[GH-ISSUE #2068] Pure computation in a specific folder? #1396

Closed
opened 2026-05-05 08:03:30 -06:00 by gitea-mirror · 1 comment

Originally created by @gretchenfrage on GitHub (Jul 27, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2068

I need to run an untrusted script, which will run some sort of executable or interpreter, localized within a particular directory. I've been searching for a way to do this in firejail for a while, but I haven't had much luck. I need a way to run a script that allows:

- read-only access to a certain directory, all other directories are blacklisted
- limited to 1 CPU
- limited in memory use
- cannot make dangerous system calls
- cannot access the network
- cannot access the screen
- only I/O is reading the files in specified directory, and standard input/output/error
- ability to call certain language interpreters (python, java, etc).

Is this possible with firejail?
Thank you.


@SkewedZeppelin commented on GitHub (Jul 27, 2018):

Here is a basic profile for you to get started with.

```
# Firejail profile for restricted
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/restricted.local
# Persistent global definitions
include /etc/firejail/globals.local

#noblacklist any needed paths here

# Allow access to java
noblacklist ${PATH}/java
noblacklist /usr/lib/java
noblacklist /etc/java
noblacklist /usr/share/java

# Allow access to python
noblacklist ${PATH}/python*
noblacklist /usr/include/python*
noblacklist /usr/lib/python*
noblacklist /usr/local/lib/python*
noblacklist /usr/share/python*

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

#whitelist any needed paths here
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
ipc-namespace
net none
no3d
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none

#disable-mnt #enable if you don't need extra drives
#private #enable to make root and /home empty
#private-bin bash,etc #this is recommended
private-cache
private-dev
private-etc none
#private-lib #fiddle with this after
private-tmp

memory-deny-write-execute
noexec ${HOME}
noexec /tmp

#1 core with 512MB RAM
cpu 0
rlimit-as 512000000
```
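To see which of the requirements listed in the question the starter profile already covers, the following added example (not part of the original thread or of the firejail project) audits a profile's active directives. The mapping of requirements to `net none`, `seccomp`, `cpu`, `rlimit-as`, `x11 none` and `read-only` is this example's assumption, and the sample input is an excerpt of the profile above.

```shell
#!/usr/bin/env bash
# Added example: check which of the question's requirements a firejail profile
# covers. The requirement-to-directive mapping is this example's assumption.

# Active directives from stdin: drop comments (everything from '#') and blank
# lines, so a commented-out "#private-bin ..." never counts as enabled.
active_directives() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' || true
}

# has_directive TEXT DIRECTIVE: true if a line is DIRECTIVE or "DIRECTIVE <args>".
# Literal match on a word boundary: "private" does not match "private-tmp".
has_directive() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $0 == d || index($0, d " ") == 1 { found = 1 }
        END { exit !found }'
}

# audit_profile < PROFILE: prints one "ok"/"MISSING" line per requirement.
audit_profile() {
    local active req directive
    active=$(active_directives)
    while IFS='|' read -r req directive; do
        if has_directive "$active" "$directive"; then
            printf 'ok       %s (%s)\n' "$req" "$directive"
        else
            printf 'MISSING  %s (%s)\n' "$req" "$directive"
        fi
    done <<'EOF'
no network access|net none
dangerous syscalls filtered|seccomp
pinned to one CPU|cpu
memory limit|rlimit-as
no X11 screen access|x11 none
read-only target directory|read-only
EOF
}

# Sample input: an excerpt of the profile posted in the comment above.
sample_profile() {
    printf '%s\n' 'caps.drop all' 'net none' 'seccomp' \
        '#private #enable to make root and /home empty' \
        '#private-bin bash,etc #this is recommended' 'private-tmp' \
        '#1 core with 512MB RAM' 'cpu 0' 'rlimit-as 512000000'
}

sample_profile | audit_profile
```

Run against the full profile with `audit_profile < restricted.profile` (file name assumed). The excerpt has no active `x11 none` or `read-only <path>` line, so those two requirements are reported as not yet covered.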
Reference: github-starred/firejail#1396