bar other than your user home directory are treated in special way. That's why I wrote that /home/opt is unfortunate choice in that case. Probably any other directory on system would work better with firejail.

<!-- gh-comment-id:379497614 --> @Vincent43 commented on GitHub (Apr 7, 2018): Generally whitelistable directories aren't fixed and are configurable but those directly under `/home`, i.e. `/home/foo`, `/home/bar` other than your user home directory are treated in special way. That's why I wrote that `/home/opt` is unfortunate choice in that case. Probably any other directory on system would work better with firejail.
gitea-mirror commented 2026-05-05 07:44:50 -06:00
Author
Owner
Copy link

@dehnhard commented on GitHub (Apr 8, 2018):

Then let's assume an admin introduces a new directory /alt for alternative software (similar to /opt, but deliberately not taken from FHS folder definitions). One software may be named foo with a binary bar in /alt/foo/bin/bar. How would that admin configure foo in firejail?

<!-- gh-comment-id:379519104 --> @dehnhard commented on GitHub (Apr 8, 2018): Then let's assume an admin introduces a new directory `/alt` for alternative software (similar to /opt, but deliberately not taken from FHS folder definitions). One software may be named foo with a binary bar in `/alt/foo/bin/bar`. How would that admin configure foo in firejail?
gitea-mirror commented 2026-05-05 07:44:51 -06:00
Author
Owner
Copy link

@Vincent43 commented on GitHub (Apr 8, 2018):

firejail --ignore=apparmor /alt/foo/bin/bar would work out of the box. You,re right that whitelisting is currently limited to user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp (plus /bin and /lib while using --private-*). If you want to write custom sandboxes from scratch you may try bubblewrap or nsjail.

<!-- gh-comment-id:379544427 --> @Vincent43 commented on GitHub (Apr 8, 2018): `firejail --ignore=apparmor /alt/foo/bin/bar` would work out of the box. You,re right that whitelisting is currently limited to user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp (plus /bin and /lib while using --private-*). If you want to write custom sandboxes from scratch you may try bubblewrap or nsjail.
gitea-mirror commented 2026-05-05 07:44:52 -06:00
Author
Owner
Copy link

@dehnhard commented on GitHub (Apr 9, 2018):

Sounds like making those (supposedly hard-coded) directories you mentioned configurable would give much flexibility at (probably) a low cost. The defaults are arguably very sane for any standard Linux, but this would allow adaptability and also easy portability to other file structures (e.g. BSD flavors). But as stated I solved my problem without it and just leave it as an idea.

<!-- gh-comment-id:379710964 --> @dehnhard commented on GitHub (Apr 9, 2018): Sounds like making those (supposedly hard-coded) directories you mentioned configurable would give much flexibility at (probably) a low cost. The defaults are arguably very sane for any standard Linux, but this would allow adaptability and also easy portability to other file structures (e.g. BSD flavors). But as stated I solved my problem without it and just leave it as an idea.
gitea-mirror commented 2026-05-05 07:44:53 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 15, 2018):

So this is basically yet another vote for being able to whitelist arbitrary directories 👍

<!-- gh-comment-id:405114954 --> @chiraag-nataraj commented on GitHub (Jul 15, 2018): So this is basically yet another vote for being able to whitelist arbitrary directories :+1:
gitea-mirror commented 2026-05-05 07:44:54 -06:00
Author
Owner
Copy link

@chiraag-nataraj commented on GitHub (Jul 24, 2018):

Let's move discussion over to #2041

<!-- gh-comment-id:407244462 --> @chiraag-nataraj commented on GitHub (Jul 24, 2018): Let's move discussion over to #2041
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1261
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?